Two American citizens were indicted this month for helping embed North Korean IT workers inside more than one hundred U.S. companies.
They are part of a coordinated, state-backed effort to generate more than $5 million in revenue, access sensitive systems, and bypass sanctions without ever crossing a border.
The model is simple and effective. North Korean developers use stolen or fabricated identities to secure remote work at American firms. U.S.-based facilitators help them pass background checks, host company-issued laptops, and maintain the appearance of a domestic workforce. Payments are routed through layers of accounts and crypto channels, ultimately flowing back to the regime.
Hundreds of companies have been targeted. In some cases, these workers' access to internal systems has enabled data exfiltration, intellectual property theft, and follow-on cyber activity. North Korea has found a way to turn the global shift to remote work into a revenue stream and an access vector at the same time. It no longer needs to rely solely on external cyber intrusions. It can place personnel directly inside the systems it wants to reach.
It also exposes a structural vulnerability in how the U.S. economy operates. Identity verification, remote onboarding, and distributed work environments have become points of entry. The enforcement response is catching up. The Department of Justice has begun prosecuting U.S.-based facilitators and dismantling “laptop farm” networks used to mask location.
As long as companies rely on remote talent pipelines and identity verification remains fragmented, this model will persist and expand.






