Published March 2026 | Cybersecurity & National Security
Somewhere in an American suburb, there’s a bedroom with a folding table stacked with 20, 30, maybe 90 laptops — all quietly running, all collecting paychecks from U.S. companies. None of the workers are in that room. They’re in China or Russia. And every dollar they earn flows back to Pyongyang.
This is a North Korean laptop farm — and it’s one of the most effective financial fraud operations in the world right now.
The Numbers Are Staggering
A joint report released in March 2026 by Flare and IBM X-Force estimates that North Korea has approximately 100,000 fake IT workers operating globally, generating $500 million per year for the regime. That money doesn’t fund salaries or pensions — it funds ballistic missiles and weapons programs.
CrowdStrike separately reported a 220% surge in fraudulent employment incidents in 2025. Amazon alone blocked over 1,800 North Korean job applicants in a single year. This isn’t a niche threat — it’s a systemic one.
Step 1: Getting the Job
It starts with identity theft. DPRK operatives build synthetic personas using:
- Stolen U.S. Social Security numbers and real personal information
- AI-generated profile photos and fabricated work histories
- Virtual U.S. phone numbers that can be answered from anywhere in the world
- Mail forwarding services to establish a believable American address
To survive video interviews, they use deepfake AI tools to impersonate the stolen identity on camera, often combined with real-time voice modulation software. One undercover investigation found that just 20 operatives had collectively applied to 160,000 job postings. They play the numbers game — and they win it constantly.
Step 2: The Laptop Farm Setup
Once hired, the company ships a work laptop to the U.S. address on file. That address belongs to a facilitator — a U.S.-based collaborator running the physical operation. Here’s where the real technical cleverness kicks in.
The facilitator connects an IP-KVM device (a keyboard-video-mouse switch that is reachable over IP) to the laptop. Think of it as a hardware remote desktop — it captures the screen via HDMI and emulates a keyboard and mouse via USB, then streams everything over the internet to the DPRK operator abroad.
The critical detail: this leaves zero software footprint on the laptop. No remote desktop app. No VPN client. Nothing that endpoint security tools would flag. To the corporate laptop, it just looks like someone plugged in a monitor and keyboard. All network traffic appears to originate from a legitimate U.S. residential IP address.
The operator, sitting in China or Russia, connects to the KVM, sees the laptop’s screen, and works a perfectly normal-looking American business day.
Step 3: Real-World Scale
This isn’t theoretical. Court records paint a vivid picture:
- Christina Chapman (Arizona) ran a farm of up to 90 laptops, supporting work at 309 U.S. companies — including Fortune 500 firms — and funneled $17 million to North Korea before receiving a 102-month federal prison sentence.
- Matthew Knoot (Tennessee) ran a farm generating roughly $250,000/year for the regime.
- In June 2025, the FBI raided 29 suspected farms across 16 states, seizing approximately 200 laptops.
The North Korean regime manages this operation through internal platforms like “RB Site” and “NetkeyRegister” — dashboards that track worker timesheets, register devices, and distribute software. This is a professionally managed operation with org charts, managers, and performance tracking.
Step 4: Laundering the Money
Workers typically request payment in USDC or USDT stablecoins — preferred for their stable value and ease of conversion. From there, the laundering chain looks like this:
- Salary paid (~$5,000/month per worker) into DPRK-controlled crypto wallets
- Chain-hopping — funds shuffled through decentralized exchanges and cross-chain bridges to obscure the trail
- Consolidation — funds from many workers pooled into central “IT Worker Consolidation Addresses”
- OTC traders — Chinese or UAE-based over-the-counter brokers convert crypto to fiat currency
- Repatriation — fiat flows to North Korean regime representatives and state-affiliated banks
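The consolidation step above is the one a payments or blockchain-analytics team can look for directly: an address that, within a few hops, is fed by many independent salary sources. The following is an added example written for this article (not code from Chainalysis, Unit 42 or any other cited source) that scores fan-in on a constructed transfer graph; every address and amount below is a placeholder, and `max_hops` and `min_sources` are assumed tuning knobs.

```python
from collections import defaultdict

# Constructed sample transfers: (sender, receiver, amount_usd). Addresses are
# placeholders, not real wallets. Four "payroll_*" senders pay four worker
# wallets, which hop through two bridges into one consolidation address.
TRANSFERS = [
    ("payroll_acme", "w1", 5000),
    ("payroll_beta", "w2", 5000),
    ("payroll_gamma", "w3", 5000),
    ("payroll_delta", "w4", 5000),
    ("w1", "bridge_a", 5000),
    ("w2", "bridge_a", 5000),
    ("w3", "bridge_b", 5000),
    ("w4", "bridge_b", 5000),
    ("bridge_a", "consol_1", 10000),
    ("bridge_b", "consol_1", 10000),
    ("consol_1", "otc_desk", 20000),
    ("w5", "merchant", 120),  # ordinary one-to-one payment, should not be flagged
]


def inbound_edges(transfers):
    """Map each receiver to the set of addresses that paid it."""
    inbound = defaultdict(set)
    for sender, receiver, _ in transfers:
        inbound[receiver].add(sender)
    return inbound


def root_sources(inbound, addr, max_hops):
    """Addresses with no inbound transfers of their own (the original payers)
    that reach `addr` within `max_hops` transfers."""
    roots, seen, frontier = set(), set(), {addr}
    for _ in range(max_hops):
        nxt = set()
        for node in frontier:
            for src in inbound.get(node, ()):
                if src in seen:
                    continue
                seen.add(src)
                if inbound.get(src):      # src was itself paid: intermediate hop
                    nxt.add(src)
                else:                     # src has no payer: an origin of funds
                    roots.add(src)
        frontier = nxt
        if not frontier:
            break
    return roots


def total_inflow(transfers, addr):
    return sum(amt for _, receiver, amt in transfers if receiver == addr)


def find_consolidation_addresses(transfers, min_sources=3, max_hops=3):
    """Return {address: {"sources": set, "inflow": usd}} for every address fed
    by at least `min_sources` distinct origin payers within `max_hops`."""
    inbound = inbound_edges(transfers)
    hits = {}
    for addr in inbound:
        roots = root_sources(inbound, addr, max_hops)
        if len(roots) >= min_sources:
            hits[addr] = {"sources": roots, "inflow": total_inflow(transfers, addr)}
    return hits


if __name__ == "__main__":
    for addr, info in find_consolidation_addresses(TRANSFERS).items():
        print(addr, sorted(info["sources"]), info["inflow"])
```

With the defaults, only `consol_1` is reported (four distinct payroll origins, $20,000 inflow); the bridges see only two origins each and stay below the threshold. Raising `max_hops` to 4 also surfaces `otc_desk`, which is the point of the hop limit: it trades off how far down the chain a single fan-in signal is allowed to propagate.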
Why It’s So Hard to Catch
| Detection Vector | Why It Fails |
|---|---|
| Geolocation / IP checks | Laptop sits on a real U.S. residential IP |
| Endpoint security (EDR) | IP-KVM has no software footprint on the OS |
| Video interview verification | Deepfake AI defeats face-matching tools |
| Background checks | Real stolen U.S. identities pass most screenings |
| Payment monitoring | Stablecoin payments bypass traditional sanctions checks |
The one weak point: the IP-KVM is physical hardware, and hardware leaves traces that software-only monitoring never looks for. It shows up as an anomalous device on the local network, and on the laptop itself as unexpected USB HID or HDMI capture hardware. Security-aware IT teams can inventory corporate endpoints and their networks for exactly those anomalies. MITRE ATT&CK has even added a formal sub-technique for this: T1219.003 (Remote Access Hardware).
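The inventory check that follows is an added example for this article, not code from MITRE or any vendor named here. It takes a constructed device inventory in the shape an EDR or PnP export might produce (hostname, device instance ID, device class) and flags hosts that have a USB HID device from a vendor outside the corporate peripheral allowlist, raising the severity when an external display is attached at the same time, since a keyboard-and-mouse emulator plus a captured display is the signature an IP-KVM presents to the endpoint. All vendor and product IDs below are placeholders, and `ALLOWED_HID_VIDS` is an assumed allowlist.

```python
import re
from collections import defaultdict

# Constructed inventory rows: (hostname, device_instance_id, device_class).
# VID/PID values are placeholders, not real vendor identifiers.
INVENTORY = [
    ("LT-0417", r"USB\VID_AAAA&PID_0001\5&1234", "HIDClass"),   # corporate touchpad (allowlisted)
    ("LT-0417", r"USB\VID_BBBB&PID_0002\6&5678", "HIDClass"),   # unknown composite keyboard+mouse
    ("LT-0417", r"DISPLAY\XYZ1234\4&abcd", "Monitor"),          # external display attached
    ("LT-0551", r"USB\VID_DDDD&PID_0009\6&1111", "HIDClass"),   # unknown HID, no display
    ("LT-0912", r"USB\VID_AAAA&PID_0001\5&9999", "HIDClass"),
    ("LT-0912", r"USB\VID_CCCC&PID_0003\7&0001", "USBDevice"),  # unknown but not HID (e.g. storage)
]

ALLOWED_HID_VIDS = {"AAAA"}  # assumed allowlist of approved peripheral vendors

USB_ID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


def parse_usb_ids(instance_id):
    """Return (VID, PID) upper-cased from a USB instance ID, or None."""
    m = USB_ID_RE.search(instance_id)
    return (m.group(1).upper(), m.group(2).upper()) if m else None


def audit_endpoints(inventory, allowed_hid_vids):
    """Return {host: finding} for hosts with non-allowlisted USB HID devices.
    Severity is 'high' when an external display is also present."""
    by_host = defaultdict(list)
    for host, instance_id, device_class in inventory:
        by_host[host].append((instance_id, device_class))

    findings = {}
    for host, devices in by_host.items():
        unknown_hid = []
        for instance_id, device_class in devices:
            if device_class != "HIDClass":
                continue          # only input emulators matter for this check
            ids = parse_usb_ids(instance_id)
            if ids and ids[0] not in allowed_hid_vids:
                unknown_hid.append(ids)
        if not unknown_hid:
            continue
        external_display = any(cls == "Monitor" for _, cls in devices)
        findings[host] = {
            "unknown_hid": unknown_hid,
            "external_display": external_display,
            "severity": "high" if external_display else "medium",
        }
    return findings


if __name__ == "__main__":
    for host, finding in audit_endpoints(INVENTORY, ALLOWED_HID_VIDS).items():
        print(host, finding)
```

On Windows the inventory rows can be produced by exporting `Get-PnpDevice` output (the `InstanceId` and `Class` properties); the logic is the same for a Linux `lsusb`/`udevadm` export once the IDs are normalised. The allowlist is the part worth maintaining: an organisation that standardises on a handful of peripheral vendors turns this from a noisy report into a short list of hosts worth a physical look.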
What Companies Can Do
Defending against this requires layering both HR and IT controls:
- Verify identity out-of-band — request government-issued ID via a notary or trusted third party, not just a video call
- Watch for red flags at hiring — requests to redirect laptops to a different address, reluctance to appear on camera spontaneously, unusual working hours for the stated timezone
- Audit your network — look for unrecognized hardware devices (IP-KVM, Raspberry Pi, capture cards) connected to corporate endpoints
- Monitor for inconsistent behavior — login timestamps that don’t match the employee’s claimed timezone are a common tell
- Use hardware-backed identity — FIDO2/WebAuthn keys tied to a verified physical device add a layer that’s hard to spoof remotely
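The timezone tell in the list above is easy to operationalise. The example below is written for this article (not from any of the cited sources) and runs over a few constructed authentication log lines: for each employee it measures what share of logins fall in business hours under the timezone stated at hiring, then searches all UTC offsets for the one that best explains the login pattern. An employee whose logins almost never fit the claimed offset but fit one many hours away is flagged. The log format, the business-hours window (08:00 to 19:00 on weekdays) and the thresholds are assumptions; fixed UTC offsets are used instead of `zoneinfo` so the example runs without a tz database, which means production code should resolve named zones to handle daylight saving.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log lines (UTC). 2026-03-02 is a Monday. "jdoe" claims US Eastern
# (UTC-5) but signs in between 00:50 and 06:30 UTC; "asmith" claims the same
# zone and signs in during a normal Eastern working day.
LOG_LINES = """\
2026-03-02T01:05:11Z user=jdoe event=login src=203.0.113.7
2026-03-02T02:30:40Z user=jdoe event=login src=203.0.113.7
2026-03-02T13:10:02Z user=asmith event=login src=198.51.100.4
2026-03-02T17:45:19Z user=asmith event=login src=198.51.100.4
2026-03-03T00:50:33Z user=jdoe event=login src=203.0.113.7
2026-03-03T03:15:08Z user=jdoe event=login src=203.0.113.7
2026-03-03T14:00:55Z user=asmith event=login src=198.51.100.4
2026-03-04T01:10:27Z user=jdoe event=login src=203.0.113.7
2026-03-04T04:40:12Z user=jdoe event=login src=203.0.113.7
2026-03-04T13:30:00Z user=asmith event=login src=198.51.100.4
2026-03-04T20:15:44Z user=asmith event=login src=198.51.100.4
2026-03-05T02:00:09Z user=jdoe event=login src=203.0.113.7
2026-03-05T06:30:51Z user=jdoe event=login src=203.0.113.7
2026-03-05T15:00:30Z user=asmith event=login src=198.51.100.4
2026-03-05T09:00:00Z user=bob event=logout src=192.0.2.9
""".splitlines()

# Claimed UTC offset per employee, as recorded at hiring (assumed HR data).
CLAIMED_OFFSETS = {"jdoe": -5, "asmith": -5}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+event=login\b")


def parse_logins(lines):
    """Group login timestamps (as aware UTC datetimes) by user; ignore other events."""
    logins = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        logins[m.group("user")].append(ts.replace(tzinfo=timezone.utc))
    return logins


def in_business_hours(ts_utc, offset_hours, start=8, end=19):
    local = ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and start <= local.hour < end


def in_hours_share(times, offset_hours):
    return sum(in_business_hours(t, offset_hours) for t in times) / len(times)


def best_fit_offset(times, claimed_offset):
    """UTC offset under which the most logins fall in business hours; ties go
    to the offset closest to the claimed one, to avoid over-flagging."""
    best_key, best_off = None, None
    for off in range(-12, 15):
        key = (in_hours_share(times, off), -abs(off - claimed_offset))
        if best_key is None or key > best_key:
            best_key, best_off = key, off
    return best_off


def flag_timezone_mismatch(lines, claimed_offsets, min_logins=5, min_gap_hours=6):
    """Return {user: finding} for users whose logins rarely fit the claimed
    offset but fit an offset at least `min_gap_hours` away."""
    findings = {}
    for user, times in parse_logins(lines).items():
        if user not in claimed_offsets or len(times) < min_logins:
            continue
        claimed = claimed_offsets[user]
        share = in_hours_share(times, claimed)
        best = best_fit_offset(times, claimed)
        if share < 0.5 and abs(best - claimed) >= min_gap_hours:
            findings[user] = {"claimed_share": round(share, 2),
                              "best_fit_offset": best, "logins": len(times)}
    return findings


if __name__ == "__main__":
    print(flag_timezone_mismatch(LOG_LINES, CLAIMED_OFFSETS))
```

For `jdoe` the claimed-offset share is 0 and the best fit is UTC+8, thirteen hours from the stated zone; `asmith` fits the claimed zone perfectly and is not reported. The `min_logins` floor matters in practice: a handful of late-night sign-ins from a genuine employee should not trip this, so the check is meant to run over a week or more of identity-provider logs rather than a single day.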
The Bottom Line
North Korea turned remote work into a revenue stream for weapons development. The operation is sophisticated, well-funded, and staffed like a real enterprise — complete with HR platforms, quota tracking, and a financial pipeline that spans four continents.
The best defense is treating remote hiring with the same rigor you’d apply to physical access to your building. Because in a very real sense, that’s exactly what it is.
Sources: Flare / IBM X-Force (March 2026), U.S. Department of Justice, Chainalysis, Palo Alto Networks Unit 42, BleepingComputer, LMG Security, DomainTools