04/15/2026 | Press release | Distributed by Public on 04/15/2026 14:45
BOSTON - Two men from New Jersey have been sentenced in federal court in Boston for their involvement in a scheme to generate revenue for the Democratic People's Republic of Korea (DPRK) weapons of mass destruction (WMD) programs. The scheme involved the dispatch of skilled information technology (IT) workers who, using stolen identities of U.S. persons, posed as domestic workers to obtain remote IT jobs with U.S. companies, including several Fortune 500 companies and a defense contractor. The multi-year scheme used the stolen identities of at least 80 U.S. persons and generated more than $5 million in illicit revenue for the DPRK government.
Kejia "Tony" Wang, 42, of New Jersey, was sentenced today by U.S. Senior District Court Judge Nathaniel M. Gorton to nine years in prison to be followed by three years of supervised release. In September 2025, Kejia Wang pleaded guilty to conspiracy to commit wire fraud, conspiracy to commit money laundering, and conspiracy to commit identity theft.
Yesterday, Zhenxing "Danny" Wang, 39, also of New Jersey, was sentenced by Judge Gorton to 92 months in prison to be followed by three years of supervised release. The defendant was also ordered to pay restitution in the amount of $200,000. On Jan. 7, 2026, Zhenxing Wang pleaded guilty to conspiracy to commit mail and wire fraud and conspiracy to commit money laundering.
In addition to the prison sentences imposed, the defendants were also ordered to forfeit $600,000 that they received in connection with the scheme. To date, the United States has received $400,000 of the ordered forfeiture amount.
"This case exposes a sophisticated scheme that exploited stolen American identities and U.S. companies to generate millions of dollars for a hostile foreign regime. By operating so-called 'laptop farms,' these defendants enabled overseas actors to infiltrate U.S. businesses, access sensitive data and undermine our economic and national security," said United States Attorney Leah B. Foley. "The sentences imposed this week reflect the seriousness of this conduct and our commitment to holding accountable those who facilitate sanctions evasion and foreign threats from within our borders."
"For years, the defendants enriched themselves by assisting North Korean actors in a fraudulent scheme to gain employment with U.S. companies," said Assistant Attorney General for National Security John A. Eisenberg. "The ruse placed North Korean IT workers on the payrolls of unwitting U.S. companies and in U.S. computer systems, thereby potentially harming our national security. NSD will hold accountable those who facilitate North Korea's illicit revenue generation efforts."
"Today's announcement sends a clear message: U.S. nationals who facilitate DPRK IT worker schemes and funnel revenue to North Korea will face FBI investigation and potential prison time," said Assistant Director Brett Leatherman of the FBI's Cyber Division. "Working closely with our partners, the FBI will pursue their co-conspirators and hold accountable those who seek to empower the DPRK by defrauding American companies and stealing the identities of private citizens."
"These sentencings should act as a deterrent to foreign individuals and entities attempting to illegally access and export critical defense information," said John Helsing, Special Agent-in-Charge for the Department of Defense Office of Inspector General's Defense Criminal Investigative Service (DCIS), Western Field Office. "Investigating the theft, illegal export, diversion, or proliferation of sensitive Department technologies is a priority for DCIS, particularly where such compromises could enable foreign adversaries to use those capabilities against our nation's warfighters. We will continue to work aggressively with our law enforcement partners and the Department of Justice to investigate and prosecute those who threaten our national security."
"Homeland Security Investigations (HSI) is steadfast in its commitment to protecting the integrity of the U.S. financial system from foreign adversaries and criminal actors," said Kevin Murphy, acting Special Agent in Charge of HSI San Diego. "This case demonstrates the critical importance of collaboration across law enforcement agencies to disrupt schemes that threaten our economy and national security. HSI will continue to aggressively pursue those who exploit our financial institutions and technology infrastructure for illicit purposes, ensuring that the United States remains a safe and secure place to do business."
"Today's sentences should serve as a warning to those who continue to carry out schemes intending to deceive U.S. companies," said Special Agent in Charge Christopher S. Delzotto. "We will relentlessly pursue those responsible! The FBI is committed to working with our partners to expose and mitigate these fraudulent IT schemes and provide unwavering support to victims of North Korean cyber actors. The FBI strongly advises organizations to closely monitor their data, strengthen their remote hiring processes, and report any suspicious activity or fraud to the FBI."
From approximately 2021 until October 2024, the defendants and other co-conspirators compromised the identities of more than 80 U.S. persons to obtain remote jobs at more than 100 U.S. companies, including many Fortune 500 companies, and caused U.S. victim companies to incur legal fees, computer network remediation costs, and other damages of at least $3 million. Kejia Wang traveled to Shenyang and Dandong, China on two separate occasions in 2023, to meet with overseas actors about the scheme, including a former classmate that Kejia Wang knew was from North Korea. Kejia Wang went on to serve as the U.S.-based manager for the scheme, supervising at least five facilitators in the United States who collectively hosted hundreds of computers of U.S. victim companies at their residences. Zhenxing Wang was among the U.S. facilitators who received and hosted victim company laptops at his residence. He and the others also enabled overseas IT workers to access the laptops remotely by, among other things, connecting the laptops to hardware devices designed to allow for remote access (referred to as keyboard-video-mouse or "KVM" switches).
Kejia Wang and Zhenxing Wang created shell companies with corresponding websites and financial accounts, including Hopana Tech LLC, Tony WKJ LLC and Independent Lab LLC, to make it appear as though the overseas IT workers were affiliated with legitimate U.S. businesses. In fact, these companies had no employees or operations and existed only to further the scheme and enable the defendants and their co-conspirators to receive proceeds from the scheme. The financial accounts established by the two defendants for these shell companies ultimately received millions of dollars from victimized U.S. companies, much of which was subsequently transferred to overseas co-conspirators. In exchange for their services, Kejia Wang, Zhenxing Wang, and the four other U.S. facilitators received nearly $700,000 for their respective roles in the scheme.
IT workers employed under this scheme also gained access to sensitive employer data and source code, including International Traffic in Arms Regulations (ITAR) data from a California-based defense contractor that develops artificial intelligence-powered equipment and technologies. Specifically, between on or about Jan. 19, 2024, and on or about April 2, 2024, an overseas co-conspirator remotely accessed without authorization the company's laptop and computer files containing technical data and other information. The stolen data included information marked as being controlled under the ITAR.
In June 2025, 17 web domains used in furtherance of this scheme were seized, as well as 29 financial accounts, holding tens of thousands of dollars in funds, used to launder revenue for the North Korean regime through the remote IT work scheme. In October 2024, searches of eight locations across three states resulted in the recovery of more than 70 laptops and remote access devices, such as KVMs. Simultaneously, four web domains associated with Kejia Wang's and Zhenxing Wang's shell companies Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC were also seized.
In June 2025 the defendants were charged along with eight overseas operatives who remain at large.
Concurrent with today's announcement, the U.S. Department of State's Rewards for Justice (RFJ) program announced a reward of up to $5 million for information leading to the disruption of financial mechanisms of persons engaged in certain activities that support DPRK, including money laundering, exportation of luxury goods to North Korea, specified cyber-activity and actions that support weapons of mass destruction proliferation. The reward is offered for the following eight defendants who are alleged to have participated in the above-described scheme and one suspected IT worker:
Today's announcement represents the Department's latest actions to combat North Korean IT worker schemes as part of a joint NSD and FBI Cyber and Counterintelligence Divisions effort, the DPRK RevGen: Domestic Enabler Initiative. This effort prioritizes targeting and disrupting the DPRK's illicit revenue generation schemes and its U.S.-based enablers. The Department previously announced sentencings of DPRK IT worker facilitators in July and December 2025 and February and March 2026.
As described in Public Service Announcements published in May 2024, January 2025 and July 2025, North Korean remote IT workers posing as legitimate remote IT workers have committed data extortion and exfiltrated proprietary and sensitive data from U.S. companies. DPRK IT worker schemes typically involve the use of stolen identities, alias emails, social media, online cross-border payment platforms and online job site accounts, as well as false websites, proxy computers and witting and unwitting third parties located in the U.S. and elsewhere. North Korean IT workers leverage these third parties, which include U.S.-based individuals, to gain fraudulent employment and access to U.S. company networks to generate revenue.
Other public advisories about the threats, red flag indicators and potential mitigation measures for these schemes include a May 2022 advisory; a July 2023 advisory; and guidance issued in October 2023 by the United States and the Republic of Korea (South Korea). As described in the May 2022 advisory, North Korean IT workers have been known individually to earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK's weapons programs.
Assistant U.S. Attorney David Holcomb of the National Security Unit prosecuted the cases alongside Trial Attorney Gregory J. Nicosia, Jr. of the National Security Division's National Security Cyber Section. Valuable assistance was provided by FBI New York, Newark and San Diego Field Offices; HSI Newark Field Office; United States Postal Inspection Service's San Diego Field Office; and the U.S. Attorney's Offices for the District of New Jersey, the Eastern District of New York and the Southern District of California.
The details contained in the charging document are allegations. The remaining defendants are presumed to be innocent unless and until proven guilty beyond a reasonable doubt in a court of law.