“North Korea turns around and uses the money it steals through these operations to fund the unlawful development of weapons of mass destruction—nuclear bombs, for example, and ballistic missiles with which to target the United States and our allies,” Jonathan Fritz, principal deputy assistant secretary of state for East Asia Pacific affairs, said at a UN committee meeting on the North Korean fraud scheme in January.
The recent spate of prison terms is meant to be a deterrent to curious Americans who see participating in the scheme as a get-money-quick option, but investigators say this is only the tip of the iceberg when it comes to the U.S. muscle undergirding the fraud scheme. Some American facilitators are sophisticated, some are naive, and others walked away from the scheme years ago. However, involvement in this fraud isn’t casual. American identities are still circulating through the North Korean fraud apparatus after they’ve completely moved on with their lives, investigators say.
“North Koreans are taking American jobs, and they’re stealing cryptocurrency from American owners of said cryptocurrency,” said Fritz. “A North Korean IT worker can live in Laos, steal the identity of a Ukrainian online, and then use that identity to defraud a U.S. company into hiring them—often for remote jobs with salaries in the hundreds of thousands of dollars range.”
“Your citizens are competing against a mechanized system that has been honed over years of training to exploit how we hire,” Gordenker told delegates at the UN committee meeting in January. “Until we change the fundamental system of hiring, I don’t think there is anything we can do centrally to make sure that this doesn’t happen.”
“We will immediately knee-jerk assume they are a victim,” said Barnhart about the American conspirators. “And then once we start peeling back the onion, it’s like, ‘Oh, you’re enjoying this.’”
Barnhart and the other investigators in his network have been tracking several American identities for years that have circulated through the scheme and, despite being flagged by cybersecurity firms and law enforcement, have remained active as of last month. These real identities offer cover, a true social security number, and an identity veneer that the DPRK IT workers can use in their schemes to get jobs, even if the real American, who might have initially lent their identity to the scheme, has stopped participating.
Barnhart and investigators he works with—many of whom work under false identities to avoid retaliation—set up an operation in 2024 to try to lure DPRK IT workers and American facilitators into the open to trace their tactics and methods. A partner created a front company and posted some job listings. It wasn’t long before a candidate applied claiming to hail from Austin, Texas. On video calls however, the candidate didn’t show any familiarity with typical Texan culture.
“There was nothing about football, nothing about barbecue,” said Barnhart, who spoke during an DTEX panel in San Francisco in March. “You just peel back the onion a little bit, and you can see that the lies fall apart. Everything’s an inch deep.”
Barnhart and his network wanted to see how far the scheme would stretch. They told the worker he needed to come on-site for identity verification where they expected the ruse to collapse.
Instead, a young man named “David” walked into the facility in person, presented a real government-issued ID, signed the paperwork, and passed the screening. David, whose last name Fortune is withholding for privacy reasons, was not the same person from the video interviews, he was a local proxy—a real American lending his identity to someone else he likely never met face-to-face, said Barnhart.
“We thought it was a stolen identity until the real dude showed up,” Barnhart said. “That’s where we got to the facilitator stuff.”
The David who showed up claiming to be the applicant appeared to be a college student at the time. Barnhart surmised he was picking up some extra cash in a side deal he might not have truly understood.
“When he was doing this with us, he was in college,” said Barnhart. “I bet he was just, like, a poor college kid.”
But the operation didn’t end with David. When Barnhart’s operation went to ship a “company laptop” to David in Texas, David said he’d moved and asked that it be routed to Moorhead, Minnesota instead. There, a different facilitator, a man named “Aaron,” accepted the package under David’s name, said Barnhart. Aaron, whose last name Fortune is also withholding, got the laptop, set it up, and arranged it so a North Korean IT worker could perform the job tasks. Barnhart’s team had digital forensics noting every step.
“We have confirmed. We sent hardware and infrastructure to his home and it was accepted,” Barnhart said. “Through the partner company we were working with, we were able to see forensics on the laptop to show it was operational at his location.”
Multiple cybersecurity operators and law enforcement were alerted to Aaron and David’s roles, but as far as Barnhart is aware, action has not yet been taken. Barnhart suspects that their work inside the scheme might be so low level that it doesn’t meet the threshold for law enforcement working with limited resources.
Fortune corresponded with David and Aaron after being given their contact information from Barnhart.
“I actually went ahead and checked my IRS transcripts over the weekend and noticed that there were tons of w2s dating back to when I was 19 that I never applied or work [sic] for,” David wrote in a LinkedIn message this month. “Someone definitely stole my identity back then and applied to jobs without my knowledge. Many had addresses from a completely different state. I went ahead and filled out the form 14039 to report it to the [IRS]. I also reported it to FTC.”
Aaron denied any knowledge of a laptop or North Korean IT worker scheme.
“I don’t know anything about that,” Aaron wrote in an email to Fortune.
Regardless of how much the American facilitators know or don’t know, the DPRK scheme relies on their participation, prosecutors said.
“North Korean IT worker schemes would not be successful without U.S.-based facilitators,” said Assistant Attorney General John Eisenberg in an April sentencing memo. The facilitators “assist overseas remote IT workers by operating laptop farms, creating fictitious front companies and associated financial accounts, defrauding U.S. companies through the use of false and fake identification documents, and pocketing substantial sums of money for their roles.”
Whether or not Aaron or David were part of a scheme wittingly or unwittingly, their identities are still circulating through the North Korean IT worker pipeline, said Barnhart.
“I thought I’d never see [them] again, and moved on,” said Barnhart.
Then in winter 2026, another investigator colleague texted him a screenshot showing that the two names were listed as board members of an American employment company for tech workers. The company serves as a front for North Koreans in the scheme so that they appear to be vetted, background-checked workers, when in reality they use stolen or fake identities shielding their identities as North Korean operatives.
“I was like, dammit,” said Barnhart.
Barnhart said his team has also pinpointed a third identity floating around that also goes by “David” but with a different last name. The person behind all three identities, the one actually doing the work and logging into the computers from abroad, was tied to a single North Korean operative Barnhart and other investigators had been tracking for years.
The real Davids and Aaron may have walked away from whatever arrangement they once had but their names and digital footprints have taken on a life of their own inside the North Korean apparatus. Fake LinkedIn profiles with their names have been created and deleted, and resumes with their identities still land on recruiters desks. The fake Aaron and the fake Davids are still “very alive, very well, and still doing IT work,” said Barnhart.
The real people behind these identities “might not even know they’re still part of the scam,” said Barnhart.
Mitchell Green, a security researcher who spoke on the panel with Barnhart, said he has worked on more than a dozen cases that have uncovered and fired remote North Korean IT workers employed at companies. He’s seen a wide range of facilitator involvement.
“Some of them are very smart, and they’re getting really involved in the operation and they’re essentially a force multiplier,” Green said. “We have others who are very unassuming.”
The grooming process can also be extensive, Green said. North Korean IT workers invest heavily into building relationships with American conspirators, sometimes over months, in order to cultivate trust.
“We’ve seen them actually, in some cases, helping the facilitators with homework,” he said. “There’s a lot of social engineering that happens on that side, too.”
Some DPRK workers have really leaned in on American corporate culture and norms. Barnhart said he’s seen workers realize they’re about to be caught and announce that they are taking medical leave. U.S. companies are typically restricted from contacting employees who are on protected leave. In one instance, an employee got another six paychecks because he understood he could use that time to generate additional revenue for the scheme, said Barnhart.
But for every Kejia Wang who receives a near-decade prison sentence, there are facilitators who were never raided, never charged, and whose stolen or borrowed identities remain permanently lodged in an operation they may have had a hand in during a moment of weakness. At the UN event, Palo Alto’s Gordenker framed the stakes in human terms. The remote jobs that North Korean operatives are stealing—flexible, well-paying positions that can be done from home—are exactly the kind of work that Americans with disabilities, caregiving responsibilities, or limited mobility depend on.
“These are typically well-paying jobs, sometimes jobs that can be taken from home,” Gordenker said. “Folks that have issues with accessibility, folks that have children that they must care for, folks that are caring for elders—these are the types of jobs that would be gold mines for those families.”
