DOJ blows open North Korea’s ghost-worker plot — ‘laptop farms’ helped breach 136 American companies from abroad

A complex employment fraud scheme has been exposed after Audricus Phagnasay, Jason Salazar, Alexander Paul Travis, Erick Ntekereze Prince, and Oleksandr Didenko pleaded guilty to helping North Korean IT workers obtain remote jobs at U.S. companies. The workers, who were operating from outside the United States, used stolen or borrowed identities to appear as U.S.-based employees.

The scheme functioned through what officials called “laptop farms.” Company-issued laptops were shipped to addresses provided by the defendants and kept inside their homes. This created the false impression that the hired workers were based in the United States. In reality, the laptops were remotely controlled by North Korean workers abroad.

Authorities said the operation affected more than 136 U.S. companies. The foreign workers earned more than $2.2 million, with the revenue directed to their home country, which is under sanctions for weapons development and cyber activity.

How the laptop farms and identity theft allowed the scheme to function

The defendants assisted the overseas workers by providing their own U.S. identities or supplying stolen identities of American citizens. Using these identities, the workers applied for remote IT positions and were hired by companies that believed they were employing U.S.-based staff. The companies then issued laptops and work accounts tied to those identities.

Once the laptops arrived at the defendants’ homes, remote access software was installed, allowing the foreign workers to operate the devices as if they were physically inside the United States. Because the laptops were located domestically, employer systems detected normal U.S. login activity rather than foreign access.
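Because the logins look domestic, a defender has to rely on logistics and host inventory rather than IP geolocation. The following sketch is an added example, not taken from the article or the court filings: it flags shipping addresses that receive laptops for several different employees and notes which of those devices report remote-control software. The record layout, tool names and allowlist are assumptions, and the sample data is constructed.

```python
import re
from collections import defaultdict

# Assumed allowlist: remote-access tools the IT department itself deploys.
APPROVED_REMOTE_TOOLS = {"corp-helpdesk-agent"}
# Assumed watchlist of remote-control software names as reported by endpoint inventory.
REMOTE_TOOLS = {"anydesk", "teamviewer", "rustdesk", "corp-helpdesk-agent"}

# Constructed sample inventory: (device_id, employee_id, shipping address, installed software)
DEVICES = [
    ("LT-001", "emp-17", "12 Oak St., Apt 4, Springfield", ["chrome", "AnyDesk"]),
    ("LT-002", "emp-23", "12 oak st apt 4 springfield", ["TeamViewer", "slack"]),
    ("LT-003", "emp-31", "12 Oak St Apt 4, Springfield", ["slack"]),
    ("LT-004", "emp-40", "9 Elm Rd, Shelbyville", ["corp-helpdesk-agent", "chrome"]),
    ("LT-005", "emp-52", "77 Pine Ave, Ogdenville", ["AnyDesk"]),
]

def normalize_address(addr):
    """Lower-case and strip punctuation so formatting variants of one address match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())

def unapproved_remote_tools(software):
    """Return remote-control tools on a device that IT did not deploy."""
    names = {s.lower() for s in software}
    return sorted((names & REMOTE_TOOLS) - APPROVED_REMOTE_TOOLS)

def find_laptop_farm_candidates(devices, min_employees=2):
    """Flag addresses that hold laptops for several distinct employees."""
    by_addr = defaultdict(list)
    for dev in devices:
        by_addr[normalize_address(dev[2])].append(dev)
    findings = {}
    for addr, devs in by_addr.items():
        employees = {d[1] for d in devs}
        if len(employees) < min_employees:
            continue  # one employee per address is the normal case
        remote = {d[0]: unapproved_remote_tools(d[3]) for d in devs}
        remote = {dev_id: tools for dev_id, tools in remote.items() if tools}
        findings[addr] = {
            "employees": sorted(employees),
            "devices_with_remote_tools": remote,
            # Shared address plus unapproved remote control is the laptop-farm pattern.
            "severity": "high" if remote else "review",
        }
    return findings

if __name__ == "__main__":
    for addr, info in find_laptop_farm_candidates(DEVICES).items():
        print(addr, info)
```

A shared address alone can be legitimate (housemates, a co-working space), which is why that case is only marked for review.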

To further support the deception, some of the defendants even took drug tests on behalf of the workers, helping them pass standard employment screenings.

The fraudulent positions generated more than $1.28 million in salary payments. The defendants received only a small share, while most of the earnings were sent overseas. Oleksandr Didenko, who was involved in identity theft, earned hundreds of thousands of dollars by selling stolen personal information to foreign IT workers.

Links to major cyber groups and revenue streams for a foreign regime

Officials connected the scheme to a long-running effort associated with a well-known foreign cyber group active for more than a decade. This group has carried out cyberattacks, cryptocurrency thefts, and financial crimes that support government programs.

The foreign regime deploys trained IT workers to earn income through remote work. These workers operate under strict oversight and are required to send a significant portion of their earnings back. To hide their true identity, they often present themselves as U.S.-based or non-North Korean contractors and may subcontract work to avoid detection.

Government advisories issued in 2022 detailed how these workers use stolen identities, VPNs, and U.S. bank accounts to appear as domestic applicants. The advisories also warned that, while the work they perform is usually standard IT work, the access they obtain can enable malicious cyber activity. Some advisories published in later years were removed without explanation.

Authorities also announced that more than $15 million in USDT was seized in connection with four cryptocurrency heists carried out in 2023. The attacks targeted payment processors and exchanges in Estonia, Panama, and Seychelles.

Guilty pleas, charges, and recovery of stolen funds

All five defendants—Audricus Phagnasay, Jason Salazar, Alexander Paul Travis, Erick Ntekereze Prince, and Oleksandr Didenko—pleaded guilty to wire fraud. Didenko also pleaded guilty to aggravated identity theft.

Didenko admitted to running a long-term identity theft operation in which he collected personal data of U.S. citizens and sold those identities to overseas workers, enabling them to obtain jobs at roughly 40 U.S. companies. As part of his plea agreement, he will forfeit more than $1.4 million in digital and traditional currency seized during the investigation.

Authorities stated that the scheme undermined U.S. hiring systems by deceiving employers into believing the workers were physically located in the country. The combination of false identities, laptop farms, and remote access tools made the operation difficult to detect.

Officials added that efforts to recover additional stolen cryptocurrency are ongoing.
