
North Korea’s “Laptop Farms” Evolve Into Cyber Threat: From Hard-Currency Schemes to Internal Infiltration

Real name
Oliver Griffin
Bio
Oliver Griffin is a policy and tech reporter at The Economy, focusing on the intersection of artificial intelligence, government regulation, and macroeconomic strategy. Based in Dublin, Oliver has reported extensively on European Union policy shifts and their ripple effects across global markets. Prior to joining The Economy, he covered technology policy for an international think tank, producing research cited by major institutions, including the OECD and IMF. Oliver studied political economy at Trinity College Dublin and later completed a master’s in data journalism at Columbia University. His reporting blends field interviews with rigorous statistical analysis, offering readers a nuanced understanding of how policy decisions shape industries and everyday lives. Beyond his newsroom work, Oliver contributes op-eds on ethics in AI and has been a guest commentator on BBC World and CNBC Europe.


Exploiting the pandemic-era surge in remote work through “disguised employment”
Hundreds of laptops stockpiled in U.S. homes, with proxies “clocking in” on their behalf
Holding long-term roles across multiple companies to secure sustained “access privileges”
Christina Chapman’s laptop farm (Photo: U.S. Department of Justice)

North Korean information-technology (IT) personnel are increasingly systematizing disguised employment schemes that exploit remote work, taking the form of so-called “laptop farms.” The method involves landing jobs at U.S. companies using stolen or forged identities, then remotely controlling laptops physically located in the United States to perform the work. Experts say the activity is evolving beyond simple hiring fraud or hard-currency generation, toward a more advanced model aimed at accessing multiple companies and securing long-term internal footholds. As the operation expands into a model that mobilizes U.S.-based facilitators to establish attack pathways inside corporate environments, it is emerging as a new category of cyber-security threat.

Laptop Farms Brought to Light by the Chapman Case

On December 16 (local time), Bloomberg reported that “North Korea is exploiting the lax remote hiring systems of U.S. companies to disrupt America’s national security and economic system,” placing the laptop-farm model under a spotlight. Laptop farms operate by using stolen or forged U.S. identification to place North Korean workers into IT roles at U.S. firms, then enabling them to access U.S.-based laptops remotely and carry out their duties. North Korea’s fraud campaign using remote work has persisted since 2020 in the wake of the COVID-19 pandemic, but the “farm” model—built around laptop clusters inside the United States—scaled in earnest after 2023.

Bloomberg cited the Christina Chapman case, the first laptop-farm operation uncovered by authorities. Chapman, who had been struggling financially while working as a waitress and massage therapist, posted on LinkedIn in March 2020 that she had completed a coding boot camp. Around that time, she received an offer from an entity that asked her to “be the face of a software company.” It presented itself as a firm connecting overseas engineers with U.S. companies, but in reality it was a shell company created by the North Korean government to generate hard currency.

Chapman’s role was to receive laptops shipped to her home in Litchfield Park, Arizona, power them on, and keep them connected to the internet. U.S. companies believed their newly hired employees were logging in and working from within the United States, but in fact North Korean IT workers based overseas were accessing those laptops via remote-control software to perform the work. The numerous laptops lining shelves in Chapman’s home blinked continuously, serving as access conduits into U.S. companies for North Korean workers.

It remains unclear whether Chapman fully understood that her “clients” were tied to North Korea. However, after she began complying with their demands, the operation expanded rapidly, and North Korean hackers are believed to have generated substantial proceeds. Chapman was ultimately sentenced by a U.S. court to 102 months (8 years and 6 months) in prison. The U.S. Department of Justice said the group used stolen U.S. identities to secure remote employment at prominent companies, and that millions of dollars in wages earned through the scheme flowed to Pyongyang. U.S. authorities believe the funds were diverted to North Korea’s weapons of mass destruction (WMD) development programs.

The laptop-farm phenomenon extends beyond this case. On June 30, the U.S. Department of Justice searched 29 laptop farms across 16 states including California, freezing 29 financial accounts used for illicit money laundering and 21 fraudulent websites. According to the Department of Justice, from 2021 through October of last year, North Korean IT workers—assisted by facilitators in the United States, China, the United Arab Emirates (UAE), and Taiwan—stole more than 80 U.S. identities to gain employment at over 100 U.S. companies. Losses suffered by victim firms—including legal expenses and computer-network restoration costs—were estimated at a minimum of $3 million.

Targeting Remote Work Through Contract and Outsourced Hiring

The problem is that North Korea’s disguised employment is not merely the misconduct of individual workers; it is taking on the characteristics of a structured network crime centered on specific organizations. U.S. security firm Mandiant has identified UNC5267 as a core group behind this activity. Rather than a tightly centralized hacking unit, UNC5267 is assessed as a loosely connected constellation of IT personnel linked to the North Korean government, primarily infiltrating remote-work roles at Western companies to generate hard currency.

UNC5267 personnel typically targeted positions that could be performed 100% remotely, entering companies through contract roles or outsourced arrangements. They concealed their true identities by using front companies and relied on facilitators—often non–North Korean nationals—to obtain and maintain employment. In this process, facilitators played critical roles: providing stolen U.S. identities, handling employment-verification procedures on their behalf, and receiving and storing company-issued laptops at their own residences.

In some cases, after securing employment, they obtained internal access by gaining authority over code changes or system administration privileges. Investigations also found it was common for the same individual to hold concurrent employment at multiple companies and draw multiple paychecks. Wages were routed through facilitators, laundered, and then delivered to North Korean personnel based overseas, with portions believed to have been remitted onward to Pyongyang. Mandiant noted the possibility that the group was operating with an eye not only to short-term revenue but also to securing longer-term access privileges.

This collaborative structure was not limited to isolated incidents. U.S. investigators found that one U.S.-based facilitator linked to UNC5267 stole the identities of more than 60 Americans and placed North Korean personnel into jobs at more than 300 U.S. companies. The minimum proceeds generated over three years from October 2020 totaled $6.8 million. This raises the possibility that the network came into contact with numerous companies simultaneously, rather than inflicting one-off damage limited to a single firm.

Developer-Centered Privilege Concentration Could Amplify System Damage

More recently, North Korea’s disguised-employment activity has evolved beyond serving as a channel for earning wages and delivering hard currency to Pyongyang, reaching a stage where it can degrade corporate systems or execute malicious programs. This threat is not confined to the United States. Similar cases have been detected in Europe and Asia, exploiting remote development environments. Because the issue can function as a potential pathway for internal attacks, going beyond hiring risk at individual firms or management failures in a specific country, it is increasingly recognized as a shared risk across the global IT ecosystem.

In the IT sector, North Korea’s infiltration and threat are no longer simply a national-security issue; they are shaking the foundations of the “developer trust model” that the global IT industry has long taken for granted. Executives have traditionally viewed developers not as internal threats but as key actors who design and maintain stable systems and resolve problems across the information-technology function. Yet as remote development and work-from-home arrangements have become mainstream since the pandemic, control mechanisms rooted in physical space and time have weakened sharply, and the tacit trust embedded in legacy organizational culture is increasingly seen as untenable as an automatic premise.

As a result, the locus of debate is shifting away from North Korea’s security threat per se or the loose management controls of remote-work systems, toward the allocation of privileges and the design of job structures. In environments where source-code access, server and network administration rights, and authority over the use and distribution of information are concentrated at the individual level, the insertion of malicious intent can allow a single developer to inflict severe damage across an entire system. This does more than underscore a state-backed cyber threat; it poses a fundamental question about how developer privileges have been architected in remote development environments.
