DOJ Announces Major Enforcement Actions Targeting North Korean Remote IT Worker Schemes
Client Alert | 4 min read | 11.18.25
On November 14, 2025, the U.S. Department of Justice (DOJ) announced a sweeping series of enforcement actions, including four guilty pleas and more than $15 million in civil forfeitures against the Democratic People’s Republic of Korea (DPRK or North Korea) for remote information technology (IT) worker schemes. These actions underscore the federal government’s escalating focus on the exposure of U.S. companies to North Korean IT worker infiltration, following a series of U.S. Government actions against the DPRK.
According to FBI Public Service Announcements released in May 2024 and January 2025, remote IT workers from North Korea have impersonated legitimate IT professionals to carry out data extortion and steal proprietary and sensitive information from U.S. companies. North Korean agents pose as candidates for remote IT positions offered by U.S. companies across an array of industries. These schemes routinely utilize AI, stolen identities, alias email addresses, social media accounts, online cross-border payment platforms, job site profiles, fraudulent websites and proxy computers to convince prospective employers that the candidate is viable. Once hired, the North Korean actors may gain access to employer systems with sensitive data, including personal data, financial information, and intellectual property (IP) and trade secret information.
These actions come after DOJ enforcement actions announced on June 30, 2025, and after the Office of Foreign Assets Control imposed sanctions on individuals and entities facilitating North Korea’s remote IT worker schemes earlier this year, on July 8, July 24, and August 27, 2025.
Crowell & Moring LLP continues to follow these developments, as these schemes carry substantial operational, reputational, financial, and legal risks for target companies, illustrating the importance of comprehensive cybersecurity governance.
Key Takeaways
- North Korean “Remote IT Worker” Threat Continues to Escalate. In its November 14 announcement, the DOJ revealed that facilitators in the United States and Ukraine helped DPRK IT workers fraudulently obtain remote work with more than 136 U.S. victim companies, using stolen or synthetic identities and U.S.-based proxy hosts for company-issued devices. These defendants compromised the identities of more than 18 U.S. persons and generated more than $2.2 million in revenue for the North Korean government. Companies are being urged by the FBI to strengthen identity verification, device-control procedures, and remote-work vetting, as DPRK IT workers have, according to the DOJ announcement, engaged in data exfiltration, extortion, and compromise of proprietary systems once hired.
- Cryptocurrency Platforms Remain High-Value Targets. The DOJ also filed two civil forfeiture actions against Advanced Persistent Threat 38 (APT38), a North Korean military hacking unit implicated in such schemes. The first is worth over $15 million in USDT, a virtual currency pegged to the U.S. Dollar, and the second is related to four heists committed in 2023 for $37 million, $100 million, $138 million, and $107 million in virtual currency across platforms in Estonia, Panama, and Seychelles.
- Expanding Criminal Liability from Domestic Facilitators. The guilty pleas span conduct including providing or selling stolen U.S. identities to overseas IT workers; hosting company laptops to spoof U.S.-based employment; defeating or circumventing employer vetting (including drug testing); and placing workers with falsified credentials into U.S. companies via staffing platforms. The DOJ signaled that these cases are part of a larger “DPRK RevGen: Domestic Enabler initiative,” meaning U.S. individuals and entities—knowingly or unknowingly—assisting DPRK operations will face heightened scrutiny. The Department previously announced other actions pursuant to the initiative, including in January and June 2025.
Recommended Actions
- Enhance identity verification processes for remote hires, with a special focus on contractors, short-term roles, and gig-based IT positions.
- Review and strengthen remote-access security controls, such as geolocation tracking, device binding, mandatory multi-factor authentication (MFA), and restrictions on remote desktop tunneling.
- Review and update procurement procedures and vendor due diligence, especially with staffing agencies and talent marketplaces.
- Conduct internal reviews for anomalous login activity, improbable travel patterns, and simultaneous use of multiple devices, which could suggest "proxy hosting."
- Implement sanctions screening and reviews of vendors and third parties to detect the use of aliases and questionable parent or subsidiary organizations, and map payments to confirm their destination.
- Conduct forensic analysis of systems accessed by suspicious users and evaluate whether information subject to ITAR or EAR controls may have been compromised.
Conclusion
Crowell & Moring LLP remains well positioned to serve clients who may be at risk and/or concerned with such schemes. With decades of collective experience in senior positions at key federal agencies and private-sector firms, as well as extensive work supporting clients across industries and sectors, we offer expertise in investigations, sanctions, and export controls. Our team delivers coordinated and knowledgeable strategies designed to address these challenges while minimizing legal risk and preserving privilege. We assist companies throughout every phase of these matters—from conducting risk assessments and internal investigations to remediation, regulatory disclosures, and both civil and criminal defense.