
A serving US soldier with “secret” clearance took money from North Korea to host computers controlled by its government in their California home.
That's according to a federal investigation that said a defense contractor and semiconductor distributor were among the victims of the IT scam.
The Department of Justice (DoJ) said the unnamed soldier was part of a group of US and Chinese citizens who used stolen identities and US-based laptop farms to help North Koreans take on remote IT work in over 100 US companies.
They used their access to steal "sensitive documents and computer files" from a California-based defense contractor, a DoJ indictment showed.
Assistant Attorney General John Eisenberg of the DoJ’s National Security Division said: “These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs.”
Hundreds of victims
The soldier’s involvement came to light in a June 26 indictment against nine US, Chinese and Taiwanese citizens on charges including conspiracy to commit money laundering, identity theft and wire fraud. The alleged multi-year scheme resulted in data theft and saw the staff earn $5 million from US businesses, including Fortune 500 members.
Among those victims were software companies, chip manufacturers, and a California defence company developing AI-powered equipment, which unwittingly hired multiple North Korean workers and sent out corporate laptops equipped with remote access software allowing the operation of laptop farms.
The DoJ said around 200 computers, 29 financial accounts, and 21 fraudulent websites had been seized as part of the investigation, coordinated with the FBI and local investigators in 16 states.
The remote worker scam has been known to authorities in North America and Europe since at least 2020, with repeated warnings from intelligence teams including Google’s Mandiant, which flagged fake contractors in September 2024, and detected increased activity around the scam in Europe in April 2025.
An FBI public advisory in 2022 said workers were earning more than $300,000 each through the scam, and the DoJ has previously made hundreds of charges against participants, including the indictment in January of two North Koreans and three facilitators it said had also duped US companies with the use of laptop farms.
At the same time as the DoJ’s newest indictment, Microsoft Threat Intelligence also highlighted new tactics used in the scam, tracked as Jasper Sleet, including the use of AI tools to change images on stolen documents and disguise voices.
It said Microsoft had also suspended 3,000 accounts created by North Korean IT workers and was now using machine learning to detect suspect accounts and warn customers through its Entra ID Protection and Defender XDR services.