Nine Charged with Alleged Scheme to Generate Revenue for North Korean Government and Its Weapons of Mass Destruction Program

UPDATE: This press release was revised on July 3, 2025 to reflect that a 10th individual was charged in a separate charging document that was unsealed on July 2, 2025. 

BOSTON – Nine individuals have been indicted in Boston, Mass. including one New Jersey man and eight overseas actors from China and Taiwan in connection with an alleged scheme to generate revenue for the Democratic People’s Republic of Korea (DPRK) weapons of mass destruction (WMD) programs. The alleged scheme involved the dispatchment of skilled information technology (IT) workers who, using stolen identities of U.S. persons, posed as domestic workers to obtain remote IT jobs with U.S. companies, including several Fortune 500 companies and a defense contractor.

The following defendants have been indicted for their roles in the scheme, which generated at least $5 million in revenue for North Korea:  

1. U.S. national Zhenxing “Danny” Wang of New Jersey;
2. Chinese national Jing Bin Huang (靖斌 黄);
3. Chinese national Baoyu Zhou (周宝玉);
4. Chinese national Tong Yuze (佟雨泽);
5. Chinese national Yongzhe Xu (徐勇哲 andيونجزهي أكسو), currently residing in the United Arab Emirates;
6. Chinese national Ziyou Yuan (زيو), currently residing in the United Arab Emirates;
7. Chinese national Zhenbang Zhou (周震邦);
8. Taiwanese national Mengting Liu (劉 孟婷); and
9. Taiwanese national Enchia Liu (刘恩)

Zhenxing Wang was arrested earlier today in New Jersey. He will appear in federal court in Boston at a later date. A second U.S. national, Kejia “Tony” Wang of New Jersey, has also been charged in a separate charging document for his role in the scheme and has agreed to plead guilty.

As alleged in court documents, in response to U.S. and U.N. sanctions, the DPRK government has dispatched thousands of skilled IT workers around the world, who stole identities of U.S. persons and posed as domestic workers to obtain remote IT jobs with U.S. companies and generate revenue for DPRK weapons of mass destruction WMD programs. The DPRK IT workers’ scheme involved the use of pseudonymous email, social media, payment platform and online job site accounts, as well as false websites, proxy computers, and third-party enablers in the United States and abroad. According to the court documents the IT workers employed under this scheme also gained access to sensitive employer data and source code, including International Traffic in Arms Regulations data from a California-based defense contractor that develops artificial intelligence-powered equipment and technologies

“The threat posed by DPRK operatives is both real and immediate. Thousands of North Korean cyber operatives have been trained and deployed by the regime to blend into the global digital workforce and systematically target U.S. companies,” said United States Attorney Leah B. Foley. “We will continue to work relentlessly to protect U.S. businesses and ensure they are not inadvertently fueling the DPRK’s unlawful and dangerous ambitions.”

“These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” said John A. Eisenberg, Assistant Attorney General for the Department’s National Security Division. “The Justice Department, along with our law enforcement, private sector, and international partners, will persistently pursue and dismantle these cyber-enabled revenue generation networks.”

“The FBI will continue to work with our partners to expose and mitigate these fraudulent IT schemes and provide unwavering support to victims of North Korean cyber actors. While we have disrupted this group, this is merely the initial phase of the problem. The government of North Korea has trained and deployed thousands of IT workers to carry out similar schemes against U.S. companies daily. Protect your business by thoroughly vetting fully remote workers. The FBI strongly advises organizations to closely monitor their data, strengthen their remote hiring processes, and report any suspicious activity or fraud to the FBI,” said Rafik Mattar, Acting Special Agent in Charge of the Federal Bureau of Investigation (FBI), Las Vegas Division.

“These Indictments should act as a deterrent for individuals and foreign entities attempting to illegally export critical defense information,” said John E. Helsing, Acting Special Agent in Charge for the Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS) Western Field Office. “DCIS will continue to work aggressively with our law enforcement partners and the Department of Justice to investigate and prosecute those who threaten our National Security and America’s Warfighters.”

“This multiagency case demonstrates the power of law enforcement agencies collaborating to dismantle international fraudulent schemes involving technology,” said Shawn Gibson, Special Agent in Charge for Homeland Security Investigations (HSI) in San Diego. “Let this investigation prove that HSI will aggressively identify and bring to justice those who seek to steal intellectual property through illegal access to computer networks in order to financially profit and jeopardize U.S.-based businesses who have fallen victim to these actors.”

According to the indictment, from approximately 2021 through October 2024, the defendants and other co-conspirators perpetuated a massive fraud scheme resulting in the transmission of false and misleading information to dozens of U.S. companies, financial institutions, and government agencies, including the Department of Homeland Security (DHS), the Internal Revenue Service (IRS), and the Social Security Administration (SSA). Specifically, these defendants and their co-conspirators allegedly compromised the identities of more than 80 U.S. persons; fraudulently obtained remote jobs at more than 100 U.S. companies, including several Fortune 500 companies and a cleared defense contractor; received laptops and other hardware from U.S. companies; accessed, without authorization, the internal systems of these U.S. companies, including sensitive employer data and source code; generated at least $5 million in revenue for the overseas IT workers; and caused U.S. victim companies to incur legal fees, computer network remediation costs, and other damages and losses of at least $3 million.  

The overseas IT workers were allegedly assisted in this scheme by Kejia Wang, Zhenxing Wang, and at least four other identified U.S. facilitators. These facilitators allegedly received and/or hosted laptops belonging to U.S. victim companies at their residences to deceive the U.S. companies into believing the IT workers were in the United States. It is further alleged that they facilitated remote access to the computers for the overseas IT workers through illicit means, including downloading software to the computers without authorization from the U.S. companies, connecting the U.S. companies’ computers to internet-connected KVM switches, and creating shell companies with corresponding websites and financial accounts, including Hopana Tech LLC, Tony WKJ LLC and Independent Lab LLC to make it appear as though the overseas IT workers were affiliated with legitimate U.S. businesses. These facilitators also allegedly established accounts at U.S. financial institutions and online money transfer services to receive money from victimized U.S. companies, much of which was subsequently transferred to overseas co-conspirators. In exchange for their services, it is alleged that Kejia Wang, Zhenxing Wang, and the other U.S. facilitators collected at least $696,000 in fees.  

According to court documents, in October 2024, seven locations in New York, New Jersey and California were searched and voluntary interviews at so-called “laptop farms” were conducted (that is, premises used to host U.S company laptop computers used in furtherance of the scheme), resulting in the recovery of more than 70 victim company devices. Additionally, 21 fraudulent web domains used to facilitate North Korean IT work have been seized, and 29 financial accounts, holding tens of thousands of dollars in funds, used to launder revenue for the North Korean regime through remote IT work.

Also today, the Northern District of Georgia unsealed an indictment charging four North Korean nationals with a scheme to steal virtual currency held by two victim companies valued at over $750,000 and laundering the proceeds overseas. Unlike traditional North Korean IT workers, who usually seek employment with the goal of remitting their salaries back to North Korea, the defendants charged by the Northern District of Georgia allegedly sought employment with virtual currency-related businesses to earn the trust of those businesses and then stole those businesses’ virtual assets.

Today’s announcement is the culmination of a multi-year investigation by federal law enforcement agencies and is one of several announced today as part of the Justice Department’s initiative, DPRK: Domestic Enabler. Under the initiative, Department prosecutors and agents continue to prioritize high-impact, strategic, and unified enforcement and disruption operations targeting DPRK’s illicit revenue generation efforts through remote IT workers, and the U.S.-based individuals who enable them.

The U.S. Department of State has offered potential rewards for up to $5 million in support of international efforts to disrupt North Korea’s illicit financial activities, including for certain information related to individuals who are sent outside of North Korea to work to generate money for the North Korean government or who facilitate the activities of such North Korean nationals.

The charges of conspiracy to commit mail and wire fraud, conspiracy to commit money laundering and conspiracy to violate the International Emergency Economic Powers Act (IEEPA) each provide for a sentence of up to 20 years in prison, three years of supervised release and a fine of $250,000. The charge of conspiracy to cause damage to a protected computer provides for a sentence of up to 15 years in prison, three years of supervised release and a $250,000 fine. The charge of conspiracy to commit identity theft provides for a sentence of up to five years in prison, three years of supervised release and a $250,000 fine. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and statutes which govern the determination of a sentence in a criminal case.

U.S. Attorney Foley; AAG Eisenberg; FBI Las Vegas Acting SAC Mattar; DCIS San Diego Acting SAC Helsing; and HSI San Diego SAC Shawn Gibson made the announcement today. Assistant U.S. Attorney Jason Casey of the National Security Unit is prosecuting the case along with Trial Attorney Gregory J. Nicosia, Jr. of the National Security Division’s National Security Cyber Section. Valuable assistance was provided by FBI New York, Newark and San Diego Field Offices; HSI Newark Field Office; United States Postal Inspection Service’s San Diego Field Office; and the U.S. Attorney’s Offices for the District of New Jersey, the Eastern District of New York and the Southern District of California.

The details contained in the charging document are allegations. The defendants are presumed to be innocent unless and until proven guilty beyond a reasonable doubt in the court of law.