$5M Fraud Case: How Fake Remote Workers Cleared Payroll and AP Controls
Two U.S. nationals were sentenced for their roles in facilitating North Korean remote IT workers posing as U.S. residents to obtain work at more than 100 U.S. companies, the U.S. Department of Justice (DOJ) announced.
The fraud scheme generated more than $5 million in illicit payments while costing firms at least $3 million in losses and remediation. It exposed a breakdown in payment controls, as companies wired wages and contractor fees to impostors.
Fraud Sentencing and the Financial Impact
On December 12, 2024, a federal court in St. Louis indicted 14 North Korean nationals for using fake identities to obtain IT jobs with U.S.-based companies. According to the indictment, some of the North Korean nationals also extorted their employers by threatening to post – or actually posting – company info on the dark web unless they received payment.
Two U.S. nationals have pleaded guilty for their role in the fraud:
- Kejia Wang, of Edison, New Jersey, was sentenced to 108 months in prison. He pleaded guilty to conspiracy to commit wire fraud, conspiracy to commit money laundering, and conspiracy to commit identity theft.
- Zhenxing Wang, of New Brunswick, New Jersey, was sentenced to 92 months in prison. He pleaded guilty to conspiracy to commit wire fraud and conspiracy to commit money laundering.
The defendants were also ordered to forfeit $600,000 that was paid to them for facilitating the North Koreans. As of April 2026, the U.S. has already received $400,000 of that amount. The court also ordered Kejia Wang to pay $29,236.03 in restitution.
How the Scheme Worked
Between 2021 and 2024, the defendants and their co-conspirators used stolen or fabricated U.S. identities to apply for remote IT jobs online.
Posing as legitimate contractors and/or full-time developers, they cleared initial screens by submitting fake credentials, resumes and even video interviews using deepfake technology or stand-ins. They were hired for remote positions at over 100 U.S. companies, including Fortune 500s. Companies paid these workers through direct deposit, wire transfers or gig platforms, with payments running through payroll and vendor cycles as routine transactions.
Acting as U.S. facilitators, the defendants managed and operated “laptop farms,” meaning they stored hundreds of computers owned by U.S. company-victims in their homes. They also connected hardware that enabled overseas IT workers to access the laptops remotely, deceiving the companies into believing that the work was being performed in the U.S.
According to the DOJ, the defendants also created shell companies with corresponding financial accounts to make it appear as though the overseas IT workers were affiliated with legitimate U.S. businesses. The financial accounts of these shell companies received millions from victimized U.S. companies, much of which was subsequently transferred to overseas co-conspirators. In exchange for their services, Kejia Wang and Zhenxing Wang received about $600,000 for their respective roles in the scheme.
Where Payment Controls Broke Down
Payments were issued through standard processes, including payroll runs for employees and contractor payments through accounts payable (AP) or gig platforms. Once workers were set up in payroll or vendor systems, those payments were treated as routine transactions.
Direct losses came from ongoing payments – once set up, fake workers were paid continuously as if they were legitimate employees or contractors. Indirect costs also mounted, with companies suffering more than $3 million in damages from network breaches that led to data theft, password resets, forensic audits and legal fees.
Tax reporting issues followed. Firms issued W-2s and 1099s tied to false identities, triggering IRS scrutiny and potential penalties for inaccurate reporting. Anti-money laundering (AML) teams flagged suspicious wires after funds had already moved to crypto wallets or overseas accounts, evading know-your-customer (KYC) rules.
The deeper problem is structural. Transaction monitoring systems are built to watch how money moves — not to determine whether the recipient is real. By the time anything looks suspicious, multiple payment cycles have already cleared. The breakdown is also organizational: HR handles onboarding, and Finance handles payment execution, but in most organizations, nobody is explicitly responsible for validating that the two align. Closing that divide requires coordination between hiring and payment functions — neither can catch this alone.
“Protect your business by thoroughly vetting fully remote IT workers. One of the ways to help minimize your risk is to insist current and future IT workers appear on camera as often as possible if they are fully remote,” said Ashley T. Johnson, Special Agent in Charge of the FBI’s St. Louis Field Office.
Finance teams can support this by tying first payment approval to verified worker identity.
Controls to review include:
- Bank account verification before first payment (ownership match or micro-deposit validation)
- First-payment flags for new employees and vendors
- Separation between onboarding approval and payment authorization
- Periodic revalidation of active payees receiving ongoing payments
Why This Risk Isn’t Going Away
This fraud scheme reflects a broader payment risk. North Korean IT fraud has targeted U.S. firms since 2020, with losses exceeding $100 million across cases.
In one recent notable case costing upwards of $17 million, an Arizona woman was sentenced to 102 months in prison for her role as a U.S. facilitator, hosting laptop farms for North Korean IT workers posing as U.S. citizens. In response, FBI Phoenix issued guidance on detecting North Korean IT workers.
In 2022, the FBI, the State Department and the Treasury issued a joint advisory warning the public of the threat posed by North Korean IT workers posing as U.S. citizens.
The warning lists these finance-specific red flags to be wary of:
- If a freelance software development website or payment platform account has been shut down or the worker contacts the employer requesting use of a different account, especially if registered to a different name
- Use of digital payment services, especially services linked to the People’s Republic of China
- Seeking payment in virtual currency in an effort to evade KYC/AML measures and use of the formal financial system, and
- Requesting payment for contracts without meeting production benchmarks or check-ins.
Organizations should review payment controls tied to newly onboarded workers. Once a fake identity is set up in payroll or AP, payments then move with the same trust as any legitimate payee.
Finance controls need to focus on payment execution: validating payees before the first payment and treating new or changed payment details as high-risk events.
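The four controls listed above, together with two of the advisory's red flags (changed payment details and a request for virtual currency), can be expressed as a hold check that runs before each payment is released. This is an added example, not code from the DOJ, the FBI or any company in the case; the record fields, the 180-day revalidation interval and the sample payees are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REVALIDATE_AFTER = timedelta(days=180)  # assumed policy interval, not from the article

@dataclass
class Payee:                  # hypothetical record joining HR and AP/payroll data
    payee_id: str
    legal_name: str           # identity verified at onboarding
    account_owner: str        # name the bank reports for the account
    account_verified: bool    # ownership match or micro-deposit confirmed
    onboarded_by: str
    payment_approver: str
    payments_made: int
    last_validated: date
    details_changed: bool = False   # payment details changed since validation
    method: str = "ach"             # "ach", "wire" or "virtual_currency"

def review_payment(p: Payee, today: date) -> list[str]:
    """Return hold reasons for the next payment; an empty list means release."""
    holds = []
    if not p.account_verified:
        holds.append("account_unverified")
    if p.account_owner.strip().lower() != p.legal_name.strip().lower():
        holds.append("owner_name_mismatch")
    if p.payments_made == 0:
        holds.append("first_payment")
    if p.onboarded_by == p.payment_approver:
        holds.append("no_separation_of_duties")
    if today - p.last_validated > REVALIDATE_AFTER:
        holds.append("revalidation_overdue")
    if p.details_changed:
        holds.append("payment_details_changed")
    if p.method == "virtual_currency":
        holds.append("virtual_currency_requested")
    return holds

# Constructed sample payees (not real people or companies).
TODAY = date(2025, 1, 15)
PAYEES = [
    Payee("P-001", "Dana Ortiz", "Dana Ortiz", True, "hr.kim", "ap.roy", 14, date(2024, 11, 1)),
    Payee("P-002", "Jordan Ellis", "Northfield Dev LLC", False, "hr.lee", "hr.lee", 0, date(2025, 1, 10)),
    Payee("P-003", "Sam Reyes", "Sam Reyes", True, "hr.kim", "ap.roy", 9, date(2024, 5, 1), True, "virtual_currency"),
]
def review_batch(payees, today):
    return {p.payee_id: review_payment(p, today) for p in payees}

if __name__ == "__main__":
    for pid, holds in review_batch(PAYEES, TODAY).items():
        print(pid, "RELEASE" if not holds else "HOLD: " + ", ".join(holds))
```

The established payee is released, while the new contractor and the long-running payee with changed details are held for review before money moves.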