# Two North Korean IT Worker Scheme Facilitators Sentenced in Major Identity Theft Case


Kejia Wang and Zhenxing Wang, two individuals who facilitated a sophisticated scheme to infiltrate American companies using stolen identities, have been sentenced to prison following a federal investigation. The case represents one of the most significant prosecutions involving North Korean state-sponsored employment fraud, highlighting a growing threat to US corporate security and national defense.


## The Scheme and Arrests


The two defendants orchestrated an extensive identity theft operation that compromised dozens of US citizens' personal information to create fake credentials and employment backgrounds. These fraudulent identities were then used to secure positions at over 100 American companies, potentially exposing sensitive data, intellectual property, and critical infrastructure to unauthorized access and surveillance.


Key Facts:

- Scope: Identity information from dozens of US persons was stolen and repurposed
- Scale: Jobs secured at 100+ companies across multiple sectors
- Duration: The operation spanned several years before detection and dismantling
- Outcome: Both defendants were convicted and sentenced to federal prison

The prosecution culminated in federal convictions that demonstrate law enforcement's ability to identify and prosecute operatives involved in state-sponsored cyber-enabled employment fraud schemes.


## Background and Context

North Korea has long been identified as an active threat actor in cyberspace, with multiple government agencies attributing financially motivated and espionage-driven cyber operations to Pyongyang. However, this case reveals a distinct methodology: rather than relying solely on remote hacking, North Korean operatives sought to place individuals directly inside American organizations under false pretenses.

Historical Context:

The North Korean regime faces severe international sanctions and economic isolation, creating motivation to fund government operations and military development through alternative means. Cybercrime and intellectual property theft are known revenue streams for the regime, generating millions in hard currency while simultaneously advancing espionage objectives.

Previous investigations have linked North Korea to:

- The Sony Pictures attack (2014) - a destructive campaign attributed to the Lazarus Group
- WannaCry ransomware (2017) - widespread malware used for financial extortion
- Cryptocurrency theft - multiple exchange hacks netting hundreds of millions of dollars
- Healthcare ransomware campaigns - targeting hospitals and medical infrastructure globally

This identity-based employment scheme represents an evolution in tactics, combining traditional identity fraud with state-sponsored objectives.


## Technical and Operational Details

The defendants' operation relied on several key steps to compromise the hiring process and gain access to sensitive environments:

### Identity Compromise and Creation

The criminals obtained personal identifying information (PII) from US citizens through various means, including data breaches, phishing campaigns, or purchase from cybercriminal marketplaces. This information included:

- Social Security numbers
- Names and dates of birth
- Employment history details
- Educational credentials

### Credential Fabrication

Using stolen identities as foundations, the defendants created complete but fraudulent professional profiles, including:

- Fake educational backgrounds and certifications
- Fabricated employment histories
- Doctored diplomas and credential documents
- Artificial professional references

### Placement and Access

With these synthetic identities in place, the conspirators applied for positions at target companies. Once hired, they could:

- Access internal networks and systems
- Steal proprietary technical data
- Monitor communications and security protocols
- Identify additional vulnerabilities for exploitation

## Implications for Organizations

This prosecution underscores vulnerabilities in corporate hiring and vetting processes that extend beyond traditional cybersecurity concerns:

### Identity Verification Gaps

Many organizations rely on:

- Resume and credential verification through digital platforms that may not authenticate sources
- Background checks that may not detect sophisticated document forgery
- I-9 verification processes that depend on document authenticity
- Social media profiling that can be spoofed or manipulated

### Insider Threat Exposure

Once employed, operatives with stolen identities can:

- Access classified or sensitive technical information
- Participate in research and development activities
- Obtain details about corporate security infrastructure
- Establish persistence mechanisms for long-term exploitation
- Exfiltrate data to foreign entities

### Supply Chain Risk

Companies that were compromised may have become unwitting participants in supply chain attacks, potentially allowing North Korean entities to:

- Gain access to downstream customers and partners
- Understand critical infrastructure connections
- Identify additional targets for exploitation
- Develop targeted cyberattacks informed by insider knowledge

## Sector-Specific Vulnerabilities

Organizations in high-value sectors were likely targeted, including:

- Defense contractors - for classified technology and procurement information
- Technology companies - for artificial intelligence, semiconductor, and software IP
- Energy companies - for critical infrastructure details
- Financial institutions - for banking systems and transaction protocols
- Telecommunications - for network infrastructure knowledge

## Recommendations for Organizations

### Enhanced Hiring Verification

Immediately implement:

- Direct credential verification - contact educational institutions and prior employers directly
- Document forensics - use professional services to authenticate diplomas and certificates
- Enhanced background checks - employ specialized firms experienced in detecting synthetic identity fraud
- Reference verification - conduct thorough interviews with listed professional references
- Identity proofing - require government-issued ID verification during hiring

### Access Control Improvements

Establish multi-layered security:

- Zero-trust architecture - verify all users and devices, not just perimeter security
- Enhanced monitoring - flag unusual data access patterns, especially from new employees
- Segregated access - limit initial access to non-sensitive systems during probationary periods
- Activity logging - maintain detailed audit logs of employee system access
- Multi-factor authentication - require MFA for all sensitive system access
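The "enhanced monitoring" and "segregated access" points above can be combined into a simple review rule over audit logs: flag accounts still inside their probationary window that touch sensitive paths, work off-hours, or pull bulk downloads. The following is an added illustration, not code from the article or from any investigating agency; the hire roster, log format, path prefixes and thresholds are all constructed assumptions.

```python
from datetime import date, datetime, timedelta

# Constructed sample data, not drawn from the article: hire dates and audit log lines.
PROBATION_DAYS = 90
SENSITIVE_PREFIXES = ("/repos/firmware", "/hr/pii", "/finance")
BULK_BYTES = 10_000_000          # downloads at or above this size are worth a look
BUSINESS_HOURS = range(6, 20)    # local-time hours treated as normal working hours

HIRES = {"jdoe": date(2024, 5, 1), "asmith": date(2023, 1, 15)}

AUDIT_LOG = """\
2024-05-10T02:14:00 jdoe GET /repos/firmware/build.zip 48000000
2024-05-10T09:02:00 jdoe GET /wiki/onboarding 12000
2024-05-11T03:40:00 jdoe GET /hr/pii/export.csv 910000
2024-05-11T10:00:00 asmith GET /repos/firmware/README.md 2000
2024-05-12T11:30:00 jdoe GET /wiki/handbook 8000
"""

def parse_line(line):
    """Split one constructed audit record into (timestamp, user, path, bytes)."""
    ts, user, _method, path, size = line.split()
    return datetime.fromisoformat(ts), user, path, int(size)

def on_probation(user, when, hires):
    """True while the account is within PROBATION_DAYS of its hire date."""
    hired = hires.get(user)
    return hired is not None and when.date() - hired < timedelta(days=PROBATION_DAYS)

def flag_events(log_text, hires):
    """Return (user, path, reasons) for each probationary-account access that merits review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, path, size = parse_line(line)
        if not on_probation(user, when, hires):
            continue  # established staff are judged against their normal baseline, not this rule
        reasons = []
        if path.startswith(SENSITIVE_PREFIXES):
            reasons.append("sensitive-path")
        if when.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if size >= BULK_BYTES:
            reasons.append("bulk-download")
        if reasons:
            findings.append((user, path, reasons))
    return findings

if __name__ == "__main__":
    for user, path, reasons in flag_events(AUDIT_LOG, HIRES):
        print(f"REVIEW {user} {path}: {', '.join(reasons)}")
```

Against the constructed log, only the new hire's firmware download and PII export are surfaced; the established employee's routine read is left to baseline monitoring.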

### Insider Threat Programs

Develop proactive detection:

- Behavioral analytics - monitor for anomalous user behavior that suggests compromise
- Counterintelligence training - educate employees on social engineering and recruitment tactics
- Secure communication channels - provide ways for employees to report suspicious colleagues confidentially
- Regular vulnerability assessments - test security awareness and physical security controls

### Reporting and Coordination

- Report suspected cases - contact the FBI's Internet Crime Complaint Center (IC3) or local field office
- Coordinate with peers - share intelligence with industry partners and information sharing organizations
- Participate in government programs - engage with CISA and sector-specific ISACs for threat intelligence

## Conclusion

The sentencing of Kejia Wang and Zhenxing Wang demonstrates that federal law enforcement agencies are actively pursuing state-sponsored employment fraud schemes. However, the scale of the operation, affecting over 100 companies, suggests that many organizations remain vulnerable to this attack vector.

Organizations must recognize that hiring security is national security, and that credential fraud represents a tangible insider threat. By implementing robust identity verification, enhancing access controls, and developing comprehensive insider threat programs, companies can significantly reduce exposure to state-sponsored employment-based intrusions.

The case serves as a reminder that cybersecurity extends beyond network defenses to encompass every aspect of organizational security, including the people hired to work within those organizations.