Cointegrity

IT Worker Infiltration (Laptop Farms)

IT Worker Infiltration is a North Korean state-sponsored operation in which operatives use stolen or synthetically constructed identities to fraudulently obtain remote employment as software developers, DevOps engineers, and IT contractors at Western technology and cryptocurrency companies. To disguise their true location in North Korea or China, operators route their internet activity through US-based 'laptop farms': physical locations hosting dozens to hundreds of proxy computers, each appearing to be a legitimate American worker's device. This grants the operatives long-lived, insider-level access to sensitive corporate systems, codebases, and virtual-currency infrastructure that an external attacker would need months of exploitation to reach.

The operation serves a dual purpose: generating legitimate salary income in hard currency for the regime (estimated to produce tens of millions of dollars annually) while simultaneously positioning operatives to execute devastating internal sabotage, intellectual-property theft, or wallet credential extraction at a moment of the regime's choosing. The FBI, CISA, and the US Department of State issued joint advisories in 2022 and 2024 warning that thousands of North Korean IT workers may have infiltrated Western firms, including crypto companies.

Example: A Web3 protocol hired a 'US-based' senior Solidity developer through a standard job board; over six months the operative committed legitimate code while simultaneously mapping the organisation's cloud infrastructure and key management systems. The company discovered the infiltration only after a routine background-check audit flagged inconsistencies in the employee's identity documents.

Why it matters for compliance: IT Worker Infiltration means that a crypto firm's greatest threat may be on its own payroll. Effective countermeasures include video-verified identity checks against government-issued documents, background-check providers with liveness detection, hardware key requirements for all production access, and code-review policies that prevent any single contributor from having unreviewed access to signing infrastructure.

Category: compliance, regulatory frameworks, wallets security
