Sectors
Labor & Employment Law Perspectives

Laptop Farms Highlight Identity Fraud Risks Of Remote Work

On April 15, the U.S. Department of Justice announced the sentencing of two U.S. nationals in U.S. v. Wang in the U.S. District Court for the District of Massachusetts for operating so-called laptop farms that enabled North Korean operatives to obtain remote information technology jobs at more than 100 U.S. companies using stolen American identities.[1]

The scheme, which shuffled at least 80 stolen American identities through fraudulent employment at these companies over several years, generated over $5 million in illicit revenue and exposed the employing companies to cybersecurity breaches, export control violations and reputational harm.

While the facts are striking, the broader lesson for U.S. employers is more consequential: Identity fraud in hiring, especially in remote environments, is no longer hypothetical — it is an active and evolving threat.

This article examines why virtual hiring is particularly vulnerable to fraudulent activity by wrongdoers who are posing as prospective employees, discusses common warning signs that employers miss and offers practical steps to mitigate risk.

How Remote Work Eliminates Traditional Verification Controls

Remote hiring removes in-person touchpoints that historically served as informal verification mechanisms, such as physical presence and in-office onboarding. Without these in-person hallmarks, fraudsters are able to exploit:

  • Digital-only identity verification processes;
  • Reliance on scanned or uploaded identification;
  • Limited ability to validate location or work environment; and
  • Limited ability to interact with the person to see firsthand how they conduct themselves.

In the DOJ’s case against the U.S. nationals, victim employers shipped corporate laptops to U.S.-based addresses that were controlled by fraud facilitators who then provided remote access to overseas operatives, creating the illusion of legitimate domestic employment.

How Laptop Farm Schemes Enable Scalable, Low-Cost Deception

These schemes are highly scalable, often relying on dozens of stolen U.S. identities and enabling bad actors to infiltrate large numbers of companies at once. A single identity and a single company-issued device can be reused, remotely accessed and redeployed acrossmultiple roles and companies simultaneously, allowing relatively minimal infrastructure to support dozens or even hundreds of fraudulent positions.

For example, an Arizona woman was sentenced in a similar plot in July 2025 in the U.S. District Court for the District of Columbia for her role in operating a laptop farm from her home that helped North Korean workers obtain jobs at over 300 U.S. companies and generated more than $17 million in illicit revenue.[2]

The scheme in U.S. v. Chapman — which also involved falsely reporting millions in income under the names of stolen U.S. identities to the IRS and the U.S. Social Security Administration, as well as more traditional check forgery — further demonstrates the ease and exponential potential of these tactics.

At the same time, emerging technologies — including identities generated by artificial intelligence, deepfake video interviews and synthetic credentials — are lowering the cost of entry while increasing the sophistication and credibility of fraudulent applications.

Why Incentives Extend Beyond Compensation Fraud

Unlike traditional employment fraud, where fraudsters simply seek to loot salary from their employer, these schemes often implicate:

  • International trade sanctions evasion, such as funneling wages to prohibited jurisdictions;
  • Data exfiltration and theft of intellectual property; and
  • Network compromise and extortion risks.

Accordingly, the risk profile extends well beyond payroll loss into regulatory, national security and enterprise risk domains.

Warning Signs Employers Often Miss

Despite the scale of the problem, many schemes succeed because supervisors often fail to devote sufficient attention to monitoring the activities of their remote workers, or because warning signs are subtle or misinterpreted as benign quirks of remote work. Thus, employers need to be hypervigilant in this new environment and consider some of the following less obvious indications that fraud may be afoot.

Inconsistent Identity Signals

Before the interview even starts, there may be initial signs that employers are dealing with a fraudulent employment candidate. These signs may include:

  • Mismatched or recycled resumes across multiple applicants, such as identical or near-identical resumes submitted under different names;
  • Contact information inconsistencies, such as candidates using the same phone number, email domain or physical address; email addresses that don’t match the candidate’s name; IP address geolocation or area codes that don’t align with the

stated location; or physical addresses that can’t be verified or are linked to forwarding services; and

  • Difficulty validating social media or professional presence, such as LinkedIn profiles with sparse connections; profiles with stock or AI-generated photos; employment histories that don’t align with the resume; lack of any broader digital footprint; or inconsistencies in employment history across different platforms.

Employers should always cross-check identity data and resume duplication across applicants. For example, the FBI has published specific guidance detailing how China’s military intelligence services use online job platforms to gain access to the sensitive data of vulnerable target employers.[3]

Anomalies in the Interview Process

The remote interview itself can further inform whether the applicant is legitimate. Hints of a fraudulent interviewee can include camera malfunctions or reluctance to appear on video; delayed or scripted responses, potentially from proxy participants; and use of AI tools or face-swapping technologies.

Fraudulent applicants may also rely on third parties or technology to participate in interviews.

Logistics and Equipment Red Flags

Warning signs may also reveal themselves after an offer of employment is accepted. Troubling actions may involve:

  • Requests to ship equipment to addresses that are inconsistent with the candidate’s background;
  • Use of third-party residential addresses or forwarding arrangements; and
  • Multiple employees being associated with the same physical location.

In the DOJ case, laptop farms centralized company-issued devices to facilitate remote access by overseas workers.

Suspicious Network or Work Patterns Post-Hire

Employers should continue to monitor remote employees’ behavior after employment begins too. Suspicious activity during employment may include simultaneous logins from different locations, the installation of unauthorized remote access tools, and unusual data access or transfer activity.

Such activity may signal that the supposed employee is, in fact, a proxy for offshore actors.

Practical Steps to Strengthen Identity Verification and Workforce Controls

Given the regulatory and operational risks, employers should take the following proactive steps now, particularly those with distributed or remote workforces.

Enhance identity verification protocols.

Employers should treat identity verification as a continuous process, not a one-time onboarding step. As part of this approach, they should require multifactor identity verification during hiring and onboarding, and use live video verification with real-time ID validation to confirm candidates’ identities.

In addition, employers should cross-check identity data across internal and third-party systems to identify inconsistencies. Finally, they can leverage tools — such as E-Verify and the SSA’s Social Security number verification service, which are both free federal resources — to further validate employment eligibility and reduce fraud risk.

Tighten equipment and access controls.

Limiting the ability to proxy access through intermediaries is similarly critical. Employers should only ship devices to verified physical addresses that are tied to the employee, and implement zero-trust architecture and endpoint monitoring to track device activity.

They should also restrict the installation of remote access software without approval and monitor IP addresses to detect anomalies. In addition, prohibiting the use of virtual private networks on company equipment can help ensure visibility into where devices are actually being used.

Strengthen hiring and human resources practices.

Employers’ human resources teams serve as the first line of defense against this type of fraud and should be equipped accordingly. Employers should train recruiters and HR personnel to recognize common fraud indicators, conduct enhanced background checks for sensitive roles, and carefully scrutinize third-party staffing vendors and contract arrangements.

Outsourced or contract hiring channels often present heightened risks due to reduced oversight. When relying on third parties, employers should ensure that they fully understand and evaluate the safeguards and protections that vendors have in place to confirm that they meet the company’s standards.

Monitor for insider threat indicators.

The line between an external cyberthreat and an insider threat is increasingly blurred in these scenarios. As such, employers should train supervisors of remote workers to recognize potential fraud indicators, and should require regular and consistent communication with remote employees to help identify irregularities.

In addition, deploying behavioral analytics can help flag anomalous activity, while periodic audits of access to sensitive systems and data repositories can identify unauthorized or unusual patterns. Employers should also establish clear escalation protocols to ensure that potential security concerns are promptly reviewed and addressed.

Align with legal and compliance frameworks.

Failure to address these risks can result in regulatory exposure beyond the underlying fraud. Employers should evaluate potential obligations under export control laws, such as the International Traffic in Arms Regulations, particularly where sensitive data may be accessed remotely.

They should also consider sanctions compliance risks associated with foreign actors and ensure that any monitoring of employee activity is conducted in a manner that is consistent with applicable data privacy requirements.

Conclusion

The April DOJ action underscores a critical reality: Identity fraud in remote hiring is not a one-off case — it is an emerging systemic risk.

As remote and hybrid work models persist, employers must recalibrate their hiring, onboarding and workforce monitoring practices to address a threat landscape that blends employment fraud with cybersecurity and geopolitical risk.

Organizations that fail to adapt may find themselves to be not just victims of fraud, but also unwitting participants in schemes that expose them to significant legal, financial and reputational consequences.

This article was originally published in Law360 on July 10, 2026, and is republished here with permission.

Disclaimer