Citizen Portal
Sign In

FBI highlights North Korean ‘laptop farms’ and remote‑worker schemes as growing national‑security risk

FBI Cyber Division (Ahead of the Threat podcast) · February 25, 2026

Loading...

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video. so we can fix them.

Summary

The FBI and its cyber-intelligence branch warned that North Korean operatives placed in China to secure remote IT jobs for U.S. companies can generate large revenue streams for the regime and pose insider and espionage risks; law‑enforcement takedowns and industry reporting are both critical to disrupting the networks.

Brett Leatherman, assistant director of the FBI’s Cyber Division, and Mike Machtinger, the bureau’s deputy assistant director for cyber intelligence, told listeners that a Wall Street Journal account (Feb. 15) exposed an organized North Korean effort to place operatives in remote IT roles that target U.S. employers.

“The goal there, along with about 10 other operatives crowded into a 2 bedroom dormitory…was to fake their job, fake opportunities to get into remote IT jobs in The United States,” Leatherman said, summarizing the report. He and Machtinger described the operation as large-scale and profitable: Leatherman said partners estimate the scheme could “generate up to $800,000,000” for the regime in a single year and that the regime takes roughly 90% of that revenue.

Machtinger framed the schemes as insider threats, emphasizing that operatives may gain access to sensitive corporate and defense‑industry information. “What do these folks have access to? What can they exfiltrate back to DPRK or other, nefarious players?” he asked, warning the access could be “weaponized.”

Leatherman and Machtinger also reviewed recent law‑enforcement responses. Leatherman said a coordinated Justice Department action in June produced indictments and arrests, searches of 29 laptop farms, seizures of approximately 200 computers, 29 financial accounts and 21 fraudulent websites. The FBI called those disruptions important but incomplete: both officials urged industry to report suspected cases so investigators can connect incidents across companies.

Industry reporting, the bureau said, helps investigators identify operatives who may target multiple employers. “If that individual is working for your company…don’t let law enforcement know, you know, it's very possible that they're victimizing multiple other companies at the same time,” Machtinger said, adding that sharing information in ways comfortable to companies improves the bureau’s ability to find additional victims.

Why it matters: the speakers tied the revenue and access gained through these schemes to broader national‑security concerns, including espionage and the funding of regime priorities. They said law enforcement actions reduce the actors’ capabilities but that meaningful, sustained disruption requires both prosecutions and industry cooperation.

What’s next: the FBI recommended that organizations notify law enforcement when they suspect phantom remote workers, strengthen hiring verification where practical and follow FBI advisories on detection and reporting.