The Rabbit Hole: A 600 Million Dollar Heist

Editor’s note: Between the rise of overseas customer service centers and shrinking job pool of qualified Americans for certain techincal technical jobs, U.S. companies have tried to outsource their processes to cheaper labor overseas. But what happens when you inadvertently outsource to a tyrannical regime? In this week’s The Rabbit Hole, reporter Peter Beck looks at the Hermit Kingdom’s cadre of remote workers. -Seamus

Like so many Americans struggling under the weight of trying to make ends meet, Minh Vong had a few side hustles. First and foremost, he was a nail technician at a spa in Maryland. But he also had a dozen other simultaneous jobs as a software engineer for U.S. companies across the country. Despite the herculean workload, by all accounts, he was thriving at all of his various jobs at the same time. It helped that he wasn’t actually doing the work. Instead, he was being supported by a team of computer whizzes overseas masquerading as Vong. 

This is the story of deception, shady online figures, sensitive U.S. government contracts, and a 600 million dollar heist. 

In 2023, the CEO of a Virginia software company joined a Zoom meeting to interview a prospective new hire. Vong had already passed through a previous interview round conducted by a senior developer with flying colors. He had a computer science degree, 16 years coding experience, and, crucially, a security clearance to access sensitive U.S. government materials. The CEO was ready to pull the trigger, and had the new hire show his Maryland Driver’s license and U.S. passport to complete an I-9, a standard form used by employers to verify that a job applicant is able to work in the U.S.

With the I-9 checked out, Vong started at the company with his first assignment working on a contract with the Federal Aviation Administration to build a software to monitor aviation for flights in the United States. Like many employees in the wake of the pandemic, Vong worked remotely, so the company shipped him a laptop. The work team that Vong was on would meet over Zoom most days for everyone to check in. Vong never had his camera on, but he would always turn on his mic to chime in about what he was working on. Some of the other coders wouldn’t turn their cameras on either.

A few months passed, until July 2023, when the software company applied on behalf of Vong to the Defense Counterintelligence and Security Agency for a secret security clearance. To their surprise, another U.S. company had recently submitted Vong’s name for a secret clearance. The company concluded that Vong must have been double-dipping by working two jobs and fired him on July 14, 2023. Then the CEO and the senior developer who interviewed Vong sat down to figure out what had happened. They had both taken screenshots of Vong during their Zoom meets; the CEO had done one in order to complete the I-9 form, and the software developer for inexplicable reasons other than common sense. The screenshots showed two different people.

Vong, according to a criminal complaint in his case, was not the coder he made himself out to be. Not only did he not have a security clearance, but he had also never attended college, much less for a computer science degree. Instead, Vong was a nail tech at a spa in Maryland, where he earned roughly $30,000 a year. Then in 2022, his annual income shot up to over $400,000, with 15 other salaries from IT services and government contractors supplementing his paychecks from the spa. 

The man posing as Vong, who the FBI has never publicly identified, was actually located in China, where he used a computer application to access the Macbook Pro given to Vong, in an effort to spoof his location to be in the U.S. During an interrogation, Vong told FBI agents that he had been contacted by the man, who said his name was “William,” through a game app on his phone. “William” reportedly promised Vong that he knew a way for him to make money legally, and that all he had to do was to apply for jobs as a software developer and then give “William” remote computer access. In return, “William” would do all of the work while Vong took a 30% cut of the salary. 

For four years, Vong and “William” kept up their scheme, bringing in other IT workers living in China to do the other jobs. The two became friendly, messaging each other over Skype about global politics. “William” also messaged other users on Skype about plans to visit “PY,” which the FBI later wrote was short for Pyongyang, the North Korean capital, and a ski resort-based in North Korea. Vong would later deny ever knowing that William was a North Korean operative.

The Democratic People’s Republic of Korea, or as most people call it, North Korea, is arguably the most walled-off country in the world. Many are familiar with the intense security around the demilitarized zone and the harrowing stories of defectors, or the brutal rule of its dictatorial leader. But beneath the extreme lengths that the regime takes to keep the country insulated are also an invisible network of economic sanctions that have, in turn, closed its access off from the rest of the world, except for several countries that are mostly outcasts on the international stage, such as Iran and Russia. Subsequently, North Korea is severely impoverished, with little trade, industry, and next to zero opportunities for development. 

All the while, the regime keeps up its massive military and oppressive security state. So its money has to come from somewhere. North Korean government actors turn to schemes as a solution, targeting the companies and governments of more affluent nations that have cut it off from the global economy. Like Iran, North Korea uses shell corporations and businesspeople to keep up a shadow fleet of cargo ships and oil tankers. It also employs teams of hackers to steal information and conduct ransomware attacks, including on U.S. hospitals and other civilian infrastructure. But one particularly creative way in which the North Korean government has tried to earn money is by having North Korean citizens work remotely for U.S. companies.

Besides the FAA contract, 13 U.S. companies and the departments of Interior, Agriculture, and Commerce used the IT workers posing as Vong, who earned almost $1 million altogether. The other 70% to 80% of the earnings went to the North Korean government, directly from the U.S. Treasury’s coffers. Vong pleaded guilty to wire fraud conspiracy in April 2025, and is currently set for release in February 2027.

According to federal court records filed by the Department of Justice, the North Korean government has sent an estimated 3,000 IT workers abroad, with another 1,000 workers back in North Korea, to pose as Western employees. The abroad workers are permitted to leave the tight grip of the North Korean state to participate in the scheme, earning a roughly 10% cut of the annual salary for the jobs they’re working. As with Vong, their U.S.-based co-conspirators take another cut of the salary, ranging from just several thousand dollars to millions. The rest of the salary goes to the North Korean government. 

Prosecutors wrote that these coveted technology positions in the U.S. can earn North Korean workers more than $300,000 a year, and teams of workers can collectively earn more than $3 million annually, though the overwhelming bulk of it goes to fund the North Korean government. All told, the scheme reportedly generates somewhere between $250 to $600 million a year. 

Some of the most prominent U.S. companies have fallen victim to the scheme. In one case alone that sent $6.8 million overseas, more than 300 companies were impacted, including a top-5 television network, a Silicon Valley tech company, aerospace and defense contractors, and a car manufacturer that prosecutors called an American icon. It’s likely that North Korean IT workers have been employed by a surprising number of companies that are household names. 

The companies that North Korean workers tend to target also often have contracts with the government. It was not a coincidence that two of the workers posing as Vong had applied to roles requiring a classified security clearance but a larger pattern of infiltration that suggests North Korea has other motivations for the scheme besides money: espionage and spying.

One of the more nefarious elements of the scheme is that it requires U.S. workers to be complicit. Many may not be aware that the contacts who they communicate with are essentially forced laborers, earning very little of their entire salary, and that the money they help facilitate goes to North Korea. Several cases of U.S. co-conspirators have assumed that the people on the other end of the computer were simply Chinese workers trying to get ahead. But greed and likely convenient ignorance turns these Americans—willing or not—into covert operatives of the North Korean government.

This piece is part of our weekly Sunday Series we call The Rabbit Hole where we choose a single federal court docket, filing, or topic and dive deep into the details. You can read past issues on topics ranging from news deserts to the lack of consistent funding for court-appointed defense attorneys on our site. Normally, these Rabbit Hole pieces are behind a paywall to reflect the time and expense associated with their reporting. However, we made an exception to that rule so that the influx of new subscribers this week can get a sense of the Sunday series. If you are not currently a paying member but you’d like to support independent journalism like this, please consider becoming a paid subscriber or making a one-time donation.

In 2024, the FBI arrested a 24 year old who was a Ukrainian asylum seeker and a graduate student at Carson Newman University after discovering a so-called laptop farm of 79 computers in his apartment. The farm allowed North Korean-aligned fraudsters to appear as if they were located in the U.S. while working for American companies and transfer almost a million dollars. 

Last summer, a Californian woman was sentenced to 102 months in federal prison for running a similar operation that earned her hundreds of thousands of dollars. She had been contacted in March 2020 by an unknown person on LinkedIn about being the “U.S. face” of a company. As the “face,” she ended up helping the China-based IT workers get hired at U.S. companies, came up with cover stories for their backgrounds, signed paperwork on their behalf, and helped the workers fill out IRS paperwork. She was charged with conveying false information to the Department of Homeland Security more than 100 times and creating false tax liabilities for 35 people, among other crimes.

One method that the conspirators use to infiltrate U.S. based companies is by posing as legitimate American subcontractors for technology-related services. Last year, a grand jury in Western North Carolina indicted two U.S. citizens, two North Koreans living China, and a Mexican man for running Taggcar, a purported front company for North Korean remote worker contracts. The men operating Taggcar would allegedly have the North Korean teams work on their contracts with major U.S. companies, shipping company-owned laptops to China, and while funneling hundreds of thousands of dollars as payment to the North Korean state. Just that scheme netted almost a million dollars from 10 separate U.S. companies.

The scheme also targets Americans in more subtle ways to help facilitate tasks that the North Koreans are unable to do from outside of the U.S. In May 2024, the FBI targeted a host of websites advertising companies such as “Blackish Tech,” “Culture Box,” and “Purpleish Tech.” The websites featured glossy designs and rave reviews, boasting about 99% positive feedback, “300+ completed projects,” and “9000+ Coffee Cups Drank.” 

In reality, however, the FBI wrote the websites served as fronts for the North Korean operatives to post jobs for “virtual assistants” in the U.S. These assistants would then perform menial tasks on behalf of the North Koreans, including receiving laptops from the hoaxed U.S. companies and shipping them to China for their use in the scheme. Court records describe how the North Koreans could then access sensitive proprietary business and U.S. government materials from within China.

In one sense, the IT scam feels somewhat harmless. Shadow fleets of oil tankers, ransomware attacks on hospitals, and arms sales present more of an obvious threat to U.S. national security. The IT workers, meanwhile, are working jobs they could never dream of in North Korea and it’s unclear in most cases that they acted in a deliberately malicious way to undermine the victim companies. The scheme mostly appeared to be driven by the need to fund North Korea’s government, rather than hacking the companies or stealing trade secrets.

From a fuller perspective, however, the scheme represents a brazen attempt at undermining U.S. sanctions: North Koreans being paid by U.S. companies and, in some cases, American taxpayers to prop up their totalitarian regime. The hundreds of millions of dollars earned from the IT worker scheme will undoubtedly fund human rights abuses and arm the same military that semi-regularly threatens all-out war against the U.S. and its allies.  

It’s also tricky to know the full scope of the scheme. Court records indicate that Vong was caught by pure coincidence. With remote work as a mainstay in the U.S. labor force, we may never understand the size and scale of the companies impacted or the number of U.S. citizens helping North Korea pay to keep afloat its tyrannical government. 

-30-

This piece was part of our weekly Sunday Series we call The Rabbit Hole where we choose a single federal court docket, filing, or topic and dive deep into the details. You can read past issues on topics ranging from news deserts to the lack of consistent funding for court-appointed defense attorneys on our site.

If you are reading Court Watch for the first time here because you were forwarded the piece, you can subscribe here to get our free weekly Friday roundup of federal court documents in your inbox and our member-supported Rabbit Hole every Sunday.

Finally, if you’d like to support independent journalism like this, please consider becoming a paid subscriber or making a one-time donation.