The expansion of remote work fundamentally altered enterprise security models. Organizations that once relied on tightly controlled office environments suddenly began shipping pre-configured corporate laptops to workers they would never physically meet. VPN enrollment, SaaS identity platforms, remote onboarding systems, and cloud collaboration tools rapidly became the new trust perimeter.
Criminal organizations and state-sponsored operators quickly recognized that the same infrastructure enabling legitimate distributed workforces could also be weaponized.
Among the most sophisticated examples uncovered publicly are the North Korean remote IT worker operations that U.S. authorities say infiltrated American companies through networks of so-called “laptop farms” — residential locations where company-issued laptops were physically hosted in the United States while being remotely operated from overseas.

Recent Department of Justice prosecutions and FBI investigations have exposed how these operations combined:
- fraudulent remote hiring
- forged identity documents
- residential geolocation laundering
- remote desktop infrastructure
- shell staffing companies
- financial laundering networks
- and covert enterprise access.
The result was a hybrid ecosystem blending insider threat operations, sanctions evasion, and cyber-enabled revenue generation into a scalable operational model capable of embedding foreign operators inside trusted corporate environments for years.
What a Laptop Farm Actually Is
A laptop farm is a physical location where multiple company-issued laptops are stored, powered on, connected to residential internet connections, and remotely accessed by operators located elsewhere.
Operationally, laptop farms function similarly to residential proxy infrastructure, except the systems involved are not compromised consumer devices infected with malware. Instead, they are legitimate corporate endpoints voluntarily shipped by victim organizations to what they believe are trusted employees or contractors.
In most documented cases, the laptops are delivered to:
- suburban homes
- rented apartments
- storage units
- coworking spaces
- or residences operated by facilitators.
Once the device arrives, the facilitator:
- powers on the system
- connects it to local Wi-Fi
- completes onboarding procedures
- enrolls authentication tokens
- installs remote access software
- and enables overseas operators to control the machine remotely.
To the employer, the laptop appears to belong to a normal U.S.-based remote worker.
In reality, the keyboard and mouse activity may originate from another country entirely.
Geolocation Laundering Through Residential Infrastructure
The primary purpose of a laptop farm is geolocation laundering.
Modern enterprises increasingly monitor for:
- foreign authentication attempts
- impossible-travel events
- cloud-hosted VPN infrastructure
- suspicious autonomous system numbers (ASNs)
- and anomalous login patterns.
If an employee account suddenly authenticates from:
- North Korea
- China
- Russia
- or other high-risk jurisdictions,
security systems may trigger:
- account lockouts
- risk-based authentication
- insider-threat investigations
- or sanctions-related compliance reviews.
Laptop farms bypass these controls by ensuring corporate activity appears to originate from legitimate domestic residential internet connections.
Instead of a direct connection path such as:
China → Corporate VPN
the operational flow becomes:
Foreign operator → Remote desktop tunnel → U.S. residential laptop → Corporate systems
The employer only sees the second half of the chain.
As a result:
- the IP address appears domestic
- the hardware is legitimate
- endpoint certificates are valid
- browser fingerprints remain stable
- and activity originates from trusted residential ISPs.
The laptop effectively becomes a human-operated proxy node.
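As an added illustration (not code from the article or from any of the investigations it cites), the following Python script runs the kind of geo-risk and impossible-travel checks described above over two constructed sets of VPN sign-in events. Scenario A is the direct path, an operator authenticating from abroad; Scenario B is the laundered path, where the only hop the employer ever logs is the residential laptop. The country list, the enrichment fields (`country`, `asn_type`), the coordinates and the IP addresses are all constructed assumptions for the example.

```python
"""Impossible-travel and geo-risk checks over constructed VPN sign-in events.
Added illustration (not from the article): the direct path from abroad trips
the checks, while the laundered path through a U.S. residential laptop does not,
because the employer's logs only ever contain the residential hop."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

HIGH_RISK_COUNTRIES = {"KP", "CN", "RU"}   # example policy list (assumption)
MAX_PLAUSIBLE_KMH = 900.0                  # faster than an airliner counts as impossible travel


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    country: str       # ISO 3166-1 alpha-2 from IP enrichment (assumed field)
    lat: float
    lon: float
    asn_type: str      # "residential", "hosting" or "vpn" (assumed enrichment field)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(events):
    """Return [(user, timestamp, reason)] for every sign-in that trips a control."""
    alerts = []
    last_seen = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.country in HIGH_RISK_COUNTRIES:
            alerts.append((e.user, e.ts, f"sign-in from high-risk country {e.country}"))
        if e.asn_type != "residential":
            alerts.append((e.user, e.ts, f"non-residential source ASN ({e.asn_type})"))
        prev = last_seen.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append((e.user, e.ts, f"impossible travel: {km:.0f} km in {hours:.1f} h"))
        last_seen[e.user] = e
    return alerts


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


NYC = (40.71, -74.01)       # geolocation of the residential ISP address (constructed)
SHENZHEN = (22.54, 114.06)  # geolocation of a foreign hosting provider (constructed)

# Scenario A: the operator connects to the corporate VPN directly from abroad.
DIRECT_PATH = [
    SignIn("dev01", utc(2025, 3, 3, 9, 0), "203.0.113.10", "US", *NYC, "residential"),
    SignIn("dev01", utc(2025, 3, 3, 11, 0), "192.0.2.44", "CN", *SHENZHEN, "hosting"),
]

# Scenario B: the operator works through a remote-desktop session to a laptop
# sitting at the New York address.  Only the laptop's own hop reaches the VPN.
LAUNDERED_PATH = [
    SignIn("dev02", utc(2025, 3, 3, 9, 0), "203.0.113.10", "US", *NYC, "residential"),
    SignIn("dev02", utc(2025, 3, 4, 9, 5), "203.0.113.10", "US", *NYC, "residential"),
    SignIn("dev02", utc(2025, 3, 5, 8, 58), "203.0.113.10", "US", *NYC, "residential"),
]

if __name__ == "__main__":
    for name, events in (("direct", DIRECT_PATH), ("laundered", LAUNDERED_PATH)):
        print(name, evaluate(events) or "no alerts")
```

Scenario A produces three alerts on the second sign-in (high-risk country, hosting ASN, and roughly 12,900 km covered in two hours); Scenario B produces none, which is exactly the blind spot the laptop farm is built to exploit. IP-based controls on their own cannot close it; the complementary signal has to come from the endpoint, where the remote-desktop session itself is visible.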
The Remote Desktop Infrastructure Behind Laptop Farms
The core enabling technology behind laptop farms is remote access infrastructure.
In one of the most detailed DOJ indictments released publicly, prosecutors alleged that North Korean operators and U.S.-based facilitators used:
- AnyDesk
- TeamViewer
to remotely access company-issued laptops hosted inside the United States.
According to the indictment, facilitators physically received victim company laptops at residential addresses, logged into the systems, and installed remote desktop software enabling North Korean IT workers operating from China to remotely perform software development work while appearing U.S.-based.
The filing specifically describes incidents where:
- AnyDesk was installed onto laptops associated with a fraudulent “Glaus Li” identity
- and TeamViewer was later installed onto systems associated with another persona called “K. Bane.”
The broader remote worker ecosystem has also been associated by security researchers with other remote monitoring and management (RMM) platforms commonly abused in covert access operations, including:
- RustDesk
- Chrome Remote Desktop
- Splashtop
- Remote Utilities
- MeshCentral
- Microsoft Remote Desktop Protocol (RDP)
- reverse proxy tunnels
- and self-hosted relay infrastructure.
However, only AnyDesk and TeamViewer are explicitly identified in the Florida indictment itself.
Many of these tools are attractive because they support:
- encrypted outbound sessions
- unattended access
- portable execution
- user-level installation
- and operation without requiring inbound firewall exposure.
Open-source platforms such as RustDesk and MeshCentral are especially attractive in covert operations because operators can self-host relay infrastructure, reducing visibility into traffic patterns associated with commercial remote desktop providers.
In more sophisticated environments, operators may chain multiple technologies together:
Foreign operator
↓
VPN or VPS infrastructure
↓
Encrypted remote desktop session
↓
U.S.-based laptop node
↓
Corporate VPN
↓
Internal enterprise systems
This layered architecture complicates attribution and significantly reduces geolocation-based detection opportunities.
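Because the geolocation side of the chain is invisible to the employer, detection has to move to the endpoint. The following Python script is an added example (not from the article or any indictment) of a hunt over constructed endpoint telemetry: it flags remote-access products that are not the corporate-approved tool, binaries running from a per-user profile directory (the user-level installation the section mentions), more than one remote-access product on a single laptop, and sessions to a bare IP address rather than a vendor relay (a rough indicator of self-hosted relay infrastructure). The log line format, the keyword-to-product table, the `CorpApprovedRMM` placeholder and every host, user and destination are constructed assumptions.

```python
"""Hunt for unauthorized remote-access tooling in endpoint telemetry.
Added example (not from the article or any indictment); the log format,
product keyword table and approved-tool name are constructed assumptions."""
import re
from collections import defaultdict

# Keyword fragments expected in the binary name of common remote-access
# products.  Assumed for illustration; a production detection should key on
# signer and file metadata, not on file names alone.
RMM_SIGNATURES = {
    "anydesk": "AnyDesk",
    "teamviewer": "TeamViewer",
    "rustdesk": "RustDesk",
    "remoting_host": "Chrome Remote Desktop",
    "splashtop": "Splashtop",
    "meshagent": "MeshCentral",
    "corpapprovedrmm": "CorpApprovedRMM",   # placeholder for the sanctioned IT tool
}
APPROVED_PRODUCTS = {"CorpApprovedRMM"}   # placeholder allowlist

# Constructed telemetry line: process start joined with its first outbound connection.
LINE_RE = re.compile(
    r'host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+image="(?P<image>[^"]+)"\s+dest=(?P<dest>\S+)'
)
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")


def classify(image):
    """Map an image path to a remote-access product name, or None."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for key, product in RMM_SIGNATURES.items():
        if key in name:
            return product
    return None


def in_user_profile(image):
    """True when the binary lives under a Windows per-user AppData tree."""
    p = image.replace("/", "\\").lower()
    return "\\users\\" in p and "\\appdata\\" in p


def analyze(lines):
    """Return {host: sorted reasons} for hosts with suspicious remote-access activity."""
    products = defaultdict(set)
    reasons = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # skip lines that do not match the constructed format
        product = classify(m["image"])
        if product is None:
            continue                      # not a remote-access binary
        host = m["host"]
        products[host].add(product)
        if product not in APPROVED_PRODUCTS:
            reasons[host].add(f"unapproved remote-access product: {product}")
        if in_user_profile(m["image"]):
            reasons[host].add(f"user-profile install: {product}")
        if BARE_IP_RE.match(m["dest"]):
            reasons[host].add(f"possible self-hosted relay for {product}: {m['dest']}")
    for host, found in products.items():
        if len(found - APPROVED_PRODUCTS) > 1:
            reasons[host].add("multiple remote-access products on one endpoint")
    return {h: sorted(r) for h, r in reasons.items()}


# Constructed sample telemetry (hosts, users and destinations are invented;
# .test domains and 198.51.100.0/24 are reserved for documentation).
SAMPLE_TELEMETRY = [
    'host=LT-0412 user=dev01 image="C:\\Users\\dev01\\AppData\\Local\\AnyDesk\\AnyDesk.exe" dest=relay.anydesk-example.test:443',
    'host=LT-0412 user=dev01 image="C:\\Program Files\\TeamViewer\\TeamViewer.exe" dest=router.teamviewer-example.test:5938',
    'host=LT-0911 user=dev02 image="C:\\Program Files\\CorpApprovedRMM\\CorpApprovedRMM.exe" dest=rmm.corp-example.test:443',
    'host=LT-0733 user=dev03 image="C:\\Users\\dev03\\AppData\\Roaming\\RustDesk\\rustdesk.exe" dest=198.51.100.7:21116',
    'host=LT-0733 user=dev03 image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dest=www.example.com:443',
]

if __name__ == "__main__":
    for host, why in analyze(SAMPLE_TELEMETRY).items():
        print(host)
        for reason in why:
            print("  -", reason)
```

On the sample data LT-0911 (approved tool, system-wide install, vendor domain) is silent, LT-0412 is flagged for two unapproved products including one installed under the user profile, and LT-0733 is flagged for an unapproved product talking to a bare IP. The point of pairing this with VPN-side checks is that the remote-desktop session is the one link in the chain that lives on hardware the employer controls and can instrument.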
How Laptop Farms Generate Revenue
Laptop farms primarily generate revenue through fraudulent remote employment.
Operators obtain remote jobs using:
- forged documents
- stolen identities
- synthetic personas
- or cooperative intermediaries.
Once hired, they receive:
- salaries
- contractor payments
- software consulting fees
- stock compensation
- and access to enterprise systems.
According to FBI and Treasury advisories referenced in DOJ filings, North Korean IT workers individually generated hundreds of thousands of dollars annually, with teams collectively producing millions in revenue for the DPRK regime.
The operational model extends beyond payroll fraud.
Once embedded inside corporate environments, operators may gain access to:
- proprietary source code
- CI/CD infrastructure
- cloud administration systems
- API credentials
- internal collaboration platforms
- software signing workflows
- customer databases
- and blockchain infrastructure.
In several later FBI public service announcements and DOJ investigations related to the broader DPRK remote worker ecosystem, authorities alleged that some operators also engaged in:
- data theft
- extortion
- source code exfiltration
- and theft of sensitive proprietary information.
The FBI separately warned in 2024 and 2025 that North Korean remote workers increasingly leveraged insider access to steal corporate data and extort victim organizations after discovery.
The Florida Laptop Farm Indictment
One of the clearest public examples of a laptop farm operation emerged through a Southern District of Florida indictment unsealed in 2025.
The case involved:
- North Korean nationals JIN SUNG-IL and PAK JIN-SONG
- Mexican citizen PEDRO ERNESTO ALONSO DE LOS REYES
- and U.S.-based facilitators ERICK NTEKEREZE PRINCE and EMANUEL ASHTOR.
According to prosecutors, the conspirators used shell staffing firms including:
- Taggcar Inc.
- and Vali Tech Inc.
to obtain corporation-to-corporation contracts with American companies.
This corporation-to-corporation structure mattered because contractor engagements often receive less scrutiny than direct-hire pipelines.
The indictment alleges that the conspirators targeted companies hiring remote:
- mobile developers
- software engineers
- Android developers
- and IT contractors.
To secure employment, the operators allegedly used:
- counterfeit U.S. passports
- fake TN visas
- fraudulent Social Security cards
- altered identity documents
- and stolen personally identifiable information.
Notably, PEDRO ERNESTO ALONSO DE LOS REYES was not a synthetic persona: he is a real, named co-defendant whose identity, prosecutors say, JIN SUNG-IL used with his consent in fraudulent employment applications.
The indictment further alleges that victim companies shipped corporate laptops directly to residences controlled by the facilitators in New York and North Carolina.
Once received, the facilitators allegedly:
- powered on the devices
- connected them to residential Wi-Fi
- installed AnyDesk and TeamViewer
- logged into corporate systems
- and enabled remote access from China.
In one documented sequence, prosecutors allege that:
- a fraudulent “Glaus Li” identity secured a developer role
- a laptop was shipped to a New York residence
- AnyDesk was installed onto the system
- and the device was later remotely accessed from China.
The indictment states the conspiracy targeted at least 64 U.S. companies and generated approximately $866,255 in payments tied directly to the scheme.
The filing also alleges that several victim organizations incurred remediation and legal expenses exceeding $1 million.
The Larger DPRK Remote Worker Ecosystem
The Florida indictment represents only one component of a much broader federal investigation into DPRK remote worker operations.
Separate DOJ cases later exposed additional laptop farm infrastructure operating in:
- Tennessee
- New Jersey
- and multiple other U.S. states.
In one related case, Matthew Knoot operated a laptop farm from Nashville, Tennessee, where prosecutors said corporate laptops were shipped to support fraudulent employment under the identity “Andrew M.” Authorities alleged Knoot installed remote desktop applications enabling North Korean operators in China to remotely work while appearing physically located in Nashville.
Another major federal case charged Zhenxing “Danny” Wang, Kejia “Tony” Wang, and multiple Chinese and Taiwanese nationals in a scheme that allegedly generated more than $5 million in revenue while compromising the identities of more than 80 U.S. persons.
The broader DOJ initiative — referred to publicly as the “DPRK RevGen: Domestic Enabler Initiative” — involved:
- searches across 16 states
- investigations into 29 suspected laptop farms
- seizure of financial accounts
- and disruption of fraudulent infrastructure.
Authorities additionally disclosed that some remote workers gained access to export-controlled technical information, including ITAR-restricted defense-related data associated with a California defense contractor.
That detail significantly elevates the national security implications of laptop farm operations beyond employment fraud or sanctions evasion.
Remote Hiring as an Intrusion Vector
Historically, enterprise intrusions typically began with:
- phishing
- malware delivery
- software exploitation
- or credential theft.
Laptop farms invert that model entirely.
The victim organization itself provides:
- the hardware
- the VPN access
- the trusted endpoint
- the cloud identity enrollment
- and the internal network connectivity.
The attack vector becomes the hiring process itself.
This fundamentally changes the insider threat landscape because the operator enters the environment as:
- an authenticated employee
- using legitimate credentials
- from a trusted device
- operating from apparently normal residential infrastructure.
The North Korean operations uncovered by U.S. authorities demonstrate how remote work ecosystems can be transformed into long-term covert access infrastructure capable of embedding foreign operators directly inside enterprise environments while remaining operationally indistinguishable from ordinary distributed work activity.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control processes, security audit support, business continuity design and support, workgroup management and information security standards.
