What Is A 'Laptop Farm' & What Is One Used For?
International cyber hackers have infiltrated the U.S. workforce. That was the implication when a U.S. District Court sentenced Arizona resident Christina Chapman to eight years in prison for her role in a scheme that duped more than 300 U.S. companies into unwittingly funding the Democratic Republic of North Korea. The scam used a method known as 'laptop farming,' in which local computers spoof the geographic location of North Korean workers, allowing them to execute work tasks remotely. The practice has netted hundreds of millions of dollars for the North Korean regime alone.
It is also a tool for corporate espionage, enabling foreign operatives to exfiltrate data from within a company's network. Some remote workers even hit their companies with malware and evolved ransomware attacks. The scheme, one of several uncovered by U.S. authorities in recent years, exemplifies criminals' creative methods to evade international sanctions laws. It also typifies how the global economy has become increasingly exposed to international security threats, drawing domestic companies into schemes to fund illicit activity previously thought reserved for spy novels and movie screens.
These networks are vast, complex, and multinational. In one June 2025 enforcement action, authorities seized 29 laptop farms across 16 states, operating over 200 laptops targeting over 100 U.S. companies. According to the Justice Department, DPRK facilitators in the U.S., China, UAE, and Taiwan helped launder funds through at least 29 bank accounts and 21 fraudulent websites. This reflects a broader trend in which the rate and scale of laptop farming schemes have expanded, spurred by advancements in artificial intelligence, widely available remote-work positions, easily laundered virtual currencies, and a general dearth of IT security professionals.
How it works
Typically, laptop farms con companies into unwittingly employing foreign workers through elaborate hoaxes of identity theft, bank fraud, and money laundering, often to fund sanctioned activities like North Korea's ballistic missile development program. These schemes operate according to a fairly straightforward structure. First, trained cyber operatives, often placed outside their home country, acquire fake identities, either of unwitting victims or willing participants who volunteer their identity in a practice called muling.
Operatives then flesh out their characters with resumes, LinkedIn profiles, work portfolios, cover letters, identification cards, and other corroborating documents, providing a digital paper trail for prospective employers. Hackers then apply for and obtain remote work from Western companies, sometimes even using advanced AI tools to conduct online interviews with prospective employers. Once a position is secured, American proxies set up the physical 'laptop farm,' where computers loaded with remote access software enable foreign-based IT workers to connect to the victim company's networks and execute tasks from thousands of miles away.
Oftentimes, these proxies will maintain dozens of computers at a time for multiple hackers, some of the machines sent by the employers. While some proxies are contacted directly, laptop farm schemes have been known to openly advertise these "hardware custodian" gigs on job boards. Finally, paychecks are deposited into fraudulently acquired bank accounts, often set up by the local facilitator, and funneled to North Korean accounts via international transfer apps or crypto trading platforms. The money is then used to fund a series of projects sanctioned by the United States, including North Korea's WMD program.
A growing problem
These schemes have become a pervasive problem for employers and law enforcement, raising hundreds of millions of dollars for Pyongyang. Authorities have warned against the practice since at least 2022, when the State Department, FBI, and Treasury Department released a joint advisory. Cybersecurity professionals, however, trace the practice to the early 2010s. Since then, the schemes' scale, sophistication, and geographic scope have increased at unprecedented rates, putting both small and Fortune 500 companies in the crosshairs.
Known victims include Google, Nvidia, Nike, NBC Universal, and Amazon. Crypto companies have also been major targets. Although initially focused on the U.S., the scams have spread to Europe, South America, Australia, South Asia, the U.K., and elsewhere. Many companies have been inundated by job applications associated with the schemes. One cybersecurity firm, SentinelOne, received at least 1,000 job applications from 360 fake identities from the DPRK. The rise of laptop farming results from a perfect storm of technological and situational factors.
Spurred by the growth of remote work in the post-COVID job market, operatives of Pyongyang's Department 53, the group responsible for the scheme, have capitalized on a lack of homegrown coding talent to gain a foothold in the marketplace. The increasing sophistication of AI deepfakes has only worsened the problem, as operatives can better create social media profiles, forge identification documents, and impersonate characters during video calls. AI productivity tools, such as vibe coding, could also enable scammers to work for multiple companies. These incidents are part of a broader trend in which nation-states advance national security interests through advanced cyber hacking techniques, often at the expense of corporations, local governments, and private citizens.