Nail salon employee pleads guilty after holding 13 remote IT jobs worked by developers in China

Yahoo

27-04-2025

Minh Phuong Ngoc Vong, 40, of Bowie, Maryland will be sentenced in August after he pleaded guilty to conspiracy to commit wire fraud this month. Vong's guilty plea is the latest intrigue in what authorities say is a vast fake IT worker scheme that funds North Korea's illegal nuclear weapons and ballistic missile program. Authorities alleged Vong essentially rented out his U.S. identity to developers based in China who used it to get more than a dozen remote tech jobs, some of which involved contract work for sensitive government agencies.
A 40-year-old Maryland man is facing decades in prison after he allegedly worked with foreign nationals in China to get remote work IT jobs with at least 13 different U.S. companies between 2021 and 2024. The jobs paid him more than $970,000 in salary for software development tasks that were actually performed by operatives authorities allege are North Korean and working out of a post in Shenyang, China, according to the Department of Justice.
The China-based developers used the company IT jobs, some of which involved contracting out software services to U.S. government agencies like the Federal Aviation Administration, to get access to highly sensitive government systems that they logged into from overseas, authorities said. According to the Department of Justice, the Maryland man's scheme is part of a vast fraud operation in which trained North Korean nationals work with American facilitators to fraudulently obtain remote-work IT jobs under various identities, do the work from Russia or China, and then illegally remit their salaries to Kim Jong Un, authoritarian leader of the Democratic People's Republic of Korea (DPRK).
There have been dozens of indictments in the conspiracy, including Americans who have pleaded guilty to hosting computer farms, where they keep dozens of company-issued laptops in their homes for a fee so that it appears the work is being done in the U.S. The UN has estimated the scheme generates revenues between $250 million and $600 million each year and funds North Korea's illegal nuclear weapons program. The FBI, State Department, and Department of Justice say thousands of DPRK IT workers have been hired for positions at hundreds of Fortune 500 companies in recent years.
In the case involving Maryland man Minh Phuong Ngoc Vong, the DOJ claims he worked in league with developers in China, including one who called himself 'William James.' Court records show authorities believed James and other John Does in the scheme are natives of North Korea. Vong allegedly told an FBI agent 'William' approached him through a cell phone video game app and told Vong he could 'legally' make money by getting development jobs and then giving William his computer access credentials.
According to the DOJ and court documents, Vong allegedly let James and the other unnamed conspirators draw up a fraudulent resume for him saying he had a degree from the University of Hawaii, 16 years of experience as a software developer, and had previously maintained a secret-level security clearance. The DOJ said Vong, who worked in a nail and spa salon, had neither a degree nor did he have experience in development.
At one of the 13 jobs, someone who identified himself as Vong allegedly joined an online interview with a senior software developer who recommended he get the job and took a screenshot of him during the meeting. The CEO of the Virginia-based company later hired him after a successful final interview in which Vong allegedly showed his Maryland driver's license and U.S. passport to confirm his identity, and the company screenshotted Vong a second time holding up the documents. (Court records show authorities believe these screen grabs are of two different people—one who is allegedly a North Korean IT worker posing as Vong, and another who is the real Vong from Maryland holding his license and passport.)
The company set Vong to work on an FAA contract that involved an application monitoring aviation assets in flight in the U.S, according to court records. The software is used by government agencies such as the Department of Defense, Department of Homeland Security, and Secret Service. The Virginia company shipped Vong a MacBook Pro laptop with administrative rights to download software and the FAA let Vong have a Personal Identity Verification card to get him into government facilities and systems, court records show. Vong allegedly installed remote access software on the company device so that James and his cohort could use it from China.
Between March and July in 2023, the Virginia company paid Vong more than $28,000 while the work was performed by James and other unknown people, the DOJ said. During his time there, someone known as Vong attended Zoom meetings for work and spoke to his team about his task list at a daily meeting. As part of his guilty plea, Vong admitted the Virginia job was only one among 13 different companies that hired him between 2021 and 2024. Several did contract work for the U.S. government, in addition to the FAA. Vong got fired by the Virginia company after it submitted his information to the Defense Counterintelligence and Security Agency for a secret clearance and found out he might have another job.
After he was fired, the CEO showed Vong's picture to the senior developer who initially recommended him. The developer told the CEO that the individual he called "Vong" in the photo wasn't the same "Vong" he had initially interviewed and screenshotted. He also wasn't the person who participated in daily virtual meetings and did work.
Vong pleaded guilty to conspiracy to commit wire fraud and is facing 20 years in prison. Reached by phone, Vong declined to comment.
Michael "Barni" Barnhart, principal insider risk investigator at Dtex Systems, told Fortune in a statement the continued efforts by U.S. law enforcement to expose and disrupt the North Korean IT worker operations and the facilitators who enable them are positive advancements.
"These indictments are another critical step in thwarting adversarial operations," said Barnhart in the statement. Still, Barnhart said his group has directly observed IT workers trying to get other highly sensitive jobs, including positions with clearance within the U.S. government and third-party contractors for federal agencies.
Furthermore, in a report published this month, Google's Threat Intelligence Group revealed the scheme is expanding, and one DPRK worker late last year operated at least 12 personas across Europe and the U.S., and was looking for more jobs in European defense and with government contractors. Other investigations found fake IT worker identities seeking jobs in Germany and Portugal, according to the latest report.
'Even if these actors are primarily financially motivated, the risk they pose to critical infrastructure is enormous,' John Hultquist, chief analyst at Google's Threat Intelligence Group, told Fortune. 'This scheme has become so widespread that targeting of these organizations is almost inevitable. Given their connection to the intelligence services, that kind of access could be a nightmare.'
The FBI's Baltimore office is investigating the case.
This story was originally featured on Fortune.com