WHY THIS MATTERS IN BRIEF
You hired a remote worker from the US, but they turn out to be a North Korean spy … whoops.
The US Department of Justice (DOJ) has unsealed several court documents focused on identity theft and other crimes linked to the Democratic People’s Republic of Korea (DPRK or North Korea). Prosecutors, who allege that North Korean IT workers have been infiltrating and defrauding US companies, called it the largest case ever charged involving this type of scheme.
According to court documents, North Korea sent thousands of skilled IT workers around the world with stolen or borrowed identities to infiltrate US companies’ networks, and raise money to contribute to the North Korean weapons program in violation of US and UN sanctions. The schemes involved defrauding more than 300 US companies, including many well-known large companies, using US payment platforms and online job site accounts, proxy computers located in the US, and US persons and entities (some of which didn’t realize that they were helping to commit fraud).
Prosecutors claim the scheme began in early 2020, when a group of overseas IT workers began performing services remotely for US companies. To get the jobs, the workers stole the identities of US nationals and applied for remote positions in the US. Once hired, sometimes through staffing companies, they were able to access the internal systems of US companies. Not only did they steal data and money, they were paid millions of dollars for their work, and those wages were falsely reported to the IRS under the stolen identities.
One of those charged is Christina Marie Chapman, a US citizen who was arrested in Litchfield Park, Arizona. She is charged together with three co-conspirators (referred to in the indictment as John Does 1-3, using the aliases Jiho Han, Haoran Xu, and Chunji Jin).
Chapman is accused of assisting the IT workers in validating stolen identity information so that they could pose as US citizens. The overseas IT workers gained employment at US companies, including a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car manufacturer, a luxury retail store, and a US hallmark media and entertainment company (referred to in the indictment as “one of the most recognizable media and entertainment companies in the world”), all of which were Fortune 500 companies. Prosecutors say the overseas IT workers also exfiltrated (a fancy tech word for stole) data from at least two US companies, including a multinational restaurant chain and an American clothing brand.
The overseas IT workers also attempted to gain employment and access to information at two different US government agencies on three other occasions, although these efforts were generally unsuccessful.
The FBI also executed search warrants for US based “laptop farms.” Laptop farms are residences that host laptops for overseas IT workers, so the IT workers appear to be operating inside the US.
Chapman’s residence was among those searched in October 2023 under a warrant issued in the District of Arizona. She is accused of hosting a laptop farm in her home to assist in the scheme. Prosecutors also allege that she received and forged payroll checks and received direct deposits of the overseas IT workers’ wages from the US companies into her US financial accounts.
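A laptop farm gives the employer exactly one observable: several different employees' managed laptops checking in from the same residential egress address, often within minutes of each other. The following is an added example (not from the court filings, the FBI advisory, or any vendor tool) of the check a detection engineer could run over endpoint check-in logs to surface that pattern. The log format, field names, IP addresses, usernames and the corporate-egress allowlist are all constructed for illustration.

```python
"""Flag public IPs from which several different employees' managed laptops check in.

Added example for illustration only; the log format, field names and
addresses below are constructed, not taken from the DOJ case documents.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint check-in log: "timestamp device_id user public_ip".
# 203.0.113.7 is the hypothetical laptop-farm address (four employees' devices);
# 192.0.2.9 stands in for a legitimate shared office NAT.
SAMPLE_LOG = """\
2024-05-16T13:02:11Z LAPTOP-0411 jsmith 203.0.113.7
2024-05-16T13:05:40Z LAPTOP-0932 rlee 203.0.113.7
2024-05-16T13:09:03Z LAPTOP-1207 mchen 203.0.113.7
2024-05-16T13:15:27Z LAPTOP-0188 agarcia 198.51.100.22
2024-05-16T14:01:55Z LAPTOP-0411 jsmith 203.0.113.7
2024-05-16T14:20:10Z LAPTOP-0555 dkumar 203.0.113.7
2024-05-17T09:00:00Z LAPTOP-0777 tnguyen 192.0.2.9
2024-05-17T09:03:00Z LAPTOP-0778 bwong 192.0.2.9
"""

# Known shared egress addresses (office NAT, VPN concentrator). Constructed;
# a real deployment would load this from asset inventory.
KNOWN_EGRESS = {"192.0.2.9"}


def parse_line(line):
    """Parse one constructed log line into (timestamp, device_id, user, public_ip)."""
    ts, device, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), device, user, ip


def colocated_users(log_text, window=timedelta(days=1), min_users=3,
                    known_egress=KNOWN_EGRESS):
    """Return {public_ip: sorted list of users} for every non-allowlisted IP from
    which at least `min_users` distinct employees' devices checked in within one
    `window`-long span. Allowlisted corporate egress IPs are skipped so that a
    normal office does not trip the rule."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, _device, user, ip in events:
        if ip in known_egress:
            continue
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, evs in by_ip.items():
        # Sliding window over the time-ordered events for this IP: the first
        # window start that accumulates enough distinct users flags the IP.
        for i, (start, _user) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for ip, users in colocated_users(SAMPLE_LOG).items():
        print(f"possible laptop farm at {ip}: {', '.join(users)}")
```

The threshold and window are deliberately conservative: three or more unrelated employees behind one non-corporate address inside a day is rare for genuinely remote staff, and the allowlist keeps office and VPN egress out of the result. A hit is a lead for the hiring manager and HR to cross-check against the shipping address the laptop went to, not proof on its own.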
“Using the stolen identities of US citizens is a crime by itself, but when you use those identities to procure employment for foreign nationals with ties to North Korea at hundreds of US companies, you have compromised the national security of an entire nation,” said Chief Guy Ficco of IRS-CI. “For more than 100 years, IRS Criminal Investigation special agents have been following the money, and their financial expertise has once again stopped criminals in their tracks.”
Prosecutors claim that Chapman was initially approached to participate in the scheme on LinkedIn, where she was asked to be the “US face” of a company.
Now, Chapman is specifically charged with conspiracy to defraud the United States, conspiracy to commit wire fraud, conspiracy to commit bank fraud, aggravated identity theft, conspiracy to commit identity fraud, conspiracy to launder monetary instruments, operating as an unlicensed money-transmitting business, and unlawful employment of aliens. The John Does are charged with conspiracy to commit money laundering.
Chapman has been indicted, and has not yet entered a plea. If convicted, Chapman faces a maximum penalty of 97.5 years in prison, including a mandatory minimum of two years on the aggravated identity theft count.
According to court documents, Chapman is currently represented by a federal public defender.
The John Does, however, remain at large, and the US Department of State has announced a reward of up to $5 million for information related to Chapman’s co-conspirators.
Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division, said: “The charges in this case should be a wakeup call for American companies and government agencies that employ remote IT workers. These crimes benefitted the North Korean government, giving it a revenue stream and, in some instances, proprietary information stolen by the co-conspirators. The Criminal Division remains firm in its commitment to prosecute complex criminal schemes like this one.”
A criminal complaint was also unsealed in the District of Columbia, charging Oleksandr Didenko, of Kyiv, Ukraine, with a separate scheme to create fake accounts at US IT job search platforms and with US based money service transmitters.
According to the criminal complaint, Didenko ran a website, upworksell.com, that purported to provide services to remote IT workers. According to the affidavit of the FBI special agent who reviewed the website in support of the complaint, the site advertised the ability for remote IT workers to buy or rent accounts in the name of identities other than their own. The site also advertised “Credit Card Rental” in the European Union and the US and SIM card rental for cell phones: customers sent money to be loaded onto the card, and Didenko provided the card information to the customer after taking a fee.
Didenko allegedly provided a variety of options to pay him, including in USDT (Tether stablecoin cryptocurrency), BUSD (Binance stablecoin cryptocurrency), USDC (USD Coin stablecoin cryptocurrency), and via US Money Service Transmitter (MST) accounts.
Prosecutors allege that these were part of a “full array of services” that also included bogus interviews to allow individuals to pose under a false identity and market themselves for remote IT work with unsuspecting companies.
According to the affidavit supporting the complaint, Didenko managed as many as approximately 871 “proxy” identities, provided proxy accounts for three freelance US IT hiring platforms, and provided proxy accounts for three different US based money service transmitters. In coordination with his co-conspirators, Didenko facilitated the operation of at least three US based laptop farms, at one point hosting approximately 79 computers.
Prosecutors allege that Didenko acknowledged in messages that he believed he was assisting North Korean IT workers. In addition, in November 2023, a US cybersecurity firm discovered documents on an online storage platform related to North Korean IT workers’ attempts to obtain employment as remote workers. According to court documents, the firm assessed with “high confidence” that these documents could be attributed to an espionage group tied to North Korea. The firm stated, “Several of the documents we discovered contained information that more definitively points to North Korea. Many of the passwords associated with these documents were made through Korean language typed on a US keyboard, and some passwords include words only used in North Korea. Furthermore, Korean keyboard language settings were found on computers used by threat actors behind these campaigns.”
The documents included guides and tips on securing employment, writing a cover letter, building a resume, sample resumes of purported IT workers, and interview scripts. Several documents were related to online job postings seeking employees that North Korean IT workers secured, including jobs with US employers that were later tied through business records to the computers found in Chapman’s residence (prosecutors allege that Didenko and Chapman’s activities were connected).
One of Didenko’s overseas IT worker customers also requested that a laptop be sent from one of Didenko’s US laptop farms to Chapman’s laptop farm, showing the interconnectivity of these cells within the North Korean overseas IT worker network. Search warrants for four US residences associated with laptop farms controlled by Didenko were issued in the Southern District of California, Eastern District of Tennessee, and Eastern District of Virginia.
If convicted, Didenko faces a maximum penalty of 67.5 years in prison, including a mandatory minimum of two years on the aggravated identity theft count. Polish authorities arrested Didenko on May 6 at the request of the US, which is seeking Didenko’s extradition from Poland.
Court documents have not identified whether Didenko has obtained US legal representation.
In 2022, the FBI and the Departments of State and Treasury issued an advisory to alert the international community, private sector, and public to the North Korean IT worker threat. The 16-page guide provided detailed information on how North Korean IT workers operate, red flag indicators for companies hiring freelance developers and for freelance and payment platforms to identify those workers, and general mitigation measures companies can take to avoid inadvertently hiring or facilitating the operations of such workers.
The United States and the Republic of Korea (South Korea) issued updated guidance in October 2023. It includes new indicators to watch for that are consistent with North Korean IT worker fraud and additional due diligence measures the international community, private sector, and public can take to prevent the hiring of North Korean IT workers.
The FBI encourages US companies to report suspicious activities, including any suspected North Korean IT worker activities, to local field offices.