
US FBI Busts North Korean IT Worker Employment Scams

Law Enforcement Arrests an Arizona Woman and a Ukrainian National
Contract IT workers might actually be from Pyongyang, North Korea. (Image: Shutterstock)

U.S. federal prosecutors said an Arizona woman helped North Korea circumvent sanctions by helping its nationals obtain IT work for U.S. Fortune 500 companies - where in some cases they also spied for the secretive Pyongyang government.


Prosecutors unsealed Thursday an indictment against the woman, Christina Marie Chapman, 49, the same day they unsealed charges against a Ukrainian national who also facilitated remote work for North Korean IT workers, including contractors hired by a staffing agency to perform work at an unnamed American cybersecurity firm.

Polish authorities arrested the man, Oleksandr Didenko, 27, of Kyiv, on May 7; the U.S. seeks his extradition. Chapman was arrested on May 15.

Prosecutors also named the aliases of four North Korean IT workers. The Department of State is offering up to $5 million for information about them: Jiho Han, Chunji Jin, Haoran Xu and a manager known as Zhonghua.

Chapman netted at least $6.8 million for North Korea between October 2020 and October 2023. North Korea is under tight international economic sanctions and desperate for hard currency, including to fund development of weapons of mass destruction. The false workers come under the aegis of the Munitions Industry Department - a Pyongyang agency that oversees the development of ballistic missiles and weapons production.

The country, the world's only hereditary Communist monarchy, has a well-established history of hacking financial institutions and cryptocurrency wallets while also looking to earn money through less conventional means (see: Breach Roundup: Cloud Error Reveals DPRK Sanctions Busting).

Often finding employment through an intermediary staffing agency, North Koreans performed work for a Detroit car maker, "a premier Silicon Valley technology company," one "of the most recognizable media and entertainment companies in the world," a Silicon Valley tech company and an aerospace and defense manufacturer, prosecutors said. They stole data from at least two companies - a "multinational restaurant chain and a classic American clothing brand." They attempted more than once to find employment with government agencies but were thwarted by due diligence.

Didenko allegedly funneled about $920,000 back to North Korea through money transfer services since 2018. He ran a now-seized platform called UpWorkShell on the open internet that advertised the ability for remote IT workers to buy or rent accounts in the name of other identities. Prosecutors said he managed up to 871 proxy identities. The FBI said UpWorkShell also advertised "credit card rental," as well as rentals of cell phone SIM cards and accounts at money service transmitters.

Both criminal suspects operated "laptop farms" at residences inside the United States. The farms hosted computers that companies had shipped to their putative American workers, and the real workers connected to those machines from abroad. Chapman's activities allegedly affected more than 300 U.S. companies and involved the identities of 60 U.S. persons, used to cover the real person performing the work.

An Oct. 27 FBI raid on her Arizona home discovered more than 90 computers, each with a note attached naming a U.S. company and a putative U.S. identity. At least three of those laptops belonged to the unnamed U.S. cybersecurity firm. Prosecutors said the firm received in September a tip that a former contractor, who had worked for about five months through a staffing agency, updated the associated LinkedIn profile using an IP address associated with a Pyongyang espionage group. An investigation identified eight additional former contractors who exhibited similar behavior - namely, installing remote-control web browser extensions to provide remote access through a proxy service, and using VPNs.
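The two indicators described above - many supposedly separate employees whose company laptops all sit behind one residential IP address, and company laptops carrying remote-control browser extensions - are the kind of thing an endpoint or identity team can check for in its own telemetry. The following is an added example written for this article, not code from the FBI, the prosecutors or the cybersecurity firm involved. It assumes a simple per-host inventory record (hostname, assigned employee, last observed public IP, installed browser extensions); the host records, IP addresses (from the reserved TEST-NET ranges) and extension names are all constructed placeholders, not real indicators from the case.

```python
"""Flag laptop-farm and remote-control-extension patterns in constructed endpoint inventory.

Added example for illustration; the schema below is an assumption, not a real
product's export format, and every value in SAMPLE_RECORDS is made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class HostRecord:
    """One company-issued laptop as reported by an endpoint agent (assumed schema)."""
    hostname: str
    employee: str          # account the laptop was issued to
    public_ip: str         # egress IP the agent last checked in from
    extensions: Tuple[str, ...]  # installed browser extension names


# Placeholder names standing in for whatever remote-control extensions an
# organisation decides to treat as unauthorised; not real extension identifiers.
REMOTE_CONTROL_EXTENSIONS = {"browser-rc-agent", "remote-desktop-helper"}


def find_shared_egress(records: List[HostRecord], min_accounts: int = 3) -> Dict[str, List[str]]:
    """Return {public_ip: [employees]} where at least min_accounts distinct
    employee accounts check in from the same IP.

    A household normally has one or two corporate laptops behind its router;
    many distinct "employees" on one residential IP is the laptop-farm shape
    the indictment describes (90+ laptops at a single home).
    """
    employees_by_ip: Dict[str, set] = defaultdict(set)
    for rec in records:
        employees_by_ip[rec.public_ip].add(rec.employee)
    return {
        ip: sorted(emps)
        for ip, emps in employees_by_ip.items()
        if len(emps) >= min_accounts
    }


def find_remote_control_hosts(records: List[HostRecord]) -> Dict[str, List[str]]:
    """Return {hostname: [matched extensions]} for laptops that carry a
    remote-control browser extension from the deny-list."""
    hits: Dict[str, List[str]] = {}
    for rec in records:
        matched = sorted(set(rec.extensions) & REMOTE_CONTROL_EXTENSIONS)
        if matched:
            hits[rec.hostname] = matched
    return hits


def prioritize(records: List[HostRecord], min_accounts: int = 3) -> List[str]:
    """Hostnames that show BOTH signals: parked at a shared-egress IP and
    fitted with a remote-control extension. Either signal alone has benign
    explanations (shared office NAT, a support tool); together they are the
    combination the firm in the article observed across its former contractors.
    """
    farm_ips = set(find_shared_egress(records, min_accounts))
    rc_hosts = find_remote_control_hosts(records)
    return sorted(
        rec.hostname for rec in records
        if rec.public_ip in farm_ips and rec.hostname in rc_hosts
    )


# Constructed sample inventory. 198.51.100.23 plays the role of a residential
# IP with four different "employees" behind it; the other two hosts are normal.
SAMPLE_RECORDS = [
    HostRecord("LT-0001", "alice.smith", "198.51.100.23", ("browser-rc-agent", "ad-blocker")),
    HostRecord("LT-0002", "bob.jones", "198.51.100.23", ("password-manager",)),
    HostRecord("LT-0003", "carol.white", "198.51.100.23", ()),
    HostRecord("LT-0004", "dan.brown", "198.51.100.23", ("ad-blocker",)),
    HostRecord("LT-0005", "erin.davis", "203.0.113.9", ("remote-desktop-helper",)),
    HostRecord("LT-0006", "frank.moore", "192.0.2.44", ("ad-blocker",)),
]

if __name__ == "__main__":
    print("shared egress:", find_shared_egress(SAMPLE_RECORDS))
    print("remote-control hosts:", find_remote_control_hosts(SAMPLE_RECORDS))
    print("review first:", prioritize(SAMPLE_RECORDS))
```

Running the block on the constructed data flags the four accounts behind 198.51.100.23 as a shared-egress cluster, lists LT-0001 and LT-0005 as carrying a deny-listed extension, and puts only LT-0001 at the top of the review queue because it shows both signals. In a real deployment the same two functions would run over the agent's inventory export, with the deny-list and the `min_accounts` threshold tuned to the organisation's own remote-access policy.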

The same cybersecurity firm in November discovered a stash of documents on an online storage platform detailing North Korean IT workers' attempts to gain employment. They included guides to writing cover letters and building a resume, and scripts for interviews. The firm assessed with high confidence that the documents belong to the same cyberespionage group as the former contractor.

Court documents show Didenko once came into virtual contact with Chapman. At one point, a customer of Didenko's allegedly complained that a laptop was not being set up at a Virginia laptop farm quickly enough and directed him to reship the laptop to Chapman.

As part of law enforcement operations against remote North Korean IT workers, the FBI also conducted raids on alleged laptop farm locations set up by Didenko in a San Diego apartment, two houses in Jefferson City, Tennessee, and a house in Virginia Beach, Virginia.

Chapman faces up to 97 and a half years in prison, while Didenko could face a 67-and-a-half-year sentence. The unidentified North Korean IT workers could each face 20 years, if their real identities are ever discovered and they are arrested in a jurisdiction with a U.S. extradition treaty.

About the Author

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.
