Massive North Korean Fraud Planted Tech Workers, Hit 300 U.S. Companies

News Room
13 Min Read

Think that your data is safe thanks to your information technology (IT) department? Think again.

The Department of Justice (DOJ) has unsealed several court documents focused on identity theft and other crimes linked to the Democratic People’s Republic of Korea (DPRK or North Korea). Prosecutors, who allege that North Korean IT workers have been infiltrating and defrauding U.S. companies, called it the largest case ever charged involving this type of scheme.

The Scheme

According to court documents, North Korea sent thousands of skilled IT workers around the world with stolen or borrowed identities to infiltrate U.S. companies’ networks, and raise money to contribute to the North Korean weapons program in violation of U.S. and U.N. sanctions. The schemes involved defrauding more than 300 U.S. companies, including many well-known large companies, using U.S. payment platforms and online job site accounts, proxy computers located in the U.S., and U.S. persons and entities (some of which didn’t realize that they were helping to commit fraud).

Prosecutors claim the scheme began early in 2020 when a group of overseas IT workers began performing services remotely for U.S. companies. To get the jobs, the workers stole the identities of U.S. nationals and applied for remote jobs in the U.S. Once they had obtained jobs in the U.S.—sometimes through the use of staffing companies—they were able to access the internal systems of U.S. companies. Not only did they steal data and money, they were paid millions of dollars for their work, and falsely reported that information to the IRS.

Christina Marie Chapman

One of those charged is Christina Marie Chapman, a U.S. citizen who was arrested in Litchfield Park, Arizona, alongside her co-conspirators (referred to in the indictment as John Does 1-3, using the aliases Jiho Han, Haoran Xu, and Chunji Jin).

Chapman is accused of assisting the IT workers in validating stolen identity information so that they could pose as U.S. citizens. The overseas IT workers gained employment at U.S. companies, including a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car manufacturer, a luxury retail store, and a U.S.-hallmark media and entertainment company (referred to in the indictment as “one of the most recognizable media and entertainment companies in the world”), all of which were Fortune 500 companies. Prosecutors say the overseas IT workers also exfiltrated (a fancy tech word for stole) data from at least two U.S. companies, including a multinational restaurant chain and an American clothing brand.

(The overseas IT workers also attempted to gain employment and access to information at two different U.S. government agencies on three other occasions, although these efforts were generally unsuccessful.)

The FBI also executed search warrants for U.S.-based “laptop farms.” Laptop farms are residences that host laptops for overseas IT workers, so the IT workers appear to be operating inside the U.S.

Chapman’s residence was among those searched in October 2023 under a warrant issued in the District of Arizona. She is accused of hosting a laptop farm in her home to assist in the scheme. Prosecutors also allege that she received and forged payroll checks and received direct deposits of the overseas IT workers’ wages from the U.S. companies into her U.S. financial accounts.

“Using the stolen identities of U.S. citizens is a crime by itself, but when you use those identities to procure employment for foreign nationals with ties to North Korea at hundreds of U.S. companies, you have compromised the national security of an entire nation,” said Chief Guy Ficco of IRS-CI. “For more than 100 years, IRS Criminal Investigation special agents have been following the money, and their financial expertise has once again stopped criminals in their tracks.”

Prosecutors claim that Chapman was initially approached to participate in the scheme on LinkedIn, where she was asked to be the “U.S. face” of a company. (Her LinkedIn page appears to have been taken down.)

Now, Chapman is specifically charged with conspiracy to defraud the United States, conspiracy to commit wire fraud, conspiracy to commit bank fraud, aggravated identity theft, conspiracy to commit identity fraud, conspiracy to launder monetary instruments, operating as an unlicensed money-transmitting business, and unlawful employment of aliens. The John Does are charged with conspiracy to commit money laundering.

Chapman has been indicted, and has not yet entered a plea. If convicted, Chapman faces a maximum penalty of 97.5 years in prison, including a mandatory minimum of two years on the aggravated identity theft count.

According to court documents, Chapman is currently represented by a federal public defender.

The John Does are still at large. The U.S. Department of State has announced a reward of up to $5 million for information related to Chapman’s co-conspirators. The DOJ encourages anyone with information on Jiho Han, Haoran Xu, Chunji Jin, Zhonghua, associated individuals or entities, or their revenue-generating and money laundering activities to contact the Rewards for Justice office via its Tor-based tips-reporting channel at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required).

Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division, said:“The charges in this case should be a wakeup call for American companies and government agencies that employ remote IT workers. These crimes benefitted the North Korean government, giving it a revenue stream and, in some instances, proprietary information stolen by the co-conspirators. The Criminal Division remains firm in its commitment to prosecute complex criminal schemes like this one.”

Oleksandr Didenko

A criminal complaint was also unsealed in the District of Columbia, charging Oleksandr Didenko, of Kyiv, Ukraine, with a separate scheme to create fake accounts at U.S. IT job search platforms and with U.S.-based money service transmitters.

According to the criminal complaint, Didenko ran a website, upworksell.com, that purports to provide services to remote IT workers. According to the affidavit supporting the complaint provided by the Special Agent with the FBI, who reviewed the website, the site advertised the ability for remote IT workers to buy or rent accounts in the name of identities other than their own. The site also advertised “Credit Card Rental” in the European Union and the U.S. and SIM card rental for cell phones—customers sent money to be loaded onto the card, and Didenko provided the card information to the customer after taking a fee.

Didenko allegedly provided a variety of options to pay him, including in USDT (Tether
Tether
stablecoin cryptocurrency), BUSD (Binance stablecoin cryptocurrency), USDC
USDC
(USD Coin stablecoin cryptocurrency), and via U.S. Money Service Transmitter (MST) accounts.

Prosecutors allege that these were part of a “full array of services” that also included bogus interviews to allow individuals to pose under a false identity and market themselves for remote IT work with unsuspecting companies.

(The domain upworksell.com has since been seized by the DOJ under a court order, and all traffic was diverted to the FBI. A message advising that happened now appears on the site.)

According to the affidavit supporting the complaint, Didenko managed as many as approximately 871 “proxy” identities, provided proxy accounts for three freelance U.S. IT hiring platforms, and provided proxy accounts for three different U.S.-based money service transmitters. In coordination with his co-conspirators, Didenko facilitated the operation of at least three U.S.-based laptop farms, at one point hosting approximately 79 computers.

Prosecutors allege that Didenko acknowledged in messages that he believed he was assisting North Korean IT workers. In addition, in November of 2023, a U.S. cybersecurity firm discovered documents in an online storage platform related to North Korean IT workers’ attempts to obtain employment as remote workers. According to court documents, the firm assessed with “high confidence” that these documents could be attributed to an espionage group tied to North Korea. The firm stated, “Several of the documents we discovered contained information that more definitively points to North Korea. Many of the passwords associated with these documents were made through Korean language typed on a U.S. keyboard, and some passwords include words only used in North Korea. Furthermore, Korean keyboard language settings were found on computers used by threat actors behind these campaigns.”

The documents included guides and tips on securing employment, writing a cover letter, building a resume, sample resumes of purported IT workers, and interview scripts. Several documents were related to online job postings seeking employees that North Korean IT workers secured, including jobs with U.S. employers that were later tied through business records to the computers found in Chapman’s residence (prosecutors allege that Didenko and Chapman’s activities were connected).

One of Didenko’s overseas IT worker customers also requested that a laptop be sent from one of Didenko’s U.S. laptop farms to Chapman’s laptop farm, showing the interconnectivity of these cells within the North Korean overseas IT worker network. Search warrants for four U.S. residences associated with laptop farms controlled by Didenko were issued in the Southern District of California, Eastern District of Tennessee, and Eastern District of Virginia.

If convicted, Didenko faces a maximum penalty of 67.5 years in prison, including a mandatory minimum of two years on the aggravated identity theft count. Polish authorities arrested Didenko on May 6 at the request of the U.S., which is seeking Didenko’s extradition from Poland.

Court documents have not identified whether Didenko has obtained U.S. legal representation.

Alerts

In 2022, the FBI and the Departments of State and Treasury issued an advisory to alert the international community, private sector, and public about the North Korean IT worker threat. The 16-page guide provided detailed information on how North Korean IT workers operate, red flag indicators for companies hiring freelance developers and for freelance and payment platforms to identify those workers; and general mitigation measures for companies to better protect against inadvertently hiring or facilitating the operations of such workers.

The United States and the Republic of Korea (South Korea) issued updated guidance in October 2023. It includes new indicators to watch for that are consistent with North Korean IT worker fraud and additional due diligence measures the international community, private sector, and public can take to prevent the hiring of North Korean IT workers.

The FBI encourages U.S. companies to report suspicious activities, including any suspected North Korean IT worker activities, to local field offices.

Read the full article here

Share This Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *