As if taken from a Hollywood script, the DOJ shared publicly how an Arizona woman and three unidentified foreign nationals placed overseas information technology workers, posing as U.S. citizens and residents, in remote positions within U.S. companies. In a nutshell, the quartet put together a scheme in which they hoodwinked over 300 companies into hiring North Korean (DPRK) IT workers who used stolen or borrowed U.S. person identities in order to raise hard currency revenue for the DPRK. The scheme ran from at least October 2020 through October 2023.

Separately, yet remarkably similar, the DOJ also shared data concerning the arrest of Ukrainian national Oleksandr Didenko, who ran a years-long scheme creating fake identities on U.S. IT search platforms with U.S.-based money service transmitters. Didenko then sold these accounts to foreign nationals outside the United States who used these identities to apply for jobs. Some of those identities, Didenko advises, were used by the DPRK.

Laptop farming for North Korea

The U.S. citizen identified in the unsealed indictment, Christina Marie Chapman, was arrested on May 15 in Litchfield Park, AZ. Ukrainian citizen Didenko was arrested on May 7 in Poland, and the United States is seeking his extradition. There is a $5 million reward for information leading to the arrest of Chapman’s three co-conspirators.

According to the DOJ, “The overseas IT workers gained employment at U.S. companies, including at a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car manufacturer, a luxury retail store, and a U.S.-hallmark media and entertainment company, all of which were Fortune 500 companies.”

It is important to note that the DOJ was cognizant that some of these companies could have been targeted specifically by the DPRK, stating, “Some of these companies were purposely targeted by a group of DPRK IT workers, who maintained postings for companies at which they wanted to insert IT workers.”

Furthermore, Chapman’s stable of IT workers attempted to garner employment at two U.S. government agencies on multiple occasions (unsuccessfully).

Chapman ran a “laptop farm” hosting a multitude of IT workers’ “company-issued” computers inside her home. These computers provided the U.S. presence for the “employees”: the overseas IT workers connected into her home and then, via their company-issued device, into their employer’s network. Chapman used her residence to receive checks, correspondence, etc., and charged the workers a monthly fee for the service. As noted, over 300 companies were impacted and the identities of over 60 U.S. persons were stolen or borrowed. The scheme generated over $6.8 million in revenue for the overseas workers, laundered through Chapman’s laptop farm.

South Korea details the scheme

It should be noted that on December 8, 2022, the Republic of Korea (South Korea) Foreign Ministry issued a warning that this scheme was being used by North Korea to increase hard currency revenue for the DPRK. The warning was explicit, “DPRK IT workers are located all around the world, obfuscating their nationality and identities. They earn hundreds of millions of dollars a year by engaging in a wide range of IT development work, including freelance work platforms (websites/applications) and cryptocurrency development, after obtaining freelance employment contracts from companies around the world.”

South Korea outlined the modus operandi of the DPRK’s dispatch of “highly skilled IT workers all over the world, including Asia and Africa. IT workers located overseas form groups and live together and they earn foreign currency by obtaining IT development work via online freelance work platforms.”

The warning continues, “They present themselves as non-North Korean nationals and work as freelance IT workers, obtaining employment contracts from companies located in developed countries in North America, Europe and East Asia.”

According to the Ministry, the following indicators can help employers identify DPRK IT workers working under false identities:

  • Multiple logins into one account from various IP addresses in a relatively short period of time;
  • Developers are logged into their accounts continuously for a whole day;
  • Developers log into multiple accounts on the same platform from one IP address;
  • Developer accounts whose cumulative working hours exceed several thousand hours;
  • Developer accounts receiving high ratings, especially when client companies which engaged in ratings have a payment account identical to that of the account owner;
  • New developer accounts using same or similar documents with those submitted by existing accounts.
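
The first three indicators can be checked directly against login records. The sketch below is an added example, not code from the Ministry's advisory or from the DOJ filings: the event format, account names, documentation-range IP addresses and every threshold are assumptions chosen for illustration, and "logged in for a whole day" is approximated as activity seen in nearly every hour of one calendar day.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (account, source IP, ISO timestamp).
# IPs are from documentation ranges; nothing here comes from the advisory.
EVENTS = [
    ("dev_a", "192.0.2.10", "2024-05-01T09:00"),
    ("dev_a", "198.51.100.7", "2024-05-01T09:20"),
    ("dev_a", "203.0.113.5", "2024-05-01T09:45"),
    ("dev_b", "203.0.113.5", "2024-05-01T10:00"),
    ("dev_c", "203.0.113.5", "2024-05-01T10:05"),
    ("dev_d", "192.0.2.77", "2024-05-01T08:00"),
    ("dev_d", "192.0.2.77", "2024-05-02T08:30"),
] + [("dev_e", "192.0.2.99", f"2024-05-01T{h:02d}:15") for h in range(24)]

def parse(events):
    return sorted((datetime.fromisoformat(t), a, ip) for a, ip, t in events)

def accounts_with_ip_churn(events, window=timedelta(hours=1), min_ips=3):
    """Indicator 1: one account, many source IPs inside a short window."""
    per_account = defaultdict(list)
    for ts, account, ip in parse(events):
        per_account[account].append((ts, ip))
    flagged = set()
    for account, logins in per_account.items():
        for i, (start, _) in enumerate(logins):
            ips = {ip for ts, ip in logins[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged.add(account)
                break
    return flagged

def accounts_active_all_day(events, min_hours=20):
    """Indicator 2 (approximation): activity in nearly every hour of one day."""
    hours = defaultdict(set)
    for ts, account, _ in parse(events):
        hours[(account, ts.date())].add(ts.hour)
    return {acct for (acct, _), hrs in hours.items() if len(hrs) >= min_hours}

def shared_ips(events, min_accounts=3):
    """Indicator 3: one source IP used to log into several accounts."""
    accounts = defaultdict(set)
    for _, account, ip in parse(events):
        accounts[ip].add(account)
    return {ip: sorted(a) for ip, a in accounts.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    print(accounts_with_ip_churn(EVENTS), accounts_active_all_day(EVENTS), shared_ips(EVENTS))
```

Shared office egress addresses and corporate VPNs will also trip the third check, so hits are leads for review alongside the other indicators, not verdicts.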

Didenko’s identity roulette

The affidavit supporting the complaint alleges Didenko managed approximately 871 “proxy” identities on three U.S. IT hiring platforms. To accomplish this, he used three U.S.-based laptop farms hosting 79 computers. Didenko offered a slightly different service than Chapman, with the same end goal: placing workers inside U.S. companies. The DOJ described Didenko’s efforts this way: “Didenko ran a website, upworksell.com, which advertised creating, buying, and renting accounts at U.S. websites using false identities, and also advertised ‘Credit Card Rental’ in the European Union and the United States and SIM card rental for cellular phones.” The DOJ also notes the interaction between Didenko’s and Chapman’s clientele, when a laptop from Didenko’s laptop farm was requested to be sent to Chapman’s laptop farm.

Seeding into U.S. companies

“Today’s announcement of charges and law enforcement action show our broad approach to attacking funding sources for North Korea across the United States,” said U.S. Attorney Matthew M. Graves for the District of Columbia. “We will continue to vigorously pursue cases against individuals, in the United States and abroad, that use U.S. financial systems to raise revenue for North Korea.”

The U.S. Attorney’s office understands the financial fraud taking place, which provides an avenue to prosecution. There is more than just financial fraud at play, this jaded eye observes. If egg on the face of 300-plus companies whose hiring and onboarding pipelines have been hoodwinked isn’t sufficient incentive for all human resource departments to review their “verification processes,” then the understanding that the DPRK used this mechanism to seed individuals in targeted companies for purposes beyond the financial aspect should be. They were after infrastructure knowledge, intellectual property, and more.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com.