Arizona woman charged in North Korean IT worker scheme that raised millions

US federal prosecutors on Thursday charged an Arizona woman with participating in an elaborate fraud scheme to help foreign IT workers pose as Americans, get hired by major US companies and earn $6.8 million in revenue that could benefit the nuclear-armed North Korean regime.

The scheme compromised the identities of 60 Americans and affected 300 US companies, including a major national TV network, a “premier” Silicon Valley tech company, and an “iconic” American car maker, says an indictment unsealed in the US District Court for the District of Columbia. The indictment did not name the companies.

The Arizona woman, Christina Chapman, is accused of running a “laptop farm” from her home, in which she logged into US company-issued laptops on behalf of the foreign IT workers to trick companies into believing the workers were living in the US. At least some of the workers are described as North Korean nationals in the indictment.

The court documents shed light on a broader phenomenon that US national officials have been trying to thwart for years: How thousands of North Korean overseas IT workers are trying to subvert sanctions and send untold amounts of money back to Pyongyang.

Chapman is charged with nine counts including conspiracy to defraud the US. She has been arrested and is expected to make her initial court appearance in Arizona on Thursday, a law enforcement official familiar with the matter told CNN. Court records did not identify a lawyer for Chapman.

“The conspiracy perpetrated a staggering fraud on a multitude of industries, at the expense of generally unknowing U.S. companies and persons,” the indictment says.

The overseas IT workers also “attempted to gain employment and access to information at two different U.S. government agencies on three different occasions,” the indictment says, not naming the agencies. Those attempts were “discovered and thwarted,” prosecutors said.

In a separate criminal complaint unsealed Thursday, a Ukrainian man named Oleksandr Didenko was accused of operating at least three “laptop farms” comprised of 79 computers in San Diego; Jefferson City, Tennessee; and Virginia Beach, Virginia. Didenko ran a business that allowed clients, including overseas IT workers, to use false identities to get hired for remote work, prosecutors alleged. A person who gave their name as Christina Chapman was among the people that Didenko shipped a laptop to, according to the complaint.

When the FBI used a warrant to search Chapman’s residence in October, agents found more than 90 computers, the complaint says. Three jobs filled by North Korean IT workers at US companies were tied through business records to the computers found in Chapman’s residence, according to the complaint.

Didenko is accused of aggravated identity theft and wire fraud among other charges. He is not yet in custody in the US, the law enforcement official told CNN.

North Korean IT workers generally pose as other nationalities, offer to work remotely and apply for jobs in gaming, IT support, and artificial intelligence, among other sectors, according to a 2022 public warning from the State Department and other agencies.

FBI agents and State and Treasury officials have been quietly trying to raise awareness of the North Korean insider threat by conducting briefings for business executives and chasing down leads about potential North Korean IT workers at US companies.

Some of these IT workers work closely with North Korean hackers, who are also a rich source of revenue for the regime, according to experts. About half of North Korea’s missile program has been funded by cyberattacks and cryptocurrency theft, a White House official said last year.

“By directing its IT workers to gain employment at Western companies, North Korea has weaponized its tech talent and created the ultimate insider threat,” Michael Barnhart, a North Korea specialist at Google-owned cybersecurity firm Mandiant, told CNN.

“These operatives bypass sanctions by diverting their paychecks to help fund North Korea’s nuclear program. Simultaneously, they’re providing a foothold into major organizations for North Korea’s more advanced threat groups,” Barnhart said.

A previous CNN investigation found that the founder of a California-based cryptocurrency startup had unwittingly paid tens of thousands of dollars to a North Korean engineer. The entrepreneur was unaware of the situation until the FBI notified him, he said.

And North Korean illustrators and graphic designers appear to have helped produce work for US animation studios unbeknownst to those companies, independent researchers told CNN last month. The researchers discovered a trove of cartoon sketches on an open computer server on the North Korean portion of the internet.

The State Department on Thursday offered $5 million in rewards for “information that leads to the disruption” of North Korean money laundering or other financial fraud.

The State Department rarely reveals details of the fruits of its “Rewards for Justice” program, which the department says has paid about $250 million to some 125 people worldwide over the last 40 years for tips that helped apprehend terrorists and counter national security threats. But the department did say on Thursday that it had paid $5 million each to two unnamed people whose information “helped disrupt an illicit financial scheme that benefited” North Korea.
