WFH in DPRK

The North Koreans sneaking into American coding jobs

Propaganda poster showing North Korean students using computers (Getty Images)

How a daring and sophisticated fraud operation got North Koreans working US tech jobs

A federal indictment says a modest Arizona ranch home operated as a hub of illicit finance for one of the country’s most dangerous enemies.

6/26/24 7:00AM

The Phoenix suburb of Litchfield Park seems an unlikely backdrop for international intrigue. You’d never find Jason Bourne screeching through its sun-banked subdivisions and golf courses in a vintage BMW, though a Club Car could present interesting possibilities.

But in a federal indictment unsealed last month, prosecutors said a modest cocoa-colored ranch home — minutes from the Wigwam Golf Club — operated as a hub of illicit finance for a ballistic-missile program run by one of America’s most dangerous enemies.

Christina Chapman Residence
Image from the November 2023 search warrant issued by the United States District Court for the District of Arizona.

Since November 2016, after the US imposed sanctions restricting North Korea’s access to the American financial system, the isolated totalitarian state has pioneered a range of shadowy online efforts to get the hard currency needed to fund weapons programs critical to Kim Jong Un’s regime.

It’s a broad portfolio of tactics encompassing everything from high-profile crypto heists and crippling ransomware attacks — North Korea’s state hackers are thought to be behind the 2017 WannaCry attack, for example — to one-off ATM scams and poker sites embedded with malware. Business has been good. In 2022, the UN estimated that North Korea took in between $600 million and $1 billion through its crypto-related capers alone. Other estimates suggest that the regime could gain as much as $5 to $7 billion a year through online crimes, which often feature remarkable feats of engineering and hacking. 

Less well known, though, is an unglamorous program in which North Koreans with a passable amount of IT training simply work freelance for Western companies, collecting paychecks in exchange for carrying out the nameless nuts-and-bolts labor of the internet, like web and app development, database creation and animation. 

The US government estimates that thousands of North Koreans, based mostly in China and Russia, are part of the effort, which has expanded with the rise of remote work.

“That definitely enabled this operation to become bigger than it was,” Alex O’Neill said. He’s an analyst who’s studied North Korean cyber operations and recently published a report on the topic for the Royal United Services Institute, a UK defense and security think tank. “So many people are doing remote work now, and also so many people are contracting out work that previously — call it 5 years ago or 10 years ago — you couldn't really contract out. It just made it a lot easier for the North Koreans to get a foothold.”

In May 2022, the US government issued an advisory warning businesses against inadvertently hiring North Koreans and laying out some of the techniques of online subterfuge that help them elude detection. Last year the FBI published updated guidance on such techniques.  

These ruses involve using fake documents purchased off the dark web, private networks and servers, third-party IP addresses, and proxy accounts. There tends to be one significant snag in these operations: the difficulty of getting paid and channeling that money home. Almost all the proceeds are claimed by the North Korean regime, which remains severed from the global financial system.  

“The North Koreans rely on facilitators,” O’Neill said of the complicated and costly networks of humans the regime depends on to handle its financial transactions. “There is no Bank of America in Pyongyang.” 

In a May federal indictment laying out charges of fraud, money laundering, and conspiracy, the Justice Department said that Christina Marie Chapman, a 49-year-old woman recently living in Litchfield Park, had been one of these facilitators. The indictment alleges that she carried out the grunt work that makes such schemes work, from validating stolen IDs and faking tax documents to receiving and setting up corporate laptops, depositing paychecks, and transferring money overseas.

“The conspiracy perpetrated a staggering fraud on a multitude of industries,” the indictment said, involving the identities of 60 Americans and interactions with 300 companies, including an unnamed television network, “a premier Silicon Valley technology company,” an aerospace and defense firm, and “one of the most recognizable media and entertainment companies in the world.” A separate application for a search warrant of Chapman’s residence sought information related to Fisker Automotive, MassMutual, Rocket Mortgage, NBCUniversal Media, and Hyatt Hotels, among other companies. The scheme generated some $6.8 million in revenue, federal prosecutors said.

Chapman was arrested on May 15 and entered a plea of not guilty. She is in Arizona awaiting an August court date. Repeated efforts to reach her and her attorney for comment were unsuccessful. The government alleges that Chapman operated a “laptop farm,” using her residence to host the corporate laptops that companies sent to workers they believed were in the US.  

As laid out in the indictment, it amounted to an incredibly irritating, and ultimately legally perilous, set of administrative tasks, with Chapman accused of receiving, unpacking, and setting up computers. The documents say she labeled them with the corresponding fake identity of the worker, juggled passwords and login information, and installed software — particularly the remote-worker software AnyDesk. Prosecutors said she relayed dozens of computers from US companies overseas, mostly to the Chinese city of Dandong, just across the Yalu River from North Korea.

At times, the government says, Chapman was called on in real time to maintain the illusion that the workers were who they said they were. In November 2022, after setting up a computer for a North Korean worker known as “AT,” she fielded a frantic message, the indictment said.

AT: Anydesk is not available, I think it’s probably screen lock issue. Could you please remove anydesk and install it again? … And please unlock screensaver…

AT: Hi, please help me, it’s very urgent. I have to meet team in 30 mins.

The next year, prosecutors said, the same worker — this time under the stolen US identity “Daniel B.” — apparently was under pressure again.

AT: We are going to have laptop setup meeting in 20 mins. Can you join Teams meeting and follow what IT guy say? Because it will require to restart laptop multiple times... 

CHAPMAN: Who do I say I am? 

AT: You don’t have to say, I will be joining there too. 

CHAPMAN: It’s going to have my name on it, right? 

AT: You just mute and listen, then follow what she instruct, she may ask you to restart laptop. …

CHAPMAN: I just typed in the name Daniel. If they ask WHY you are using two devices, just say the microphone on your laptop doesn’t work right. 

AT: Ok

CHAPMAN: Most IT people are fine with that explanation. 

On one occasion, the government said, Chapman was asked to retrieve a physical security badge at what’s described as a “Fortune 500 aerospace and defense manufacturer.” The indictment says Chapman responded that she would send one of her assistants, but added, “They don’t know that you guys use ‘borrowed identities.’” Chapman then asked the IT worker she was corresponding with whether they were indeed “Ryan F.,” the identity on the physical badge. After the worker said no, Chapman replied: “So it’s a stolen identity… and you’re asking me to have my assistant handle something that is illegal,” the indictment said.  

The indictment also says Chapman charged for such services, with IT workers sending nearly $180,000 in payments between November 2021 and October 2023. Numerous individual payments were labeled as “development work,” “service fee,” or “web design.”

According to the government, Chapman was a cog in a much larger scheme, centered on a website they said was operated by 27-year-old Ukrainian Oleksandr Didenko. He was arrested last month in Poland and is facing extradition. 

The Department of Justice said Didenko’s site connected foreign workers seeking remote work at US companies with fake identities and access to US laptop farms to make it appear that they were in the US. The US says Didenko coordinated with other laptop farms in San Diego, Jefferson City, Tennessee, and Virginia Beach, according to an unsealed indictment against the Ukrainian. 

Amid an investigation of the organization, Chapman’s Litchfield Park address surfaced several times, attracting the attention of the FBI.

The bureau reported that in May 2023, a computer shipped to Chapman’s Arizona residence from an insurance company — a remote worker had claimed it was their parents’ home, where they were recovering from surgery — triggered concern after a suspicious internet-service provider based in the Seychelles, in Africa, tried to log in. The company’s security blocked the connection and turned on the computer’s camera, “capturing a screen shot of Chapman.”

Christina Marie Chapman
An image of Christina Marie Chapman, taken from the search warrant issued for her Litchfield Park, Ariz., home. (USDC for the District of Arizona.)

In an application for a search warrant for the premises, agent Cody Rehrer noted a June 6, 2023 post on TikTok, which appeared to be taken at the house. 

“The TikTok video appears to be taken on a cellular phone, based on the movement of the camera during the video,” the affidavit said. “The video appears to show roughly more than ten laptops that appear to be running.” 

By last October, Rehrer was surveilling the house.

While the North Korean remote-worker program appears to be a relatively small piece of the cybercrime revenue the regime relies on, the size of the pie has been growing.

Last year, Anne Neuberger, deputy national-security adviser for cyber and emerging technology, said that roughly half of North Korea’s ballistic-missiles program was funded by cybercrime and crypto theft. 

Even if they’re not the most remunerative cyber ops, North Korean IT workers still present a security threat to Americans and companies, analysts and officials said.

That’s because these workers have been known to probe vulnerabilities once they gain access to the IT systems of companies, looking for opportunities to steal data, worker information, and intellectual property, as well as to code in back doors to allow future access. It’s even thought that the relatively low-level IT workers can pass along their access to more sophisticated hacking operations run by the regime.

But such exploits seem to be the exception more than the rule, O’Neill said.

“What appears to be much more common is they just do some freelance IT work,” he said.  


Sherwood Media, LLC produces fresh and unique perspectives on topical financial news and is a fully owned subsidiary of Robinhood Markets, Inc., and any views expressed here do not necessarily reflect the views of any other Robinhood affiliate, including Robinhood Markets, Inc., Robinhood Financial LLC, Robinhood Securities, LLC, Robinhood Crypto, LLC, or Robinhood Money, LLC.