The U.S. federal prosecutors on Thursday revealed charges against a North Korean job fraud nexus that ran its fraudulent scheme to generate illicit revenue for Kim Jong Un’s regime and support its sanctioned nuclear program.
The U.S. Department of Justice indicted an Arizona woman, a Ukrainian man and three North Korean nationals for their alleged participation in job fraud schemes that placed overseas information technology workers – posing as U.S. citizens and residents – in remote positions at U.S. companies.
This job fraud nexus scammed more than 300 U.S. companies and accumulated at least $6.8 million, said the unsealed indictment of Christina Marie Chapman, 49, from Litchfield Park, Arizona.
The U.S. State Department said that between October 2020 and October 2023, Chapman, a U.S. citizen, helped North Korean IT workers under the aliases Jiho Han, Chunji Jin and Haoran Xu, to fraudulently obtain work as remote software and applications developers with companies in a range of sectors and industries including a major television network, a Silicon Valley technology company, an aerospace and defense company, an American car manufacturer, a luxury retail store and a U.S.-hallmark media and entertainment company.
“They also attempted – but failed – to gain similar employment at two U.S. government agencies,” the State Department said.
In pursuit of running the job fraud scheme, Chapman and her co-conspirators took help of identity fraud.
“They compromised more than 60 identities of (legitimate) U.S. persons, impacted more than 300 U.S. companies, caused false information to be conveyed to the Department of Homeland Security on more than 100 occasions, created false tax liabilities for more than 35 U.S. persons, and resulted in at least $6.8 million of revenue to be generated for the overseas IT workers,” the Justice Department said.
“The charges in this case should be a wakeup call for American companies and government agencies that employ remote IT workers. These crimes benefitted the North Korean government, giving it a revenue stream and, in some instances, proprietary information stolen by the co-conspirators,” said Principal Deputy Assistant Attorney General Nicole Argentieri, head of the Justice Department’s Criminal Division.
“On the surface, today’s allegations of wire fraud, identity theft, and money laundering may read like a typical white collar or economic crime scheme,” said Assistant Director Kevin Vorndran of the FBI’s Counterintelligence Division. “But what these allegations truly represent is a new high-tech campaign to evade U.S. sanctions, victimize U.S. businesses, and steal U.S. identities.”
Chapman’s Role in Job Fraud
Chapman hosted a “laptop farm,” for the North Korean IT workers at her residence, so that the computers appeared to be located within the United States on a daily basis.
“She also helped launder the proceeds from the scheme by receiving, processing, and distributing paychecks from the U.S. firms to these IT workers and others,” the State Department said.
Chapman was arrested on Wednesday in her hometown in Arizona and faces a litany of counts including conspiracy to defraud the United States, conspiracy to commit wire fraud, conspiracy to commit bank fraud, aggravated identity theft, conspiracy to commit identity fraud, conspiracy to launder monetary instruments, operating as an unlicensed money transmitting business, and unlawful employment of aliens.
If convicted, Chapman faces a maximum penalty of 97.5 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.
Didenko, the Facilitator
The Justice department also named a Ukrainian national Oleksandr Didenko, 27, in the unsealed charges. Didenko allegedly run a multi-year scheme to create accounts at U.S.-based freelance IT job search platforms under false identities and sold these accounts to overseas IT workers. Remote workers used these false identities to apply for jobs with unsuspecting companies.
To facilitate this fraudulent activity, Didenko hosted a website “UpWorkSell”, which advertised the ability for remote IT workers to buy or rent accounts on various platforms using identities other than their own.
Didenko’s domain upworksell[.]com was seized today by the Justice Department pursuant to a court order, and all traffic diverted to the FBI.
Didenko managed approximately 871 proxy identities, provided proxy accounts for three freelance IT hiring platforms and for three different money service transmitters, the complaint against Didenko said.
Together with the co-conspirators, Didenko facilitated the operation of at least three U.S.-based “laptop farms,” hosting approximately 79 computers. The Justice Department said it raided four U.S. residences under Didenko’s control where he ran laptop farms. He also laundered $920,000 worth payments since July 2018 in the job fraud scheme.
Didenko was arrested in Poland on May 7, and the State Department is seeking his extradition. If convicted, Didenko faces a maximum penalty of 67.5 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.
The North Korean Trio
The three North Korean workers “are linked to the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs,” the State Department said.
The department said the workers tried to get hired at two unnamed U.S. government agencies but failed three separate times.
Details about the three North Korean IT workers are scarce but the State Department released an image of Jiho Han on its Rewards for Justice platform where it also announced a bounty of up to $5 million for information on any of these North Korean IT workers that leads to the disruption of financial mechanisms of the people engaged.
The FBI also released an alert about North Korean IT workers and their scheme to defraud U.S. businesses and fund Pyongyang’s illicit activities.
Targeting of Illicit IT Worker Activities
The latest announcement comes almost a year after the U.S. Treasury announced sanctions on four entities that employed thousands of North Korean IT workers that help illicitly finance the regime’s missile and weapons of mass destruction programs.
The treasury, at the time, said North Korea had scores of “highly skilled” IT workers around the globe who “generate revenue that contributes to its unlawful WMD and ballistic missile programs.” These individuals, who can earn up to $300,000 annually, “deliberately” obscure their identities, locations and nationalities, using proxy accounts, stolen identities and falsified or forged documentation to apply for jobs, the Treasury said.
The 15-member United Nations Security Council has long prohibited North Korea from engaging in nuclear tests and ballistic missile launches. Since 2006, the country has been under stringent UN sanctions, continuously bolstered by the Council to sever financial support for its weapons of mass destruction (WMD) development endeavors. Yet, Pyongyang has amassed a staggering $3 billion funding for its nuclear program from cyberattacks particularly on cryptocurrency related companies.
*Update: The article has been edited throughout from the original version to include additional information.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
