In March 2020, about the time the Covid pandemic started, Christina Chapman, a woman who lived in Arizona and Minnesota, received a message on LinkedIn asking her to “be the US face” of a company and help overseas IT workers gain remote employment.
As working from home became the norm for many people, Chapman was able to find jobs for the foreign workers at hundreds of US companies, including some in the Fortune 500, such as Nike; “a premier Silicon Valley technology company”; and one of the “most recognizable media and entertainment companies in the world”.
The employers thought they were hiring US citizens. They were actually people in North Korea.
Chapman was participating in the North Korean government’s scheme to deploy thousands of “highly skilled IT workers” by stealing identities to make it look like they were in the US or other countries. They have collected millions of dollars to boost the government’s nuclear weapons development, according to the US justice department and court records.
Chapman’s bizarre story – which culminated in an eight-year prison sentence – is a curious mix of geopolitics, international crime and one woman’s tragic tale of isolation and working from home in a gig-dominated economy where increasingly everything happens through a computer screen and it is harder to tell fact from fiction.
The secret North Korean workers, according to the federal government and cybersecurity experts, not only help the US’s adversary – a dictatorship which has been hobbled by international sanctions over its weapons program – but also harm US citizens by stealing their identities and potentially hurt domestic companies by “enabling malicious cyber intrusions” into their networks.
“Once Covid hit and everybody really went virtual, a lot of the tech jobs never went back to the office,” said Benjamin Racenberg, a senior intelligence manager at Nisos, a cybersecurity firm.
“Companies quickly realized: I can get good talent from anywhere. North Koreans and other employment fraudsters have realized that they can trick hiring systems to get jobs. I don’t think that we have done enough as a community to prevent this.”
To run the schemes, the North Koreans need facilitators in the United States, because the companies “aren’t going to willingly send laptops to North Korea or even China”, said Adam Meyers, head of counter-adversary operations for CrowdStrike, a cybersecurity firm.
“They find somebody that is also looking for a gig-economy job, and they say, ‘Hey, we are happy to get you $200 per laptop that you manage,’” said Meyers, whose team has published reports on the North Korean operation.
Chapman grew up in an abusive home and drifted “between low-paying jobs and unstable housing”, according to documents submitted by her attorneys. In 2020, she was also taking care of her mother, who had been diagnosed with renal cancer.
About six months after the LinkedIn message, Chapman started running what law enforcement officials describe as “laptop farms”.
In addition to hosting computers, she helped the North Koreans pose as US citizens by validating stolen identity information; sent some laptops abroad; logged into the computers so that the foreign workers could connect remotely; and received paychecks and transferred the money to the workers, according to court documents.
Meanwhile, the North Koreans created fictitious personas and online profiles to match the job requirements for remote IT worker positions. They often got the jobs through staffing agencies.
In one case, a “top-five national television network and media company” headquartered in New York hired one of the North Koreans as a video-streaming engineer.
The person posing as “Daniel B” asked Chapman to join a Microsoft Teams meeting with the employer so that the co-conspirator could also join. The indictment does not list victims’ full names.
“I just typed in the name Daniel,” Chapman told the person in North Korea, according to court records of an online conversation. “If they ask WHY you are using two devices, just say the microphone on your laptop doesn’t work right.”
“OK,” the foreign actor responded.
“Most IT people are fine with that explanation,” Chapman replied.
Chapman was aware that her actions were illegal.
“I hope you guys can find other people to do your physical I-9s. These are federal documents. I will SEND them for you, but have someone else do the paperwork. I can go to FEDERAL PRISON for falsifying federal documents,” Chapman wrote to a group of her co-conspirators.
Chapman was also active on social media. In a video posted in June 2023, she talked about having breakfast on the go because she was so busy, and her clients were “going crazy!”, Wired reported.
Behind Chapman were racks with at least a dozen open laptops with sticky notes. In October 2023, federal investigators raided her home and found 90 laptops. In February this year, she pleaded guilty to conspiracy to commit wire fraud, aggravated identity theft and conspiracy to launder monetary instruments.
Over the three years that Chapman worked with the North Koreans, some of the employees received hundreds of thousands of dollars from a single company. In total, the scheme generated $17m for Chapman and the North Korean government.
The fraudsters also stole the identities of 68 people, who then also had false tax liabilities, according to the justice department.
In a letter to the court before her sentencing, Chapman thanked the FBI for arresting her because she had been “trying to get away from the guys that I was working with for awhile [sic] and I wasn’t really sure how to do it”.
“The area where we lived didn’t provide for a lot of job opportunities that fit what I needed,” Chapman wrote. “To the people who were harmed, I send my sincerest apologies. I am not someone who seeks to harm anyone, so knowing that I was a part of a company that set out to harm people is devastating to me.”
Last week, US district court judge Randolph Moss sentenced Chapman to more than eight years in prison; to forfeit $284,000 that was to be paid to the North Koreans, and to pay a fine of $176,000.
Chapman and her co-conspirators were not the only ones conducting such fraud. In January, the federal government also charged two people in North Korea, a Mexican citizen and two US citizens for a scheme that helped North Korean IT workers land jobs with at least 64 US companies and generated at least $866,000 in revenue, according to the justice department.
Racenberg, of Nisos, said he expected cybercriminals to use artificial intelligence to “get better and better” at performing such schemes.
Companies should conduct “open-source research” on applicants because oftentimes the fraudsters reuse résumé content, Racenberg said.
“If you put the first few lines of the résumé in, you might find two, three other résumés online that are exactly the same with these very similar companies or similar dates,” Racenberg added. “That should raise some flags.”
During an interview, if there is background noise that sounds like a call center or if the applicant refuses to remove a fake or blurred background, that could also be cause for concern, Meyers, of CrowdStrike, said.
And companies should ask new hires to visit the office to pick up their laptop rather than mail it to them because that allows the company to see if the person who shows up is the same one you interviewed, Racenberg said.
Five years after the pandemic, more companies have also started to require employees to return to the office at least part time. If all corporations did that, would it eliminate the threat?
“It’s going to prevent all of this from happening, yes,” Racenberg said. “But are we going to go back to that? Probably not.”