{"id":315871,"date":"2025-08-04T00:33:12","date_gmt":"2025-08-04T00:33:12","guid":{"rendered":"https:\/\/www.europesays.com\/uk\/315871\/"},"modified":"2025-08-04T00:33:12","modified_gmt":"2025-08-04T00:33:12","slug":"ninety-laptops-millions-of-dollars-us-woman-jailed-over-north-korea-remote-work-scam-us-news","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/uk\/315871\/","title":{"rendered":"Ninety laptops, millions of dollars: US woman jailed over North Korea remote-work scam | US news"},"content":{"rendered":"<p class=\"dcr-16w5gq9\">In March 2020, about the time the Covid pandemic started, Christina Chapman, a woman who lived in Arizona and Minnesota, received a message on LinkedIn asking her to \u201cbe the US face\u201d of a company and help overseas IT workers gain remote employment.<\/p>\n<p class=\"dcr-16w5gq9\">As working from home became the norm for many people, Chapman was able to find jobs for the foreign workers at hundreds of US companies, including some in the Fortune 500, such as Nike; \u201ca premier Silicon Valley technology company\u201d; and one of the \u201cmost recognizable media and entertainment companies in the world\u201d.<\/p>\n<p class=\"dcr-16w5gq9\">The employers thought they were hiring US citizens. They were actually people in <a href=\"https:\/\/www.theguardian.com\/world\/north-korea\" data-link-name=\"in body link\" data-component=\"auto-linked-tag\" target=\"_blank\" rel=\"noopener\">North Korea<\/a>.<\/p>\n<p class=\"dcr-16w5gq9\">Chapman was participating in the North Korean government\u2019s scheme to deploy thousands of \u201chighly skilled IT workers\u201d by stealing identities to make it look like they were in the US or other countries. 
They have collected millions of dollars to boost the government\u2019s nuclear weapons development, according to the <a href=\"https:\/\/www.justice.gov\/opa\/pr\/arizona-woman-sentenced-17m-information-technology-worker-fraud-scheme-generated-revenue\" data-link-name=\"in body link\" target=\"_blank\" rel=\"noopener\">US justice department<\/a> and court records.<\/p>\n<p class=\"dcr-16w5gq9\">Chapman\u2019s bizarre story \u2013 which culminated in an eight-year prison sentence \u2013 is a curious mix of geopolitics, international crime and one woman\u2019s tragic tale of isolation and working from home in a gig-dominated economy where increasingly everything happens through a computer screen and it is harder to tell fact from fiction.<\/p>\n<p class=\"dcr-16w5gq9\">The secret North Korean workers, according to the federal government and cybersecurity experts, not only help the US\u2019s adversary \u2013 a dictatorship which has been <a href=\"https:\/\/www.theguardian.com\/world\/2021\/aug\/04\/north-korea-wants-sanctions-eased-on-metal-fuel-and-liquor-and-suits-to-restart-us-talks\" data-link-name=\"in body link\" target=\"_blank\" rel=\"noopener\">hobbled by international sanctions<\/a> over its weapons program \u2013 but also harm US citizens by stealing their identities and potentially hurt domestic companies by \u201cenabling malicious cyber intrusions\u201d into their networks.<\/p>\n<p class=\"dcr-16w5gq9\">\u201cOnce Covid hit and everybody really went virtual, a lot of the tech jobs never went back to the office,\u201d said Benjamin Racenberg, a senior intelligence manager at Nisos, a cybersecurity firm.<\/p>\n<p class=\"dcr-16w5gq9\">\u201cCompanies quickly realized: I can get good talent from anywhere. North Koreans and other employment fraudsters have realized that they can trick hiring systems to get jobs. 
I don\u2019t think that we have done enough as a community to prevent this.\u201d<\/p>\n<p class=\"dcr-16w5gq9\">To run the schemes, the North Koreans need facilitators in the United States, because the companies \u201caren\u2019t going to willingly send laptops to North Korea or even China\u201d, said Adam Meyers, head of counter-adversary operations for CrowdStrike, a cybersecurity firm.<\/p>\n<p class=\"dcr-16w5gq9\">\u201cThey find somebody that is also looking for a gig-economy job, and they say, \u2018Hey, we are happy to get you $200 per laptop that you manage,\u2019\u201d said Meyers, whose team has published reports on the North Korean operation.<\/p>\n<p class=\"dcr-16w5gq9\">Chapman grew up in an abusive home and drifted \u201cbetween low-paying jobs and unstable housing\u201d, <a href=\"https:\/\/www.washingtonpost.com\/documents\/69cf2b07-4d43-4b2d-8298-1b1e089f4654.pdf\" data-link-name=\"in body link\" target=\"_blank\" rel=\"noopener\">according to documents<\/a> submitted by her attorneys. In 2020, she was also taking care of her mother, who had been diagnosed with renal cancer.<\/p>\n<p class=\"dcr-16w5gq9\">About six months after the LinkedIn message, Chapman started running what law enforcement officials describe as \u201claptop farms\u201d.<\/p>\n<p class=\"dcr-16w5gq9\">In addition to hosting computers, she helped the North Koreans pose as US citizens by validating stolen identity information; sent some laptops abroad; logged into the computers so that the foreign workers could connect remotely; and received paychecks and transferred the money to the workers, according to court documents.<\/p>\n<p class=\"dcr-16w5gq9\">Meanwhile, the North Koreans created fictitious personas and online profiles to match the job requirements for remote IT worker positions. 
They often got the jobs through staffing agencies.<\/p>\n<p class=\"dcr-16w5gq9\">In one case, a \u201ctop-five national television network and media company\u201d headquartered in New York hired one of the North Koreans as a video-streaming engineer.<\/p>\n<p class=\"dcr-16w5gq9\">The person posing as \u201cDaniel B\u201d asked Chapman to join a Microsoft Teams meeting with the employer so that the co-conspirator could also join. The indictment does not list victims\u2019 full names.<\/p>\n<p class=\"dcr-16w5gq9\">\u201cI just typed in the name Daniel,\u201d Chapman told the person in North Korea, according to court records of an online conversation. \u201cIf they ask WHY you are using two devices, just say the microphone on your laptop doesn\u2019t work right.\u201d<\/p>\n<p class=\"dcr-16w5gq9\">\u201cOK,\u201d the foreign actor responded.<\/p>\n<p class=\"dcr-16w5gq9\">\u201cMost IT people are fine with that explanation,\u201d Chapman replied.<\/p>\n<p class=\"dcr-16w5gq9\">Chapman was aware that her actions were illegal.<\/p>\n<p class=\"dcr-16w5gq9\">\u201cI hope you guys can find other people to do your physical I-9s. These are federal documents. I will SEND them for you, but have someone else do the paperwork. I can go to FEDERAL PRISON for falsifying federal documents,\u201d Chapman wrote to a group of her co-conspirators.<\/p>\n<p class=\"dcr-16w5gq9\">Chapman was also active on social media. In a video posted in June 2023, she talked about having breakfast on the go because she was so busy, and her clients were \u201cgoing crazy!\u201d, <a href=\"https:\/\/www.wired.com\/story\/north-korea-stole-your-tech-job-ai-interviews\/\" data-link-name=\"in body link\" target=\"_blank\" rel=\"noopener\">Wired reported<\/a>.<\/p>\n<p class=\"dcr-16w5gq9\">Behind Chapman were racks with at least a dozen open laptops with sticky notes. In October 2023, federal investigators raided her home and found 90 laptops. 
In February this year, she pleaded guilty to conspiracy to commit wire fraud, aggravated identity theft and conspiracy to launder monetary instruments.<\/p>\n<p class=\"dcr-16w5gq9\">Over the three years that Chapman worked with the North Koreans, some of the employees received hundreds of thousands of dollars from a single company. In total, the scheme generated $17m for Chapman and the North Korean government.<\/p>\n<p class=\"dcr-16w5gq9\">The fraudsters also stole the identities of 68 people, who then also had false tax liabilities, according to the justice department.<\/p>\n<p class=\"dcr-16w5gq9\">In a letter to the court before her sentencing, Chapman thanked the FBI for arresting her because she had been \u201ctrying to get away from the guys that I was working with for awhile [sic] and I wasn\u2019t really sure how to do it\u201d.<\/p>\n<p class=\"dcr-16w5gq9\">\u201cThe area where we lived didn\u2019t provide for a lot of job opportunities that fit what I needed,\u201d Chapman wrote. \u201cTo the people who were harmed, I send my sincerest apologies. I am not someone who seeks to harm anyone, so knowing that I was a part of a company that set out to harm people is devastating to me.\u201d<\/p>\n<p class=\"dcr-16w5gq9\">Last week, US district court judge Randolph Moss sentenced Chapman to more than eight years in prison; to forfeit $284,000 that was to be paid to the North Koreans, and to pay a fine of $176,000.<\/p>\n<p class=\"dcr-16w5gq9\">Chapman and her co-conspirators were not the only ones conducting such fraud. 
In January, the federal government also charged two people in North Korea, a Mexican citizen and two US citizens for a scheme that helped North Korean IT workers land jobs with at least 64 US companies and generated at least $866,000 in revenue, according to the <a href=\"https:\/\/www.justice.gov\/opa\/pr\/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote\" data-link-name=\"in body link\" target=\"_blank\" rel=\"noopener\">justice department<\/a>.<\/p>\n<p class=\"dcr-16w5gq9\">Racenberg, of Nisos, said he expected cybercriminals to use artificial intelligence to \u201cget better and better\u201d at performing such schemes.<\/p>\n<p class=\"dcr-16w5gq9\">Companies should conduct \u201copen-source research\u201d on applicants because oftentimes the fraudsters reuse r\u00e9sum\u00e9 content, Racenberg said.<\/p>\n<p class=\"dcr-16w5gq9\">\u201cIf you put the first few lines of the r\u00e9sum\u00e9 in, you might find two, three other r\u00e9sum\u00e9s online that are exactly the same with these very similar companies or similar dates,\u201d Racenberg added. \u201cThat should raise some flags.\u201d<\/p>\n<p class=\"dcr-16w5gq9\">During an interview, if there is background noise that sounds like a call center or if the applicant refuses to remove a fake or blurred background, that could also be cause for concern, Meyers, of CrowdStrike, said.<\/p>\n<p class=\"dcr-16w5gq9\">And companies should ask new hires to visit the office to pick up their laptop rather than mail it to them because that allows the company to see if the person who shows up is the same one you interviewed, Racenberg said.<\/p>\n<p class=\"dcr-16w5gq9\">Five years after the pandemic, more companies have also started to require employees to <a href=\"https:\/\/www.theguardian.com\/business\/2024\/nov\/17\/work-from-home-office-mandate\" data-link-name=\"in body link\" target=\"_blank\" rel=\"noopener\">return to the office<\/a> at least part time. 
If all corporations did that, would it eliminate the threat?<\/p>\n<p class=\"dcr-16w5gq9\">\u201cIt\u2019s going to prevent all of this from happening, yes,\u201d Racenberg said. \u201cBut are we going to go back to that? Probably not.\u201d<\/p>\n","protected":false}}