North Korea-linked IT workers infiltrated hundreds of US firms

Pierluigi Paganini May 18, 2024

The U.S. Justice Department charged five individuals, including a U.S. woman, for aiding North Korea-linked IT workers to infiltrate 300 firms.

The Justice Department unsealed charges against an Arizona woman, a Ukrainian man, and three unidentified foreign nationals accused of aiding overseas IT workers, pretending to be U.S. citizens, to infiltrate hundreds of firms in remote IT positions. North Korea used this scheme to dispatch thousands of skilled IT workers globally, using stolen U.S. identities to infiltrate companies and raise revenue. The schemes defrauded over 300 U.S. companies, utilizing U.S. payment platforms, online job sites, and proxy computers. According to the DoJ, this is the largest scheme of this kind ever charged by US authorities.

The operations coordinated by the North Korean government took place between October 2020 and October 2023. Intelligence experts speculate the campaign was aimed at financing the government’s illicit nuclear program.

The defendant Christina Marie Chapman was arrested in May in Litchfield Park, Arizona, while Oleksandr Didenko was arrested in Poland a few days before. US authorities are requesting the extradition to the United States of Didenko.

Chapman faces charges of conspiracy to defraud the United States, wire fraud, bank fraud, aggravated identity theft, identity fraud, money laundering, operating an unlicensed money transmitting business, and unlawful employment of aliens.

She faces a maximum penalty of 97.5 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.

Didenko allegedly ran a multi-year scheme creating accounts on U.S.-based freelance IT job platforms and money service transmitters using false identities, including those of U.S. persons. Then the man sold these accounts to overseas IT workers. He is the administrator of a website called upworksell.com, which was used to advertise these services along with credit card and SIM card rentals. The investigation revealed that Didenko managed about 871 proxy identities and provided accounts for three freelance IT platforms and three U.S.-based money service transmitters. He facilitated at least three U.S.-based laptop farms, hosting around 79 computers, and received or sent $920,000 since July 2018. The man admitted to assisting North Korean IT workers and was interconnected with other cells within the DPRK IT worker network. If convicted, Didenko faces up to 67.5 years in prison, including a mandatory minimum of two years for aggravated identity theft.

DoJ also unsealed charges against three other individuals John Doe 1, alias Jiho Han; John Doe 2, alias Haoran Xu; John Doe 3, alias Chunji Jin.

Chapman and her co-conspirators allegedly compromised more than 60 identities of U.S. persons, impacted more than 300 U.S. companies, caused false information to be conveyed to DHS on more than 100 occasions, created false tax liabilities for more than 35 U.S. persons, and resulted in at least $6.8 million of revenue to be generated for the overseas IT workers. The department seized funds related to scheme from Chapman as well as wages and monies accrued by more than 19 overseas IT workers.” reads the press release published by DoJ.

Concurrent with DoJ’s announcement, the U.S. Department of State announced a reward of up to $5 million for information related to the above three individuals.

“Rewards for Justice is offering a reward of up to $5 million for information that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea (Democratic People’s Republic of Korea, DPRK), including money laundering, exportation of luxury goods to North Korea, specified cyber-activity and actions that support weapons of mass destruction (WMD) proliferation. Such activities include work by highly skilled North Korean nationals sent abroad whose income generates funds for the DPRK regime.” reads the the U.S. Department of State’s announcement.

“The Department is seeking information on North Korean information technology (IT) workers using aliases Jiho Han, Chunji Jin, and Haoran Xu, and their manager Zhonghua. These individuals engaged in a scheme that enabled Han, Jin, and Xu to obtain illicit telework employment with U.S. companies using false identities belonging to more than 60 real U.S. persons. The illicit scheme generated at least $6.8 million for the DPRK.

The FBI also issued an advisory warning of the public and private sector of the threat posed to U.S. businesses by Information Technology (IT) workers from the Democratic People’s Republic of Korea (North Korea). 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)



you might also like

leave a comment