Arizona woman arrested and charged over North Korean IT worker scheme

An Arizona woman participated in a scheme to help North Korean IT workers impersonate U.S. citizens so they could apply for remote work positions at American companies, federal prosecutors said Thursday as they filed charges against the woman and several others repealed.

Prosecutors say Christina Marie Chapman, 49, of Litchfield Park, Arizona, helped a Ukrainian citizen and three North Koreans as part of the scheme to compromise the identities of numerous Americans in order to facilitate remote jobs for IT workers, one of which Most unattached were to North Korea. The U.S. Department of Justice said in a statement that the operation netted the foreign workers at least $6.8 million in income.

Chapman is alleged to have worked with Oleksandr Didenko, 27, of Kiev, Ukraine, as part of the scheme. Didenko allegedly carried out a multi-year plan to set up accounts on U.S.-based freelance IT job search platforms and U.S. money service providers in the names of false identities, the DOJ said in its statement. These accounts were then sold to foreign IT workers who used the identities to apply for remote work positions.

Chapman was arrested in Arizona on May 15 and faces up to 97.5 years in prison, according to the Justice Department. Didenko faces up to 67.5 years for his role.

The U.S. government announced a reward of up to $5 million under the State Department’s Rewards for Justice program for information related to the operation and specifically to three North Koreans, codenamed Jiho Han, Chunji Jin and Haoran Xu, and their manager Zhonghua on.

If the North Koreans are ever brought to the United States, they face a maximum sentence of 20 years in prison.

“These IT employees are associated with the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs,” the State Department’s reward announcement said.

Chapman’s alleged job was to run a “laptop farm” in which she housed the foreign IT workers’ computers in her home to make it appear as if the computers were located in the United States. She also allegedly received checks and direct deposits for the IT employees into their U.S. financial accounts.

The workers managed to find employment at various unnamed U.S. companies, according to the DOJ, “including one of the Big Five television networks, a Silicon Valley technology company, an aerospace and defense company, an American automobile manufacturer, a luxury retail store, etc.” a US media and entertainment company, all Fortune 500 companies.”

North Korean IT employees with access to U.S. companies pose a dangerous insider threat, said Michael Barnhart, principal analyst at Mandiant focused on North Korean threats.

“By directing its IT workers to find employment with Western companies, North Korea has weaponized its technical talents and created the ultimate insider threat,” Barnhart said in a statement. “These activists are circumventing sanctions by using their paychecks to fund North Korea’s nuclear program.”

The workers also “provide North Korea’s more advanced threat group with a base in large organizations,” he added, which can be used for further operations and attacks.