Arizona Woman Will Go To Jail For Multi-Million Dollar Fraud Scheme Connected To North Korea

Forbes

6 days ago

The scheme generated more than $17 million in illicit revenue. getty
An Arizona woman has been sentenced to 102 months—that's eight and a half years—for her role in a scheme involving North Korean information technology (IT) workers who infiltrated and defrauded 309 U.S. businesses and two international businesses. Following her arrest last year, prosecutors called it the largest case ever charged involving this type of scheme. The scheme generated more than $17 million in illicit revenue for Chapman and for the Democratic People's Republic of Korea (DPRK or North Korea).
Christina Marie Chapman, a resident of Litchfield Park, Arizona, pleaded guilty on February 11 to conspiracy to commit wire fraud, aggravated identity theft, and conspiracy to launder monetary instruments. In addition to her prison term, U.S. District Court Judge Randolph D. Moss ordered Chapman to serve three years of supervised release, to forfeit $284,555.92 that was to be paid to the North Koreans, and to pay a judgment of $176,850.
According to court documents filed following her arrest, the scheme worked like this: North Korea sent thousands of skilled IT workers around the world with stolen or borrowed identities to infiltrate U.S. companies' networks, and raise money to contribute to the North Korean weapons program in violation of U.S. and U.N. sanctions. The scheme involved defrauding more than 300 U.S. companies, including many well-known large companies, using U.S. payment platforms and online job site accounts, as well as proxy computers located in the U.S. and U.S. persons and entities (some of which were unaware that they were helping to commit fraud).
Prosecutors claim the scheme began early in 2020, when a group of overseas IT workers began providing remote services to U.S. companies. To get the jobs, the workers stole the identities of U.S. nationals and applied for remote jobs in the U.S. Once they had obtained jobs in the U.S.—sometimes through the use of staffing companies—they were able to access the internal systems of U.S. companies. Not only did they steal data and money, they were paid millions of dollars for their work, and falsely reported that information to the IRS.
Chapman was arrested in Litchfield Park, Arizona, alongside her co-conspirators (referred to in the indictment as John Does 1-3, using the aliases Jiho Han, Haoran Xu, and Chunji Jin).
Chapman was initially accused of assisting the IT workers in validating stolen identity information so that they could pose as U.S. citizens. The overseas IT workers gained employment at U.S. companies, including a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car manufacturer, a luxury retail store, and a U.S.-hallmark media and entertainment company (referred to in the indictment as 'one of the most recognizable media and entertainment companies in the world'), all of which were Fortune 500 companies. Prosecutors say the overseas IT workers also exfiltrated (a fancy tech word for stole) data from at least two U.S. companies, including a multinational restaurant chain and an American clothing brand.
(The overseas IT workers also attempted to gain employment and access to information at two different U.S. government agencies on three other occasions, although these efforts were generally unsuccessful.)
The FBI also executed search warrants for U.S.-based 'laptop farms.' Laptop farms are residences that host laptops for overseas IT workers, so the IT workers appear to be operating inside the U.S.
Chapman also shipped 49 laptops and other devices supplied by U.S. companies to locations overseas, including multiple shipments to a city in China on the border with North Korea. More than 90 laptops were seized from Chapman's home following the execution of a search warrant in October 2023. Prosecutors say the laptops included notes identifying the U.S. company and the identity associated with each laptop.
Prosecutors allege that Chapman received and forged payroll checks, as well as received direct deposits of the overseas IT workers' wages from U.S. companies into her U.S. financial accounts. She then transferred the proceeds from the scheme to individuals overseas.
Much the income generated by the scheme was reported to the IRS and Social Security Administration in the names of actual U.S. individuals whose identities had been stolen or borrowed.
'Using the stolen identities of U.S. citizens is a crime by itself, but when you use those identities to procure employment for foreign nationals with ties to North Korea at hundreds of U.S. companies, you have compromised the national security of an entire nation,' said Chief Guy Ficco of IRS-CI said following Chapman's arrest. 'For more than 100 years, IRS Criminal Investigation special agents have been following the money, and their financial expertise has once again stopped criminals in their tracks.'
Prosecutors claim that Chapman was initially approached to participate in the scheme on LinkedIn, where she was asked to be the 'U.S. face' of a company. (Her LinkedIn page appears to have been taken down.) Chapman was charged with conspiracy to defraud the United States, conspiracy to commit wire fraud, conspiracy to commit bank fraud, aggravated identity theft, conspiracy to commit identity fraud, conspiracy to launder monetary instruments, operating as an unlicensed money-transmitting business, and unlawful employment of aliens. The John Does are charged with conspiracy to commit money laundering.
Before her plea, Chapman faced a maximum penalty of 97.5 years in prison, including a mandatory minimum of two years on the aggravated identity theft count. Oleksandr Didenko
A criminal complaint was also unsealed last year, charging Oleksandr Didenko, of Kyiv, Ukraine, with a separate scheme to create fake accounts at U.S. IT job search platforms and with U.S.-based money service transmitters.
According to the criminal complaint, Didenko operated a website, upworksell.com, which purported to provide services to remote IT workers. According to the affidavit supporting the complaint provided by the Special Agent with the FBI, who reviewed the website, the site advertised the ability for remote IT workers to buy or rent accounts in the name of identities other than their own. The site also advertised 'Credit Card Rental' in the European Union and the U.S., as well as SIM card rental for cell phones. Customers sent money to be loaded onto the card, and Didenko provided the card information to the customer after deducting a fee.
(The domain upworksell.com was seized by the DOJ under a court order, and all traffic was initially diverted to the FBI. The URL is currently for sale.)
According to the affidavit supporting the complaint, Didenko managed as many as approximately 871 'proxy' identities, provided proxy accounts for three freelance U.S. IT hiring platforms, and provided proxy accounts for three different U.S.-based money service transmitters. In coordination with his co-conspirators, Didenko is alleged to have facilitated the operation of at least three U.S.-based laptop farms, at one point hosting approximately 79 computers.
Prosecutors alleged that Didenko acknowledged in messages that he believed he was assisting North Korean IT workers. Additionally, in November 2023, a U.S. cybersecurity firm discovered documents on an online storage platform related to North Korean IT workers' attempts to obtain remote employment. According to court documents, the firm assessed these documents with 'high confidence' as being attributable to an espionage group tied to North Korea. The documents included guides and tips on securing employment, writing a cover letter, building a resume, sample resumes of purported IT workers, and interview scripts. Several documents related to online job postings seeking employees that North Korean IT workers secured were found, including jobs with U.S. employers that were later tied through business records to the computers found in Chapman's residence (prosecutors allege that Didenko and Chapman's activities were connected).
Prosecutors claimed that one of Didenko's overseas IT worker customers also requested that a laptop be sent from one of Didenko's U.S. laptop farms to Chapman's laptop farm, showing the interconnectivity of these cells within the North Korean overseas IT worker network. Search warrants were issued for four U.S. residences associated with laptop farms controlled by Didenko in the Southern District of California, the Eastern District of Tennessee, and the Eastern District of Virginia.
Polish authorities arrested Didenko on May 6, 2024, at the request of the U.S., which sought his extradition from Poland. Didenko's arrest in the U.S. was logged in December of 2024, and the following month, Didenko pleaded not guilty. Didenko's attorney, Christopher Michael Davis of Davis and Davis, did not comment on the case beyond advising that Didenko has a status hearing in September.
(Court documents indicate that Didenko does not speak or read English, and a Ukrainian translator is required to translate any plea agreement. The interpreter counsel has been using is out of the country through mid-August.) Other Co-Conspirators
Last year, the U.S. Department of State announced a reward of up to $5 million for information related to Chapman's co-conspirators. The DOJ encourages anyone with information on Jiho Han, Haoran Xu, Chunji Jin, Zhonghua, associated individuals or entities, or their revenue-generating and money laundering activities to contact the Rewards for Justice office. That reward remains posted. Government Reaction
'The North Korean regime has generated millions of dollars for its nuclear weapons program by victimizing American citizens, businesses, and financial institutions,' said Assistant Director Rozhavsky of the FBI's Counterintelligence Division. 'However, even an adversary as sophisticated as the North Korean government can't succeed without the assistance of willing U.S. citizens like Christina Chapman, who was sentenced today for her role in an elaborate scheme to defraud more than 300 American companies by helping North Korean IT workers gain virtual employment and launder the money they earned. Today's sentencing demonstrates that the FBI will work tirelessly with our partners to defend the homeland and hold those accountable who aid our adversaries.'
'Today's sentencing brings justice to the victims whose identities were stolen for this international fraud scheme,' said Special Agent in Charge Carissa Messick of the IRS Criminal Investigation (IRS-CI) Phoenix Field Office. 'The scheme was elaborate. If this sentencing proves anything, it's that no amount of obfuscation will prevent IRS-CI and our law enforcement partners from tracking down those that wish to steal the identities of U.S. nationals, launder money, or engage in criminality that jeopardizes national security.' Alerts
This month, FBI Phoenix issued guidance for HR professionals on detecting North Korean IT workers, and the Department of State issued guidance on the North Korean IT worker threat.
Prior guidance was issued in 2022—it was an advisory to alert the international community, private sector, and public about the North Korean IT worker threat. The 16-page guide provided detailed information on how North Korean IT workers operate, red flag indicators for companies hiring freelance developers and for freelance and payment platforms to identify those workers; and general mitigation measures for companies to better protect against inadvertently hiring or facilitating the operations of such workers.
The United States and the Republic of Korea (South Korea) issued updated guidance in October 2023, which included new indicators to watch for that are consistent with North Korean IT worker fraud and additional due diligence measures the international community, private sector, and public can take to prevent the hiring of North Korean IT workers.
The FBI issued additional guidance in May 2024 regarding the use of U.S. persons acting as facilitators by providing a U.S.-based location for U.S. companies to send devices and a U.S.-based internet connection for access to U.S. company networks. More recently, the FBI issued guidance in January 2025 concerning the extortion and theft of sensitive company data by North Korean IT workers, along with recommended actions.
The FBI encourages U.S. companies to report suspicious activities, including any suspected North Korean IT worker activities, to local field offices. Forbes Massive North Korean Fraud Planted Tech Workers, Hit 300 U.S. Companies By Kelly Phillips Erb Forbes 15 Tips To Help You Protect Yourself From Identity Theft And Related Tax Fraud By Kelly Phillips Erb