US offers $5 million for info on North Korean IT workers involved in job fraud

Editor's note: Story updated 12:35 p.m. and 1:30 p.m. Eastern U.S. time with details from Department of Justice and FBI announcements. 

The U.S. is offering a reward of up to $5 million for information on a network of people charged with scamming companies of nearly $7 million on behalf of North Korea.

The State Department said that from October 2020 to October 2023, a U.S. national named Christina Chapman helped workers under the aliases Jiho Han, Chunji Jin and Haoran Xu fraudulently obtain remote work as software and applications developers with companies in a range of sectors and industries.

Chapman, the three workers and a 27-year-old Ukrainian, Oleksandr Didenko, have been charged by federal prosecutors in the scheme. The three workers' manager, who used the aliases Zhonghua and Venechor S, is listed as an un-indicted co-conspirator. 

Chapman was arrested on Wednesday in her hometown of Litchfield Park, Arizona, and Didenko was arrested in Poland on May 7. The U.S. is seeking his extradition.  

“These individuals engaged in a scheme that enabled Han, Jin, and Xu to obtain illicit telework employment with U.S. companies using false identities belonging to more than 60 real U.S. persons. The illicit scheme generated at least $6.8 million for the DPRK,” the State Department said. 

The scheme "impacted more than 300 U.S. companies, caused false information to be conveyed to the Department of Homeland Security on more than 100 occasions, created false tax liabilities for more than 35 U.S. persons," the DOJ said.

The three workers "are linked to the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs," the State Department said.

The department said the workers tried to get hired at two unnamed U.S. government agencies but failed three separate times. 

The North Koreans were able to gain employment at several Fortune 500 companies, including a “top-five major television network, a Silicon Valley technology company, an aerospace and defense company, an American car manufacturer, a luxury retail store, and a U.S.-hallmark media and entertainment company.”

Chapman allegedly helped them acquire the identities of the 60 U.S. citizens and “received and hosted” the laptop computers sent from employers in an effort to make it look like the North Koreans were based in the United States, the State Department said.

Chapman enabled the workers to connect remotely to the U.S. companies’ IT networks on a daily basis and “helped launder the proceeds from the scheme by receiving, processing, and distributing paychecks from the U.S. firms to these IT workers and others.”

Didenko "allegedly owned and operated U.S.-based online infrastructure as well as fraudulent and stolen U.S. persons’ identities" in the scheme, said FBI Assistant Director Jim Smith of the New York Field Office.

The DOJ said it also raided four U.S. residences controlled by Didenko where he ran laptop farms. 

The State Department urged anyone with information on Chapman, Han, Jin and Xu to come forward. The FBI also released an alert about North Korean IT workers.

Evading sanctions

Last year, the U.S. Treasury announced sanctions on four entities that employ thousands of North Korean IT workers who help illicitly finance the regime's missile and weapons of mass destruction programs. 

The department said North Korea maintains legions of “highly skilled” IT workers around the globe, primarily in China and Russia, who “generate revenue that contributes to its unlawful WMD and ballistic missile programs.”

These individuals, who can earn up to $300,000 annually, “deliberately obfuscate their identities, locations, and nationalities, typically using fake personas, proxy accounts, stolen identities, and falsified or forged documentation” to apply for jobs, Treasury said.

Brian Nelson, undersecretary of the Treasury for terrorism and financial intelligence, said last year that the DPRK’s “extensive illicit cyber and IT worker operations” help “finance the regime’s unlawful weapons of mass destruction and ballistic missile programs.” 

Several U.S. law enforcement agencies and international organizations have warned in recent years of North Korean IT workers posing as citizens from other countries to obtain work. Their positions were either used to generate funding for North Korea’s regime or infiltrate organizations with access to funds and information.