Charges and seizures brought in fraud scheme aimed at denying revenue for workers associated with North Korea

 

IT workers infiltrated more than 300 U.S. companies, earning millions

Date: May 16, 2024

Contact: newsroom@ci.irs.gov

The Justice Department unsealed charges, seizures, and other court-authorized actions to disrupt the illicit revenue generation efforts of the Democratic People’s Republic of Korea (DPRK or North Korea).

The charges include prosecutions of an Arizona woman, Ukrainian man, and three unidentified foreign nationals who allegedly participated in schemes to place overseas information technology (IT) workers—posing as U.S. citizens and residents—in remote positions at U.S. companies.

As alleged in the court documents, DPRK has dispatched thousands of skilled IT workers around the world, who used stolen or borrowed U.S. persons’ identities to pose as domestic workers, infiltrate domestic companies’ networks, and raise revenue for North Korea. The schemes described in court documents involved defrauding over 300 U.S. companies using U.S. payment platforms and online job site accounts, proxy computers located in the United States, and witting and unwitting U.S. persons and entities. This announcement includes the largest case ever charged by the Justice Department involving this type of IT workers’ scheme.

Two criminal prosecutions brought by the U.S. Attorney’s Office for the District of Columbia, one in partnership with the Computer Crime and Intellectual Property Section of the Justice Department’s Criminal Division, were unsealed today. As part of the prosecutions, two defendants have been arrested and related seizures and search warrants have been executed in Washington, D.C. and other jurisdictions. The investigations were led by IRS Criminal Investigations (IRS-CI) and the FBI Phoenix and New York Field Offices, and coordinated with five other FBI field offices and four other U.S. Attorney’s Offices, producing arrests in the United States and Poland, the execution of five premises search warrants, and the seizure of illicitly obtained wages and a website domains.

“As alleged in the indictment, Chapman and her co-conspirators committed fraud and stole the identities of American citizens to enable individuals based overseas to pose as domestic, remote IT workers,” said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division. “The charges in this case should be a wakeup call for American companies and government agencies that employ remote IT workers. These crimes are alleged to have benefitted the North Korean government. The Criminal Division remains firm in its commitment to prosecute complex criminal schemes like this one.”

“Today’s announcement of charges and law enforcement action show our broad approach to attacking funding sources for North Korea across the United States,” said U.S. Attorney Matthew M. Graves for the District of Columbia. “We will continue to vigorously pursue cases against individuals, in the United States and abroad, that use U.S. financial systems to raise revenue for North Korea.”

“Using the stolen identities of U.S. citizens is a crime by itself, but when you use those identities to procure employment for foreign nationals with ties to North Korea at hundreds of U.S. companies, you have compromised the national security of an entire nation,” said Chief Guy Ficco of IRS-CI. “For more than 100 years, IRS Criminal Investigation special agents have been following the money, and their financial expertise has once again stopped criminals in their tracks.”

“On the surface, today’s allegations of wire fraud, identity theft, and money laundering may read like a typical white collar or economic crime scheme,” said Assistant Director Kevin Vorndran of the FBI’s Counterintelligence Division. “But what these allegations truly represent is a new high-tech campaign to evade U.S. sanctions, victimize U.S. businesses, and steal U.S. identities. The charges clearly demonstrate how the FBI and its partners will employ every resource at our disposal to bring to justice anyone who helps North Korea evade sanctions.”

“Today’s announcement exposes disturbing criminal ties to North Korea where fraudsters allegedly used stolen identities of U.S. citizens to infiltrate the U.S. job market as remote workers,” said IRS Criminal Investigation Acting Special Agent in Charge of the Phoenix Field Office Carissa Messick. “CI and our federal partners will remain vigilant in our efforts to expose criminal fraud schemes that jeopardize our national security.”

“The FBI has long-stated that cybersecurity is national security and this case is living proof of that,” said FBI Special Agent in Charge Akil Davis of the Phoenix Field Office. “That a woman living her quiet life in the outskirts of Phoenix can allegedly get so entangled in something like this clearly indicates our adversaries are getting more sophisticated and stealthier, so it’s critical that businesses and citizens be hyper-vigilant with their cyber activities.”

“Oleksandr Didenko allegedly owned and operated U.S.-based online infrastructure as well as fraudulent and stolen U.S. persons’ identities for use by Information Technology workers in North Korea in an effort to evade sanctions,” said FBI Assistant Director Smith of the New York Field Office. “The arrest of Didenko demonstrates the FBI’s commitment to protecting the United States from threats posed by a hostile foreign actors, specifically the government of the Democratic Peoples Republic of Korea. Didenko's arrest also sends a clear message to anyone who supports this type of brazen illegal activity the FBI and our global law enforcement partners will hold you accountable wherever you may be.”

An indictment was unsealed today in the District of Columbia against U.S. citizen Christina Marie Chapman, of Litchfield Park, Arizona, related to her participation in a scheme to assist overseas IT workers—posing as U.S. citizens and residents—in working at more than 300 U.S. companies in remote IT positions. Chapman was arrested yesterday in Litchfield Park, Arizona.

As alleged in the indictment, Chapman and her co-conspirators’ scheme defrauded U.S. companies across myriad industries, including multiple well-known Fortune 500 companies, U.S. banks, and other financial service providers. The identities of more than 60 U.S. persons were compromised and used by IT workers related to Chapman’s cell.

In addition to Chapman, the indictment charged three foreign nationals with money laundering for their participation in the scheme. As alleged in the indictment, the department seized wages earned by more than 19 overseas IT workers and will seek forfeiture of the same.

Additionally, a criminal complaint was unsealed today in the District of Columbia charging Ukrainian national Oleksandr Didenko, of Kyiv, with a separate years-long scheme to create fake accounts at U.S. IT job search platforms and with U.S.-based money service transmitters.

As alleged in the complaint, Didenko sold the accounts to overseas IT workers, some of whom he believed were North Korean, and the overseas IT workers used the false identities to apply for jobs with unsuspecting companies. Several U.S. persons had their identities used by IT workers related to Didenko’s cell, and evidence in the complaint showed that the overseas IT workers using Didenko’s services were also working with Chapman. Polish authorities arrested Didenko on May 7 at the request of the United States, which is seeking Didenko’s extradition from Poland.

Didenko’s company’s online domain, upworksell.com, was also seized today by the Justice Department pursuant to a court order, and all traffic diverted to the FBI.

Related to the above schemes, the FBI executed search warrants for U.S. based “laptop farms,” residences that hosted multiple laptops for overseas IT workers, wherein U.S.-based facilitators logged onto U.S. company computer networks and then allowed the overseas IT workers to remotely access those laptops through various software applications. The overseas IT workers used the laptop farms’ U.S. Internet Protocol addresses to make it appear as though they were operating inside the United States. Chapman’s residence was searched in October 2023 pursuant to a search warrant issued in the District of Arizona, resulting in evidence that is reflected in the indictment. Search warrants for four U.S. residences associated with laptop farms controlled by Didenko were issued in the Southern District of California, Eastern District of Tennessee, and Eastern District of Virginia, and executed between May 8 and May 10.

Concurrent with today’s announcement, the U.S. Department of State announced a reward of up to $5 million for information related to Chapman’s coconspirators: John Doe 1, alias Jiho Han; John Doe 2, alias Haoran Xu; John Doe 3, alias Chunji Jin; and an unindicted coconspirator utilizing aliases “Zhonghua” and “Venechor S.”

Chapman Indictment, Money Seizures, and Premises Warrant

According to the indictment, the overseas IT workers associated with Chapman, many of whom were tied to North Korea, posed as U.S. citizens using the stolen, false, or borrowed identities of U.S. nationals, and applied for positions at U.S companies, causing the transmission of false documentation to the U.S. Department of Homeland Security (DHS). The overseas IT workers gained employment at U.S. companies, including at a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car manufacturer, a luxury retail store, and a U.S.-hallmark media and entertainment company, all of which were Fortune 500 companies. Some of these companies were purposely targeted by a group of DPRK IT workers, who maintained postings for companies at which they wanted to insert IT workers.

Chapman ran a “laptop farm,” hosting the overseas IT workers’ computers inside her home so it appeared that the computers were located in the United States, and also received and forged payroll checks and received direct deposits of the overseas IT workers’ wages from the U.S. companies into her U.S. financial accounts. The overseas IT workers also attempted to gain employment and access to information at two different U.S. government agencies on three different occasions, although these efforts were generally unsuccessful. The overseas IT workers associated with Chapman’s cell were paid millions for their work, much of which has been falsely reported to the IRS and the Social Security Administration in the name of the actual U.S. persons whose identities were stolen or borrowed. Chapman also allegedly conspired with the John Doe defendants to commit money laundering by conducting financial transactions under aliases to receive money generated by the scheme and transfer those funds outside of the United States, in an attempt to hide that these were proceeds of the IT workers’ fraud.

Chapman and her co-conspirators allegedly compromised more than 60 identities of U.S. persons, impacted more than 300 U.S. companies, caused false information to be conveyed to DHS on more than 100 occasions, created false tax liabilities for more than 35 U.S. persons, and resulted in at least $6.8 million of revenue to be generated for the overseas IT workers. The department seized funds related to scheme from Chapman as well as wages and monies accrued by more than 19 overseas IT workers.

Chapman is charged with conspiracy to defraud the United States, conspiracy to commit wire fraud, conspiracy to commit bank fraud, aggravated identity theft, conspiracy to commit identity fraud, conspiracy to launder monetary instruments, operating as an unlicensed money transmitting business, and unlawful employment of aliens. The John Does are charged with conspiracy to commit money laundering. If convicted, Chapman faces a maximum penalty of 97.5 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count, and the John Does face a maximum penalty of 20 years in prison.

The IRS-CI Phoenix Field Office and the FBI Phoenix Field Office are investigating this case, with assistance from the FBI Chicago Field Office.

Assistant U.S. Attorney Karen P. Seifert for the District of Columbia and Trial Attorney Ashley R. Pungello of the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting this case, with assistance from Paralegal Specialists Brian Rickers and Jorge Casillas. The U.S. Attorney’s Office for the District of Arizona and Trial Attorney Gregory Nicosia of the National Security Division’s National Security Cyber Section also provided valuable assistance.

Didenko Complaint, Domain Seizure, and Premises Warrants

According to the criminal complaint, Didenko allegedly engaged in a multi-year scheme to create accounts at U.S.-based freelance IT job search platforms and with U.S. money service transmitters in the names of false identities, including identities of U.S. persons, and sold these accounts to overseas IT workers. Didenko ran a website, upworksell.com, which advertised creating, buying, and renting accounts at U.S. websites using false identities, and also advertised “Credit Card Rental” in the European Union and the United States and SIM card rental for cellular phones. Didenko allegedly offered a full array of services to allow an individual to pose under a false identity and market themselves for remote IT work with unsuspecting companies. As stated, Didenko’s domain was seized as part of the case.

According to the affidavit in support of the complaint, Didenko is alleged to have managed as many as approximately 871 “proxy” identities, provided proxy accounts for three freelance U.S. IT hiring platforms, and provided proxy accounts for three different U.S.-based money service transmitters. In coordination with his co-conspirators, Didenko facilitated the operation of at least three U.S.-based laptop farms, at one point hosting approximately 79 computers. Didenko sent or received $920,000 in U.S. dollars payments since July 2018.

Didenko acknowledged in messages that he believed he was assisting North Korean IT workers. One of Didenko’s overseas IT worker customers also requested that a laptop be sent from one of Didenko’s U.S. laptop farms to Chapman’s laptop farm, showing the interconnectivity of these cells within the DPRK overseas IT worker network. Search warrants of Didenko’s laptop farms were executed in early May 2024.

If convicted, Didenko faces a maximum penalty of 67.5 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.

The FBI New York Field Office is investigating this case. The FBI Norfolk and San Diego Field Offices and the Jefferson City, Tennessee, Resident Agency provided assistance in executing search warrants.

Assistant U.S. Attorneys Karen P. Seifert and Steven Wasserman for the District of Columbia are prosecuting the case, with assistance from Paralegal Specialists Brian Rickers and Jorge Casillas and the U.S. Attorney’s Office for the District of Columbia. The U.S. Attorney’s Offices for the Southern District of California, Eastern District of Tennessee, and Eastern District of Virginia, Justice Department’s Office of International Affairs, and Trial Attorney Jacques-Singer Emory of the National Security Division’s National Security Cyber Section provided valuable assistance as well.


The FBI, along with the Departments of State and Treasury, issued a May 2022 advisory to alert the international community, private sector, and public about the North Korea IT worker threat. Updated guidance was issued in October 2023 by the United States and the Republic of Korea (South Korea), which includes indicators to watch for that are consistent with North Korea IT worker fraud.

An indictment and a criminal complaint are merely allegations. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.