In March 2020, coinciding with the onset of the Covid pandemic, Christina Chapman, a resident of Arizona and Minnesota, received a LinkedIn message inviting her to “become the face of the US” for her company, which sought foreign IT workers to facilitate remote employment.

As remote work became commonplace, Chapman successfully connected foreign workers with numerous US companies, including major players in the Fortune 500 like Nike, referred to as a “Premier Silicon Valley Technology Company,” and “one of the world’s most renowned media and entertainment firms.”

Employers believed they were hiring US citizens; however, they were actually North Koreans.

Chapman was entangled in a North Korean governmental initiative to deploy thousands of “highly skilled IT workers” by commandeering identities to present them as US citizens or from other nations. This scheme reportedly generated millions of dollars intended to fund the regime’s nuclear weapons development, as per US Department of Justice court records.

Chapman’s peculiar saga concluded with an eight-year prison term, serving as a bizarre mix of tragic narratives involving geopolitics, international crime, and the isolation of working from home in a gig economy heavily reliant on digital interactions, obscuring the line between fact and fiction.

Federal and cybersecurity experts warn that covert North Korean workers not only assist adversaries of the US but also aid oppressive regimes affected by international sanctions related to weapons development while jeopardizing the identities of American citizens and potentially undermining domestic companies through “malicious cyber intrusions.”

“After Covid hit and everyone transitioned to virtual work, many tech jobs never returned to the office,” noted Benjamin Racenberg, senior intelligence manager at NISOS, a cybersecurity firm.

“Companies quickly recognized that they could source talent globally, leading to a situation where North Korea and other fraudulent employment sources manipulated the hiring system to secure jobs.”

North Korea required a US intermediary to execute this scheme, as companies are “unwilling to ship laptops to North Korea or China,” explained Adam Meyers, anti-side effects director at cybersecurity company CrowdStrike.

“They recruit individuals seeking gigs, proposing, ‘Hey, I can get you $200 per laptop you manage,'” said Myers, whose team has released a report on North Korea’s tactics.

Chapman had a troubling upbringing, navigating “between low-paying jobs and unstable housing,” according to a document submitted by her attorney. In 2020, she was also tasked with caring for her mother, diagnosed with kidney cancer.

About six months after the LinkedIn communication, Chapman commenced operations described by law enforcement as “laptop farms.”

In facilitating these operations, she supported North Koreans in masquerading as US citizens through identity verification. She sent laptops abroad and logged onto them so foreign workers could connect remotely, with salaries funneled to workers as indicated by court records.

Meanwhile, North Koreans constructed online identities that aligned with job specifications for remote IT roles, often securing positions via staffing agencies.

In one instance, a “Top 5 National TV Network and Media Company” based in New York employed a North Korean as a video streaming engineer.

Individuals impersonating “Daniel B” requested Chapman to join a Microsoft team together with their employers to facilitate conspirators’ participation. The indictment does not disclose the full name of the victim.

“I just typed the name Daniel,” Chapman communicated to a North Korean, as per online chat records. “When I ask why you are using two devices, please respond that the laptop’s microphone is malfunctioning.”

“Okay,” the foreign participant replied.

“Most people will accept that explanation,” Chapman responded.

Chapman acknowledged the illegality of her actions.

“I hope you can find someone else to handle your physical I-9. Those are federal documents. I’ll send it to you, but I’ll have someone else handle the paperwork. If you’re caught, you could go to federal prison for forgery,” Chapman told her co-conspirators.

Chapman was also active on social media, posting in a June 2023 video about her hectic schedule while grabbing breakfast on the go, as reported by Wired.

Behind her was a rack with at least 12 open laptops. When federal agents raided her home in October 2023, they discovered 90 laptops. In February of the same year, she pled guilty to conspiracy to commit wire fraud, identity theft, and conspiracy to obfuscate financial products.

Throughout her three-year collaboration with North Korea, some employees amassed hundreds of thousands of dollars from single companies, generating a total of $17 million for Chapman and the North Korean regime.

The fraud operation also involved stealing the identities of 68 individuals, according to the Department of Justice.

In a letter to the court prior to her sentencing, Chapman expressed gratitude to the FBI for her arrest, stating she was attempting to escape from a long-time associate. “And I truly didn’t know how to do that.”

“The area we lived in provided few job opportunities that aligned with my needs,” Chapman wrote. “I sincerely apologize to those affected. I am not someone who seeks to harm others, so it’s devastating to realize I was part of a scheme that sought to inflict damage.”

Last week, U.S. District Judge Randolph Moss sentenced Chapman to over eight years in prison, seizing $284,000 intended for North Korea along with a $176,000 fine.

Chapman and her collaborators were not alone in such fraud; in January, the federal government indicted a scheme where two North Koreans, Mexican citizens, and two US citizens obtained positions in at least 64 US companies, generating over $866,000 in revenue, as reported by the Department of Justice.

Racenberg from NISOS expressed concern that cybercriminals will increasingly leverage artificial intelligence to enhance such schemes.

He advised companies to conduct “open-source research” on applicants, as fraudsters frequently replicate content from existing resumes.

“If you input the initial lines of your resume, you may discover two or three other resumes online that are strikingly similar, using identical companies or timelines,” Racenberg cautioned. “That should raise some red flags.”

During interviews, if background noises resemble a call center or if applicants refuse to remove a fake or blurry background, this should also raise concerns, according to Myers from CrowdStrike.

Businesses should also encourage new hires to visit offices and require the return of laptops directly rather than mailing them.

Five years after the pandemic, more companies are gradually insisting their employees return to the office at least part-time. If all businesses did the same, would that eradicate the threat?

“While this may reduce occurrences, it doesn’t guarantee everything will revert to former practices,” Racenberg commented. “However, the likelihood of reverting completely is quite low.”