Do you think your data is safe thanks to the information technology (IT) department? Think again.
The Department of Justice (DOJ) has released several court documents focusing on identity theft and other crimes related to the Democratic People's Republic of Korea (DPRK or North Korea). Prosecutors allege that North Korean IT workers infiltrated and defrauded U.S. companies, calling it the largest case ever brought in connection with this type of conspiracy.
plan
According to court documents, North Korea used stolen or borrowed identities to infiltrate the networks of U.S. companies and collect funds to donate to North Korea's weapons program in violation of U.S. and United Nations sanctions. It has sent thousands of skilled IT workers around the world. The scheme involved more than 300 U.S. companies, including many well-known Fortune 500 companies, using accounts on U.S. payment platforms and online job sites, proxy computers located in the U.S., and U.S. individuals and entities, some of which were fraudulent. (who was unaware of the act) was involved in the fraud. (facilitated fraud).
Prosecutors allege the scheme began in early 2020 when a group of overseas IT workers began performing services remotely for U.S. companies. To get the jobs, the workers stole the identities of Americans and applied for remote jobs in the United States. Once they obtained jobs in the United States, they were able to gain access to the internal systems of American companies, sometimes through employment agencies. Not only did they steal data and money, they were paid millions of dollars for their work and falsely reported that information to the IRS.
christina marie chapman
One of those indicted is Christina, a U.S. citizen who was arrested in Litchfield Park, Arizona, along with her co-conspirators (referred to in the indictment as John Does 1-3, with aliases Jiho Han, Haoran Xu, and Chunji).・This is Marie Chapman. gin).
Chapman is accused of helping IT employees verify stolen identities to impersonate U.S. citizens. Overseas IT workers have taken jobs at American companies, including the top five major television networks, Silicon Valley technology companies, aerospace manufacturers, American automakers, luxury retailers, and America's leading media and entertainment companies. . The indictment describes them as “one of the most prominent media and entertainment companies in the world,” all of which were Fortune 500 companies. Prosecutors allege that the overseas IT employees also leaked (a fancy technical term for stealing) data from at least two U.S. companies, including a multinational restaurant chain and an American clothing brand. .
(Overseas IT workers also attempted to gain employment and access to information at two different U.S. government agencies on three other occasions, but these efforts were generally unsuccessful.)
The FBI also executed a search warrant on a US-based “laptop farm.”Laptop farms are residences that host the laptops of IT workers overseas, so the IT workers appear to be operating in the United States
Chapman's residence was among those searched in October 2023 based on a warrant issued in the District of Arizona. She is accused of setting up a laptop farm at her home to support the scheme. Prosecutors also allege that she took and forged her own payroll checks and deposited overseas IT workers' salaries from U.S. companies directly into U.S. financial accounts.
“Using stolen identities of U.S. citizens is a crime in itself, but using that identity to procure jobs for foreigners with ties to North Korea at hundreds of U.S. companies is a national crime. “This would jeopardize the national security of the country.” Guy Ficco, Director of IRS-CI; “For more than 100 years, IRS Criminal Investigation special agents have been tracking that money, and their financial expertise has once again thwarted criminals in their tracks.”
Prosecutors allege Chapman was initially approached about joining the scheme on LinkedIn, where he was asked to become the company's “face of America.” (Her LinkedIn page appears to have been deleted.)
Chapman is now specifically charged with conspiracy to defraud the United States, conspiracy to commit wire fraud, conspiracy to commit bank fraud, aggravated identity theft, conspiracy to commit identity fraud, conspiracy to launder financial instruments, and operating an unauthorized money transfer business. . , illegal employment of foreigners. John Doe and his wife are charged with conspiracy to commit money laundering.
Mr. Chapman has been charged but has not yet entered a plea. If convicted, Chapman could face up to 97.5 years in prison for aggravated identity theft, including a minimum sentence of two years.
Chapman is currently being represented by a federal public defender, according to court documents.
John Doze remains at large. The U.S. Department of State has announced a reward of up to $5 million for information related to Chapman's co-conspirators. The Department of Justice encourages anyone with information regarding Jiho Han, Haoran Xu, Chunji Jin, Zhonghua, related individuals or entities, or their revenue generating or money laundering activities to contact the Justice Bounty Office through the Tor-based tip reporting channel: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (requires Tor Browser).
“The charges in this case should serve as a wake-up call to American companies and government agencies that employ remote IT workers,” said Assistant Attorney General Nicole M. Argentieri, head of the Justice Department's Criminal Division. These crimes benefited the North Korean government, provided a source of income, and in some cases had confidential information stolen by co-conspirators. The Criminal Division remains steadfast in its commitment to prosecuting complex criminal schemes such as this one. ”
Oleksandr Didenko
Also in the District of Columbia, a criminal complaint charges Oleksandr Didenko of Kyiv, Ukraine, with separate schemes to create fake accounts on a U.S. IT job search platform and a U.S.-based money services transmission company. was published.
According to the criminal complaint, Didenko operated a website called upworksell.com that purported to provide services to remote IT workers. According to an affidavit in support of the complaint filed by her FBI special agent who investigated the website, the site allows remote IT workers to buy or rent accounts in the name of her ID other than their own. was advertising. The site also advertised “credit card rentals” in the European Union and the United States, as well as his SIM card rentals for mobile phones. The customer sent money to charge the card, and Didenko provided the card information to the customer after receiving the fee.
Didenko allegedly offered various payment options including USDT (Tether)
USDT
USDC
Prosecutors say these were part of a “package of services” that also included fake interviews that allowed individuals to assume false identities and pitch remote IT jobs to unsuspecting companies. are doing.
(The upworksell.com domain was subsequently seized by the Department of Justice pursuant to a court order, and all traffic was forwarded to the FBI. A message now appears on the site notifying you that this has happened. )
According to an affidavit supporting the complaint, Didenko controlled approximately 871 “proxy” identities, provided proxy accounts to three U.S. freelance IT employment platforms, and provided proxy accounts to three different U.S.-based money service senders. provided an account. Didenko, in conjunction with his co-conspirators, facilitated the operation of his US-based farm of at least three laptops and at one time hosted approximately 79 computers.
Prosecutors allege Didenko admitted in the messages that he believed he was supporting North Korean IT workers. Additionally, in November 2023, a US cybersecurity firm discovered documents on an online storage platform related to North Korean IT workers' attempts to obtain employment as remote workers. According to court documents, the company assessed with “high confidence” that the documents may have come from a spy group with ties to North Korea. “Some of the documents we discovered contained information that pointed more definitively to North Korea,” the company said. Many of the passwords associated with these documents were created in Korean, typed on U.S. keyboards, and some passwords include words used only in North Korea. Additionally, Korean keyboard language settings were discovered on the computers used by the attackers behind these campaigns. ”
The document included guides and tips on securing employment, how to write a cover letter, creating a resume, sample resumes for alleged IT employees, interview scripts, and more. Several of the documents relate to online job listings seeking employees secured by North Korean IT workers, including a U.S. job posting that was later tied to a computer found at Chapman's residence through business records. (Prosecutors say Didenko and Chapman's activities are related).
One of Didenko's overseas IT worker customers also requested that a laptop be sent from one of Didenko's U.S. laptop farms to Chapman's laptop farm, and that one of Didenko's overseas IT worker customers was also asked to send a laptop from one of Didenko's U.S. laptop farms to Chapman's laptop farm. shows that these cells are interconnected. Search warrants were executed in the Southern District of California, the Eastern District of Tennessee, and the Eastern District of Virginia on four U.S. residences associated with laptop farms managed by Didenko.
If convicted, Didenko could face up to 67.5 years in prison for aggravated identity theft, including a minimum sentence of two years. Polish authorities arrested Didenko on May 6 at the request of the United States, which is seeking his extradition from Poland.
Court documents do not specify whether Mr. Didenko has obtained legal representation in the United States.
Alert
In 2022, the FBI, State Department, and Treasury Department issued an advisory warning the international community, private sector, and public about the threat posed by North Korean IT workers. The 16-page guide explains how North Korean IT workers operate and what red flags companies hiring freelance developers and freelance and payment platforms can use to identify these workers. Contains detailed information about the indicators. and general mitigation measures to better prevent companies from inadvertently hiring or promoting such workers.
The United States and the Republic of Korea (South Korea) issued updated guidance in October 2023. The guidance includes notable new indicators consistent with North Korean IT worker fraud and additional due diligence measures that the international community, private sector, and public authorities can take. Take steps to prevent the hiring of North Korean IT workers.
The FBI is encouraging U.S. companies to report suspicious activity, including suspected activities of North Korean IT employees, to their local field offices.