How, using the identities of US citizens and “notebook farms”, North Koreans penetrated the networks of leading American companies and earned millions

North Korean hackers on the move.


Source of this material:

© Forbes.ru, 29 May 2024, "How IT specialists from North Korea got jobs at American companies by deception"

Kelly Phillips Erb

Think your personal data is safe thanks to your employer's IT department? Think again.

The US Department of Justice has unsealed a set of court documents dealing with identity theft and related crimes tied to the DPRK. Prosecutors, who allege that North Korean IT workers are infiltrating US companies and stealing from them, call it the largest case of this kind ever charged.

Scheme

According to the court documents, North Korea dispatched thousands of skilled IT workers around the world to infiltrate the networks of US companies and raise money for the North Korean weapons programs, in violation of US and UN sanctions. The schemes involved defrauding more than 300 US businesses, including many world-famous corporations; the use of US payment platforms and accounts on job-search sites; proxy servers located in the United States; and the recruitment of US citizens and organizations (some of whom did not even realize they were helping the fraudsters).

Prosecutors say it all began in 2020, when a group of foreign IT workers began providing services to US firms remotely. To get hired, the attackers stole the personal data of US citizens and used it to apply for remote vacancies in the United States. Once a contract was signed (sometimes through recruitment agencies), the workers received access to the internal systems of US companies. They not only stole data and money but also earned millions of dollars in salaries for their work, and caused false information to be reported to the IRS.

Christina Marie Chapman

One of the defendants is US citizen Christina Marie Chapman, who was arrested in Litchfield Park, Arizona. The real names of her accomplices are unknown; in the indictment they are identified as John Doe 1-3 under the aliases Zihou Han, Haoran Xiu and Chunji Jin.

Chapman is accused of helping the IT workers validate stolen identity information so that they could pose as US citizens. That is how the overseas workers were able to get jobs at US businesses, including a top-five television network, a Silicon Valley IT company, an aerospace equipment manufacturer, a US automobile manufacturer, a luxury retailer, and a popular US media company (the indictment calls it "one of the world's most recognizable media and entertainment companies"), each of them in the Fortune 500 ranking of the largest companies. The prosecution also alleges that the foreign workers stole data from at least two US firms: an international restaurant chain and a US clothing manufacturer.

The foreign IT workers also tried three times to obtain work, and with it access to information, at two US government agencies, but those attempts failed.

Search warrants were also executed at "laptop farms" located in the United States. This is the name given to residences where company-issued laptops for foreign IT workers are kept, so that the workers, who connect to those machines remotely, appear to be working from inside the country.
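As an added illustration (this is not code from the article, the court filings or any agency), the Python sketch below shows the kind of endpoint-fleet check a single employer could run to surface company laptops that look like they are sitting in such a farm and being driven from abroad. The record schema, the IP ranges, the geolocation table and the list of remote-control tools are all constructed assumptions; a real deployment would draw them from MDM/EDR inventory, a GeoIP feed and HR records.

```python
"""Heuristics for spotting "laptop farm" hosted endpoints in one employer's fleet.

Added example, not code from the article or from any agency.
All records, IP ranges and the geolocation table below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed geolocation table: prefix -> US state code, or "XX" for non-US.
# A real deployment would use a commercial GeoIP feed (assumption).
GEO = {
    ip_network("198.51.100.0/24"): "AZ",
    ip_network("203.0.113.0/24"): "CA",
    ip_network("192.0.2.0/24"): "XX",
}

# Constructed list of remote-control tools that should not be on a managed laptop.
REMOTE_CONTROL_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop"}


def region_of(ip: str) -> str:
    """Map an IP to a region code from the constructed table ("??" if unknown)."""
    addr = ip_address(ip)
    for net, region in GEO.items():
        if addr in net:
            return region
    return "??"


def laptop_farm_signals(devices):
    """Return {device_id: [signal, ...]} for every device matching a heuristic.

    Each record (constructed schema, an assumption) has:
      device, employee, hr_state, ship_to_matches_hr (bool), egress_ip,
      installed (lowercase package names), inbound_remote_from (source IPs)
    """
    by_egress = defaultdict(set)
    for d in devices:
        by_egress[d["egress_ip"]].add(d["employee"])

    findings = {}
    for d in devices:
        sig = []
        region = region_of(d["egress_ip"])
        if not d["ship_to_matches_hr"]:
            sig.append("laptop shipped to an address that is not the employee's address of record")
        if region != d["hr_state"]:
            sig.append(f"egress IP region {region} does not match HR state {d['hr_state']}")
        tools = REMOTE_CONTROL_TOOLS & set(d["installed"])
        if tools:
            sig.append("remote-control software present: " + ", ".join(sorted(tools)))
        foreign = [ip for ip in d["inbound_remote_from"] if region_of(ip) == "XX"]
        if foreign:
            sig.append("inbound remote-control sessions from non-US IPs: " + ", ".join(foreign))
        others = sorted(by_egress[d["egress_ip"]] - {d["employee"]})
        if others:
            sig.append("egress IP shared with other employees: " + ", ".join(others))
        if sig:
            findings[d["device"]] = sig
    return findings


# Constructed sample fleet: two ordinary remote workers and two suspicious devices
# that sit at one Arizona address and are operated from outside the country.
SAMPLE_FLEET = [
    {"device": "LT-0001", "employee": "j.rivera", "hr_state": "CA", "ship_to_matches_hr": True,
     "egress_ip": "203.0.113.40", "installed": ["slack", "vscode"], "inbound_remote_from": []},
    {"device": "LT-0002", "employee": "m.chen", "hr_state": "AZ", "ship_to_matches_hr": True,
     "egress_ip": "198.51.100.9", "installed": ["slack"], "inbound_remote_from": []},
    {"device": "LT-0103", "employee": "t.brooks", "hr_state": "TX", "ship_to_matches_hr": False,
     "egress_ip": "198.51.100.77", "installed": ["anydesk", "slack"],
     "inbound_remote_from": ["192.0.2.15"]},
    {"device": "LT-0104", "employee": "k.nguyen", "hr_state": "NY", "ship_to_matches_hr": False,
     "egress_ip": "198.51.100.77", "installed": ["rustdesk"],
     "inbound_remote_from": ["192.0.2.15", "192.0.2.16"]},
]


if __name__ == "__main__":
    for dev, signals in laptop_farm_signals(SAMPLE_FLEET).items():
        print(dev)
        for s in signals:
            print("  -", s)
```

Two caveats for anyone adapting this: the shared-egress-IP rule is weak for a single employer, because a farm usually hosts laptops issued by many different companies and one employer may only ever see one of them; the signals an individual employer can actually observe are a shipping address that differs from the address of record, remote-control tooling on a managed device, and remote sessions into that device from outside the country. These are heuristics for triage, not proof of fraud.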

Chapman's residence was among those searched by law enforcement in October 2023 under a warrant issued by a federal district court in Arizona. She is accused of running a "laptop farm" in her home to support the scheme. Prosecutors also say she received and forged payroll checks, and accepted direct deposits from US companies into her own US bank accounts as salaries for the overseas IT workers.

"Using the stolen personal information of US citizens is a crime in itself, but when such information is used to employ foreign nationals with ties to North Korea at US companies, it undermines the national security of an entire country," said Guy Ficco, Chief of IRS Criminal Investigation. "For more than 100 years, special agents of IRS Criminal Investigation have been following the money, and their financial expertise has once again thwarted the plans of criminals."

Prosecutors say Chapman was first invited into the scheme through LinkedIn, where she was asked to become "the US face" of the company. Her page on the network appears to have since been deleted.

Chapman is charged with conspiracy to defraud the United States, conspiracy to commit wire fraud, conspiracy to commit bank fraud, aggravated identity theft, conspiracy to commit identity fraud, conspiracy to launder monetary instruments, operating as an unlicensed money transmitting business, and unlawful employment of foreign nationals. Her accomplices are charged with conspiracy to commit money laundering.

So far Chapman has only been charged; she has not yet responded to the charges. If convicted, she faces a maximum sentence of 97.5 years in prison, including a mandatory minimum of two years for aggravated identity theft.

According to the court documents, Chapman is represented by a federal public defender.

The John Does, meanwhile, remain at large. The US State Department has announced a reward of up to $5 million for information about Chapman's associates. Anyone with information about the people using the aliases Zihou Han, Haoran Xiu and Chunji Jin, about individuals and organizations associated with them, or about their revenue-generating and money-laundering activities, is asked to contact the Rewards for Justice program.

Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department's Criminal Division, said: "The charges in this case should be a wake-up call to US companies and government agencies that employ remote IT workers. These crimes benefit the North Korean government, giving it a revenue stream and, in some cases, proprietary information stolen by its co-conspirators."

Alexander Didenko

A criminal complaint was also unsealed in the District of Columbia accusing Kyiv native Alexander Didenko of running a separate scheme to create fake accounts on US IT freelancing platforms and US money transfer services.

According to the complaint, Didenko operated the website upworksell.com, which allegedly offered services to remote IT workers. According to an affidavit from an FBI special agent who examined the site, an advertisement on it stated that remote IT workers could buy or rent accounts registered to other people. The site also promoted "credit card rentals" in the European Union and the United States, as well as mobile-phone SIM card rentals. In the card case, clients sent money to be loaded onto the card and Didenko passed the card details back to them, charging a commission.

He allegedly accepted payment for his services in several ways, including USDT (the Tether stablecoin), BUSD (the Binance stablecoin), USDC (the USD Coin stablecoin) and accounts at US money transfer services.

Prosecutors say this was only part of a "full range of services" that also included staged interviews, so that clients could impersonate other people and enter into remote employment contracts with unsuspecting firms.

The domain upworksell.com has since been seized under a court order obtained by the Department of Justice, and all traffic to the site is redirected to the FBI; the page now displays a seizure notice.

According to the affidavit, Didenko's arsenal included the "proxy" identities of approximately 871 people, proxy accounts on three US IT freelancing platforms and on three different US money transfer platforms. Together with his accomplices, the defendant set up at least three "laptop farms" in the United States, which at one point held a total of 79 computers.

According to the prosecution, in his messages Didenko admitted that he was assisting IT workers from North Korea. In addition, in November 2023 a US cybersecurity firm found documents on an online file-storage platform describing attempts by North Korean IT workers to obtain remote employment. According to the court documents, the firm concluded "with a high degree of confidence" that the files were connected to an espionage group with ties to North Korea. The firm wrote, in part: "Several of the documents we found contained information that points more clearly to North Korea. Many of the passwords associated with these documents were created by typing Korean text on a US keyboard layout, and some include words used only in North Korea. Moreover, the computers of the attackers behind these campaigns have Korean keyboard settings enabled."

The documents include guides and tips on getting hired, writing cover letters and formatting a resume, sample resumes for fake IT workers, and step-by-step interview scripts. Several of the documents relate to job-board postings that eventually went to North Korean IT workers: vacancies at US employers which, according to business records, were later linked to computers in Chapman's home (prosecutors say Didenko's and Chapman's operations were interconnected).

One of Didenko's foreign IT clients also asked for a laptop to be sent from one of Didenko's "farms" to Chapman's "laptop farm", indicating links between the two cells within a network of foreign IT workers from North Korea. Search warrants for four residences with "laptop farms" controlled by Didenko in the United States were issued by federal courts in the Southern District of California, the Eastern District of Tennessee and the Eastern District of Virginia.

If convicted, he faces a maximum sentence of 67.5 years in prison, including a mandatory minimum of two years for aggravated identity theft. Didenko was arrested by Polish law enforcement on May 6 at the request of the United States, which is seeking his extradition.

The court documents do not say whether the accused intends to retain a lawyer in the United States.

Warning Signs

In 2022, the FBI, the State Department and the Treasury Department released an advisory warning the international community, the private sector and the general public about the threat posed by North Korean IT workers. The 16-page document described in detail how DPRK IT workers operate, the red flags that companies hiring freelance developers, freelancing platforms and payment services should recognize, and general proactive measures businesses can take to avoid unknowingly hiring such workers and becoming complicit in their activities.

In October 2023, US and South Korean authorities released updated guidance. It lists additional signs to watch for in light of the fraudulent activity of North Korean IT workers, and countermeasures the international community, the private sector and the general public should take to avoid hiring remote workers from the DPRK.

The FBI encourages US companies to report suspicious activity, including any activity believed to be carried out by North Korean IT workers.
