Three cuffed for 'helping North Koreans' secure remote IT jobs in America
Your local nail tech could be a secret agent for Kim’s cunning plan
Three individuals accused of helping North Korea fund its weapons programs using US money are now in handcuffs.
All three are said by Uncle Sam's prosecutors to have used different methods to evade sanctions against the hermit nation and extract money from America's economy to benefit the Kim Jong-Un regime.
Minh Phuong Vong, of Bowie, Maryland, who was arrested on Thursday morning and charged with conspiracy to commit wire fraud, secured jobs under his own identity which were allegedly carried out by remote North Korean natives.
For years Kim Jong Un's regime has been deploying individuals with IT skills into the US workforce using various means to ultimately use their pay to fund programs back home. When the phenomenon was first made public by the US in 2022, it was believed some Nork software devs were each raking in compensation in excess of $300,000 a year.
Vong's alleged role in the conspiracy, at least according to the Feds, was to secure positions at companies and then outsource that work to North Koreans who could actually do the technical work, all while keeping a percentage of the salary for his trouble and funneling the rest back to Pyongyang. A Vietnam native, Vong was a naturalized US citizen who actually worked in a nail salon.
In one case, the complaint claimed, a CEO of a company hopped on a video call with Vong to verify his identity by holding up to the camera a copy of his US passport and state driving license.
This was shortly after another individual, who was charged and named only as John Doe, applied for the same role and later appeared at work meetings after Vong was hired, the Feds allege. The complaint adds that they described themselves as a software developer working out of Shenyang, China, and claimed communications between Vong and John Doe indicated the dev was of North Korean descent.
Feds arrest woman they claim is core cog in Nork's remote work machine
Also arrested this week was US national Christina Marie Chapman, 49, of Litchfield Park, Arizona, who allegedly helped North Korea on an even grander scale. She was charged with conspiracy to defraud the United States, conspiracy to commit wire fraud, conspiracy to commit bank fraud, aggravated identity theft, conspiracy to commit identity fraud, conspiracy to launder monetary instruments, operating as an unlicensed money transmitting business, and unlawful employment of aliens.
Chapman was essentially accused of running a laptop farm – a residence in the US fitted with arrays of laptops that overseas or Nork workers can remote into and work from. The local IP address of the machines was intended to add a layer of perceived legitimacy to any remote work carried out for a US company, the DoJ claims.
According to the indictment [PDF] against Chapman, she allegedly helped North Korean workers defraud major US companies, more than 300 in total, including various blue-chip companies across multiple industries.
Among the most high-profile victims in the alleged conspiracy were a "top-five national television network and media company," a Silicon Valley tech biz, an aerospace and defense company, an "iconic" American car brand, a luxury retail chain, and "one of the most recognizable media and entertainment companies in the world."
Data was also stolen from a multinational restaurant chain and class American clothing company, the indictment alleges.
Chapman is accused of helping overseas North Korean IT workers validate stolen US identities of which more than 60 are believed to have been compromised.
A total of $6.8 million is thought to have been generated for overseas workers in the scheme Chapman allegedly helped facilitate.
There is currently a $5 million reward for information on three of the overseas workers Chapman helped via the State Department's Rewards for Justice program. The trio are officially referred to as John Doe 1, 2, and 3, but are known to use the aliases Jiho Han, Chunji Jin, and Haoran Xu. Deets about their manager "Zhonghua" could also yield a reward.
"On the surface, today's allegations of wire fraud, identity theft, and money laundering may read like a typical white collar or economic crime scheme," said Kevin Vorndran, assistant director at the FBI's Counterintelligence Division.
"But what these allegations truly represent is a new high-tech campaign to evade US sanctions, victimize US businesses, and steal US identities. The charges clearly demonstrate how the FBI and its partners will employ every resource at our disposal to bring to justice anyone who helps North Korea evade sanctions."
"The FBI has long stated that cybersecurity is national security and this case is living proof of that," said Akil Davis, special agent in charge at the FBI's Phoenix Field Office. "That a woman living her quiet life in the outskirts of Phoenix can allegedly get so entangled in something like this clearly indicates our adversaries are getting more sophisticated and stealthier, so it's critical that businesses and citizens be hyper-vigilant with their cyber activities."
In October 2023, the US re-upped its awareness campaign of North Korea's tactics in this area, updating its guidance for organizations on how to spot a rogue Nork in the application process.
All things connected
At least some of the overseas workers who benefitted from Chapman's alleged crimes also worked with Ukrainian national Oleksandr Didenko, 27, of Kyiv, who was arrested earlier this month for similar matters.
Didenko is primarily accused of running the website UpWorkSell which claimed to offer overseas IT workers the opportunity to register on freelance IT job sites using identities other than their own to secure gig work at US-based companies.
He's alleged to have run this service from January 2018 onwards and believed that at least some of the website's users were North Korean.
Like Chapman, he's also accused of running a laptop farm. He was arrested in Poland at the request of Uncle Sam on May 7, and the US is currently trying to extradite him on charges of identity fraud.
UpWorkSell was just one website seized by the US as part of this latest clampdown on North Korea's attempts to extract money from the US economy while evading the litany of sanctions against it.
Twelve others that supported fraudulent North Korean workers bids to secure employment were also seized and are pictured in an unsealed affidavit [PDF]. Prosecutors said these were established by North Korean IT workers, working on behalf of China-based Yanbian
Silverstar Network Technology and the Russia-based Volasys Silver Star, both of which were sanctioned in 2018.
- Misconfigured cloud server leaked clues of North Korean animation scam
- Execs in Japan busted for winning dev bids then outsourcing to North Koreans
- That Asian meal you eat on holidays could launder money for North Korea
- Uncle Sam tells nosy nations to keep their hands off Americans' personal data
- Industry piles in on North Korea for sustained rampage on software supply chains
The websites were developed clumsily, according to prosecutors, and signs such as awkward phrasing, poor grammar, and suspicious registered addresses (residences rather than office blocks) should have aroused suspicions from the get-go.
"The alleged schemes likely benefitted the Democratic People's Republic of Korea in evading US sanctions and victimizing American businesses," said Larissa L Knapp, executive assistant director of the FBI's National Security Branch.
"By stealing the identities of American citizens to commit fraud, they obtained proceeds which likely helped fund the North Korean regime's priorities including nuclear weapons programs. The FBI and our partners are committed to rooting out insidious efforts that undermine our economic and national security." ®