Press Release

Arizona Woman Sentenced in $17M IT Worker Fraud Scheme That Illegally Generated Revenue for North Korea

For Immediate Release
U.S. Attorney's Office, District of Columbia
‘Laptop Farm’ Deceived Fortune 500 Companies That Workers Were in the U.S.

            WASHINGTON – Christina Marie Chapman, 50, of Litchfield Park, Arizona, was sentenced today in U.S. District Court to 102 months in prison for her role in a fraudulent scheme that assisted North Korean workers—posing as U.S. citizens and residents—in obtaining and working in remote IT positions at more than 300 U.S. companies. The scheme generated more than $17 million in illicit revenue for herself and for the Democratic People’s Republic of Korea (DPRK or North Korea), announced U.S. Attorney Jeanine Ferris Pirro and Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.

            Chapman pleaded guilty on Feb. 11, 2025, in the District of Columbia to conspiracy to commit wire fraud, aggravated identity theft, and conspiracy to launder monetary instruments. In addition to the 102-month prison term, U.S. District Court Judge Randolph D. Moss ordered Chapman to serve three years of supervised release, to forfeit $284,555.92 that was to be paid to the North Koreans, and to pay a judgement of $176,850.

            The case involved one of the largest North Korean IT worker fraud schemes charged by the Department of Justice, with 68 U.S. person identities stolen and 309 U.S. businesses and two international businesses defrauded.

            Joining in the announcement were Federal Bureau of Investigation (FBI) Assistant Director Roman Rozhavsky of the FBI Counterintelligence Division, FBI Special Agent in Charge Heith R. Janke of the FBI Phoenix Field Office, and Internal Revenue Service Special Agent in Charge Carissa Messick for IRS Criminal Investigation’s Phoenix Field Office.

            U.S. Attorney Pirro noted her Office’s ongoing efforts to stem North Korean revenue generation.

            “North Korea is not just a threat to the homeland from afar. It is an enemy within. It is perpetrating fraud on American citizens, American companies, and American banks. It is a threat to Main Street in every sense of the word,” she said. Pirro further called on corporate America to take action.

            “The call is coming from inside the house. If this happened to these big banks, to these Fortune 500, brand name, quintessential American companies, it can or is happening at your company. Corporations failing to verify virtual employees pose a security risk for all. You are the first line of defense against the North Korean threat.”

            Said Acting Assistant Attorney General Galeotti: “The defendant’s role as a U.S.-based facilitator was critical to North Korea’s complex scheme to defraud American companies and steal the identities of American citizens. This multi-year plot highlights the unique threat that North Korea poses to U.S. companies who hire remote workers. The Criminal Division remains steadfast in its commitment to identify and prosecute individuals who facilitate these criminal schemes against U.S. companies.”

           “The North Korean regime has generated millions of dollars for its nuclear weapons program by victimizing American citizens, businesses, and financial institutions,” said FBI Assistant Director Rozhavsky of the FBI’s Counterintelligence Division. “However, even an adversary as sophisticated as the North Korean government can't succeed without the assistance of willing U.S. citizens like Christina Chapman, who was sentenced today for her role in an elaborate scheme to defraud more than 300 American companies by helping North Korean IT workers gain virtual employment and launder the money they earned. Today's sentencing demonstrates that the FBI will work tirelessly with our partners to defend the homeland and hold those accountable who aid our adversaries.”

            According to court documents, North Korea has deployed thousands of highly skilled IT workers around the world, including the United States, to obtain remote employment using false, stolen, or borrowed identities of U.S. persons. To circumvent controls employed by U.S. companies to prevent hiring illicit overseas IT workers, the North Korean IT workers obtain assistance from persons residing in the U.S.

            Chapman, an American citizen, conspired and assisted the North Korean IT workers from October 2020 to October 2023. Using stolen and purchased identities of U.S. nationals, the North Korean IT workers applied for remote IT jobs at U.S. companies and, in furtherance of the scheme, transmitted false documents to the Department of Homeland Security on at least 100 occasions.

            Chapman and her coconspirators obtained jobs at 309 U.S. companies, including Fortune 500 corporations, often through temporary staffing companies or other contracting organizations. The impacted companies included a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car maker, a luxury retail store, and a U.S. media and entertainment company. The IT workers also attempted to obtain employment and access to information at two different U.S. government agencies, although these efforts were generally unsuccessful. Some of the companies were purposely targeted by a group of DPRK IT workers, who maintained a repository of postings for companies at which they wanted to insert IT workers.

            Chapman operated a “laptop farm” where she received and hosted computers from the U.S. companies at her home, so that the companies would believe the workers were in the United States. Chapman also shipped 49 laptops and other devices supplied by U.S. companies to locations overseas, including multiple shipments to a city in China on the border with North Korea. More than 90 laptops were seized from Chapman’s home following the execution of a search warrant in October 2023.

Christina Chapman organized and stored U.S. company laptops in her home, and included notes identifying the U.S. company and identity associated with each laptop.


            Chapman and the North Korean IT workers netted more than $17.1 million for their work. Much of the income was falsely reported to the IRS and Social Security Administration in the names of actual U.S. individuals whose identities had been stolen or borrowed. Additionally, Chapman received and forged payroll checks in the names of the stolen identities used by the IT workers and received IT workers’ wages through direct deposit from U.S. companies in her U.S. financial accounts. Chapman further transferred the proceeds from the scheme to individuals overseas.

            Said FBI Phoenix Special Agent in Charge Janke: “The sentencing today demonstrates the great lengths to which the North Korean government will go in its efforts and resources to fund its illicit activities. The FBI continues to pursue these threat actors to disrupt their network and hold those accountable wherever they may be.”

            “Today’s sentencing brings justice to the victims whose identities were stolen for this international fraud scheme,” said Special Agent in Charge Carissa Messick of the IRS Criminal Investigation Phoenix Field Office. “The scheme was elaborate. If this sentencing proves anything, it’s that no amount of obfuscation will prevent IRS-CI and our law enforcement partners from tracking down those that wish to steal the identities of U.S. nationals, launder money, or engage in criminality that jeopardizes national security.”

            The conspiracy orchestrated a vast and sophisticated fraud scheme, at the expense of generally unknowing U.S. companies and persons — generating at least $17.1 million of revenue for North Korea. The coconspirators compromised the identities of 68 U.S. persons, creating false tax liabilities for these victims; applied for or obtained remote jobs at 309 U.S. companies and 2 international companies; and caused false information to be conveyed to DHS on more than 100 occasions.

            In 2024 a United Nations Panel of Experts report estimated that the technology sector continues to be a key moneymaker for North Korea with an estimated 3,000 North Korean IT workers abroad and another 1,000 more operating inside North Korea, generating $250 million to $600 million annually.

            This case was investigated by the FBI Phoenix Field Office and the IRS Criminal Investigation Phoenix Field Office. Assistance was provided by the FBI Chicago Field Office.

            Assistant U.S. Attorney Karen P. Seifert for the District of Columbia and Trial Attorney Ashley R. Pungello of the Criminal Division’s Computer Crime and Intellectual Property Section prosecuted the case, with assistance from Paralegal Specialist Jorge Casillas. Assistant U.S. Attorney Joshua Rothstein, the Victim Witness Unit, the U.S. Attorney’s Office for the District of Arizona, and the National Security Division’s National Security Cyber Section also provided assistance.

***

            In a coordinated effort, FBI Phoenix also issued guidance for HR professionals on detecting North Korean IT workers, and the Department of State issued guidance on the North Korean IT worker threat.

            Prior guidance was issued by the FBI, State Department, and the Department of the Treasury on this threat in a May 2022 advisory, and by the United States and the Republic of Korea (South Korea) in October 2023. The FBI issued updated guidance in May 2024 regarding the use of U.S. persons acting as facilitators by providing a U.S.-based location for U.S. companies to send devices and a U.S.-based internet connection for access to U.S. company networks, and in January 2025 concerning the extortion and theft of sensitive company data by North Korean IT workers, along with recommended mitigations.


24cr0220

Updated July 24, 2025
