IT worker fraud
Featured Article

Infiltrating the IT industry

By Trisha Gangadeen, CFE

Companies across the globe have unknowingly hired remote information technology workers acting on behalf of the Democratic People’s Republic of Korea (DPRK). Using stolen identities and gaining access to sensitive data, the workers illicitly generate revenue for the DPRK’s Weapons of Mass Destruction (WMD) and ballistic missiles programs (weapons program). The author breaks down elements of the scheme and provides tactics for organizations to avoid hiring bad actors.

Matthew Knoot allegedly had a farm. Not the kind with fields of crops, but a “laptop farm,” with a series of computers that he reportedly tended from his residences in the U.S. state of Tennessee. His objective, according to the U.S. Department of Justice (DOJ), was to provide a command center for a vast network of remote workers primarily in Russia and China who were illegally employed in information technology (IT) jobs at hundreds of U.S. and British companies.

The alleged mission of those workers was to funnel their salaries from contract work to the Democratic People’s Republic of Korea (DPRK or North Korea) to fund the authoritarian regime’s illegal weapons development programs. The DOJ accused Knoot of helping the overseas workers obtain stolen identities to pose as U.S. citizens. Knoot is also accused of downloading and installing unauthorized software to facilitate the workers’ access to remote jobs and conspiring to launder the workers’ payments into offshore accounts.

Due to sanctions against the government of North Korea, people in the U.S. are prohibited from engaging in transactions with the country without authorization from the U.S. Office of Foreign Assets Control (OFAC).

Knoot, who allegedly ran his laptop operation between July 2022 and August 2023, was charged with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft and conspiracy to cause the unlawful employment of aliens. Knoot and the fraudulent workers reportedly cost victim companies more than $500,000 for auditing and remediating devices, systems and networks.


But Knoot’s case isn’t an isolated incident. Just months before his arrest, the DOJ indicted a woman in Arizona for hosting a laptop farm in a similar scheme. Christina Chapman allegedly helped overseas IT workers — many of them connected to North Korea — secure remote IT jobs at more than 300 U.S. companies with stolen identities. More than 60 identities were allegedly compromised in the scheme. Because many of the stolen identities belonged to U.S. nationals (non-citizens legally permitted to live in the U.S.), the false documentation was transmitted to the U.S. Department of Homeland Security.

With Chapman’s alleged assistance, the IT workers generated approximately $6.8 million in revenue. Like Knoot, Chapman is also accused of laundering funds to foreign accounts. Knoot and Chapman each received a monthly fee for their services; according to the DOJ, Knoot was paid by a foreign-based facilitator and Chapman charged fees from the overseas IT workers. And like Knoot, Chapman’s services allegedly funded DPRK’s weapons programs.

The cases against Knoot and Chapman aren’t the extent of the situation, and several other cases illuminate the breadth of the IT worker scheme. In December 2024, a U.S. federal court in Missouri indicted 14 North Korean nationals for violating U.S. sanctions, laundering money and stealing identities. Most recently, in January 2025, two North Korean nationals were indicted along with three accomplices for a multiyear scheme to exploit 64 U.S. companies and generate $866,255 in revenue laundered through a Chinese bank account.

These cases, including the ones involving Knoot and Chapman, are emblematic of organizations’ vulnerability to foreign actors, especially as they wrestle with filling high-demand jobs, such as IT positions. These cases also underline the danger to organizations from foreign adversaries looking to threaten international security. In fact, North Korean-connected IT workers reportedly infiltrated Australian companies in addition to U.S. and British companies. In a December 2024 Sydney Morning Herald article, John Hultquist, chief analyst at Google’s cybersecurity arm, Mandiant, warned, “As pressure has increased in the U.S., we have seen these IT workers shift their focus to other countries where employers are less familiar with this scheme and they are likely to meet less scrutiny.”

In this article, we break down the core components of the IT worker fraud scheme, its impact on organizations and national security, and describe actions that organizations can take to protect themselves.

The scheme and its core components

Going back to 2022, the U.S. Treasury Department, State Department and FBI issued a joint advisory warning the international community and public and private sectors about the DPRK’s deployment of remote workers into IT jobs. An updated public warning in 2023 included information about red flags of the scheme and due diligence measures that organizations should take to safeguard against hiring fraudulent workers. There are several important dimensions to the scheme as seen in Knoot’s and Chapman’s cases that organizations need to be aware of, including the use of highly skilled people, identity theft, deception regarding workers’ locations and the involvement of co-conspirators based in the targeted country.

Skilled, remote workers

In its Guidance on the Democratic People’s Republic of Korea Information Technology Workers, the U.S. government notes that the DPRK has intentionally “dispatched” thousands of highly skilled IT workers into the global economy to raise money for the DPRK’s weapons programs. According to the guidance, the fraudulent IT workers have developed applications and software for various industries, including cryptocurrency, entertainment, business and social networking organizations.

Because these fraudulent IT workers are based overseas, primarily in countries like China and Russia, they need a way to obscure their locations to carry out the scheme. This is where virtual private networks (VPN) and virtual private servers (VPS), third-party internet protocol (IP) addresses and proxy accounts come in handy to facilitate operations. To avoid being flagged for fraud or noncompliance with anti-money laundering laws and sanctions, the workers often employ dedicated devices for accessing their various financial accounts.

A single overseas worker can provide a great deal of value for the DPRK by being employed by multiple companies. According to Knoot’s indictment, one of the IT workers involved in the operation was employed by four different companies during the same year and earned $258,000. And while earning money for the weapons program is a major impetus for the scheme, it doesn’t appear to be the only goal. Some IT workers deployed to work for companies in North America, Europe and East Asia used their access to privileged company networks and data to facilitate cyberattacks. In particular, DPRK IT job applicants have targeted cryptocurrency companies and hacked major crypto projects.

False, stolen and ‘borrowed’ identities

To disguise their true identities, DPRK IT workers use false, stolen and “borrowed” identities to gain employment through staffing and contracting companies. In some cases, the foreign IT workers “borrow” U.S. nationals’ identities in exchange for money. U.S. co-conspirators, like Knoot and Chapman, then assist the overseas workers by validating stolen identification information belonging to U.S. citizens. For example, according to Chapman’s indictment, she opened, authorized and paid for accounts with online background check service (OBCS) providers to validate stolen U.S. identities. IT workers overseas also used Chapman’s OBCS account to run criminal history reports and trace the government identification numbers of U.S. nationals to verify the identities and further impersonate the U.S. nationals. Ultimately, the workers were employed by hundreds of organizations, including some Fortune 500 companies.


‘Farm’ operators

Chapman’s and Knoot’s most valuable assets were their homes. Pulling off the scheme most likely wouldn’t have been feasible if the IT workers weren’t able to demonstrate that they were based in the U.S. Both Chapman’s and Knoot’s homes made it possible for the employers to send their “employees” equipment and paychecks.

Chapman and Knoot managed the logistics of the scheme — namely the “laptop farms,” operated from their homes. These laptop farms made it appear as though the contract workers were physically using the devices in the U.S., providing them U.S.-based internet connections, assistance with setting up the devices to enable network access from unauthorized foreign locations, and the creation of U.S.-based front businesses, financial accounts and accounts on popular job sites. Chapman sent devices issued by U.S. employers to locations in China, Pakistan, Nigeria and the United Arab Emirates.


Another critical part of the scheme was laundering the workers’ income out of the U.S. to offshore accounts. In Chapman’s case, the IT workers’ earnings were deposited into her bank account. Overseas IT workers often accessed and transferred funds from Chapman’s account into accounts at a foreign money service transmitter (MST) that passed U.S. money through a New York branch; these MST accounts were opened and managed by overseas actors. From the MST accounts, the funds were then transferred to an offshore account belonging to someone in China.


Figure 1 illustration from “Guidance on the Democratic People’s Republic of Korea,” advisory issued by the U.S. Department of State, U.S. Department of Treasury and FBI, May 16, 2022.

The impact

The IT worker fraud scheme generated millions of dollars in illicit revenue intended to fund the DPRK’s weapons development programs. According to a March 2024 United Nations Security Council report, DPRK information technology workers can raise anywhere from $250 million to $600 million annually for the regime. A single IT worker could potentially earn $300,000 in one year, while a team of IT workers can earn $3 million a year. In October 2023 alone, the U.S. government seized 17 website domains that were used by IT workers to defraud businesses, circumvent sanctions and bolster the DPRK’s weapons program.


Beyond the threat to international security from the development of weapons, IT worker fraud has serious implications for organizations, especially for technology companies, social media and professional networking platforms that rely on contract workers to carry out daily operations. More than a dozen cryptocurrency and blockchain technology companies were infiltrated by DPRK IT workers, and popular job search sites, including LinkedIn, were leveraged to recruit U.S. facilitators, including Chapman herself.

Though the DPRK is a sanctioned country prohibited from accessing U.S. financial systems, the scheme required the use of payment platforms and U.S. bank accounts to receive and transfer funds, adding yet another layer of complexity for financial institutions subject to anti-money laundering and sanctions compliance requirements. Moreover, the fraud can have a profound financial impact on companies and individuals victimized by the scheme. For example, victims of identity theft face tax liabilities due to the income earned under their names, and victim companies incur additional compliance costs for audit and remediation efforts. As mentioned earlier, organizations that employed IT workers connected to Knoot’s case had to spend hundreds of thousands of dollars in audit, remediation and legal fees in the wake of the scheme.

Victim victimizers

There’s yet another dark element to the IT worker fraud scheme. In many instances, the IT workers themselves are exploited by the DPRK. According to the U.S. State Department’s 2020 Trafficking in Persons Report: North Korea, the DPRK government imposes a forced labor policy on its citizens, including its overseas contract workers. Government officials mobilize adults in different industries, including IT. One nongovernmental organization (NGO) cited in the State Department report said that the North Korean government withholds food and imposes taxes on citizens who refuse to participate. In the case of the IT workers, they must forfeit most of their earnings to “dispatchers” who keep a small percentage of the earnings themselves before transmitting the funds to the DPRK, according to a UN Security Council report. The IT workers are also forced to work excessively long days as they’re closely monitored by government security agents.


Guarding against IT worker fraud

The IT worker scheme encompasses a variety of frauds, such as identity theft, the use of fraudulent documents and the misuse of company property — all tactics that fraud examiners are well acquainted with. Relying on the usual methods and precautions to guard against these smaller schemes, such as robust background checks and multifactor authentication, could play a significant role in detecting the larger fraud.

If an organization suspects that it has employed fraudulent contract employees, an important first step is looking at sign-in logs for anomalies in login locations to determine whether multiple contract workers are sharing the same home address. An address search could reveal anomalies, such as an unreasonably high number of residents in a location or a suspiciously high combined household income. Cross-referencing residents and household employment history may also suggest that workers had multiple employers during the same time frame. For example, we know from Knoot’s and Chapman’s indictments that a single IT worker could obtain remote jobs with multiple employers.

Determining whether workers are accessing the company network outside of regular business hours and from unauthorized locations can also aid in detecting this particular scheme. Review contractors’ pre-onboarding documentation for apparent forgery or stolen identities and compare the pre-onboarding background checks with independent background searches.

Finally, follow the money. Are contract employees’ paychecks deposited into accounts held in their name, or someone else’s? Obtain financial records and determine whether funds are being transferred out and whether the ultimate recipient accounts are offshore.

Companies that rely on outsourced talent, including staffing agencies, subcontractors and IT companies that hire freelance IT developers, should be on alert for the following red flags:

  1. Inconsistencies in the spelling of names across social media profiles and portfolio websites, contact information and background information (nationality, work and education history).
  2. Requests from contractors to send work items to locations other than their purported residence, or to locations other than the address on the identification documents provided during the pre-employment process without a reasonable explanation.
  3. Logins from multiple IP addresses, especially during a brief period. Determine whether the IP addresses are associated with locations that workers are authorized to work from.
  4. Frequent fund transfers via payment platforms, especially transfers to accounts based in China, and requests from workers to be compensated in cryptocurrency.
  5. Frequent address changes for payments. For example, the founder of decentralized finance startup Cluster told CoinDesk in a 2024 article, “Every two weeks they changed their payment address, and every month or so they would change their Discord name or Telegram name.”
  6. Failing to respond to communications in a timely manner or being unable to work during normal business hours, refusing to appear on camera for meetings or appearing overly concerned about attending potential in-person meetings.
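
As an added illustration of the log review described above (this script is not from the article, the advisories it cites or any vendor tool), the code below runs three of those checks over a constructed sign-in log: several contractors listing the same home address, sign-ins from different IPs within a short window, and sign-ins outside an assumed local business window. The worker ids, addresses, IPs, timestamps and thresholds are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log, not from the article. Fields: worker id, home
# address on file with HR, login time (local to the stated address), source IP.
SIGN_IN_LOG = """\
w101,12 Elm St Nashville TN,2023-03-06T14:05:00,203.0.113.10
w101,12 Elm St Nashville TN,2023-03-06T14:20:00,198.51.100.7
w101,12 Elm St Nashville TN,2023-03-07T03:15:00,203.0.113.10
w102,12 Elm St Nashville TN,2023-03-06T15:00:00,203.0.113.10
w103,12 Elm St Nashville TN,2023-03-06T16:30:00,203.0.113.10
w104,9 Oak Ave Denver CO,2023-03-06T15:10:00,192.0.2.44
w104,9 Oak Ave Denver CO,2023-03-07T16:00:00,192.0.2.44
"""
BUSINESS_HOURS = (8, 18)               # assumed local working window, 08:00-18:00
SHARED_ADDRESS_MIN = 3                 # contractors per address before it is flagged
IP_CHANGE_WINDOW = timedelta(hours=1)  # assumed "brief period" for the multiple-IP check

def parse_log(text):
    """One dict per login; the timestamp becomes a datetime."""
    rows = []
    for line in text.strip().splitlines():
        worker, address, when, ip = line.split(",")
        rows.append({"worker": worker, "address": address,
                     "time": datetime.fromisoformat(when), "ip": ip})
    return rows

def shared_addresses(rows, minimum=SHARED_ADDRESS_MIN):
    """Addresses that several distinct contractors list as home (laptop-farm signal)."""
    by_addr = defaultdict(set)
    for r in rows:
        by_addr[r["address"]].add(r["worker"])
    return {a: sorted(w) for a, w in by_addr.items() if len(w) >= minimum}

def rapid_ip_changes(rows, window=IP_CHANGE_WINDOW):
    """Workers who signed in from two or more distinct IPs within one window."""
    by_worker = defaultdict(list)
    for r in rows:
        by_worker[r["worker"]].append(r)
    flagged = set()
    for worker, logins in by_worker.items():
        logins.sort(key=lambda r: r["time"])
        for i, first in enumerate(logins):
            for later in logins[i + 1:]:
                if later["time"] - first["time"] > window:
                    break  # sorted by time, so nothing further is inside the window
                if later["ip"] != first["ip"]:
                    flagged.add(worker)
    return flagged

def off_hours_logins(rows, hours=BUSINESS_HOURS):
    """Count of sign-ins per worker that fall outside the assumed business window."""
    start, end = hours
    counts = defaultdict(int)
    for r in rows:
        if not start <= r["time"].hour < end:
            counts[r["worker"]] += 1
    return dict(counts)
```

On the sample log, w101 trips all three checks (shared address, two IPs within 15 minutes, a 03:15 sign-in), while w104 trips none. In practice each hit is a lead for the address, employment-history and financial-record review described above, not a conclusion on its own.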


To better safeguard against IT worker fraud, organizations should follow these best-practice recommendations:

  1. Examine current hiring processes and controls and identify areas for improvement, such as implementing more robust background checks and identity verification. One victim company subsequently provided its recruiters with tools to screen phone numbers and carriers once it realized that applicants connected to the DPRK used Voice Over Internet Protocol (VoIP) phone numbers.
  2. Instead of using the contact information provided by the contractors for their previous employers, verify prior employment directly with the companies using official contact information. 
  3. Conduct all pre-employment interviews on camera and hold frequent on-camera meetings throughout the contracted period with the employee. Ask all applicants and employees to turn off background filters so that you can assess their surroundings.
  4. Implement processes for continuous cross-checking of human-resources systems and data for applicants and employees with the same resume and contact information.
  5. Require verification of banking information that corresponds to their other identifying documents and be highly cautious when contractors request that their earnings be directed to accounts in someone else’s name.
  6. Closely monitor devices for installation of remote administration tools not authorized by the company or necessary for company technical support, and software applications that make it appear as though the employee is online and active by preventing computers from going into sleep mode, such as mouse jigglers.
  7. Incorporate multifactor authentication and biometric applications like facial recognition for employees when they sign into company devices and networks.
  8. Ensure that there’s strong and continuous coordination between human resources, IT and security teams. Recruiting and onboarding staff should be trained to recognize these red flags.
  9. Only ship company devices to addresses on the applicant’s application, or to a shipping location near their address that requires identification verification.

Fighting fraud and protecting national security

Despite their all-important roles as facilitators of the scheme, Chapman and Knoot received a startlingly small sum for their efforts. Between them, Chapman and Knoot were paid a total of $200,000. Yet while their compensation might seem low for the amount of work they allegedly did, the charges against them are serious. If convicted, Chapman could face up to 97 years in prison. Knoot is looking at a possible 20 years behind bars.

As companies communicate and share information with law enforcement and train their staffs to recognize the red flags of contract-worker fraud, they contribute to countering security threats posed by imposter hires. Bad actors will continue to infiltrate systems, but fraud fighters who are knowledgeable about the scheme and how to guard against it are better able to protect their organizations — and their countries.

Trisha Gangadeen, CFE, is a financial crimes compliance and investigations professional. Contact her at trishagangadeen@gmail.com.
