US Woman Gets 8-Year Sentence for Operating 'Laptop Farm' That Helped North Koreans Steal Millions

Arizona resident Christina Chapman sentenced to over 8 years in prison for facilitating elaborate identity theft scheme that generated $17 million for North Korean regime

An Arizona woman has been sentenced to more than eight years in federal prison for operating a sophisticated "laptop farm" that helped North Korean IT workers pose as American citizens and secure remote jobs at over 300 US companies, generating millions in revenue for the isolated regime's weapons programs.

Insider Threat Risk Profiler | Modern Security Assessment Tool

Quantify and address your organization’s insider threat risks from remote work, deepfakes, and identity theft. Get actionable recommendations to strengthen your security posture.

Modern Security Assessment ToolSecurity Careers

Christina Marie Chapman, 50, of Litchfield Park, Arizona, was sentenced to 102 months in prison on Thursday after pleading guilty in February to conspiracy to commit wire fraud, aggravated identity theft, and money laundering conspiracy. The elaborate scheme used stolen identities to generate $17 million that was sent back to North Korea, with at least 68 US-based victims having their identities stolen during the operation that ran from October 2020 to October 2023.

Hiring the Right Cybersecurity Professionals: Lessons from the North Korean Insider Threat Incident

In the ever-evolving landscape of cybersecurity, the recent incident involving a U.S. security firm hiring an apparent nation-state hacker from North Korea has highlighted the critical importance of stringent hiring practices. This incident, where KnowBe4 unwittingly hired a North Korean IT worker posing as a legitimate candidate, underscores the

Security Careers HelpSecurity Careers

The 'Laptop Farm' Operation

Chapman's role was central to the deception. She operated a "laptop farm," where she hosted dozens of computers and other hardware sent by US companies to her address so that the companies believed the work was being done within the United States. Photos released by investigators showed shelves lined with laptops, each labeled with identifying information about the associated company and stolen identity.

She installed a program on those computers that allowed remote access to them from overseas. Wages were deposited into Chapman's bank account and payroll checks were sent to her, and she transferred the money onward. The North Korean workers, operating primarily from China and other locations, could then remotely access these devices to perform their IT duties while appearing to be based in the United States.

The FBI seized more than 90 laptops from Chapman's home during an October 2023 raid, uncovering the extent of the operation that had successfully deceived major American corporations.

Remote Work Security Assessment Tool | Security Careers Help

Evaluate and improve your organization’s remote workforce security posture with our comprehensive security assessment tool. Discover vulnerabilities and get actionable recommendations.

Security Careers HelpSecurity Careers Help

Massive Scale and High-Profile Victims

The scope of Chapman's operation was staggering. More than 300 US companies hired the North Korean workers for IT positions, including a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American carmaker, a luxury retail store and a US media and entertainment company.

Nike was identified as one of the victims, having unwittingly hired a North Korean IT worker and paid the employee $70,000. Members of the same group unsuccessfully tried to get employed at two different US government agencies, highlighting the national security implications of the scheme.

Chapman claimed to not know that she was working with North Koreans, according to prosecutors, and "did not specifically attempt to raise revenue for the benefit of North Korea". However, the evidence suggested otherwise.

The Remote Work Security Revolution: Protecting Your Distributed Workforce in 2025

The statistics are staggering: 73% of security breaches now involve remote work vulnerabilities. What began as an emergency pandemic response has evolved into a permanent transformation of how we work, fundamentally reshaping the cybersecurity landscape. Organizations that treated remote work as a temporary accommodation are now grappling with the reality

Security Careers HelpSecurity Careers

The China Connection

Over an eight-month period, she sent 35 separate packages to Dandong, China - a city on the border with North Korea. In addition to China, she also shipped company laptops to Pakistan, the UAE, and Nigeria. US Attorney Jeanine Pirro expressed skepticism about Chapman's claims of ignorance, stating she believed Chapman was well aware she was helping the US adversary.

Chapman was paid $176,850 for the conspiracy, and as part of her sentence, she was ordered to forfeit $284,555.92 that was to be paid to the North Koreans, and to pay a judgment of $176,850.

Security Team Risk Assessment Tool | CISO’s Rapid Assessment Platform

Evaluate your security team’s readiness against sophisticated threats. Identify critical gaps in team composition and capabilities.

Security Team Risk Assessment Tool

Part of Broader North Korean Strategy

Chapman's case represents just one piece of a much larger North Korean operation designed to circumvent international sanctions and fund the regime's nuclear weapons program. In 2024 a United Nations Panel of Experts report estimated that the technology sector continues to be a key moneymaker for North Korea with an estimated 3,000 North Korean IT workers abroad and another 1,000 more operating inside North Korea, generating $250 million to $600 million annually.

Following crushing financial sanctions in 2016 that cut off North Korea from the US financial system and banned North Korean workers from getting jobs at US businesses, DPRK leaders created a scheme to weaponize remote work. Workers, trained in tech and AI from an early age, are deployed to China, Russia, Nigeria, or the United Arab Emirates to manage dozens of fake or stolen identities, apply for remote IT jobs, and then send their salaries back to North Korea.

Cybersecurity and Remote Work: Best Practices

Introduction The COVID-19 pandemic has accelerated the trend of remote work, making it a new norm for many organizations. While remote work offers flexibility and convenience, it also presents unique cybersecurity challenges. This article aims to explore these challenges and provide best practices to ensure a secure remote working environment.

Security Careers HelpSecurity Careers

Sophisticated Deception Tactics

The North Korean operation has evolved to use cutting-edge technology to avoid detection. Microsoft's Threat Intelligence unit said North Korean IT scammers are expanding their use of AI, including "the use of AI tools to replace images in stolen employment and identity documents and enhance North Korean IT worker photos to make them appear more professional. We've also observed that they've been utilizing voice-changing software".

The North Korean government has been able to earn millions through the scheme, using artificial intelligence to assist workers in creating fictitious resumes and faking their way through interviews. Most IT roles are done by teams of North Koreans generally located across China, Russia and Southeast Asia.

Securing the Remote Workforce: Best Practices for Cybersecurity in a Post-Pandemic World

Summary: A review of the major cybersecurity considerations for remote work and best practices for securing a remote workforce, in the wake of the COVID-19 pandemic. The COVID-19 pandemic has permanently shifted the paradigm of work, making remote work not just a temporary measure but a long-term norm for many

Security Careers HelpSecurity Careers

Beyond Financial Theft: National Security Risks

The scheme poses risks beyond financial fraud. IT workers employed under this scheme also gained access to sensitive employer data and source code, including International Traffic in Arms Regulations (ITAR) data from a California-based defense contractor that develops artificial intelligence-powered equipment and technologies.

In some instances, North Korean workers even stole cryptocurrency from their employers. One case involved workers who "gained access to the company's virtual currency" and later used stolen funds, with one defendant accused of using a Telegram account to recommend other North Korean operatives for jobs at the same company.

Rate My SOC | Cybersecurity Operations Center Maturity Assessment

Evaluate your Security Operations Center maturity with our free assessment tool. Identify gaps and get actionable recommendations.

RateMySOCRateMySOC Team

Government Crackdown Intensifies

Chapman's sentencing comes as part of a broader Justice Department initiative called the "DPRK RevGen: Domestic Enabler Initiative," launched in March 2024 to target North Korean revenue generation schemes and their US-based facilitators.

Recent coordinated actions have resulted in searches of 29 known or suspected "laptop farms" across 16 states, the seizure of 29 financial accounts used to launder illicit funds and 21 fraudulent websites, and charges against multiple North Korean nationals and their American accomplices.

In December 2024, federal prosecutors indicted 14 North Korean nationals for a conspiracy that generated at least $88 million over approximately six years, with some conspirators ordered by their superiors to earn at least $10,000 per month.

The Silent Compromise: How “Overemployed” Remote Workers Are Creating a New Class of Insider Threats in the Software Development Lifecycle

TL;DR: A growing movement of remote workers secretly holding multiple full-time jobs simultaneously is creating unprecedented insider threat risks across the software development lifecycle, with individuals gaining access to sensitive API keys, source code, and cloud configurations across multiple organizations without traditional MSP oversight or security controls. Justice Department

Security Careers HelpSecurity Careers

Warning to Corporate America

US Attorney Pirro issued a stark warning to American businesses during Chapman's sentencing: "North Korea is not just a threat to the homeland from afar. It is an enemy within. It is perpetrating fraud on American citizens, American companies, and American banks. It is a threat to Main Street in every sense of the word. The call is coming from inside the house. If this happened to these big banks, to these Fortune 500, brand name, quintessential American companies, it can or is happening at your company. Corporations failing to verify virtual employees pose a security risk for all. You are the first line of defense against the North Korean threat".

The FBI has issued multiple guidance documents to help companies detect North Korean IT workers, including indicators to watch for such as inconsistencies in background checks, unusual payment requests, and suspicious remote access patterns.

Beyond the Great Resignation: Mastering Cybersecurity Retention with Remote Work, Upskilling, and Inclusion

The cybersecurity industry is currently grappling with what’s often referred to as the “Great Resignation” or “Big Quit,” a significant challenge for employers globally. Even before the pandemic, the sector faced a labor shortage, and today, retaining engaged, productive, and happy staff is more critical than ever. Professionals are growing

Security Careers HelpSecurity Careers

Ongoing Threat

Hundreds of Fortune 500 companies have been found to have hired thousands of North Korean IT workers—and the workers have continued to get jobs, despite increased awareness and law enforcement efforts.

FBI Assistant Director Roman Rozhavsky noted: "However, even an adversary as sophisticated as the North Korean government can't succeed without the assistance of willing US citizens like Christina Chapman, who was sentenced today for her role in an elaborate scheme to defraud more than 300 American companies by helping North Korean IT workers gain virtual employment and launder the money they earned".

The case serves as a sobering reminder that the shift to remote work, accelerated by the COVID-19 pandemic, has created new vulnerabilities that hostile foreign governments are actively exploiting. As Chapman begins her eight-year sentence, the broader threat from North Korean IT worker schemes continues to evolve, requiring ongoing vigilance from both law enforcement and corporate America.

The Justice Department's crackdown on North Korean IT worker fraud schemes is ongoing, with additional arrests and prosecutions expected as investigators continue to uncover the full scope of these operations.