North Korea Stole Your Job
Credit to Author: Bobbie Johnson| Date: Thu, 01 May 2025 07:00:00 +0000
On paper, the first candidate looked perfect. Thomas was from rural Tennessee and had studied computer science at the University of Missouri. His résumé said he’d been a professional programmer for eight years, and he’d breezed through a preliminary coding test. All of this was excellent news for Thomas’ prospective boss, Simon Wijckmans, founder of the web security startup C.Side. The 27-year-old Belgian was based in London but was looking for ambitious, fully remote coders.
Thomas had an Anglo-Saxon surname, so Wijckmans was surprised when he clicked into his Google Meet and found himself speaking with a heavily accented young man of Asian origin. Thomas had set a generic image of an office as his background. His internet connection was laggy— odd for a professional coder—and his end of the call was noisy. To Wijckmans, Thomas sounded like he was sitting in a large, crowded space, maybe a dorm or a call center.
Wijckmans fired off his interview questions, and Thomas’ responses were solid enough. But Wijckmans noticed that Thomas seemed most interested in asking about his salary. He didn’t come across as curious about the actual work or about how the company operated or even about benefits like startup stock or health coverage. Odd, thought Wijckmans. The conversation came to a close, and he got ready for the next interview in his queue.
Once again, the applicant said they were based in the US, had an Anglo name, and appeared to be a young Asian man with a thick, non-American accent. He used a basic virtual background, was on a terrible internet connection, and had a single-minded focus on salary. This candidate, though, was wearing glasses. In the lenses, Wijckmans spotted the reflection of multiple screens, and he could make out a white chatbox with messages scrolling by. “He was clearly either chatting with somebody or on some AI tool,” Wijckmans remembers.
On high alert, Wijckmans grabbed screenshots and took notes. After the call ended, he went back over the job applications. He found that his company’s listings were being flooded with applicants just like these: an opening for a full-stack developer got more than 500 applications in a day, far more than usual. And when he looked more deeply into the applicants’ coding tests, he saw that many candidates appeared to have used a virtual private network, or VPN, which allows you to mask your computer’s true location.
Wijckmans didn’t know it yet, but he’d stumbled onto the edges of an audacious, global cybercrime operation. He’d unwittingly made contact with an army of seemingly unassuming IT workers, deployed to work remotely for American and European companies under false identities, all to bankroll the government of North Korea.
With a little help from some friends on the ground, of course.
christina chapman was living in a trailer in Brook Park, Minnesota, a hamlet north of Minneapolis, when she got a note from a recruiter that changed her life. A bubbly 44-year-old with curly red hair and glasses, she loved her dogs and her mom and posting social justice content on TikTok. In her spare time she listened to K-pop, enjoyed Renaissance fairs, and got into cosplay. Chapman was also, according to her sparse online résumé, learning to code online.
It was March 2020 when she clicked on the message in her LinkedIn account. A foreign company was looking for somebody to “be the US face” of the business. The company needed help finding remote employment for overseas workers. Chapman signed on. It’s unclear how fast her workload grew, but by October 2022 she could afford a move from chilly Minnesota to a low-slung, four-bedroom house in Litchfield Park, Arizona. It wasn’t fancy—a suburban corner lot with a few thin trees—but it was a big upgrade over the trailer.
The pandemic dramatically expanded the number of remote jobs, and Pyongyang saw the perfect opportunity.
Chapman then started documenting more of her life on TikTok and YouTube, mostly talking about her diet, fitness, or mental health. In one chatty video, shared in June 2023, she described grabbing breakfast on the go—an açaí bowl and a smoothie— because work was so busy. “My clients are going crazy!” she complained. In the background, the camera caught a glimpse of metal racks holding at least a dozen open laptops covered in sticky notes. A few months later, federal investigators raided Chapman’s home, seized the laptops, and eventually filed charges alleging that she had spent three years aiding the “illicit revenue generation efforts” of the government of North Korea.
For maybe a decade, North Korean intelligence services have been training young IT workers and sending them abroad in teams, often to China or Russia. From these bases, they scour the web for job listings all over, usually in software engineering, and usually with Western companies. They favor roles that are fully remote, with solid wages, good access to data and systems, and few responsibilities. Over time they began applying for these jobs using stolen or fake identities and relying on members of their criminal teams to provide fictional references; some have even started using AI to pass coding tests, video interviews, and background checks.
But if an applicant lands a job offer, the syndicate needs somebody on the ground in the country the applicant claims to live in. A fake employee, after all, can’t use the addresses or bank accounts linked to their stolen IDs, and they can’t dial in to a company’s networks from overseas without instantly triggering suspicion. That’s where someone like Christina Chapman comes in.
As the “facilitator” for hundreds of North Korea–linked jobs, Chapman signed fraudulent documents and handled some of the fake workers’ salaries. She would often receive their paychecks in one of her bank accounts, take a cut, and wire the rest overseas: Federal prosecutors say Chapman was promised as much as 30 percent of the money that passed through her hands.
Her most important job, though, was tending the “laptop farm.” After being hired, a fake worker will typically ask for their company computer to be sent to a different address than the one on record—usually with some tale about a last-minute move or needing to stay with a sick relative. The new address, of course, belongs to the facilitator, in this case Chapman. Sometimes the facilitator forwards the laptop to an address overseas, but more commonly that person holds onto it and installs software that allows it to be controlled remotely. Then the fake employee can connect to their machine from anywhere in the world while appearing to be in the US. (“You know how to install Anydesk?” one North Korean operative asked Chapman in 2022. “I do it practically EVERYDAY!” she replied.)
In messages with her handlers, Chapman discussed sending government forms like the I-9, which attests that a person is legally able to work in the US. (“I did my best to copy your signature,” she wrote. “Haha. Thank you,” came the response.) She also did basic tech troubleshooting and dialed into meetings on a worker’s behalf, sometimes on short notice, as in this conversation from November 2023:
Worker: We are going to have laptop setup meeting in 20 mins. Can you join Teams meeting and follow what IT guy say? Because it will require to restart laptop multiple times and I can not handle that. You can mute and just follow what they say …
Chapman: Who do I say I am?
Worker: You don’t have to say, I will be joining there too.
Chapman: I just typed in the name Daniel. If they ask WHY you are using two devices, just say the microphone on your laptop doesn’t work right … Most IT people are fine with that explanation.
Sometimes, she got jumpy. “I hope you guys can find other people to do your physical I9s,” she wrote to her bosses in 2023, according to court documents. “I will SEND them for you, but have someone else do the paperwork. I can go to FEDERAL PRISON for falsifying federal documents.” Michael Barnhart, an investigator at cybersecurity company DTEX and a leading expert on the North Korean IT worker threat, says Chapman’s involvement followed a standard pattern—from an innocuous initial contact on LinkedIn to escalating requests. “Little by little, the asks get bigger and bigger,” he says. “Then by the end of the day, you’re asking the facilitator to go to a government facility to pick up an actual government ID.”
By the time investigators raided Chapman’s home, she was housing several dozen laptops, each with a sticky note indicating the fake worker’s identity and employer. Some of the North Korean operatives worked multiple jobs; some had been toiling quietly for years. Prosecutors said at least 300 employers had been pulled into this single scheme, including “a top-five national television network and media company, a premier Silicon Valley technology company, an aerospace and defense manufacturer, an iconic American car manufacturer, a high-end retail store, and one of the most recognizable media and entertainment companies in the world.” Chapman, they alleged, had helped pass along at least $17 million. She pleaded guilty in February 2025 to charges relating to wire fraud, identity theft, and money laundering and is awaiting sentencing.
Chapman’s case is just one of several North Korean fake-worker prosecutions making their way through US courts. A Ukrainian named Oleksandr Didenko has been accused of setting up a freelancing website to connect fake IT workers with stolen identities. Prosecutors say at least one worker was linked to Chapman’s laptop farm and that Didenko also has ties to operations in San Diego and Virginia. Didenko was arrested in Poland last year and was extradited to the United States. In Tennessee, 38-year-old Matthew Knoot is due to stand trial for his alleged role in a scheme that investigators say sent hundreds of thousands of dollars to accounts linked to North Korea via his laptop farm in Nashville. (Knoot has pleaded not guilty.) And in January 2025, Florida prosecutors filed charges against two American citizens, Erick Ntekereze Prince and Emanuel Ashtor, as well as a Mexican accomplice and two North Koreans. (None of the defendants’ lawyers in these cases responded to requests for comment.) The indictments claim that Prince and Ashtor had spent six years running a string of fake staffing companies that placed North Koreans in at least 64 businesses.
before the hermit kingdom had its laptop farms, it had a single confirmed internet connection, at least as far as the outside world could tell. As recently as 2010, that one link to the web was reserved for use by high-ranking officials. Then, in 2011, 27-year-old Kim Jong Un succeeded his father as the country’s dictator. Secretly educated in Switzerland and said to be an avid gamer, the younger Kim made IT a national priority. In 2012, he urged some schools to “pay special attention to intensifying their computer education” to create new possibilities for the government and military. Computer science is now on some high school curricula, while college students can take courses on information security, robotics, and engineering.
The most promising students are taught hacking techniques and foreign languages that can make them more effective operatives. Staff from government agencies including the Reconnaissance General Bureau— the nation’s clandestine intelligence service—recruit the highest-scoring graduates of top schools like Kim Chaek University of Technology (described by many as “the MIT of North Korea”) or the prestigious University of Sciences in Pyongsong. They are promised good wages and unfettered access to the internet—the real internet, not the intranet available to well-off North Koreans, which consists of a mere handful of heavily censored North Korean websites.
The earliest cyberattacks launched by Pyongyang were simple affairs: defacing websites with political messages or launching denial-of-service attacks to shut down US websites. They soon grew more audacious. In 2014, North Korean hackers famously stole and leaked confidential information from Sony’s film studio. Then they targeted financial institutions: Fraudulent trades pulled more than $81 million from the Bank of Bangladesh’s accounts at the New York Federal Reserve. After that, North Korean hackers moved into ransomware—the WannaCry attack in 2017 locked hundreds of thousands of Windows computers in 150 countries and demanded payments in bitcoin. While the amount of revenue the attack generated is up for debate—some say it earned just $140,000 in payouts—it wreaked much wider damage as companies worked to upgrade their systems and security, costing as much as $4 billion, according to one estimate.
Governments responded with more sanctions and stronger security measures, and the regime pivoted, dialing back on ransomware in favor of quieter schemes. It turns out these are also more lucrative: Today, the most valuable tool in North Korea’s cybercrime armory is cryptocurrency theft. In 2022, hackers stole more than $600 million worth of the cryptocurrency ether by attacking the blockchain game Axie Infinity; in February of this year, they robbed the Dubai-based crypto exchange Bybit of $1.5 billion worth of digital currency. The IT pretender scam, meanwhile, seems to have been growing slowly until the pandemic dramatically expanded the number of remote jobs, and Pyongyang saw the perfect opportunity.
In 2024, according to a recent report from South Korea’s National Intelligence Service, the number of people working in North Korea’s cyber divisions—which includes pretenders, crypto thieves, and military hackers—stood at 8,400, up from 6,800 two years earlier. Some of these workers are based in the country, but many are stationed overseas in China, Russia, Pakistan, or elsewhere. They are relatively well compensated, but their posting is hardly cushy.
Teams of 10 to 20 young men live and work out of a single apartment, sleeping four or five to a room and grinding up to 14 hours a day at weird hours to correspond with their remote job’s time zone. They have quotas of illicit earnings they are expected to meet. Their movements are tightly controlled, as are those of their relatives, who are effectively held hostage to prevent defections. “You don’t have any freedom,” says Hyun-Seung Lee, a North Korean defector who lives in Washington, DC, and says some of his old friends were part of such operations. “You’re not allowed to leave the apartment unless you need to purchase something, like grocery shopping, and that is arranged by the team leader. Two or three people must go together so there’s no opportunity for them to explore.”
The US government estimates that a typical team of pretenders can earn up to $3 million each year for Pyongyang. Experts say the money is pumped into everything from Kim Jong Un’s personal slush fund to the country’s nuclear weapons program. A few million dollars may seem small next to the flashy crypto heists— but with so many teams operating in obscurity, the fraud is effective precisely because it is so mundane.
in the summer of 2022, a major multinational company hired a remote engineer to work on website development. “He would dial in to meetings, he would participate in discussions,” an executive at the company told me on condition of anonymity. “His manager said he was considered the most productive member of the team.”
One day, his coworkers organized a surprise to celebrate his birthday. Colleagues gathered on a video call to congratulate him, only to be startled by his response—but it’s not my birthday. After nearly a year at the company, the worker had apparently forgotten the birth date listed in his records. It was enough to spark suspicion, and soon afterward the security team discovered that he was running remote access tools on his work computer, and he was let go. It was only later, when federal investigators discovered one of his pay stubs at Christina Chapman’s laptop farm in Arizona, that the company connected the dots and realized it had employed a foreign agent for nearly a year.
Agents have even been known to send look-alikes to pick up a physical ID card from an office or to take a drug test required by an employer.
For many pretenders, the goal is simply to earn a good salary to send back to Pyongyang, not so much to steal money or data. “We’ve seen long-tail operations where they were going 10, 12, 18 months working in some of these organizations,” says Adam Meyers, a senior vice president for counter adversary operations at the security company CrowdStrike. Sometimes, though, North Korean operatives last just a few days— enough time to download huge amounts of company data or plant malicious software in a company’s systems before abruptly quitting. That code could alter financial data or manipulate security information. Or these seeds could lay dormant for months, even years.
“The potential risk from even one minute of access to systems is almost unlimited for an individual company,” says Declan Cummings, the head of engineering at software company Cinder. Experts say that attacks are ramping up not just in the US but also in Germany, France, Britain, Japan and other countries. They urge companies to do rigorous due diligence: speak directly to references, watch for candidates making sudden changes of address, use reputable online screening tools, and conduct a physical interview or in-person ID verification.
But none of these methods are foolproof, and AI tools are constantly weakening them. ChatGPT and the like give almost anyone the capacity to answer esoteric questions in real time with unearned confidence, and their fluency with coding threatens to make programming tests irrelevant. AI video filters and deepfakes can also add to the subterfuge.
At an onboarding call, for instance, many HR representatives now ask new employees to hold their ID up to the camera for closer inspection. “But the fraudsters have a neat trick there,” says Donal Greene, a biometrics expert at the online background check provider Certn. They take a green-colored card the exact shape and size of an identity card—a mini green screen—and, using deepfake technology, project the image of an ID onto it. “They can actually move it and show the reflection,” says Greene. “It’s very sophisticated.” North Korean agents have even been known to send look-alikes to pick up a physical ID card from an office or to take a drug test required by prospective employers.
Even security experts can be fooled. In July 2024, Knowbe4, a Florida-based company that offers security training, discovered that a new hire known as “Kyle” was actually a foreign agent. “He interviewed great,” says Brian Jack, KnowBe4’s chief information security officer. “He was on camera, his résumé was right, his background check cleared, his ID cleared verification. We didn’t have any reason to suspect this wasn’t a valid candidate.” But when his facilitator—the US-based individual giving him cover—tried to install malware on Kyle’s company computer, the security team caught on and shut him out.
Back in london, Simon Wijckmans couldn’t let go of the idea that somebody had tried to fool him. He’d just read about the Knowbe4 case, which deepened his suspicions. He conducted background checks and discovered that some of his candidates were definitely using stolen identities. And, he found, some of them were linked to known North Korean operations. So Wijckmans decided to wage a little counter exercise of his own, and he invited me to observe.
So far, everything matches the hallmarks of a fake worker—his virtual background, his slow connection, his good but heavily accented English.
I dial in to Google Meet at 3 am Pacific time, tired and bleary. We deliberately picked this offensively early hour because it’s 6 am in Miami, where the candidate, “Harry,” claims to be.
Harry joins the call, looking pretty fresh-faced. He’s maybe in his late twenties, with short, straight, black hair. Everything about him seems deliberately nonspecific: He wears a plain black crewneck sweater and speaks into an off-brand headset. “I just woke up early today for this interview, no problem,” he says. “I know that working with UK hours is kind of a requirement, so I can get my working hours to yours, so no problem with it.”
So far, everything matches the hallmarks of a fake worker. Harry’s virtual background is one of the default options provided by Google Meet, and his connection is a touch slow. His English is good but heavily accented, even though he tells us he was born in New York and grew up in Brooklyn. Wijckmans starts with some typical interview questions, and Harry keeps glancing off to his right as he responds. He talks about various coding languages and name-drops the frameworks he’s familiar with. Wijckmans starts asking some deeper technical questions. Harry pauses. He looks confused. “Can I rejoin the meeting?” he asks. “I have a problem with my microphone.” Wijckman nods, and Harry disappears.
A couple of minutes pass, and I start to fret that we’ve scared him away, but then he pops back into the meeting. His connection isn’t much better, but his answers are clearer. Maybe he restarted his chatbot, or got a coworker to coach him. The call runs a few more minutes and we say goodbye.
Our next applicant calls himself “Nic.” On his résumé he’s got a link to a personal website, but this guy doesn’t look much like the profile photo on the site. This is his second interview with Wijckmans, and we are certain that he’s faking it: He’s one of the applicants who failed the background check after his first call, although he doesn’t know that.
Nic’s English is worse than Harry’s: When he’s asked what time it is, he tells us it’s “six and past” before correcting himself and saying “quarter to seven.” Where does he live? “I’m in Ohio for now,” he beams, like a kid who got something right in a pop quiz.
Several minutes in, though, his answers become nonsensical. Simon asks him a question about web security. “Political leaders … government officials or the agencies responsible for border security,” Nic says. “They’re responsible for monitoring and also securing the borders, so we can employ the personnel to patrol the borders and also check the documents and enforce the immigration laws.”
I’m swapping messages with Wijckmans on the back channel we’ve set up when it dawns on us: Whatever AI bot Nic seems to be using must have misinterpreted a mention of “Border Gateway Protocol”—a system for sending traffic across the internet—with national borders, and started spewing verbiage about immigration enforcement. “What a waste of time,” Wijckmans messages me. We wrap up the conversation abruptly.
I try to put myself in the seat of a hiring manager or screener who’s under pressure. The fraudsters’ words may not have always made sense, but their test scores and résumés looked solid, and their technical-sounding guff might be enough to fool an uninformed recruiter. I suspect at least one of them could have made it to the next step in some unsuspecting company’s hiring process.
Wijckmans tells me he has a plan if he comes across another pretender. He has created a web page that looks like a standard coding assessment, which he’ll send to fake candidates. As soon as they hit the button to start the test, their browser will spawn dozens of pop-up pages that bounce around the screen, all of them featuring information on how to defect from North Korea. Then loud music plays—a rickroll, “The Star-Spangled Banner”—before the computer starts downloading random files and emits an ear-splitting beep. “Just a little payback,” he says.
Wijckman’s stunt is not going to stop the pretenders, of course. But maybe it will irritate them for a moment. Then they’ll get back to work, signing on from some hacking sweatshop in China or through a laptop farm in the US, and join the next team meeting—a quiet, camera-off chat with coworkers just like me or you.
Let us know what you think about this article. Submit a letter to the editor at mail@wired.com.