A 50-year-old Arizona woman who pleaded guilty in February to her role in a massive North Korean IT worker scam that generated more than $17 million for the rogue country was sentenced this week to 8.5 years in prison.

According to court documents, Christina Marie Chapman played a key role in an operation that helped North Korean workers who were posing as U.S. citizens and resident get IT jobs at more than 300 companies, including numerous Fortune 500 firms. The fake workers used their jobs to generate revenue for North Korea – bypassing international and U.S. sanctions – as well as steal data and plant malware.

Chapman’s sentencing is the latest step in the U.S. Justice Department’s (DOJ) widening crackdown on such North Korean worker scams, which have proliferated since emerging in 2020 and are now leveraging AI tools to scale operations.

Her case also highlighted the crucial role U.S. citizens play in these schemes, according to Roman Rozhavsky, assistant director of the FBI’s Counterintelligence Division.

“The North Korean regime has generated millions of dollars for its nuclear weapons program by victimizing American citizens, businesses, and financial institutions,” Rozhavsky said in a statement. “However, even an adversary as sophisticated as the North Korean government can’t succeed without the assistance of willing U.S. citizens like Christina Chapman.”

Multiple Roles

Chapman had multiple duties within the scam. Between October 2020 and October 2023, housed dozens of laptops at her home – the so-called “laptop farm” – that were used to dupe American companies into believing the IT workers were working in the United States. She would log into the company-issued laptops and helped the IT workers who were actually overseas connect to them remotely.

More than 90 laptops were found in Chapman’s home during a law enforcement raid in October 2023.

She also shipped 49 laptops and other devices that were supplied by U.S. companies overseas, with some sent to a city in China that sits on the border with North Korea, according to the DOJ.

As part of the IT worker scams, the North Korean operators steal the identities of U.S. and other citizens to use when applying for jobs with U.S. companies. Chapman helped the workers validate stolen identities of U.S. citizens. In addition, she also received paychecks at her home for the imposters, forged their signatures, deposited them in her financial institution in the United States, and then transferred the money to the overseas workers.

She received a monthly payment from the IT workers for her efforts.

Conspiracy and Identity Theft Charges

Chapman had pleaded guilty to two conspiracy charges – to commit wire fraud and money laundering – as well as aggravated identity theft. Along with the prison time, Chapman will have to serve three years of supervised release, forfeit $284,555.92 that was set to be paid to the North Koreans, and pay a judgement of $176,850.

According to court records, she helped North Koreans get remote IT jobs with 309 U.S. companies, including some Fortune 500 companies. Among the victimized companies were a top-five TV network, a tech company in Silicon Valley, an aerospace manufacturer, an American car maker, a luxury retail store, and a media and entertainment company.

The IT workers also stole data from at least two U.S. companies – a multinational restaurant chain and a classic American clothing brand – and tried to get employment at two U.S. government agencies on three occasions, though they were unsuccessful.

There also was other fallout from the scam. The identities of 68 U.S. citizens were stolen, which caused false information to be sent to the U.S. Department of Homeland Security more than 100 times and created false tax liabilities for more than 35 U.S. people.

A Growing Problem

North Korea has expanded the IT worker scams to raise money for its various weapons programs. According to the DOJ, a report last year by a United Nations panel said the IT sector continues to bring money into the country and estimated there are 3,000 North Korean IT workers abroad and another 1,000 operating inside North Korea. The schemes generate $250 million to $600 million for the country every year, according to the report.

Also this week, the FBI issued an alert to businesses about the North Korean worker scams, outlining some of the techniques the bad actors use, including using people based in the United States to help them get and keep employment.

“These witting and unwitting U.S.-based individuals provide a U.S.-based location for companies to send devices, enabling North Korea to circumvent controls companies may have in place to prevent the hiring of illicit, overseas workers as well as controls intended to prevent unauthorized access to company networks by North Korean IT workers, including through the unauthorized installation of remote access software,” the FBI wrote.

Punching Back

Chapman’s sentencing comes weeks after the DOJ announced a broad investigation into North Korean IT worker scams that resulted in two indictments, one arrest, raids on 29 laptop farms in 16 states, the seizure of 29 financial accounts used to launder money, and the takeover of 21 fraudulent websites.

Investigators said that the operations not only resulted in millions of dollars being sent back to North Korea, but also the theft of sensitive information, such as employer data and military.

A month before, the U.S. government also moved to collect $7.74 million seized in 2023 linked to another IT worker scam.

Scammers Embrace AI

In a report in June, Microsoft’s Threat Intelligence unit said North Korean IT scammers are expanding their use of AI, including “the use of AI tools to replace images in stolen employment and identity documents and enhance North Korean IT worker photos to make them appear more professional. We’ve also observed that they’ve been utilizing voice-changing software.”

The Microsoft researchers also said the schemes typically have targeted companies in the United States in sectors like technology, manufacturing, and transportation. However, they wrote, “we’ve observed North Korean remote workers evolving to broaden their scope to target various industries globally that offer technology-related roles.”