Wijckmans was taken aback when he entered his Google Meet and found a young Asian man with a heavy accent, because Thomas had an Anglo-Saxon name. Thomas had set a generic image of an office as his background. His end of the call was noisy, and his internet connection was sluggish, which is unusual for a professional programmer. To Wijckmans, Thomas sounded like he was sitting in a large, crowded space, maybe a bedroom or a call centre.
Wijckmans fired off his interview questions, and Thomas’s answers were solid enough. However, Wijckmans noticed that Thomas seemed most interested in asking about his salary. He didn’t come across as curious about the actual work or about how the business operated or even about benefits like company equity or health insurance. Something seemed strange, Wijckmans thought. The conversation came to a close, and he got ready for the next interview in his queue.
Once again, the applicant said he was based in the US, had an Anglo name, and appeared to be a young Asian man with a heavy, non-American accent. He had a simple virtual background, had a terrible internet connection, and had a singular focus on his salary. This applicant, though, was wearing eyeglasses. In the reflection on the lenses, Wijckmans could see several screens and make out a bright chat box with messages scrolling by. “He was evidently either chatting with someone or on some AI tool,” Wijckmans remembers.
During the call, Wijckmans grabbed screenshots and took notes. After the call ended, he went back over the job applications. He found that his company’s job listings were being flooded with applicants just like these: an opening for a full-stack developer got more than 500 applications in a day, far more than normal. And when he examined the candidates’ coding tests more thoroughly, he discovered that many of them appeared to have used a virtual private network, or VPN, which lets users conceal the identity of their computers.
Wijckmans didn’t know it yet, but he’d stumbled onto the edges of an audacious, global criminal operation. He’d accidentally made contact with an army of seemingly unassuming IT workers, deployed to work remotely for American and European companies under fake identities, all to bankroll the government of North Korea.
Of course, with a little assistance from some friends on the ground.
Christina Chapman was living in a trailer in Brook Park, Minnesota, a hamlet north of Minneapolis, when she got a message from a recruiter that changed her life. A bubbly 44-year-old with curly red hair and glasses, she loved her dogs and her mother and posted social justice messages on TikTok. In her spare time she listened to K-pop, enjoyed Renaissance fairs, and got into cosplay. Chapman was also, according to her sparse online résumé, learning to code online.
She clicked on the message in her LinkedIn account in March 2020. A foreign company was looking for somebody to “be the US face” of the business. The company needed help finding remote employment for overseas workers. Chapman signed on. It’s unclear how fast her workload grew, but by October 2022 she could afford a move from chilly Minnesota to a low-slung, four-bedroom house in Litchfield Park, Arizona. It was just a suburban corner lot with a few thin trees, but it was a big step up from the trailer.
Chapman then began documenting her life on TikTok and YouTube, primarily discussing her diet, fitness, or mental health. In one chatty video, shared in June 2023, she described grabbing breakfast on the go—an açaí bowl and a smoothie—because work was so busy. “My clients are going crazy!” she said. In the background, the camera caught a glimpse of metal racks holding at least a dozen open laptops covered in sticky notes. A few months later, federal investigators raided Chapman’s home, seized the laptops, and eventually brought charges alleging that she had spent three years supporting the government of North Korea’s “illicit revenue generation efforts.”
For maybe a decade, North Korean intelligence services have been training young IT workers and sending them abroad in teams, often to China or Russia. From these bases, they scour the web for job listings all over, usually in software engineering, and usually with Western companies. They favor positions that are entirely remote, have good pay, good data and system access, and few responsibilities. Over time they began applying for these jobs using stolen or fake identities and relying on members of their criminal teams to provide fictional references; some have even started using AI to pass coding tests, video interviews, and background checks.
But if an applicant receives a job offer, the syndicate needs someone on the ground in the country the applicant claims to reside in. A fake employee, after all, can’t use the addresses or bank accounts linked to their stolen IDs, and they can’t dial in to a company’s networks from overseas without instantly triggering suspicion. That’s where someone like Christina Chapman comes in.
As the “facilitator” for hundreds of North Korea-linked jobs, Chapman signed fraudulent documents and handled some of the fake workers’ salaries. She would often receive their paychecks in one of her bank accounts, take a cut, and wire the rest overseas: Federal prosecutors say Chapman was promised as much as 30 percent of the money that passed through her hands.
However, her most significant job was tending the “laptop farm.” After being hired, a fake worker will typically ask for their company computer to be sent to a different address than the one on record, usually with some tale about a last-minute move or needing to stay with a sick relative. The new address, of course, belongs to the facilitator, in this case Chapman. The facilitator occasionally forwards the laptop to a location abroad, but more frequently that person keeps it and installs software that makes it capable of remote management. Then the fake employee can connect to their machine from anywhere in the world while appearing to be in the US. (“You are aware of how to set up AnyDesk?” one North Korean operative asked Chapman in 2022. “I do it practically EVERYDAY!” she responded.)
In messages with her handlers, Chapman discussed sending government forms like the I-9, which attests that a person is legally able to work in the US. (“I tried my best to copy your signature,” she wrote. “Haha. Thank you,” came the response.) She also performed basic tech troubleshooting and set up meetings on a worker’s behalf, occasionally on short notice, as in this conversation from November 2023:
Worker: We are going to have laptop setup meeting in 20 mins. Can you attend a team meeting and follow the IT official’s advice? Because it will require to restart laptop multiple times and I can not handle that. You can mute and just follow what they say…
Chapman: Who do I claim to be?
Worker: You don’t have to say, I will be joining there too.
Chapman: I’ve just entered Daniel as my name. If they ask WHY you are using two devices, just say the microphone on your laptop doesn’t work right… Most IT people are fine with that explanation.
She occasionally became agitated. “I hope you guys can find other people to do your physical I9s,” she wrote to her bosses in 2023, according to court documents. “I’ll send them to you, but I’ll let someone else handle the paperwork. I can go to FEDERAL PRISON for falsifying federal documents.” Michael Barnhart, an investigator at cybersecurity company DTEX and a leading expert on the North Korean IT worker threat, says Chapman’s involvement followed a standard pattern, from an innocuous initial contact on LinkedIn to escalating requests. The asks “get bigger and bigger,” he says, “little by little. Then by the end of the day, you’re asking the facilitator to go to a government facility to pick up an actual government ID.”
By the time investigators raided Chapman’s home, she was storing a number of laptops, each with a sticky note identifying the fake worker’s employer and identity. Some of the North Korean operatives worked multiple jobs; some had been toiling quietly for years. Prosecutors said at least 300 employers had been pulled into this single scheme, including “a top-five national television network and media company, a premier Silicon Valley technology company, an aerospace and defense manufacturer, an iconic American car manufacturer, a high-end retail store, and one of the most recognizable media and entertainment companies in the world.” According to them, Chapman allegedly helped pass along at least $17 million. She pleaded guilty in February 2025 to charges relating to wire fraud, identity theft, and money laundering and is awaiting sentencing.
Chapman’s case is one of numerous North Korean fake-worker prosecutions currently being heard in US courts. A Ukrainian named Oleksandr Didenko has been accused of setting up a freelancing website to connect fake IT workers with stolen identities. Prosecutors say at least one worker was linked to Chapman’s laptop farm and that Didenko also has ties to operations in San Diego and Virginia. Didenko was detained in Poland last year and later extradited to the US. In Tennessee, 38-year-old Matthew Knoot is due to stand trial for his alleged role in a scheme that investigators say sent hundreds of thousands of dollars to accounts linked to North Korea via his laptop farm in Nashville. (Knoot has entered a not-guilty plea.) And in January 2025, Florida prosecutors filed charges against two American citizens, Erick Ntekereze Prince and Emanuel Ashtor, as well as a Mexican accomplice and two North Koreans. (None of the defendants’ lawyers in these cases responded to requests for comment.) According to the indictments, Prince and Ashtor allegedly spent six years operating a number of phony staffing firms that hired North Koreans for at least 64 positions.
The most promising students are taught hacking strategies and foreign languages that can improve their odds of becoming better operatives. Staff from government agencies including the Reconnaissance General Bureau—the nation’s clandestine intelligence service—recruit the highest-scoring graduates of top schools like Kim Chaek University of Technology (described by many as “the MIT of North Korea”) or the prestigious University of Sciences in Pyongsong. They are promised good wages and unfettered access to the internet—the real internet, not the intranet available to well-off North Koreans, which consists of a mere handful of heavily censored North Korean websites.
The first cyberattacks launched by Pyongyang were straightforward: defacing political websites or launching denial-of-service attacks to shut down US websites. They soon grew more audacious. In 2014, hackers from North Korea infamously stole and leaked sensitive data from Sony’s film studio. Then they targeted financial institutions: Fraudulent trades pulled more than $81 million from the Bank of Bangladesh’s accounts at the New York Federal Reserve. After that, North Korean hackers moved into ransomware—the WannaCry attack in 2017 locked hundreds of thousands of Windows computers in 150 countries and demanded payments in bitcoin. How much money the attack made is up for debate; some claim it made just $140,000 in payouts. Companies, meanwhile, worked to upgrade their systems and security, which could have cost up to $4 billion, according to one estimate.
Governments responded with more sanctions and stronger security measures, and the regime pivoted, dialing back on ransomware in favor of quieter schemes. These are, it turns out, also more lucrative: Today, cryptocurrency theft is the most valuable tool in North Korea’s cybercrime arsenal. In 2022, hackers stole more than $600 million worth of the cryptocurrency ether by attacking the blockchain game Axie Infinity; in February of this year, they robbed the Dubai-based crypto exchange Bybit of $1.5 billion worth of digital currency. The IT pretender scam, meanwhile, seems to have been growing slowly until the pandemic dramatically expanded the number of remote jobs, and Pyongyang saw the perfect opportunity.
In 2024, there were 8,400 people working in North Korea’s cyber divisions, which included pretenders, crypto thieves, and military hackers, according to a recent report from South Korea’s National Intelligence Service, an increase from 6,800 two years earlier. Some of these workers are based in the country, but many are stationed overseas in China, Russia, Pakistan, or elsewhere. Although they are comparatively well-paid, their posting is not very professional.
Teams of 10 to 20 young men live and work out of a single apartment, sleeping four or five to a room and grinding up to 14 hours a day at weird hours to correspond with their remote job’s time zone. They have quotas of illicit earnings they are expected to meet. Their movements are tightly controlled, as are those of their relatives, who are effectively held hostage to prevent defections. “You don’t have any freedom,” says Hyun-Seung Lee, a North Korean defector who lives in Washington, DC, and says some of his old friends were part of such operations. “You are not permitted to leave the apartment unless you need to make a purchase, such as going grocery shopping, and the team leader has that arrangement made. Two or three people must go together so there’s no opportunity for them to explore.”
The US government estimates that a typical team of pretenders can earn up to $3 million each year for Pyongyang. According to experts, the money is funneled from Kim Jong Un’s personal slush fund to the nation’s nuclear weapons program. A few million dollars may seem small next to the flashy crypto heists—but with so many teams operating in obscurity, the fraud is effective precisely because it is so mundane.
A major multinational corporation hired a remote engineer to work on website development in the summer of 2022. “He would dial in to meetings, he would participate in discussions,” an executive at the company told me on condition of anonymity. “His manager said he was considered the most productive member of the team.”
His coworkers planned a surprise party for him to celebrate his birthday one day. Colleagues gathered on a video call to congratulate him, only to be startled by his response: but it’s not my birthday. After almost a year at the company, the employee had apparently forgotten the birth date that was recorded in his records. It was enough to spark suspicion, and soon afterward the security team discovered that he was running remote access tools on his work computer, and he was let go. It was only later, when federal investigators discovered one of his pay stubs at Christina Chapman’s laptop farm in Arizona, that the company connected the dots and realized it had employed a foreign agent for nearly a year.
For many pretenders, the goal is simply to earn a good salary to send back to Pyongyang, not so much to steal money or data. According to Adam Meyers, senior vice president for counter adversary operations at CrowdStrike, “we’ve seen long-tail operations where they were going to work in some of these organizations for 10, 12, or 18 months.” Sometimes, though, North Korean operatives last just a few days, enough time to download huge amounts of company data or plant malicious software in a company’s systems before abruptly quitting. That code could alter financial data or manipulate security information. Or it could sit dormant for months or even years.
“The potential risk from even one minute of access to systems is almost unlimited for an individual company,” says Declan Cummings, the head of engineering at software company Cinder. According to experts, attacks are becoming more frequent not just in the US but also in Germany, France, Britain, Japan, and other nations. They urge companies to do rigorous due diligence: speak directly to references, watch for candidates making sudden changes of address, use reputable online screening tools, and conduct a physical interview or in-person ID verification.
But none of these methods are foolproof, and AI tools are constantly weakening them. ChatGPT and other similar platforms let nearly anyone answer esoteric questions in chat with unearned confidence, and their coding proficiency threatens to render programming tests irrelevant. AI video filters and deepfakes can also add to the subterfuge.
For instance, many HR representatives now ask new employees to hold their ID up to the camera for closer inspection during an onboarding call. “But the fraudsters have a neat trick there,” says Donal Greene, a biometrics expert at the online background check provider Certn. They take a green-colored card the exact shape and size of an identity card, a mini green screen, and, using deepfake technology, project the image of an ID onto it. They can actually move it and display the reflection, Greene asserts. “It’s very sophisticated.” Look-alikes have even been known to travel to pick up physical ID cards from offices or take a drug test that prospective employers may require.
Even security experts can be fooled. In July 2024, KnowBe4, a Florida-based company that offers security training, discovered that a new hire known as “Kyle” was actually a foreign agent. He “did a great job,” says Brian Jack, KnowBe4’s lead information security officer. “He was on camera, his résumé was right, his background check cleared, his ID cleared verification. We had no reason to believe that this candidate was not a good one.” But when his facilitator—the US-based individual giving him cover—tried to install malware on Kyle’s company computer, the security team caught on and shut him out.
Back in London, Simon Wijckmans couldn’t let go of the idea that somebody had tried to fool him. He had just read about the KnowBe4 case, which raised more serious questions. He conducted background checks and discovered that some of his candidates were definitely using stolen identities. And he discovered that some of them were connected to well-known North Korean operations. So Wijckmans decided to wage a little counter exercise of his own, and he invited me to observe.
At 3 am, I’m tired and drained when I dial in to Google Meet. We deliberately picked this offensively early hour because it’s 6 am in Miami, where the candidate, “Harry,” claims to be.
Harry arrives on the call and appears fairly fresh-faced. He’s maybe in his late twenties, with short, straight, black hair. Everything about him seems deliberately nonspecific: He wears a plain black crewneck sweater and speaks into an off-brand headset. “I just woke up early today for this interview, no problem,” he says. “I know that working with UK hours is kind of a requirement, so I can get my working hours to yours, so no problem with it.”
So far, everything matches the pattern of a fake worker. Harry’s virtual background is one of the default options provided by Google Meet, and his connection is a touch slow. His English is good but heavily accented, even though he tells us he was born in New York and grew up in Brooklyn. Wijckmans begins with some standard interview questions, and Harry keeps glancing to his right as he responds. He talks about various coding languages and name-drops the frameworks he’s familiar with. Wijckmans begins to pose more in-depth technical queries. Harry pauses. He looks confused. “Can I re-enter the conversation?” he asks. “I have a problem with my microphone.” Wijckmans nods, and Harry disappears.
A couple of minutes pass, and I start to fret that we’ve scared him away, but then he pops back into the meeting. His answers are clearer, but his connection isn’t much improved. Maybe he restarted his chatbot, or got a coworker to coach him. The call continues for a few more minutes, and we say goodbye.
Our next applicant calls himself “Nic.” On his résumé he’s got a link to a personal website, but this guy doesn’t look much like the profile photo on the site. He’s one of the applicants who, although he doesn’t know it, didn’t pass the background check after his first interview with Wijckmans, and in this second interview we can tell that he’s faking it.
Nic’s English is worse than Harry’s: When he’s asked what time it is, he tells us it’s “six and past” before correcting himself and saying “quarter to seven.” Where does he live? “I’m in Ohio for now,” he beams, like a kid who got something right in a pop quiz.
Several minutes in, though, his answers become nonsensical. Simon asks him a security-related question. “Political leaders… government officials or the agencies responsible for border security,” Nic says. “They are also accountable for securing and monitoring the borders, so we can employ the personnel to patrol the borders, check the documents, and enforce the immigration laws.”
I’m swapping messages with Wijckmans on the back channel we’ve set up when it dawns on us: Whatever AI bot Nic seems to be using must have confused a mention of “Border Gateway Protocol”—a system for sending traffic across the internet—with national borders, and started spewing verbiage about immigration enforcement. “What a waste of time,” Wijckmans messages me. We abruptly end the conversation.
I try to put myself in the seat of a hiring manager or screener who’s under pressure. The fraudsters’ words may not have always made sense, but their test results and résumés appeared solid, and their technical-sounding guff might be enough to deceive an uninformed recruiter. I suspect at least one of them could have made it to the next step in some unsuspecting company’s hiring process.
Wijckmans tells me he has a plan if he comes across another pretender. He will send fake candidates a web page that looks like a standard coding assessment. As soon as they hit the button to start the test, their browser will spawn dozens of pop-up pages that bounce around the screen, all of them featuring information on how to defect from North Korea. The computer then starts downloading random files and making an ear-splitting beep, followed by a loud musical rickroll: “The Star-Spangled Banner.” “Just a little payback,” he says.
Wijckmans’s stunt is not going to stop the pretenders, of course. But perhaps it will annoy them a little bit. Then they’ll get back to work, signing on from some hacking sweatshop in China or through a laptop farm in the US, and join the next team meeting—a quiet, camera-off chat with coworkers just like me or you.