Behind the keyboard - Espionage and Identity Theft

Show Notes

This week on Scams, Hacks, and Frauds, we delve into the chilling world of cyber espionage, where unsuspecting companies become pawns in a dangerous game orchestrated by North Korean operatives. Join us as we unravel the harrowing tale of Christina Chapman, a woman who found herself entangled in an illegal operation that exploited her desperation to care for her ailing mother.  

Tune in for a riveting episode that not only highlights the personal cost of scams but also provides essential safety tips for safeguarding your own information in an increasingly digital landscape.

We publish new content every other Monday. The  10 minutes our episodes may save your wallet, and help protect your family.

If you like shows like "The Perfect Scam" or "Darknet Diaries" then this show might be for you.  

On our website you’ll find more computer hacking, identity fraud, impersonation, consumer rights and Romance Scams.  To find these and to access our transcripts, visit us at www.scamshacksandfrauds.com.

The transcript and spoken audio are available under the Creative Commons, Share Alike, With Attributions license. For more information on this visit creativecommons.org.  

Transcript

Imagine being in IT security at a Fortune 500 company, only to discover that the very staff you’ve been relying on to keep your company safe have been secretly siphoning off sensitive information, and live in a hostile country you’re not allowed to do business with. This might sound like the plot of a thriller film, but over 300 U.S. companies unknowingly found themselves in such scenarios, with North Korean operatives gaining deep access to their networks and endangering their trade secrets. This is the podcast that helps keep you safe from scams, hacks, and frauds.

Help us keep more people safe from Scams, Hacks, and Frauds. It doesn’t cost a thing, just like, subscribe and leave a comment or review, it helps get the word out there.

Let me introduce you to Christina Chapman. Christina’s story starts nearly 50 years ago when she was born in South Korea to American parents who were stationed there with the military, helping keep the peace and protect South Korea. When Christina was still very little, the family—including her older brother—moved back to the USA.

Her father, however, was no American hero. He was an alcoholic and unfaithful to his wife. By the time Christina was 5 years old, her mother had finally had enough and separated from him.

This decision, however, would not improve Christina’s situation; she now found herself torn between parents in Minnesota and California, forcing her to change schools every year.  This fractured upbringing made it extremely difficult to make long-term friendships and left her socially isolated.

Christina faced abuse from her father’s girlfriend and older brother, extending her isolation even within her family. Her father minimized the abuse and demanded apologies from Christina to those that abused her. She eventually severed ties with him in her early twenties, during which she drifted between low-paying jobs and unstable housing. At one point in her life, her identity was stolen.

Her relationship with her mother was more stable, and when her mother was diagnosed with cancer in 2018, Christina wanted to help. She needed a good job to support them, so she enrolled in a computer science boot camp. After completing it, she searched for jobs on LinkedIn and was soon approached to be the face of a company that connected overseas remote workers to jobs in the U.S. In that pivotal moment, it wasn't just about finding employment; the stakes were much higher. This wasn't just a career move; it was her mother’s lifeline. The gravity of her mother's situation overshadowed any doubts she might have had about the job’s legitimacy.

For Christine, the job was a godsend.  It promised not just enough to change her life, but to look after her mother the way she felt her mother deserved.  She no longer had to work,  bills were up to date, and her medical needs were fully covered.

But what exactly was this job? Well, she really would be supporting remote IT workers, but the job and the company itself weren’t exactly legal.  Not only would she be asked to do things that were crimes in their own right, she’d also be dealing with workers in North Korea, breaking international sanctions.

North Korea is largely cut off from the outside world. Its communications and media are tightly controlled, and both international trade and money transfers are heavily restricted due to its nuclear ambitions. The Kim family has ruled the country since its founding and all sorts of supernatural abilities are ascribed to the Kims. Everything South Korea is, North Korea is not.

The North Koreans, based just over the border in the Chinese city of Dandong, were running a particularly sophisticated operation. They would harvest personal details to create false identities, then verify these identities through online background checks, and subsequently apply for jobs as IT workers. What does North Korea gain from this? Well, first and foremost, they earn much-needed currency for North Korea. Thanks to those restrictions, their government is desperate for cash - what goods and materials they can't make themselves still have to be paid for somehow. Additionally, these operations are believed to support North Korea's Munitions Industry Department, which is their home for their illegal ballistic missile-related activities. By infiltrating companies and acquiring salaries under false pretenses, they can fund their military ambitions, including their nuclear weapons program.

2020 was particularly good year for these North Korean hacker groups. With more people now working from home due to the pandemic, the increased pressure on IT infrastructure and companies’ eagerness to recruit remote workers created many opportunities for employment scams.

The most of the companies targeted in this scam aren’t named in court documents, but their descriptions reveal the seriousness of the threat: prominent retailers, a large car manufacturer, a top media company, a leading TV network, a cybersecurity firm, and an aerospace and defense company. Of the companies named, they include Nike - yes, that Nike.

Over 300 companies, including many Fortune 500 firms and at least one U.S. government agency, were affected. Not only were they paying a salary to someone they legally cannot employ, we know in at least some cases they were downloading information from the company's servers and sending it elsewhere - this was espionage on a large scale.  

American companies must verify that employees are authorized to work in the U.S. using an I-9 form or, since 2023, a system called E-Verify. Christine’s role was to complete these forms for the North Koreans, forge signatures, pay for background checks, and help them validate their stolen identities.

When North Korean workers got hired, laptops were sent to Christine’s address. She set them up with remote access so the North Koreans would appear to be working from her home. Christine also cashed their pay checks and transferred money to North Koreans in China, and In one example, she dispatched an associate to the Aerospace and Defence industry company mentioned before in order to get a special security card required to access secure US military systems.

Over the years  Christine became increasingly uncomfortable with her role supporting the North Koreans, Despite this, she felt unable to leave because she needed to care for her mother.  Even after her mother passed away in April 2023 she was too afraid to leave not knowing what the North Koreans could to to her. A few months later, Christine was arrested—an event she later described to the court as a relief, giving her the chance to escape the situation and seek much-needed therapy.
In July 2025 she plead guitly to conspiract to commit wire fraud, Aggravated Identity theft and a conspiracy to launder monetary instrument and was sentenced to 102 months in prison, or about 8 and a half years.

But, this isn’t the end of North Korean remote IT workers.  Cybersecurity firm CrowdStrike reports seeing similar groups target Canada, the United Kingdom, Germany, Brazil, India, and Japan; and there are probably further groups within the United States.

——

In this particular case, we know that the gang has run over 1,000 queries on background checking services, indicating that they have access to an extraordinary amount of personal information. The sad fact is in the handful of decades we’ve been online thousands of data breaches have occurred, and just this year tens of millions of stolen accounts have been identified by haveibeenpwned.com. If you’ve ever shared your personal information with any organization - and that's pretty much everyone - some of your personal details are almost certainly out there, in the hands of goodness knows who. As a quick safety checklist, here are three steps you can take before the episode ends: First, visit Have I Been Pwned to check if your details are available online. Second, consider freezing your credit to prevent unauthorized access. Lastly, enable Multi-Factor Authentication (MFA) on your online accounts to add an extra layer of security. Taking these steps can significantly reduce your risk of identity theft. Some credit report sites and packaged bank accounts also offer services to check if your information is available on the dark web.

Even if some of your information is already out there, that’s not a reason to make getting your personal data easy .  Be careful with what you share online.  Review your social media profiles to see who they’re sharing your information with, and consider adjusting these settings to share only with family members and close friends.  Don’t share your date of birth, address, or any sensitive information widely. Think twice about entering contests and sweepstakes online or offline, even if they’re legitimate, they’re probably using and selling your details for marketing purposes, and once you’re done with it, remember to shred any mail you receive that has any personal information - including your name and address.

Be cautious about where you shop online.  Ensure that your web browser is connected to a secure site when you do.  Look for a padlock symbol, and the letters HTTPS in the address bar.  Also, research the company’s site and reputation to confirm you’re dealing with the company you expect

If you’re an employer and you’re employing remote staff, make the effort to ensure you’re meeting with your staff every once in a while, but particularly before hiring them.  In one case where these hackers were targeting a US government department, their inability to communicate beyond sharing their names during a video call was a major red flag that prevented them from gaining further access to the department.  Other hackers would pretend to be different ethnicities while keeping their camera off during video calls.  Whilst AI is getting to the level where it can fake a person on a video call, you can’t fake a person in real life.  Make sure you’re not just giving Identity documents the once-over, but verifying their authenticity, and that the person in the photo ID documents really is the person giving it to you.

That’s all for this week. Please leave a comment or review telling us where you are so we can find stories near you, or email us at cee@scamshacksandfrauds.com with your experiences. For now, I’m Cee, and this is the podcast dedicated to keeping you safe from scams, hacks, and frauds.