{
	"id": "59bd174a-49c6-433e-af58-4c38efa20f05",
	"created_at": "2026-04-06T00:17:43.49073Z",
	"updated_at": "2026-04-10T03:32:26.533949Z",
	"deleted_at": null,
	"sha1_hash": "5de692ee14965c3cf02832baf94208d02bf485ec",
	"title": "US woman allegedly aided North Korean IT workers infiltrate 300 firms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4955823,
	"plain_text": "US woman allegedly aided North Korean IT workers infiltrate 300 firms\r\nBy Sergiu Gatlan\r\nPublished: 2024-05-16 · Archived: 2026-04-05 15:55:57 UTC\r\nThe U.S. Justice Department charged five individuals today, a U.S. Citizen woman, a Ukrainian man, and three foreign\r\nnationals, for their involvement in cyber schemes that generated revenue for North Korea's nuclear weapons program.\r\nThey were allegedly involved between October 2020 and October 2023 in a campaign coordinated by the North Korean\r\ngovernment \"to infiltrate U.S. job markets through fraud in an effort to raise revenue for the North Korean government and\r\nits illicit nuclear program.\"\r\nTwo of them, Christina Marie Chapman and Oleksandr Didenko, were arrested on May 15 in Litchfield Park, Arizona, and\r\nin Poland on May 7, 2024, with the DOJ now seeking Didenko's extradition to the United States.\r\nhttps://www.bleepingcomputer.com/news/security/five-arizona-ukraine-charged-for-cyber-schemes-infiltrating-over-300-companies-to-benefit-north-koreas-weapons-program/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/five-arizona-ukraine-charged-for-cyber-schemes-infiltrating-over-300-companies-to-benefit-north-koreas-weapons-program/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nThey were both charged with conspiracy to defraud the United States, aggravated identity theft, and conspiracy to commit\r\nmoney laundering, wire fraud, identity fraud, and bank fraud.\r\nThree other foreign nationals, known only by their aliases (Jiho Han, Haoran Xu, and Chunji Jin), were also charged with\r\nconspiracy to commit money laundering.\r\nIf convicted, Chapman faces a maximum of 97.5 years in prison, while Didenko's maximum penalty can reach 67.5 years.\r\nEach of the John Does also faces a maximum penalty of 20 years.\r\n\"Chapman and her co-conspirators committed fraud and stole the identities of American citizens to enable individuals based\r\noverseas to pose as domestic, remote IT workers,\" said Nicole M. Argentieri, the head of the Justice Department's Criminal\r\nDivision.\r\nToday, the U.S. State Department announced a reward of up to $5 million for any information related to Chapman's co-conspirators, the North Korean IT workers charged today, and their manager, only known as Zhonghua.\r\nReward for information on North Korean IT workers (State Department)\r\nNorth Koreans worked remotely via U.S. laptop farms\r\nAccording to the indictment, Chapman housed the North Korean IT workers' computers in her own home, creating a \"laptop\r\nfarm\" to make it appear as though her co-conspirators' devices were in the United States.\r\nThey were hired as remote software and application developers with multiple Fortune 500 companies, including an\r\naerospace and defense company, a major television network, a Silicon Valley technology company, and a high-profile\r\ncompany.\r\nThey were paid millions for their work, and Chapman processed their paychecks from U.S. companies through her financial\r\naccounts.\r\nDidenko also ran an online platform known as UpWorkSell (whose domain was seized by the DOJ), knowingly providing\r\nservices to allow North Koreans to use false identities while hunting for remote IT work positions.\r\nhttps://www.bleepingcomputer.com/news/security/five-arizona-ukraine-charged-for-cyber-schemes-infiltrating-over-300-companies-to-benefit-north-koreas-weapons-program/\r\nPage 3 of 5\n\nUpWorkSell seizure banner (BleepingComputer)\r\n\"Didenko is alleged to have managed as many as approximately 871 proxy identities, provided proxy accounts for three\r\nfreelance IT hiring platforms, and provided proxy accounts for three different money service transmitters,\" the DOJ said.\r\n\"In coordination with co-conspirators, Didenko facilitated the operation of at least three U.S.-based 'laptop farms,' hosting\r\napproximately 79 computers. Didenko sent or received $920,000 in U.S.D. payments since July 2018.\"\r\nTheir scheme compromised over 60 U.S. identities and affected more than 300 U.S. companies. It also resulted in false tax\r\nliabilities for more than 35 U.S. citizens and generated at least $6.8 million in revenue for overseas IT workers.\r\nToday, the FBI also issued an advisory with more information on how North Korea's IT workers undermine the security of\r\ncompanies that hire them and guidance on how to spot North Korean IT worker schemes.\r\nPreviously, the United States also published joint advisories with foreign partners warning of North Korean IT worker\r\nschemes and sanctioned multiple organizations involved in North Korea's IT worker revenue generation schemes.\r\nhttps://www.bleepingcomputer.com/news/security/five-arizona-ukraine-charged-for-cyber-schemes-infiltrating-over-300-companies-to-benefit-north-koreas-weapons-program/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/five-arizona-ukraine-charged-for-cyber-schemes-infiltrating-over-300-companies-to-benefit-nort\r\nh-koreas-weapons-program/\r\nhttps://www.bleepingcomputer.com/news/security/five-arizona-ukraine-charged-for-cyber-schemes-infiltrating-over-300-companies-to-benefit-north-koreas-weapons-program/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/five-arizona-ukraine-charged-for-cyber-schemes-infiltrating-over-300-companies-to-benefit-north-koreas-weapons-program/"
	],
	"report_names": [
		"five-arizona-ukraine-charged-for-cyber-schemes-infiltrating-over-300-companies-to-benefit-north-koreas-weapons-program"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434663,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5de692ee14965c3cf02832baf94208d02bf485ec.pdf",
		"text": "https://archive.orkl.eu/5de692ee14965c3cf02832baf94208d02bf485ec.txt",
		"img": "https://archive.orkl.eu/5de692ee14965c3cf02832baf94208d02bf485ec.jpg"
	}
}