North Korean hackers ran US-based “laptop farm” from Arizona woman’s home

Christina Chapman, a 50-year-old resident of Arizona, has been sentenced to 102 months in prison for her involvement in a scheme that aided North Korean hackers in stealing American identities. This operation allowed these hackers to secure remote IT positions with over 300 U.S. companies, including well-known brands like Nike, ultimately directing millions of dollars to the North Korean government. In a heartfelt letter addressed to the judge, Chapman explained her motivations for participating in the scheme. She revealed that she was seeking a Monday-to-Friday job that would enable her to care for her mother, who was battling cancer at the time. Tragically, her mother passed away in 2023. Chapman expressed remorse for her actions, offering sincere apologies to anyone affected by her misconduct. She also thanked the FBI for intervening and expressed a desire to write books and launch her own underwear business upon her release. The fraudulent operation required extensive administrative work, including the theft of U.S. identities and managing the hiring process. Chapman assisted the North Korean hackers by completing paperwork, such as resumes and I-9 forms to demonstrate employment eligibility. She noted her concerns about the legal implications of falsifying federal documents, stating, "I can go to FEDERAL PRISON for falsifying federal documents." Chapman's role extended beyond mere paperwork; she played a crucial part in the technical aspects of the scheme. Once her clients were hired, she would receive their company laptops and often reship them to a location in China near the North Korean border. However, she retained more than 90 devices at her home in Arizona. Using various technologies like proxies, VPNs, and remote access tools such as Anydesk, the North Korean hackers accessed these laptops from abroad, effectively masquerading as legitimate remote employees. They participated in Zoom meetings, received salaries, and occasionally engaged in data breaches or ransomware attacks.