North Korean ‘Laptop Farm’ Scams Target American Companies

(MUSIC INTRO)

[00:00:01] Bob: This week on The Perfect Scam.

(MUSIC SEGUE)

[00:00:04] There's an army of North Koreans, like thousands of North Koreans scattered around the world who are signing up for remote work jobs at all kinds of companies. And that is, at this point, bringing in hundreds of millions of dollars to the regime according to the Feds.

[00:00:24] Bob: According to the Feds, a significant amount of national income, right?

[00:00:27] It is. Yeah, and it's, they like to, to remind us that's being used to fund their weapons program. Which is pretty scary.

[00:00:34] It's one of those things I think everybody who hears about it is incredulous. What? What is happening?

(MUSIC SEGUE)

[00:00:46] Bob: Welcome back to The Perfect Scam. I'm your host, Bob Sullivan.

(MUSIC SEGUE)

[00:00:51] Bob: Imagine a dark room full of bookshelves, each shelf jam-packed with laptop computers, dozens of them humming away, lights flickering, each one with a Post-It note attached with a single name on it. Now imagine a pink purse just hanging off the side of one of those shelves. What is that purse? And what do those laptops have to do with funding North Korea's weapons program? Well that purse belonged to a woman named Christina Chapman, and those laptops, well this is a rags to riches to rags story you might not believe. That's why we have the Wall Street Journal's amazing cybersecurity reporter, Bob McMillan here to help us tell it.

[00:01:39] Bob McMillan: Yeah, Christina Chapman had worked a variety of jobs. She was in her mid- to late-40s, living in Minnesota. And she had kind of come to a point in her life where things were pretty rough. She was living in a trailer. She didn't have running water. She was getting showers at her local gym, and she had enrolled in a coding camp and tried to make a pivot into the tech world, and it wasn't really working out. So when I first encountered, I encountered her through a variety of TikToks that she had recorded over a couple of years, and at the very beginning of the saga, she was really at a, at a difficult time in her life and she was crying in some of these TikToks just because her life was so hard and it just hadn't worked out and financially she was strapped.

[00:02:29] Bob: She didn't have running water, didn't have working toilets where she lived.

[00:02:32] Bob McMillan: That's right. Yeah, she was showering at the, at her local gym.

[00:02:36] TikTok clip: Hi everybody. Um, TikTok fans. I need some help and I don't know really how to do this. Um, I'm classified as homeless in Minnesota. I live in a travel trailer. I don't have running water. I don't have a working bathroom. And now I don't have heat. Um, I don't know if anybody out there is willing to help...

[00:03:08] Bob: Things don't get any easier when the isolation of the pandemic starts to sink in, but in one way, that seems like it might be Christina Chapman's big break because companies start looking for remote workers as rules around hiring them have eased and well maybe that coding school thing does work out after all. She gets a message on LinkedIn.

[00:03:30] Bob McMillan: Somebody was looking for a representative in the United States. I think the message probably presented itself as a foreign company looking for help with some staffing issues here in the United States.

[00:03:45] Bob: And especially during the early times of COVID, but even now, that's not an uncommon kind of job description, right?

[00:03:51] Bob McMillan: Yeah, COVID really pushed remote work into the main stream, and that sort of became, there was actually some changes to the law that happened around COVID. It used to be that when you were onboarding an employee, you would have to meet them face-to-face, get them to sign an I-9, confirm their identity, look at their documents and everything like that, and because of the restrictions of COVID, the federal government lifted that requirement and it was a time when it was like a renaissance I guess you'd call it for remote work. That was the ideal time to, to look for and to obtain a remote working job.

[00:04:29] Bob: So Chapman responds and applies for a job at this company and well at first it seems like a lost cause again. Here's FBI agent Joe Hooper.

[00:04:40] Joe Hooper: Our understanding is that one of her family members was having medical issues and she needed a greater source of income, and so she proactively went online to obtain additional cyber training and she thought this was a way that she would be able to get a, a higher paying job. Uh, as a part of her training, one of her projects had to be posted online and through that posting online of that project, uh, she was contacted for a job. She went through the interview process, had to do a demonstration of her coding capabilities, and apparently did not perform that well. So she was not able to get that job, but through the same employer, she was offered a separate job as the face of the North American branch for this company.

[00:05:29] Bob: The face of the North American branch of this company? It sounds like an amazing opportunity.

[00:05:36] Bob: Okay, so she gets this job, what were the tasks that she had to do for this job?

[00:05:42] Bob McMillan: Well she had to do a lot of things. And it, she was basically like a full-service bureau for this foreign entity. She would receive laptops; she would plug in these laptops and that those were the devices. So when you get hired for a remote work job, it's quite common for your employer to send you out a laptop that's your corporate laptop you can be working on, so she would actually receive those on behalf of employees, and she would turn them on every day, power them up, get them working, get them configured on the network. She would be the sort of hands and eyes for these remote workers, but she also did a variety of other things. She processed their paperwork, she used her bank account to, to actually receive funds so when they got paid, they sometimes would go through her. She was a little bit of a task rabbit.

[00:06:31] Bob: So this company has Chapman essentially getting remote workers set up remotely. A lot of them. But the pay is good. It lets Chapman get a new place, start putting her life back together. But it's demanding too.

[00:06:47] TikTok clip: And I did not make my own breakfast this morning. My clients are going crazy, so I just got a smoothie bowl um, at the FA Smoothie Bowl, and it has banana, strawberries...

[00:06:59] Bob: But this job, it completely transforms her life.

[00:07:05] Bob McMillan: She went from living in a trailer to living in a nice house on the outskirts of Phoenix. She was able to go to events. She was a bit of a shut-in and then she was able to attend Drunken Shakespeare where she actually bought the queen's chair there which allowed her to have her own dead seat in the Drunken Shakespeare performance she would witness.

[00:07:25] TikTok clip: Hello everybody. It's probably incredibly irresponsible of me to be posting right now. I just got home from Drunken Shakespeare. This is the second time I've gone. And I want to go again so much. Today I got to be queen, queen for the night. And I got to die. I got to act out my death. And it was amazing. So if Drunken Shakespeare comes to your town, do yourselves a favor and go for at least one night. Just one night. Drunken Shakespeare is like what is better than chess kiss? What is better than chess kiss? I got to drink; I got to be royalty. I got to make someone else get drunk. Although he was already pretty drunk. Thank you so much for an amazing night.

[00:08:28] Bob McMillan: She traveled. She went to Long Beach, California, and she went to British Columbia. She eventually went to Japan all following her favorite Japanese boy band. She lived a, a normal life, I guess you'd say. She, in some ways it was like the American dream coming true for her.

[00:08:47] Bob: And she even got to be queen for a day.

[00:08:49] Bob McMillan: Oh yeah, yes, she did.

[00:08:52] Bob: Queen for a day. For a night anyway. By day, well she isn't really living like a queen. Her job is really all happening in one room of that house outside Phoenix. You can see it in one of her TikToks. Bob describes the room.

[00:09:12] Bob McMillan: You see just these row after row of, they look almost like Ikea shelves. They're metal, these metal shelves just stacked up with laptops, and the laptops. My favorite thing about this picture is you see all these laptops, they're all connected to the internet and they have all Post-It notes on them. Presumably, the Post-It notes are like the name of the employee and the log-in so they can log into the corporate network or whatever. But it's just, it's just a, it's basically a roomful of, of more than a dozen laptops all just waiting to be used.

[00:09:43] Bob: Here's Becky, here's Julio, here's Hector, here's Bob. It's crazy.

[00:09:47] Bob McMillan: Kevin's a popular name. (chuckles)

[00:09:49] Bob: But I also in that one picture, there's a huge pink woman's bag hanging on...

[00:09:54] Bob McMillan: Yeah.

[00:09:55] Bob: ...top of the rail which is just so humanizing for the rest of it.

[00:09:58] Bob McMillan: Yeah. I don't think that Christina Chapman was like the greatest housekeeper. Her place was messy at times, and there's a very home officey feel to the laptop farm look there, I think.

[00:10:10] Bob: I don't know, rows of laptop computers with names stickered on them has a bit of a haunting matrix feel to me. But when FBI Agent Joe Hooper, also in Phoenix, sees that image, well it makes him think of something else.

[00:10:26] Joe Hooper: And there were laptops stacked on shelves that just seemed interesting and, and odd as to why somebody would have open laptops just out and about and on different shelves in a house where it's seemingly one or maybe two people lived.

[00:10:40] Bob: Joe finds that image suspicious because well his office has been getting some complaints lately, one specific complaint from a company that hired a remote worker and has grown suspicious.

[00:10:54] Joe Hooper: This company was doing some, some due diligence in their review of their hiring processes, and noticed uh some discrepancies in one of their employees uh, via their addresses and then dug a little bit deeper into their LinkedIn profile and noticed that there were a couple of profiles, one of which seemed to be superficial, and that was the one tied to the employment of their company. And so they contacted us.

[00:11:23] Bob: The company doesn't think too much of this one incident, but they are worried they have a remote worker who isn't quite who he says he is.

[00:11:33] Joe Hooper: When a complaint like that comes into our office, we'll take a look at it and see what's there, and through different types of legal process depending upon the information that, that we get, we're able to get records. And so looking at some of these bits of information that are provided, in this case we're able to identify that, you know, equipment was shipped to a certain address that did not match the address of the person that had gotten employed, or at least the information that they provided upon employment. In addition, we identified that there was a large number of pieces of equipment that were getting shipped to this address. It seemed to be that either a lot of people worked in this one location or there was a scheme going on at this location, and that just caused us to, to start digging a little bit further.

[00:12:25] Bob: They dig further and further and further, and well...

[00:12:32] Bob: The thread you pull leads to Christina Chapman.

[00:12:34] Joe Hooper: She was the one that was, that had the laptop for this employee that ended up being...

[00:12:41] Bob: That initial complaint, Christina Chapman has the laptop that company sent to its employee, and she has dozens and dozens more like it. She isn't just the face of that North American company she's working for. Chapman is running what's known as a laptop farm. Really, it's called a laptop farm; a farm for people who want to work for an American company but can't legally. To do that she helps each worker satisfy employment requirements often by using a US citizen's name and say a social security number which has been provided by this employer. Then she sets up her laptops in her farm so they appear to be logging on from inside the US. Perhaps Chapman thought at the beginning that her job was above board, but emails from this time reveal she came to know something was wrong relatively quickly.

[00:13:36] Bob: She wrote, you know, "I don't want to do this anymore. I could go to federal prison."

[00:13:39] Bob McMillan: Yeah, I mean...

[00:13:41] Bob: So she knew she was doing something bad.

[00:13:43] Bob McMillan: Yeah, she eventually got asked, I think, I'm trying to remember the specific things that were illegal that she did, but she definitely was asked to kind of misrepresent herself to these employers and to fill out forms, federal forms that on behalf of other people which it was illegal. She was moving money. Ultimately, she did enough of this kind of, I'm going to help you get a, get a, help... she basically helped hundreds of people, or she helped hundreds of entities really, represent themselves as employable workers in the United States. And at the end of the day, none of them were really legitimate.

[00:14:32] Bob: Not only were none of them legitimate but well it gets much worse because of who these remote workers really are.

[00:14:41] Bob: Where were they all from?

[00:14:42] Bob McMillan: It turns out they were all North Koreans.

[00:14:44] Bob: Which ups the stake of this story considerably, right? Why are North Koreans working with someone like Christina Chapman in order to get work in the US?

[00:14:54] Robert McMillan: I think it's a, a twisted path that got the North Koreans here. And I think that you have to go back to, they're a sanctioned country, right? So they've been cash starved for quite a long time because the United States basically won't allow any entities in our financial system to do business with North Korea. They've been cash starved for a while and they've actually been looking for ways to get illicit funds into the, into the hermit kingdom.

[00:15:21] Bob: North Koreans. Chapman isn't just helping people illegally get jobs and paychecks from US companies, she's helping a country that's under heavy US sanctions facilitating the movement of cash from US companies to effectively the North Korean regime. Now it turns out the North Koreans have become very good at setting up laptop farms in the US. As Bob said, it's kind of a twisted story.

[00:15:48] Bob McMillan: I don't know if you remember, but a decade ago now, they hacked the Swiss system and stole a billion dollars, not all of which they've been able to get away with. And then after that they started experimenting with ransomware. There was something called Wanna Cry that was actually a ran--, a worm, a ransomware worm that demanded a ransom and they actually made some money from Wanna Cry, although it was quickly stopped. So they started learning about cryptocurrency, and I think this scam ul--, ultimately dates back to the time around the late teens when North Korea was dabbling with cryptocurrency. And one of the ways they learned to steal cryptocurrency was to, to do insider jobs, to get jobs at cryptocurrency companies and to basically use their position of trust there to steal money. And they have stolen billions of dollars in cryptocurrency over the years. But it turns out that this scam, this fake worker scam really started with the crypto companies around 2020, the early 2020s. So just a couple of years before Chapman got into it, and it expanded from there because I think what happened was, they were so desperate for money that they realized that yes, they could steal cryptocurrency, but they can also just get paychecks, right? And so they started doing this very unique scam where, according to the FBI, there's an army of North Koreans, like thousands of North Koreans scattered around the world who are signing up for remote work jobs at all kinds of companies. They're Fortune 500 US companies, but companies around the world in fact at this point, and they're collecting paychecks. Some of them are great workers, and they can last a long time, years even at these companies. Some of them are terrible workers and they get fired right away, but they still get paid. And that is at this point bringing in hundreds of millions of dollars to the regime according to the Feds.

[00:17:49] Bob: A--, according to the Feds, a significant amount of national income.

[00:17:52] Bob McMillan: It is, yeah, and it's, they like to, to remind us that's being used to fund their weapons program, which is pretty scary.

[00:18:00] Bob: It's amazing that someone could keep a job for years doing this. My head immediately wonders, is that just for a North Korean coder who wants a job, but anybody who's doing this inside North Korea must be doing this with some sort of tacit approval of the government.

[00:18:16] Robert McMillan: Yeah. Yeah, that's, yeah, that's what the Feds say that the, that it's all just a money-raising operation for North Korea, and that the majority of the funds get funneled back to the, to the regime there. Yeah, North Korea is not the kind of place where there's a lot of free enterprise.

[00:18:32] Bob: Clark Flynt-Barr is a Government Affairs Director with AARP's Financial Security Team, but before that, she had learned about laptop farms working at a company called Chainanalysis. They do cryptocurrency investigations.

[00:18:47] And this was something that was coming up a lot in the cryptocurrency space. You would pretty frequently see Twitter threads about how somebody thought they had just interviewed a North Korean for their crypto business, and they would share, this is what happened and this is how we figured out that they were actually North Korean, and there's a large cryptocurrency exchange, Kraken, that wrote a whole blog piece about an investigation they did into a North Korean who tried to get a job at Kraken, but they figured out that the person was im--, impersonating a, I don't want to say a legitimate employee, but you know, somebody else in order to try to gain employ there.

[00:19:26] Bob: And not only do they get these remote jobs, some are able to hang on for years.

[00:19:33] Clark Flynt-Barr: Yeah, I think these are very talented employees for a lot of companies. They're like they're good at their job and they're, in some cases, quite shocked to learn that they're a criminal who has infiltrated the company, not just an employee.

[00:19:49] Bob: Yeah, which is stunning to me to how widespread this problem is at this point.

[00:19:53] Clark Flynt-Barr: It sounds like it has become very widespread. But the North Korean hackers have gotten very successful at infiltrating US businesses. And there's a lot of potential national security ramifications of that, but also think about the amount of customer data that is held by those companies and what you could do with all of that customer information. You could sell that to other people. You could use it to impersonate people and steal their identities. You can use it to scam people because you have more tailored information about them. So there's really a lot of potential harm from this trend.

[00:20:35] Bob: And the harm seems to be everywhere.

[00:20:40] Bob McMillan: It seems basically if you work for, if you work for a Fortune 500 company, I would be shocked if you haven't had a North Korean at least apply for a job there. And many of them have hired people.

[00:20:53] Bob: Now you might be thinking, how would a Fortune 500 company be fooled into hiring a remote worker from a sanctioned country? Well they are very good at applying for jobs.

[00:21:05] Bob McMillan: Yeah, yeah, they're, they're really great and the other thing that is remarkable to me about this scam is that it's a, it's, it's a multi-level industry. So what, I guess what I mean by that is that there are, as you're doing, you're asking these people to do different things, they actually have different people they bring in for different phases of the scam. There might be somebody who's like sending out all the resumes and dealing with the correspondence around that. But then there would be a separate person who actually does the interview. And then another person altogether who does the coding, you know what I mean? You, they have a way of giving you the person you want to see at the time you want to see them, and I've actually heard about people who are not North Koreans who sometimes take the job interviews, right? There's like a whole, like I said earlier, their core competency is just finding temporary workers who will do anything. And so as companies have become more strict about just making sure you, you present as a real person and that you're a coder, in the interview the face, the video interview that they're doing, they've literally hired people just to do the interviews. People who are not North Koreans, but people who actually know how to write software will do these interviews.

[00:22:23] Bob: And they find people like Christina Chapman to be accomplices. But now, Federal authorities are watching her. They found her laptop farm on TikTok for heck's sake.

[00:22:36] Joe Hooper: We're trying to identify victim companies that may be out there. In addition, Ms. Chapman, and um, and the North Koreans are, they're not just developing personas out of thin air, they're actually stealing identities from online and using legitimate people's information to get hired by these companies. And so we'll gather enough information to where we have probable cause to believe that Ms. Chapman has evidence of, of these criminal acts at her house, and that's when we, that's when we execute a search warrant. You know we; we did know that there were, companies were shipping pieces of equipment to her address, stolen identities were being used as part of um, applying and getting hired, uh, by these companies.

[00:23:27] Bob: It's October 2023.

[00:23:30] Joe Hooper: When we arrived to search her home, she was not home. Uh, by this time she had hired a couple of assistants to help her out, not just with the laptop farm, but also with just daily chores and food prep and stuff like that. She had actually flown to LA during the time of our search, and so we did contact her, or did get in contact with her that day regarding this situation and, and everything that, that had happened, and during that initial contact the case agent actually explained to her not to alter or delete any information and that we actually, we wanted to talk to her in person but until that point, do not alter or delete. It appears after she had the conversation with the case agent, she contacted her handler who advised her to delete all of the information and messages between the two of them which she tried to do. We eventually got that information that helped again with evidence to, to prove this crime. But when we did sit down and discuss with her about these actions, she did admit to all of this, um, at the end of the day that these were schemes that she was conducting. She was not completely aware of the fact that these were North Korean IT workers. She did have some sense that these folks were located in China and/or from China, but she didn't have a sense that they were North Korean.

[00:24:58] Bob: Further investigation reveals that Chapman had facilitated the movement of $17 million from the US to North Korean, but she...

[00:25:09] Joe Hooper: Ms. Chapman actually lived fairly modestly even though we're, we were able to see that the North Koreans had, had gotten about, you know, over $17 million from this scheme. She had only made just over 150,000 over a three-year period and so she lived actually fairly modestly so that there wasn't this big large setup, it's basically a, you know you got to have an internet connection at your house and then through wireless connection to the router, you can set up a good amount of laptops at one location to, to facilitate this activity as long as you have the bandwidth.

[00:25:47] Bob: Chapman distraught from the investigation doesn't mention she's under scrutiny from the Feds, but it's fairly clear from her TikTok account that something terrible has happened.

[00:26:00] TikTok clip: Hi everybody. Today I'm having a day where I just, you know when your brain just doesn't want to grab onto anything? Um, I haven't been working for like the last two months. I lost my job at the end of October again, didn't get paid for that last month. I usually got paid at the end of the month for what I did during the month, and I didn't get paid. Um, luckily, I had some savings, and um, that has nearly dried out. Dried out, dried up, and even though I have been applying to at least three to four jobs every day, I haven't found anything yet. And I have bills.

[00:26:48] Bob: And it gets worse.

[00:26:52] TikTok clip: I need help, and I'm really bad at asking. I haven't worked since the end of October, and that's not by choice. I lost my job and I have gone through all of my savings, um, and money that I borrowed. Um, hoping that somewhere between then and now I would have found a job. I have applied at probably over a thousand jobs, and I still haven't gotten anything. Um, which is not normal for me. I've never had to apply for more than 20 jobs, or 20 different places and I found a job, so this is very unusual for me. Um, I, I literally don't know what to do. I am down to my last couple hundred dollars. Um, I am already late on several bills. Uh, and I don't know what to do. Um, I am beyond scared. Uh, and now my, my brain is, is a jumbled mess because I'm... whew ... I'm not somebody who usually asks for help. I'm usually the person helping. Somebody needs money for food, I will, I will give them money. If they need money for rent, I'm the one who does that. So me having to ask is very, very hard. Whew. Um...

[00:28:39] Bob: And then she hits rock bottom.

[00:28:44] TikTok clip: So I'm in the car, I'm about to go check into the shelter, and I didn't realize how sad I was. Um, my dogs are safely with my friends, and they are heading on their way back to California. Whew. And right now I feel completely lost. I didn't realize (inaudible-sobbing). I look tore up without a filter.

[00:29:20] Bob: Chapman is indicted in May 2024 on 9 counts, including conspiracy to defraud the US, a flurry of news coverage about her laptop farm follows, and that encourages a series of victims to also come forward.

[00:29:34] Joe Hooper: There was a, a good amount of local media here in the Phoenix area that broadcast this news story, because the lady was local. It was kind of unexpected. Somebody who was, you know, a middle-aged woman, lived in a suburb of Phoenix, was actually running a laptop farm for the North Koreans that amounted to over $17 million dollars being washed from US companies. And so that had a pretty significant impact and gained a lot of attention here locally uh, in Arizona.

[00:30:07] Bob: Okay, that makes sense. And then so other companies, HR departments, executives, or whatnot see those news stories and think wait a minute, this sounds a little bit too familiar. So, so tips start coming in, is that what happened?

[00:30:19] Joe Hooper: That's exactly what happened, and I will, I will say, even before this when we contacted victim organizations as a, as a part of this scheme and a part of our coordination with those victim companies and treating them as victims as we provide them with information and tips on how to detect and some of those companies were actually able to self-identify additional remote employees within their organization independent of us, or independent of one of our investigations, but because of the information that we obtained through this investigation, and we had identified one remote employee, they were able to identify additional problems that they had within their own company, and then also from the news it wasn't just companies identifying stuff, but then also people themselves realizing hey, I'm in the middle of a fraud, I might be in the middle of a fraud scheme here and calling the FBI and saying, hey, I was, I was hired for a job to set up these laptops at my home or apartment, and I think I may be in the middle of a scheme, and bringing that attention to the FBI as well. So it's not just the companies but the individuals were in tuned to it also, and we got referrals from both.

[00:31:36] Bob: Ultimately, prosecutors say Chapman helped get North Koreans paying jobs at 300 US companies. They included a top 5 major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car maker, a luxury retail store, and a US media and entertainment company. Earlier this year Chapman pleaded guilty and was sentenced to 8 years in prison.

[00:32:04] Joe Hooper: My impression is that when she initially started out it, it was to receive a higher paying job. And that was, that was her objective. She got wrapped into actually getting paid for what she was doing, and she knew she was doing something wrong, but was looking the other way because she was getting paid for what she was doing, and so I think that was the motivator behind it is because she, she enjoyed getting that steady paycheck and didn't want to go, have to go back to looking for an additional job, and if she was facilitating some fraud or scheme, she was kind of turning a blind eye to that during this whole process because she was depositing checks that were not in her name. I mean she clearly took overt steps that were illegal activity, and she knew it and admitted to it.

[00:33:00] Bob: She clearly knew she was doing something illegal, and yet...

[00:33:05] Bob: Sorry, I have to say I just spent a bit of time going through a bunch of her TikTok videos, and I don't know you feel or if you're supposed to feel, this all seems really sad to me, like she seems like a pretty tragic character and the 177,000 isn't, didn't make her rich, but now she's going to spend 8 years in jail? It seems, it's a sad story.

[00:33:23] Bob McMillan: The North Koreans, if they have a superpower, it's identifying people who will do almost anything in task rabbit style for them. And you find that as you look into this scam, there are a lot of people who work for them who get hired like on those kind of upworker job-seeking sites. They can get reached out through LinkedIn, but they actually also target people through gambling sites. They target people who are at a point in their life where they, where the offer of some apparently easy money is just too good to refuse. They target the vulnerable and she definitely was vulnerable. She was, I think, a well-intentioned person who was just, just desperate and you do feel sad for her watching the videos because she didn't make a ton of money, she didn't appear to be, have any animus toward the United States. There's no evidence really that I've seen that she actually knew she was working for North Korea, but at a certain point, like it was clear, it was clearly, she clearly knew she was working on a scam.

[00:34:34] Bob: Clark Flynt-Barr thinks those early TikTok videos when she was explaining how hard her life was, showering in the gym and so on, well that helped make her a target.

[00:34:45] Clark Flynt-Barr: Yeah, I mean I think that's something that when I worked for the government, we were very aware of not sharing personal information that might make us more vulnerable to being a target either from a foreign adversary or other, other means. The more information you share online, the more easy it is to target you, especially if you're sharing information about needing money or for example when you're traveling, showing that you're traveling and that your house is empty. All of these things make you more vulnerable.

[00:35:17] Bob: Bob McMillan has been studying North Koreans hackers for a while, and in addition to their ability to identify vulnerable people, they have some tell-tale quirks.

[00:35:28] Bob McMillan: Oh, (chuckles) yeah, so there, there is this phenomena like I, I was having dinner at a, a cyber conference with a couple of researchers a couple of months ago, and they were talking about how Kevin was like the most popular name for the North Koreans they were investigating. They're like, what's up with the Kevin thing? And I looked into it and I found there was another researcher who said that she was doing an investigation into these North Koreans, and she started realizing that a ton of them were using these like minion, the Despicable Me minion icons in their GitHub and their Telegram channels. They seemed to love minions, and there were a couple of groups of these North Koreans that just seemed to be like minionophiles to the point where min--, and Kevin, of course, is the name of the, my favorite minion, the golf-playing minion, but it became, it got to the point where there were just enough of the North Koreans doing this that it became an indicator of compromise. Like if you, you started, you're investigating an employee and you looked at their GitHub, and you saw a minion, you'd be like, oh shit. Here we go. This could be a North Korean. And I just thought that was so funny because they are, they are minions. (laughs) And they love the minions. And I was like, do they see themselves as like minions? And I don't know that they do? I think they might just really like Despicable Me. I definitely was able to find reference to, to Despicable Me being broadcast in at least one of the, one of the films being broadcast in North Korea, and we, somebody provided us with a photo of an alleged North Korean fake IT worker standing in front of a, a Despicable Me display which was quite funny.

[00:37:15] Bob: Funny, and now a well-known clue among researchers.

[00:37:20] Bob McMillan: Here, there is, there is like a, just in terms of like how to identify them, I, there's certain phrases that they use and they kind of change, but like the way they talk about themselves. If you are able to, and I can't, it's a little bit complicated to explain. If you get one, a North Korean fake resume and then you start looking for the way they describe the jobs, you'll, other resumes will pop up because they use the same language over again. So there are groups of researchers who publish on the North Koreans and share information. There's a couple of accounts on X that are pretty prolific and tweeting about this stuff. And I think their tactics change a lot. But they can be identified just through some certain types of indications that Despicable Me characters are definitely a hint.

[00:38:11] Bob: Including their particular affection for Gru, the lovable supervillain from the movie series.

[00:38:18] Bob McMillan: There's this funny thing when, when I was working on that story, there was one North Korean who had used like a, a GRU, a GRU-something email address, I think it was. And when that was disclosed, people thought maybe it was a Russian, 'cause the GRU is the military intelligence division of Russia's military intelligence. And but it was, but some, another person who had interacted with this North Korean produced evidence showing that they were just fans of minions and that's why they used the Gru part.

[00:38:53] Bob: There isn't anything charming about this very serious crime. It's important to note that in addition to evading US sanctions, criminals like Christina Chapman have hurt many regular people too.

[00:39:06] Bob McMillan: This seems awful, like a really awful part of this is that some of the victims just have their identity stolen and so they don't even know this is going on until one day they get a tax bill for the North Koreans are taking the minimum number of deductions, so they get these, it's been described, I haven't talked to somebody who this happened to, but I understand that there are a lot of Americans who are just suddenly getting out of the blue these massive tax bills because their identities have been stolen by the North Koreans and used to get jobs. And may--, maybe even multiple companies.

[00:39:36] Bob: And they won't find out for a year or two maybe even and then when they find out, they get this scary letter from the IRS, and I'm sure it's a huge hassle to clear it up.

[00:39:46] Robert McMillan: To, yeah, to say, to call up the IRS and say, hey, I think that was a fake North Korean who was actually working there. It wasn't me. Like they wouldn't even know that. They would just, how do you talk yourself out of that one? That just seems like a real hassle, yeah.

[00:40:00] Bob: I do want to make sure we get to this part, 'cause I think it's what Perfect Scam listeners can take away from it. Real people's identities are often used to take these jobs, and the whoever’s managing the laptop farm is pretending to be one person in order for this North Korean to take, take the job, and so that person is the victim of identity theft, they might end up with a tax liability they don't know about or other problems, and so real people are getting hurt in this crime too, right?

[00:40:25] Clark Flynt-Barr: Yes, and we hear about this from folks who call into AARP's Fraud Watch Network, that they have learned that their identity, they were a fraud victim, and now their identity is being used to commit fraud against other people.

[00:40:40] Bob: So if some part of you is used in the committing of a crime, even if there's no penalty that's still an awful thing to go through, right?

[00:40:45] Clark Flynt-Barr: Yes. Yeah, absolutely. I think it feels very violating to have, to know that somebody is pretending to be you to steal money from other people.

[00:40:56] Bob: Clearly companies are victims in this crime too. Still, it's a fair question to ask if companies are doing enough to vet their remote workers.

[00:41:05] Bob: I can't help but think if you could have an employee who's really in North Korea and do a job for you for a couple of years and not notice that there might be a bit of a management problem there?

[00:41:16] Bob McMillan: It's really about the onboarding. You are supposed to verify the identification documents. And so when Chapman was, when she finally was sentenced just last month, and when she was sentenced, the FBI released an example of a fake driver's license that was used in her scam. And you take a look at this driver's license and it's like the sex, the word S-E-X, is spelled S-A-X in the driver's license. There's, there's, so there are these flaws in it that are just like comically, it was just a comically bad forgery of a legit driver's license. So right away you look at that, you're like, somebody was not really doing due diligence just on the document inspection side. But then, you know I do have sympathy for people who are just like I think there are a lot of companies where software development is not necessarily their core competency, but they have to have some software, some coding done and so they, they hire these people who are pretty used to offshoring coding to, to other countries. They basically, all they care about is just make the software work. Do the magic, spread, spread the magic, software pixie dust and just get this done.

[00:42:35] Bob: So you have somebody working at your company for a year, and you just never asked them how their kids were? Or anything? How impersonal have we become?

[00:42:43] Robert McMillan: Yeah, you're right about that. The, so I mentioned earlier I'd interviewed a guy that only will hire people he's had lunch with. He developed a relationship with this North Korean coder where they considered themselves to, he considered him a friend, right. He knew about the guy's girlfriend and...

[00:43:00] Bob: That's fascinating.

[00:43:00] Bob McMillan: ... the whole, he claimed too that the, that they liked to go to the mall and they weren't like super close. Look it, a lot of software developers don't have the, they're not super chatty about their personal lives. Even there's a sense that sometimes it's just about the work with some of these relationships. And I don't know, I don't know that's ever going to change, but you're right. To know nothing about your employee after a year, that's, yeah, that's not good.

[00:43:25] Bob: And since we already know North Koreans are good at monetizing these kinds of hacks, what other kinds of trouble might they be causing once inside these companies?

[00:43:35] Bob McMillan: It's bad that these North Koreans are getting access to corporate networks, right? That's just hands-down, a bad thing. The motivation to date has mostly been to get the paychecks. However, when they get found out, it's becoming increasingly common that they will do that at exfiltration. And so you have to wonder if there is a, an entity, like if you're a defense contractor, aviation company, missile company, and you have one of these employees, then I think there's some national security questions around that. But the data exfiltration typically happens in order to further extort the victim, right? They what, they take the data down and then they say, we're going to dump this unless you pay us some more money after you fire them. So that's something that we've definitely heard of happening. I'm not aware, in the crypto world, there were, there were definitely backdoor type things that were added. In the kind of regular software world, I don't know about, I have, I don't know. I've not heard that that has happened. It's definitely something that could happen.

[00:44:43] Bob: So what are companies doing to combat this epidemic of fake remote workers? Well believe it or no, some companies have taken to requiring a peculiar kind of test from new workers.

[00:44:55] Bob: I actually heard the phrase liveness test recently about this topic which seems, again, this, what an age we live in, you have to do liveness tests for employees before they start.

[00:45:04] Clark Flynt-Barr: Right. Because before we're, when we applied for jobs, we did so in person. But for example, when I applied for this job, that whole hiring process was online. So you really have to take extra due diligence and make sure you're verifying that the applicants are who they say they are to prevent these companies from being a victim of one of these types of scams.

[00:45:28] Bob McMillan: If you are interviewing the person, make sure that you have them on camera, right? Now we know that the North Koreans have used AI to create these like fake avatars that they do on camera interviews with, so they actually look like people, who they're not. But if you look at the, you could find them on the internet, there are a couple of examples of them. They're pretty badly done, and then there's this, there's this one like dealbreaker for when you have an AI interview going on where you ask the person with the fake AI to like put their hand in front of their face, and of course, that's impossible to do in, with a fake avatar. The, it can't render a hand in front of one of the faces, so it, that stops the interview right there. But you can also get to know your employees. You can ask them if they claim to be from San Francisco. You can ask them what their favorite football team...

[00:46:21] Bob: What's your favorite restaurant? I mean...

[00:46:23] Bob McMillan: Yeah, and if they, so yeah, people who are working at Vladivostok may not know the, they may not know what the weather is right there. They can actually figure that out pretty, but yeah, if you ask about a restaurant or the football team or you could ask them to just show, let, can I look out your window? And they're just questions you can ask. But bear in mind that as these interviews, job interviews are happening, like it's insane what's going on in the other side, like these, these candidates are, they have prompts right next to them, they're getting answers for the, the questions you're asking them from the internet as you ask them. So you've got to be clever with those gotcha questions because if they can just like google it or just ask ChatGPT or something, some product like that for the answer, they might be able to answer it for you. Like your restaurant question, I'm thinking, or even your favorite football team like that, they, they could, that they could get that answer. But I, I interviewed a guy who hired one of these people and had him work for a while at his company. And he said, from now on, if I'm going to hire you, I'm going to meet you face-to-face and we're going to have lunch together. And that's his way of getting around it.

[00:47:31] Bob: The good news is laptop farms are now squarely in the focus of the FBI. A DOJ press release from June indicates that search warrants were executed on 29 different laptop farms all around the country, and there was actually a guilty plea in Massachusetts.

[00:47:47] Clark Flynt-Barr: Yeah, I think law enforcement has done a good job of talking about this more publicly. They've put out a lot of alerts for businesses and I'll talk about the FBI for example, because I used to work there. But they have an Office of the Private Sector, then they also have a Public Affairs Office, and both of those offices do a lot of work to work with communities and make sure they are aware of the different types of crime that are happening and what the trends are, and so they're working constantly with different businesses to make sure they're up to speed on the latest trends. And this is, this is a great example of that.

[00:48:26] Bob: The FBI has some specific recommendations now.

[00:48:30] Joe Hooper: We put out a um, public service announcement earlier this year in, in the summer that identifies tips to protect your business and that's essentially for organizations to scrutinize, identifying, verify, uh, verification documents, you know, misspellings, different photographs, contact information. In many cases these individuals will not meet in person or if it's a remote Zoom, their camera appears to be broken. They will agree to meet in person, but there will always be some sort of excuse as to why they, they can't make that meeting or it can't be in person, and they can do it online or via the phone, but they can't have their face up. And so that's a, that's definitely a uh, a red flag. Making sure that you're talking to the same person over and over, I think in interviewing one of uh, one of the victim organizations, our agents were able to pull out of, of that company that they had noticed every time they talked to that person, it just seemed like a different voice, um, but they never really brought it up because they were talking about the same stuff. And so drilling down on, on some of those little nuances could help detect a person essentially who's in your organization that, that shouldn't be. Analyzing addresses, so if the individual provides information on where they live and then going to ship them equipment and it's getting shipped to a different address could be a flag especially if that address is in a completely different state which is usually what happens, can be a way to, to detect this.

[00:50:16] Bob: And of course, we have some advice for you too.

[00:50:21] Bob: What do you think our Perfect Scam listeners or just AARP members in general should take away from this laptop farm story?

[00:50:28] Clark Flynt-Barr: One thing I would highlight actually is that more than half of business owners in the US are over the age of 55. Our demographic disproportionately owns businesses and may be targeted by bad actors who are trying to gain access to either money, proprietary information, customer information. So I think it's really important to be doing your due diligence when you're hiring and ensure that you have strong security systems in place to protect yourself.

[00:50:58] Bob: And if you aren't a business owner, what should you learn from this story?

[00:51:03] Bob McMillan: There is like a, just, it's like an environmental disaster really. The, the leaking of our information, the poor stewardship of it, the consequences being passed on to individuals; it's just gotten to the point where it's, it's just a scandal, really. And I think that you know I do sorry about my private information being accessed by other people, but I believe it is 100% available to anyone who wants it, and I think that's probably the case for the vast majority of Americans. And that's just, I mean that's disheartening. I think it, there, there are a couple of things. One is given that's the state of affairs, you have to really be thoughtful about how scams are going to affect you and how you could be affected by a scam. What I tell people is, just given that your infor--, so much of your information is out there, of your Social, everything like that, lock your credit. Just go to a credit agent, go to the three credit major credit agencies, and just freeze your credit and unfreeze it when you need it. That's a pretty good system, and it prevents at least one, one type of fraud, people taking out credit cards or applying for things in your name from happening. I don't think it would help you with this particular scam. But it would, it's something to do given that this catastrophe of information availability. The other thing is, like the IRS, and in particular Social Security, are two entities where you can set up accounts and do that before the hackers do it, make... I have heard of people who have had Soc--, Social Security accounts set up for them in their name, but by, by criminals, and then the criminals, when the person turns 62, they start drawing. And they have no idea that their Social is being emptied until they might be waiting till they're 65 or whatever to do it. Those are a couple of things that I just think everybody should do. Just register those accounts, freeze your credit, and just get ahead of this.

[00:53:03] Bob: And of course, the most important way to protect yourself is, be careful what job you take.

[00:53:09] Joe Hooper: As was demonstrated by in this case, somebody got sucked into something and definitely got in over their head on what they had kind of it appears that they had set out to do. But along the way, there were indicators that this was an illegal scheme, so finding, (clears throat) if people are concerned or they feel like something may be too good to be true, bouncing that situation off of a trusted contact whether that's a relative or a close friend, as far as a sanity check as to whether you know this situation or idea passes the sniff test is a, is a good first step. In this case, these actors are specifically looking for US-based personnel. They're looking for a US-based internet connection to set up some sort of infrastructure, laptops, different protocol, be able to download software and I, you know that in, in some cases may seem higher, could be more complicated to some than, than others, but they'll pivot to, okay, well we don't necessarily need maybe a, a full setup of, of a computer, but we do need an address where we can ship stuff to that may need to be reshipped either to another location in the United States or, or abroad. Also, they may ask for the setup of financial accounts and then uh, as a part of setting up these financial accounts, the individual will get a cut or some sort of a fee and proceeds earned for each one of those being, being set up. They'll look for accounts being set up on, on different job sites so the North Korean IT workers will task US people to set up accounts on popular job search sites that the North Koreans can use to make it appear to be more, more legitimate. They'll also ask for the purchase of and funding of web services such as AI models, background check programs that the IT workers may not have access to from their location, but we do here in, in the United States. And then also potentially attending virtual interviews and meetings on behalf of other people, that's a huge red flag, and then uh, the creation of US-based businesses that is front companies purporting to offer, you know, short-term technical contract, IT work. Uh, those are some of the big flags that, that we've identified that these IT workers are, are looking for and/or they will try and drive the conversation towards some of those to try and get people, or try to quote/unquote hire people to conduct these activities.

[00:56:03] Bob: And if you are worried you might be having an interaction with a criminal online about a job opening, you can contact your local FBI office by looking it up at FBI.gov or you just call 1-800-callFBI, or you can visit the Internet Crime Complaint Center at IC3.gov, and of course, you can all the AARP Fraud Watch Network Helpline at 1-877-908-3360. For The Perfect Scam, I'm Bob Sullivan.

(MUSIC SEGUE)

[00:56:44] Bob: If you have been targeted by a scam or fraud, you're not alone. Call the AARP Fraud Watch Network Helpline at 877-908-3360. Their trained fraud specialists can provide you with free support and guidance on what to do next. To learn more about the Fraud Watch Network volunteers and the fraud survivors they've helped, check out the new video series, Fraud Wars, on AARP's YouTube channel. Our email address at The Perfect Scam is: theperfectscampodcast@aarp.org, and we want to hear from you. If you've been the victim of a scam or you know someone who has, and you'd like us to tell their story, write to us. That address again is: theperfectscampodcast@aarp.org. Thank you to our team of scambusters; Associate Producer, Annalea Embree; Researcher, Becky Dodson; Executive Producer, Julie Getz; and our Audio Engineer and Sound Designer, Julio Gonzalez. Be sure to find us on Apple Podcasts, Spotify, or wherever you listen to podcasts. For AARP's The Perfect Scam, I'm Bob Sullivan.

(MUSIC OUTRO)

END OF TRANSCRIPT