Inside North Korea's effort to infiltrate U.S. companies

In recent years, thousands of North Korean IT workers have used stolen and made-up US identities to pose as Western developers, engineers, and tech consultants to funnel hundreds of millions of dollars a year to Pyongyang’s military programs.  

“They're everywhere, all over the Fortune 500,” said Michael Barnhart, Principal i3 Insider Risk Investigator at cybersecurity firm DTEX.  

The North Koreans rely on help from open-source AI and even live face-masking software to hide their true identities and locations during video calls from countries such as China, Laos and Russia.  

But their ability to embed themselves in corporate America doesn’t rely on trickery alone. It requires help from inside the United States.

One American woman, Christina Marie Chapman, was last month sentenced to eight-and-a-half years in prison for helping these operatives land jobs at more than 300 companies, generating over $17 million for Kim’s heavily sanctioned regime.  

A prolific TikToker, Chapman charted her remarkable rise in public videos from poverty to international travel, courtesy of a new job in “a computer business,” that US investigators used to build their case.

Chapman is not the only US resident to have participated in the scheme.

Recently unsealed federal indictments show other US-based facilitators played a crucial role in the operation – laundering paychecks, stealing identities and running “laptop farms” that allowed North Korean workers to appear as if they were physically present inside the country.  

The stealthy operation has allowed North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), to circumvent international sanctions, exploit remote hiring practices, and quietly generate hundreds of millions of dollars annually, according to the US Department of Justice – often without employers ever realizing they’ve hired a North Korean operative. This puts them at risk of violating US sanctions which bar doing business with North Korean individuals or organizations.  

“If you take away looking at them as a government and start thinking of them more as kind of a mafia, everything falls into place,” said Barnhart.

The DPRK Foreign Ministry addressed the issue in July after the US offered a reward of up to $5 million for information on several North Korean nationals over the alleged IT worker scheme. Rejecting the allegations as an “absurd smear campaign,” the ministry accused the US of “fabricating groundless cyber drama.”  

Drawing on exclusive data sourced from North Korean computers, court records, and interviews with cybersecurity experts and US officials, a CNN investigation reveals the full scope of this scheme – showing how North Korea has turned remote work culture into an effective tool for generating foreign currency and funding its weapons programs, according to a US assessment, putting national security at risk.  

Kim Jong Un’s remote workforce

Unlike North Korea’s more high-profile cyber operations – like billion-dollar crypto thefts or ransomware campaigns – the IT worker scheme is a state-sponsored effort that seeks to place North Korean operatives in Western companies, not as saboteurs, but as employees, experts say.  

Evolving out of the North Korean scams of the 90s, like fake $100 bills under late leader Kim Jong Il, his son and successor has taken the scam operation online.

“Kim Jong Un is a millennial, and so he has gravitated toward technology a lot more than his father did,” said Barnhart. “The IT workers are a very large force that they are wanting to continue to beef up.”

Barnhart belongs to a group of tight-knit internet sleuths and cybersecurity professionals leading the charge in hunting down North Korean IT workers. For many of them it’s more than just a job – Barnhart has a tattoo for every DPRK cyber unit he has busted.  

With antiquated technology and little access to unrestricted internet within North Korea, most of these operations are run from abroad. Southeast Asia, and parts of China and Russia near the North Korean border are among the preferred staging areas thanks to their proximity and friendly relations with the regime, according to US prosecutors and cybersecurity experts.  

Fake resumes and rehearsed lines powered by AI

Exclusive datasets, including browser histories and ChatGPT searches from over a dozen North Korean computers, obtained by researchers through open-source analysis and shared with CNN reveal how they engage AI to create job-seeking personas.  

The datasets show the IT workers looking up LinkedIn and other job-seeking platforms thousands of times, in a matter of months, with some profiles applying for dozens of jobs.

Records of their browser histories also confirm what can be seen in their profiles and resumes – consistent use of AI faceswap software, VPNs, remote working software and a heavy reliance on ChatGPT and Google Translate.  

These operatives are not just using AI to write code or automate tasks – they're using it to fabricate identities, conduct interviews, mimic cultural fluency, and automate applications to apply for jobs en masse.  

“AI is very important to them,” said Barnhart. “It helps out everything else they’re doing.”

Outside the professional sphere, AI is also a cultural crutch – helping North Korean workers adapt to American customs and office small talk. ChatGPT records connected to North Korean computers show them asking for New Year’s resolutions, guidance on Thanksgiving greetings, and explanations of American football rules.

The North Koreans were early adopters of AI tools such as ChatGPT, according to Evan Gordenker, Consulting Director of Unit 42, the threat intelligence arm of cybersecurity firm Palo Alto Networks. He said they were such prolific users of early open-source AI models that they made significant contributions to training and developing the AI we use today.  

“Just ask them about who they are and they fall apart”

Once you’ve learned how to spot a North Korean on a job-seeking site, it’s hard to not see them everywhere, but the sheer number of automated applications they submit can inundate companies that often outsource their recruiting.  

Human risk management company KnowBe4 estimates they’ve received at least 100 applications from suspected North Korean IT workers in the past year.  

And last summer, they inadvertently hired one.  

The company needed a software engineer for its internal IT AI team and posted a job advertisement on the company’s website as well as external platforms.  

After going through the usual recruitment process, they hired a person and mailed them their work laptop. As soon as the laptop was received on the other end, it began downloading malware.  

Brian Jack, KnowBe4’s chief information security officer, suspects an American facilitator set off internal alarms by downloading remote working software.

The company immediately terminated the new employee and asked for the return of the laptop. It came back in its original packaging with one key addition – a post-it note with the word “KnowBe4” stuck on it, which Jack said indicates it may have come from a laptop farm.  

Since that day, Jack said he’s been tasked with making sure a North Korean never slips through the cracks again, and KnowBe4 is now known as one of the leading companies in tracking DPRK workers.

Rather than choosing to expose suspected North Korean applicants by asking them about Kim Jong Un or the DPRK regime, Jack prefers a more subtle approach – asking them about their favorite restaurants and hobbies.  

“Just ask them about who they are and they fall apart,” Jack said. Most North Koreans’ lives are heavily regulated by the state, with no connection to the outside world under the Kim family rule.

The North Korean IT workers certainly enjoy a degree of freedom and privilege compared to their compatriots back home, but experts say it’s hard to discern how closely they are being monitored, or if their families are being used as leverage.

Photos shared by DTEX of a North Korean IT worker office show a CCTV camera looking over a small room, with bare, white walls, where a handful of workers are using computers at cluttered desks.  

A North Korean tech worker poses inside an office. DTEX

There’s a watercooler in the corner, and what appears to be laundry drying on a rack.

“There are North Korean victims in this, too,” said Jack. “People don't get to choose where they're born, so they just got to make the best of what they're doing.”  

But to make this scheme work, the North Koreans needed help – from within the US.  

Rags to riches

To her 100,000 TikTok followers, Chapman seemed to be a typical suburban, middle-aged American.  

She shared healthy eating tips in selfie videos posted online. Off camera, she was engaged in covert activity that could have seen her jailed for life.  

According to a 2024 indictment, Chapman became entangled in the IT worker scheme around October 2020, just as the Covid-19 pandemic was sweeping the US, and companies were quickly transitioning to remote work.  

In a LinkedIn message, Chapman was approached by someone asking her to “be the US face” of a company and assist in helping remote IT workers secure jobs in the US, despite having no experience in the tech industry herself.

Around that time Chapman had been posting about her financial struggles on TikTok.

Shortly after, her North Korean contacts began applying to US companies and government agencies, submitting false information from Chapman to the Department of Homeland Security as proof of employment eligibility, according to the indictment.

Simultaneously, Chapman sent false information to verify these workers’ identities to the companies and, once the North Koreans had secured jobs, received their company-issued laptops.

Using login details supplied by their new employers, Chapman installed remote working software on the laptops, allowing the North Koreans to access them from outside the US.  

By early 2023, Chapman’s TikTok videos showed a very different life. Work was picking up.

Photos published by the DOJ show what appears to be Chapman's office in 2023. Rows of labeled laptops sit on open shelves in a small room that federal investigators say she used to perpetrate a "staggering fraud on a multitude of industries." At one point, Chapman handled as many as 90 laptops for the DPRK IT workers, the DOJ said.  

Among the companies targeted was the shoe giant Nike, which unwittingly paid more than $75,000 to a North Korean employee and subsequently conducted a review to confirm there was no data breach.  

Of the 68 stolen identities that Chapman and her group of North Korea IT workers used, CNN was able to trace one identity with computer data provided by Palo Alto Network’s Unit 42.  

"Breeyan Cornelius” was a stolen identity used by several North Korean IT workers, according to Gordenker, Consulting Director at Unit 42.

He told CNN the real Cornelius was a bus driver living in California. CNN reached out to Cornelius but did not receive a response.

CNN reviewed computer data belonging to the North Koreans operating under the name “Breeyan Cornelius” and found dozens of IT-related job applications and searches at American companies. In some cases, companies replied and even offered job interviews to the North Korean.

In a fake resume, “Breeyan Cornelius” claimed to be a “Well-qualified Full Stack Developer familiar with wide range of programming utilities and languages.” The resume also claimed he graduated from The University of Tennessee at Chattanooga with a Bachelor of Science in Computer Science in 2014.  

Under work history, the profile also claimed previous employment at Bank of America and German pharmaceutical giant Bayer.  

“We understand he operates in Liaoning,” Gordenker said, referring to the Chinese province that shares a lengthy border with North Korea.

A few years into her new job, Chapman was enjoying the new income stream, travelling to Fukuoka and Tokyo to watch – and meet – a Japanese boyband.  

Videos from the trip show her marveling at the “chic” lobby, touring her “adorable” hotel room and gushing about all the new Japanese foods she’d been trying.  

Text messages from around the same time show her growing nervous about handling federal documents, according to the indictment. “I can go to FEDERAL PRISON for falsifying federal documents,” she said in one message in August 2023, to a group that included several co-conspirator overseas IT workers.  

Shortly after, her life began to unravel.  

In late October 2023, the FBI executed a search warrant at her home in Litchfield Park.  

By March 2024, Chapman posted a TikTok video describing her struggles:  

“I need help and I’m really bad at asking,” she said. “I haven’t worked since the end of October, and that’s not by choice, I lost my job and I’ve gone through all of my savings.”  

She was arrested in May 2024, and legal proceedings began.  

By August, the toll was evident. She posted another plea on TikTok:  

“I have been struggling quite a bit financially, and I did lose my house, I have to be out by tomorrow morning,” she said. “If anyone is willing, five, 10 dollars.”  

Around this time, she began selling products on various websites, including artwork, books, custom poems, and “credit fixing assistance.”  

In February 2025, Chapman ended her legal troubles by waiving her right to a jury trial and pleading guilty to conspiracy to commit wire fraud, aggravated identity theft, and conspiracy to launder monetary instruments. The DOJ said she claimed she wasn’t aware she was working for the North Koreans, but Acting Assistant Attorney General of the Criminal Division Matthew Galeotti told CNN that that was “irrelevant.”  

“She knew that she was working for individuals abroad. She knew that they were using false identities. She knew that she was forging documents for her bank accounts. She knew that some of the addresses that she was sending hardware to were on the border of China and North Korea,” he said.  

“The safety of our nation is at issue”

In late June, the DOJ conducted sweeping raids and searches at 29 known or suspected laptop farms across 16 states, seizing around 200 laptops.  

With all North Korean workers located outside the US, in countries without extradition treaties with the US, these raids are one of the few tangible ways authorities can disrupt the scheme, Galeotti said.  

“You will be prosecuted to the fullest extent of the law. The defendant in this case [Chapman] made perhaps just north of $170,000. It's not worth it,” he warned.  

Chapman arrived at her sentencing hearing at a US District Court in Washington DC on July 24 wearing dark glasses and accompanied by a camera crew. Inside the court, public defender Alexis Gardner argued for the lowest possible sentence. “She’s a pawn in this whole scheme,” Gardner told the court.  

Speaking through tears, Chapman told the court she began running the laptop farm because her mother was ill at the time. She expressed remorse for the harm she had caused people whose identities were stolen and used by the North Koreans.  

“The fact that I was part of something that caused so much damage to somebody,” Chapman said, sobbing. “I really hate myself because of that.”

Judge Randolph Moss acknowledged she seemed “genuinely remorseful” but handed down a sentence of 102 months in prison and 36 months of supervised release.  

“The safety of our nation is at issue,” he said.  

US authorities have vowed to track down other American citizens knowingly or unknowingly helping the Kim regime evade international sanctions, offering millions of dollars in rewards in exchange for information.  

US officials said it’s not just money the North Koreans are after – they warn the scheme is evolving, and that as operatives gain access to sensitive roles or become exposed, they may turn malicious and launch malware or ransomware attacks.

In a press briefing after Chapman’s sentencing, US Attorney for the District of Columbia Jeanine Ferris Pirro sent a direct message to corporate America: “This is a code red.” “Your tech sectors are being infiltrated by North Korea. And when big companies are lax and they're not doing their due diligence, they are putting America's security at risk,” she said.  

Experts say the scheme is too big to take down, powered by a regime with no shortage of compliant workers, aided by US facilitators recorded in every state except Hawaii.    

“For everyone that we do catch and for every laptop farm that the FBI raids, it is an element of whack-a-mole,” said Gordenker, noting that the alias Breeyan Cornelius is still active and was last seen applying for a job at a large insurance company in May 2025.

“There is no silver bullet,” Gordenker said. “This is an inherent risk in doing business... you run the risk of hiring a North Korean.”