North Korea Inside U.S. Companies

Barbed wire fence with North Korean flag behind.

A Ukrainian man’s identity theft marketplace funneled over $6.8 million directly into North Korea’s weapons programs while compromising America’s national security through a brazen scheme that placed enemy operatives inside dozens of U.S. companies.

Story Snapshot

Oleksandr Didenko operated Upworksell.com, selling 871 stolen U.S. identities to North Korean IT workers who infiltrated over 40 American companies
The scheme generated $6.8 million for North Korea’s hostile regime, directly funding weapons programs while violating sanctions
Didenko received a 5-year prison sentence in February 2026 after pleading guilty to wire fraud conspiracy and aggravated identity theft
Over 60 Americans had their identities stolen, while 300+ companies fell victim to data theft and potential extortion

Identity Theft Marketplace Enabled Enemy Infiltration

Oleksandr Didenko, a 29-year-old Ukrainian from Kyiv, ran Upworksell.com from early 2021 as a commercial marketplace selling stolen American identities to overseas IT workers. The operation managed 871 proxy identities, enabling primarily North Korean operatives to secure remote jobs at U.S. companies on platforms like Upwork. Didenko processed over $920,000 in payments tied to these fraudulent identities, knowing his clients included workers from North Korea, a hostile regime under strict sanctions. The scheme represents a chilling evolution of foreign infiltration, creating what U.S. Attorney Jeanine Ferris Pirro called “an enemy within” American businesses.

Laptop Farms Simulated American Workers Across Multiple States

The conspiracy operated physical “laptop farms” in Arizona, Virginia, Tennessee, and California, using 79 computers to simulate legitimate U.S.-based workers. North Korean operatives connected remotely from China and Russia, accessing corporate networks while appearing to work from American locations. Co-conspirator Christina Marie Chapman, an Arizona resident, hosted laptops and facilitated these connections, impacting over 60 stolen identities across 300+ companies. Chapman received a 102-month sentence in July 2025. These laptop farms allowed the operatives to bypass basic security checks, making the fraud difficult to detect and enabling prolonged access to sensitive corporate systems.

$6.8 Million Funneled to North Korean Weapons Programs

Between 2020 and 2023, the scheme generated over $6.8 million that flowed directly to North Korea’s regime, funding weapons programs in clear violation of international sanctions. The North Korean operatives, operating under aliases including Jiho Han, Haoran Xu, and Chunji Jin, earned salaries from unwitting U.S. companies while simultaneously stealing corporate data for espionage and extortion. Didenko used money transmitters to bypass banking restrictions, facilitating the transfer of funds outside legitimate financial channels. This represents a direct threat to American national security, as U.S. companies unknowingly paid enemy operatives who had access to proprietary information and sensitive systems.

Federal Authorities Dismantle Operation But Threat Persists

Didenko was arrested in Poland on May 7, 2024, and extradited to the United States later that year. The FBI seized Upworksell.com on May 16, 2024, redirecting its traffic as part of the enforcement action. In November 2025, Didenko pleaded guilty to wire fraud conspiracy and aggravated identity theft, agreeing to forfeit $1.4 million and pay $46,547 in restitution to victims. His February 2026 sentencing to 60 months imprisonment, followed by 12 months of supervised release, marks the latest conviction in an ongoing series of prosecutions targeting North Korean IT infiltration schemes.

Despite these enforcement actions, the threat continues to evolve. CrowdStrike reports a sharp rise in North Korean IT worker infiltrations posing as developers, while recent intelligence indicates operatives are now using authentic LinkedIn profiles to evade detection. The State Department has offered a $5 million reward for information on Chapman’s co-conspirators who remain at large. This persistent adaptation demonstrates the regime’s commitment to sanctions evasion and highlights the ongoing vulnerability of remote hiring practices in the IT sector.

Over 60 Americans Victimized by Identity Theft

The scheme devastated more than 60 American citizens whose stolen identities were used for years without their knowledge. These victims faced fraudulent tax filings, damaged credit, and the burden of proving they were not responsible for the North Korean operatives’ actions. The 300+ companies victimized by the scheme face a “triple threat,” according to cybersecurity researchers: sanctions violations for inadvertently paying North Korean workers, data theft from operatives with inside access, and potential extortion using stolen proprietary information. This case underscores the dangers of inadequate vetting in remote hiring and the real-world consequences when foreign adversaries exploit American openness for malicious purposes.