Ukrainian gets 5 years for helping North Koreans infiltrate US firms

Source: Bleeping Computer

Sentencing

39‑year‑old Oleksandr Didenko of Kyiv, Ukraine, pleaded guilty in November 2025 to aggravated identity theft and wire‑fraud conspiracy after being arrested in Poland in May 2024.
He was sentenced to 60 months in prison, 12 months of supervised release, and ordered to forfeit more than $1.4 million in cash and cryptocurrency seized from Didenko and his accomplices.

“Oleksandr Didenko participated in a scheme that stole the identities of hundreds of people, to include United States citizens, which were used by North Korea to fraudulently secure lucrative IT jobs,” said James Barnacle, Assistant Director in Charge of the FBI’s New York Field Office. “This massive operation not only created an unauthorized backdoor into our country’s job market, but helped fund the regime of an adversary.”

Scheme Overview

According to court documents, Didenko:

• Stole U.S. citizens’ identities and sold them to overseas IT workers through an online platform known as UpWorkSell (seized by the Justice Department).
• Enabled the fraudulent securing of jobs with 40 U.S. companies in California and Pennsylvania.
• Provided North Korean remote workers with at least 871 proxy identities and proxy accounts on three freelance IT hiring platforms.
• Facilitated the operation of at least eight “laptop farms” in Virginia, Tennessee, California, Florida, Ecuador, Poland, and Ukraine, making the devices appear to be located in the United States.

Laptop Farms

One of the farms was run by Christina Marie Chapman, a 50‑year‑old woman from Arizona, from her home between October 2020 and October 2023. Chapman was charged in May 2024 and sentenced to 102 months in prison after a July 2025 guilty plea.

FBI Warnings and Sanctions

The FBI has been warning about the danger posed by North Korean threat actors impersonating U.S.-based IT staff since at least 2023:

• IC3 PSA – May 2024
• Repeated notices (e.g., IC3 PSA – Oct 2023)

North Korea maintains a large, well‑organized army of IT workers who use stolen identities to secure employment with hundreds of American companies.

Enforcement Waves

• July 2024 – U.S. authorities sanctioned, charged, or indicted 20 individuals and 8 companies across three separate enforcement waves.
• August 2025 – A fourth wave of sanctions targeted companies associated with North Korean IT‑worker schemes operated by Russian and Chinese nationals.

Recent Developments

In December 2025, security researchers revealed that operatives of the Famous Chollima (or WageMole) group—part of the Lazarus hacking group—used AI tools and stolen identities to trick recruiters and obtain positions at Fortune 500 companies. (BleepingComputer article)