North Korean laptop farms have emerged as one of the most brazen sanctions-evasion schemes of the past five years, channeling millions of dollars directly into weapons programs by disguising foreign workers as American IT employees. Two US citizens recently received prison sentences for operating these operations, exposing a criminal ecosystem that exploited the remote work boom to defeat corporate vetting and generate over $17 million in illicit revenue.
Key Takeaways
- Christina Marie Chapman sentenced to 102 months prison for operating a North Korean laptop farm generating over $17 million in illicit revenue
- North Korean IT workers posed as US residents at 300+ American companies including tech giants, aerospace manufacturers, and media firms
- FBI seized hundreds of laptops from 29 domestic farms across 16 states in coordinated June 2025 raids
- Laptop farms rose sharply around 2020 when remote work became standard, creating ideal cover for sanctions evasion
- DOJ’s “DPRK RevGen” initiative, launched March 2024, specifically targets US-based facilitators of North Korean worker schemes
How North Korean Laptop Farms Actually Work
North Korean laptop farms operate through a deceptively simple mechanism: US citizens acquire company-provided laptops, install remote-access software, and ship them overseas to North Korean workers who then pose as American employees. The scheme exploits corporate hiring processes that rely on IP geolocation, device fingerprinting, and background checks—all of which can be spoofed when a laptop physically sits in the US while being accessed from Pyongyang. Christina Marie Chapman, a 50-year-old from Litchfield Park, Arizona, operated this exact setup from her home, hosting over 90 laptops seized during an October 2023 FBI search. She shipped 49 devices overseas, including to the China-North Korea border region, creating a pipeline for North Korean nationals to access remote positions at major US employers.
The scheme’s effectiveness hinges on corporate trust in remote work infrastructure. When a company sees login activity from a US-based IP address at reasonable business hours, it assumes an American employee is working. North Korean workers, often fluent in English and technically skilled, can pass initial vetting and maintain cover for months or years. Chapman’s operation alone placed North Korean IT workers at over 300 US companies, including a top-five television network, Silicon Valley tech firms, aerospace manufacturers, automotive companies, and luxury retailers. Each placement generated salary payments—typically $40,000 to $100,000 annually—that flowed back to North Korea’s government, effectively circumventing international sanctions designed to starve the regime of hard currency.
The Scale of Illicit Revenue and Government Reach
Chapman’s scheme generated over $17 million in total illicit revenue, with approximately $5 million flowing to North Korea over roughly three years. She personally received a portion of these earnings and was ordered to forfeit $284,555.92 to the US government and pay a $176,850 judgment. This represents just one operation. A related trio—Audricus Phagnasay, Jason Salazar, and active-duty US Army soldier Alexander Paul Travis—facilitated approximately $1.28 million in fraudulent salary payments from September 2019 to November 2022. Travis, despite earning only $51,000 personally, received a one-year prison sentence, while Phagnasay and Salazar faced three years of probation with $2,000 fines each. Additional facilitators like Erick Ntekereze Prince in Florida earned $89,000 by staffing US firms with North Korean workers between 2020 and 2024. Across multiple schemes, the DOJ has documented over $866,000 in fraudulent payments to 64 US companies spanning 2018 to 2024.
The FBI’s enforcement response escalated dramatically in mid-2025 when the agency conducted coordinated raids on 29 laptop farms across 16 states, seizing hundreds of devices, accounts, and associated websites. This operation, part of the DOJ’s “DPRK RevGen: Domestic Enabler Initiative” launched in March 2024, represents the most comprehensive federal crackdown on these schemes to date. The initiative explicitly targets US citizens and residents who knowingly facilitate North Korean worker placement, treating them as material supporters of a hostile regime’s revenue-generation apparatus.
Why Remote Work Created the Perfect Cover
The explosion of remote work around 2020 created unprecedented opportunities for sanctions evasion. Before the pandemic normalized distributed teams, a worker logging in from an unexpected location would trigger immediate red flags. By 2020, millions of Americans worked from home, and corporate security teams lacked the infrastructure to distinguish between a legitimate remote employee and a North Korean worker accessing a company laptop through a spoofed US IP. Vetting procedures designed for in-office hiring—drug tests, background checks, reference calls—could be circumvented through intermediaries or fabricated documentation. North Korean workers, many trained in software development and IT infrastructure, possessed the technical skills to perform genuine work, making them valuable hires despite the deception. Companies often did not discover the fraud until months or years later, if at all.
The timing was critical to North Korea’s survival. International sanctions imposed after nuclear weapons tests and missile launches had severely restricted the regime’s access to foreign currency. Traditional revenue streams—counterfeiting, drug trafficking, and cryptocurrency theft—remained viable but carried higher risk of international law enforcement action. Remote work fraud offered a seemingly low-risk alternative: legitimate salaries paid through normal corporate channels, with minimal digital footprint compared to cryptocurrency theft or malware operations. North Korean nationals could work from secure facilities in Pyongyang, insulated from direct law enforcement exposure, while US facilitators bore the legal risk.
Comparing Schemes: Facilitators vs. Operators
The criminal ecosystem behind North Korean laptop farms divides into two tiers: overseas operators (North Korean nationals and their handlers) and US-based facilitators. Chapman represents the high-level facilitator—she acquired hardware, managed logistics, and maintained the infrastructure that enabled dozens of fraudulent placements simultaneously. The related trio—Phagnasay, Salazar, and Travis—operated at a lower tier, providing physical space and technical assistance without managing the broader scheme. A third category includes identity brokers like Ukrainian national Oleksandr Didenko, who pleaded guilty to selling genuine US identities to fake IT workers, facilitating fraud at 40 US companies. This tiered structure allows North Korea to insulate its direct operators from US jurisdiction while leveraging American infrastructure and personnel to execute the scheme. Disrupting any tier—whether Chapman’s logistics network or Didenko’s identity pipeline—weakens the entire operation, which explains why the DOJ has pursued charges across multiple facilitator categories.
What Happens to Companies Caught in the Scheme
Employers who unknowingly hired North Korean workers face significant security and compliance risks. Workers with access to proprietary code, customer data, or internal communications could exfiltrate valuable intellectual property or conduct espionage on behalf of the North Korean regime. In some cases, the fraudulent employees maintained legitimate job performance, making detection difficult until a background check or security audit uncovered inconsistencies. Companies affected by Chapman’s scheme included major television networks, aerospace manufacturers, and tech firms—sectors where data theft poses national security implications. The FBI and DOJ have not publicly disclosed whether any data exfiltration occurred in documented cases, but the potential for such breaches underscores why these schemes warrant aggressive federal prosecution.
The FBI’s Enforcement Strategy Going Forward
The “DPRK RevGen: Domestic Enabler Initiative” represents a shift in federal strategy from prosecuting individual facilitators to dismantling entire networks. By targeting laptop farms themselves—seizing equipment, freezing accounts, and shutting down websites—the FBI aims to raise the operational cost of running these schemes and deter potential facilitators. The June 2025 raids across 16 states, which seized hundreds of devices and accounts, suggest the FBI has developed reliable indicators for identifying active farms: patterns of equipment purchases, suspicious shipping addresses, and metadata linking multiple laptop devices to the same geographic location. Charging US citizens with conspiracy to commit wire fraud and aggravated identity theft, rather than only charging them with sanctions violations, broadens the prosecutorial toolkit and makes conviction more straightforward. This approach mirrors law enforcement strategies against other transnational criminal networks: disrupt the supply chain, prosecute enablers aggressively, and make the cost of participation exceed the potential reward.
FAQ
How much money did North Korean laptop farms generate?
Documented schemes generated over $17 million in total illicit revenue, with Chapman’s operation alone accounting for that amount. Approximately $5 million flowed to North Korea from Chapman’s scheme over roughly three years. Additional schemes facilitated by other US citizens generated millions more, including $1.28 million in fraudulent salaries and $866,000 across multiple operations.
Why did remote work make these schemes possible?
Remote work normalized logging in from unexpected locations and eliminated the need for physical office presence, making it difficult for companies to verify that an employee was actually in the United States. Corporate vetting procedures designed for in-office hiring could be circumvented through intermediaries, and IP geolocation spoofing became far more effective when millions of legitimate remote workers had variable login locations.
What sentences did the US citizens receive?
Christina Marie Chapman received 102 months (8.5 years) in prison. A related trio—Phagnasay, Salazar, and Travis—received sentences ranging from one year (Travis) to three years of probation with fines (Phagnasay and Salazar). Sentences varied based on the degree of involvement and personal earnings from the scheme.
North Korean laptop farms exposed a critical vulnerability in how American companies hire and manage remote workers. The schemes generated tens of millions in illicit revenue that directly funded North Korea’s weapons programs, making the FBI’s enforcement campaign not merely a cybercrime matter but a national security imperative. As remote work remains standard across US industries, companies must implement stronger verification protocols—including periodic IP geolocation audits, device fingerprinting checks, and background verification at hire and during employment—to prevent future infiltration. The DOJ’s aggressive prosecution of US facilitators sends a clear message: knowingly enabling North Korean worker placement carries serious federal penalties, and the era of low-risk sanctions evasion through laptop farms is closing.
Edited by the All Things Geek team.
Source: Tom's Hardware


