Imaginary Employees, Actual Danger: How In-House Counsel Can Stop Remote Work Scams in Their Tracks

Imagine this scenario: You are an associate general counsel for a global technology company and were just alerted that a recently hired, fully remote employee has presented an identity document that appears to be fake. With the assistance of your IT security team, you investigate and uncover a troubling pattern, including login locations that do not match the employee’s claimed residence and a freight-forwarding address used for equipment delivery. An internal audit reveals an apparent remote work scam involving multiple employees hired through a third-party staffing firm.

Now what?

In today’s increasingly remote-first work environment, the flexibility and global reach of distributed teams have gone from a competitive advantage to a necessary part of a company’s business model. But with that flexibility comes a new and evolving threat of fraud—one that is increasingly drawing the attention of the US Department of Justice (DOJ) and other federal agencies.

Understanding the threat

The proliferation of remote work has introduced a new vector for fraud, one that exploits the digital hiring process and circumvents traditional safeguards. According to the US Bureau of Labor Statistics, in 2019, only 6.5% of US private sector workers worked primarily from home.  In an April 2024 report, the Congressional Budget Office estimated that figure had risen to 25% in 2022.  It is likely to be even higher now. This dramatic shift has expanded the surface area for fraud, making it easier for bad actors to manipulate virtual onboarding systems, impersonate legitimate candidates, and gain unauthorized access to revenue and sensitive information.  

Some of the most effective schemes have involved the use of stolen or synthetic identities, forged documentation, proxy infrastructure such as VPNs, and remote desktop tools. In some cases, schemes have centered on the use of “laptop farms,” physical locations where dozens of laptops are remotely controlled by threat actors outside the US. These setups often involve US-based collaborators (sometimes legitimate company employees, sometimes third parties), allowing overseas threat actors to appear as though they are working from within the United States by mimicking domestic IP addresses, time zones, and login behaviors. 

Recent action by the federal government 

On May 16, 2022, the State Department, Department of the Treasury, and the FBI issued “Guidance on the Democratic People’s Republic of Korea Information Technology Workers,” warning of the growing threat of North Korean IT workers seeking employment while posing as non-North Korean nationals. The guidance further warned of instances of North Korean nationals infiltrating companies across sectors—including defense, finance, and technology—generating revenue for the North Korean regime. 

In the wake of the 2022 guidance, federal authorities have launched a series of coordinated enforcement actions aimed at dismantling complex international schemes that exploit digital hiring practices. These cases, prosecuted by the DOJ in collaboration with the FBI, IRS, and other federal agencies, reveal the extent to which foreign actors and domestic enablers have infiltrated US companies under false pretenses. The following prosecutions illustrate several fraud patterns and the government’s evolving strategy to combat this multifaceted threat.

In what the DOJ has called the largest case of remote work fraud to date, Christina Marie Chapman, a US citizen, and Oleksandr Didenko, a Ukrainian national, were charged in May 2024 for orchestrating a sprawling scheme that enabled overseas IT workers to pose as US-based professionals. Chapman, a 49-year-old Arizona resident, allegedly ran a laptop farm out of her home, hosting dozens of company-issued computers that were remotely accessed by foreign workers using US IP addresses to fool employers. These workers infiltrated more than 300 US companies, including a major television network, a Silicon Valley tech firm, and an aerospace manufacturer. Chapman also processed payroll checks, forged documents, and laundered millions of dollars through her personal accounts, some of which were falsely reported to the IRS and Social Security Administration under the names of identity theft victims.

Didenko, meanwhile, operated the now-seized website upworksell.com, which openly advertised services to help individuals pose as US-based IT professionals. He created and sold fraudulent accounts on job platforms and money service transmitters, managing a network of nearly 900 proxy identities. His infrastructure included at least three US-based laptop farms, one of which hosted 79 computers, and he acknowledged in private messages that he believed he was assisting North Korean workers. The DOJ linked Didenko’s operation directly to Chapman’s, noting that one of his clients requested a laptop be shipped from his farm to hers. Together, their schemes not only compromised sensitive corporate systems but also exposed how remote work infrastructure can be weaponized to evade sanctions, steal identities, and funnel illicit revenue to hostile foreign regimes.

Beginning as early as 2021, Kejia Wang, a U.S. citizen and New Jersey resident, played a central role in a sprawling international scheme that helped North Korean IT workers infiltrate over 100 US companies under false identities. Working with co-conspirators in China, the UAE, and across the United States, Wang helped North Korean nationals pose as American software engineers by stealing the identities of more than 80 US citizens. These identities were used to apply for remote jobs at companies ranging from defense contractors to media firms. The fraud was elaborate: Wang and his associates created fake driver’s licenses and Social Security cards, submitted forged I-9 forms, and even registered shell companies to make the workers appear legitimate.

To complete the illusion, Wang operated a laptop farm, implementing remote desktop software and keyboard-video-mouse (KVM) switches, which allowed the overseas workers to access these machines from abroad, bypassing geolocation and security controls. In one case, a North Korean worker posing as a US citizen gained access to a defense contractor’s internal systems and exfiltrated data controlled under the International Traffic in Arms Regulations (ITAR). Wang also helped launder millions in illicit wages through US bank accounts and money transfer services, personally pocketing over $400,000. The scheme not only compromised sensitive corporate systems but also defrauded the IRS and Social Security Administration, leaving a trail of financial and national security damage in its wake.

Between late 2020 and early 2022, four North Korean nationals—Kim Kwang Jin, Jong Pong Ju, Chang Nam Il, and Kang Tae Bok—executed a coordinated scheme to infiltrate US and foreign blockchain firms under false identities and siphon off over $900,000 in cryptocurrency. Operating as a co-located team outside North Korea, the defendants posed as developers from countries such as Portugal and Malaysia, using forged identity documents and aliases, including “Bryan Cho” and “Peter Xiao.” They gained remote employment at companies in Georgia and Serbia, earned trust through legitimate work, and then exploited that access to manipulate smart contracts and funding pools on Ethereum and Polygon blockchains.

The thefts were not only technical but deeply deceptive. In one instance, Kim Kwang Jin modified smart contract code to change withdrawal rules, enabling the unauthorized transfer of thousands of tokens. When confronted, he denied wrongdoing via encrypted Telegram messages, even as stolen funds were traced to his wallet. The group laundered the proceeds through Tornado Cash, a cryptocurrency mixer designed to obscure transaction origins, and funneled assets through accounts opened with fraudulent documents. The case underscores how remote work, anonymity tools, and decentralized finance have converged to create new vulnerabilities at the intersection of cybersecurity, financial fraud, and national security.

What In-house counsel should do

Faced with a complex and evolving fraud landscape, in-house counsel must be prepared to protect their organizations from exploitation. The following measures can help mitigate risk and demonstrate a strong compliance posture in the event of an investigation.

• Strengthen identity verification: Companies should require video interviews where candidates are asked to display their government-issued ID on camera. In-person Form I-9 verification should be conducted whenever possible, avoiding remote or third-party verifications. Biometric logins and geo-location tracking on company-issued devices can help ensure that employees are working from their claimed locations. Remote desktop access and VPN use should be prohibited or strictly limited unless explicitly authorized and monitored.
• Conduct robust due diligence: Third-party staffing firms must be thoroughly vetted, with transparency demanded in their background check processes. Education and employment history should be independently verified using trusted sources. Resumes should be scrutinized for inconsistencies and overly generic portfolio sites that may indicate fraudulent activity.
• Monitor for red flags: Counsel should work with IT and HR teams to monitor for warning signs, such as refusal to appear on video, requests for payment in cryptocurrency, use of freight-forwarding addresses, and inconsistent login times or IP addresses. Insider threat monitoring tools can help flag suspicious behavior before it escalates.
• Prepare for enforcement and reporting: All hiring and verification steps should be carefully documented. Suspicious activity should be reported to the FBI’s Internet Crime Complaint Center (IC3) or other relevant authorities. Contracts and internal policies should be reviewed to ensure compliance with sanctions laws and other applicable regulations.
• Engage outside counsel: Experienced outside counsel can assist by facilitating an effective internal investigation that will surface key issues through document review,  analysis, and witness interviews.  This internal investigation can be prepared into a report or presentation and delivered to the US Attorney’s Office with appropriate jurisdiction, which, with the assistance of the FBI and local law enforcement, can bring the fraud actors to justice. Additionally, outside counsel can serve as effective thought partners for any remediation efforts, including trainings delivered to company personnel.    

Conclusion

For in-house counsel managing an evolving array of business and legal risks, understanding the complex intersection of cybersecurity, employment law, and national security is essential.  But in-house lawyers need not (and should not) walk this path alone. They should seek out legal partners with experience building robust compliance programs, conducting internal investigations, and responding to enforcement actions from the DOJ, FBI, and other agencies. The threat is real, and the consequences are serious. But with the right legal partner, in-house counsel—the company’s first line of defense—can stay ahead of the curve and keep their companies out of the headlines.