Inside the Laptop Farm: How a Ukrainian Operator Built a North Korean IT Worker Pipeline Into America's Companies

On February 19, 2026, a federal judge in Washington, D.C., sentenced Oleksandr Didenko, 29, of Kyiv, Ukraine, to 60 months in federal prison for orchestrating one of the most operationally sophisticated North Korean IT worker infiltration schemes ever prosecuted in the United States. The case, announced by U.S. Attorney Jeanine Ferris Pirro, exposes the full infrastructure behind how North Korea's remote worker army quietly embedded itself inside 40 American companies — and it should be required reading for every CISO, hiring manager, and HR department in the country.

Full DOJ press release


The Architecture of the Fraud

Didenko didn't just sell stolen identities. He built and operated a turnkey infiltration service for North Korean IT workers — handling virtually every logistical layer required to place a foreign national inside a U.S. company without detection. If you're not yet familiar with how these laptop farms physically operate, our deep-dive into North Korea's laptop farm remote job scam covers the mechanics from the hiring manager's perspective.

Starting as early as 2021 and operating under the domain Upworksell.com, Didenko offered overseas clients a full menu of fraud-as-a-service capabilities:

  • Stolen and fabricated identities purchased or rented from real U.S. citizens
  • Over 2,500 fraudulent accounts across freelance IT job platforms, money service transmitters, email services, and social media platforms
  • Fake documentation, including counterfeit passports
  • "Stand-in" actors hired to pose as the IT worker during video interviews or check-ins with employers
  • U.S.-based laptop farms — physical locations where company-provided laptops were hosted, with remote access software installed so North Korean operators could appear to be working stateside
  • Money routing infrastructure through Money Service Transmitters, allowing clients to receive U.S. employment income without opening a domestic bank account

At its peak, Didenko managed as many as 871 proxy identities and operated at least three laptop farms across Virginia, Tennessee, and California, paying American co-conspirators $100 per month per laptop hosted. Seventeen laptops were seized by law enforcement during raids in May 2024.


The Human Cost Behind the Scheme

While the geopolitical dimensions are significant, the personal damage inflicted on identity theft victims is often overlooked. Court documents reveal that at least 18 individuals had their identities stolen, and 13 of them had fraudulent tax liabilities created in their names — with the stolen workers' income falsely reported to DHS, the IRS, and the Social Security Administration.

Victims are still in ongoing negotiations with the IRS to resolve these false filings. At least one victim is mentally and physically disabled, and the theft of her identity disrupted her Social Security and food stamp benefits. All affected individuals are now flagged in the federal government's employment eligibility database, forcing them to clear additional hurdles every time they apply for a job.

This is not abstract national security harm. Real American citizens are dealing with financial and bureaucratic wreckage that may take years to fully resolve.


The North Korea Connection

The wages funneled through Didenko's network didn't disappear into personal bank accounts. They flowed into North Korea's weapons programs. This scheme is one piece of a much larger state-sponsored cybercrime empire — one we documented extensively in North Korea's Global Cybercrime Empire: The World's Most Sophisticated Digital Mafia, which traces how Pyongyang has turned IT worker infiltration into a multi-hundred-million-dollar revenue stream.

U.S. Attorney Pirro put it plainly: "Today, North Korea is not only a threat to the homeland from afar, it is an enemy within. By using stolen and fraudulent identities, North Korean actors are infiltrating American companies, stealing information, licensing, and data that is harmful to any business. But more than that, money paid to these so-called employees goes directly to munitions programs in North Korea."

The FBI's Counterintelligence and Espionage Division has been tracking this campaign for years. North Korea maintains a large, well-organized army of technically skilled workers who use stolen identities to secure employment at hundreds of American companies — not just for the salary, but for access to proprietary systems, source code, and sensitive internal data.

Didenko's location overseas made detection particularly difficult. Prosecutors noted that operating from Ukraine allowed him to exploit U.S. legal enforcement gaps while providing services that were, in their words, integral to making the entire scheme function: "The North Korean IT worker scheme would be much more difficult to execute without individuals like [Didenko], who essentially operated a business designed to facilitate virtually all aspects of the fraudulent scheme."


How the Operation Unraveled

The beginning of the end came through co-conspirator Christina Marie Chapman, a 50-year-old Arizona woman who ran a laptop farm out of her own home from October 2020 through October 2023. In late 2023, Didenko shipped a computer directly to Chapman's farm — a move that would ultimately expose the broader network.

Chapman was arrested in May 2024. The DOJ simultaneously seized the Upworksell.com domain and redirected all traffic to FBI-controlled servers. Polish authorities arrested Didenko shortly thereafter, and on December 31, 2024, he was extradited to the United States. Chapman was sentenced in July 2025 to 102 months in federal prison.

Didenko pleaded guilty on November 10, 2025, to wire fraud conspiracy and aggravated identity theft. In addition to his 60-month sentence, he was ordered to:

  • Forfeit more than $1.4 million, including approximately $181,438 in USD and cryptocurrency
  • Pay $46,547.28 in restitution
  • Serve 12 months of supervised release following his prison term

In a handwritten letter to the court, Didenko claimed he didn't know his clients were North Korean until 2024, when South Korean intelligence agents revealed the truth. "The shame was unbearable. I carry the burden of being a traitor — an indelible mark upon my conscience," he wrote. The court was not moved enough to deviate significantly from prosecutorial recommendations.


A Broader Enforcement Push

This case is not an isolated prosecution. The DOJ has been systematically dismantling the North Korean IT worker infiltration network:

  • In July 2024, U.S. authorities sanctioned, charged, or indicted 20 individuals and 8 companies across three enforcement waves targeting North Korean IT worker schemes.
  • In August 2025, a fourth wave of sanctions targeted companies with ties to North Korean schemes operated by Russian and Chinese nationals.
  • Multiple U.S. nationals — including Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis — have each pleaded guilty to wire fraud conspiracy for hosting North Korean-operated laptops in their homes.
  • Erick Ntekereze Prince, whose company Taggcar was contracted to supply "IT workers" to victim companies, helped North Korean operators earn nearly $950,000 across 64 U.S. companies.

Cumulatively, just in recent months, guilty pleas in related cases have impacted more than 136 U.S. victim companies.


What This Means for Your Organization

The Didenko case is a textbook illustration of why remote hiring processes have become a critical attack surface. If your organization hires remote IT contractors through freelance platforms, you need to be asking hard questions right now. For a real-time look at exactly what these operators do once they gain access to a developer environment, our coverage of the Lazarus Group honeypot operation is essential reading — researchers captured North Korean operators live on camera working inside a sandbox they believed was a legitimate employer laptop.

Red flags documented in this and related cases include:

  • North Korean IT workers often refuse or make excuses to avoid live video, send substitutes to video calls, or use AI-manipulated video feeds.
  • Multiple accounts may share the same physical address, IP address range, or payment destination.
  • Salary payments are frequently redirected to cryptocurrency or international wire transfers immediately upon receipt.
  • The worker's technical skills may appear inconsistently matched to their claimed background or resume.
  • Company-provided laptops may be shipped to a third-party address rather than the worker's stated residence.

Recommended controls:

Every organization hiring remote IT workers should be:

  • Conducting live, unscheduled video verification
  • Validating laptop delivery addresses against employee-stated addresses
  • Monitoring for unusual data exfiltration patterns — especially during early employment
  • Cross-referencing contractor identity documents against multiple authoritative sources

For high-sensitivity roles, consider in-person identity verification before granting system access.
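One way to automate the shared-address, shared-IP-range, shared-payment-destination and laptop-delivery checks described above. This is an added example, not code from the DOJ materials or the original article; the record fields, the /24 grouping width and every sample value are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records: every name, address and value is made up.
CONTRACTORS = [
    {"id": "c-101", "residence": "12 Oak St, Apt 4, Exampleton VA 00001",
     "ship_to": "12 Oak Street Apt 4, Exampleton, VA 00001",
     "payout": "acct-7781", "login_ip": "198.51.100.23"},
    {"id": "c-102", "residence": "88 Pine Ave, Sampleville TX 00002",
     "ship_to": "501 Elm Rd, Testburg TN 00003",
     "payout": "acct-9001", "login_ip": "203.0.113.14"},
    {"id": "c-103", "residence": "7 Lake Dr, Demo City CO 00004",
     "ship_to": "501 Elm Road, Testburg, TN 00003",
     "payout": "acct-9001", "login_ip": "203.0.113.77"},
]

_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
           "court": "ct", "apartment": "apt"}

def norm_addr(addr):
    """Lowercase, drop punctuation, collapse common suffix spellings."""
    words = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)

def ip_block(ip, prefix=24):
    """Network containing ip; /24 is an assumed grouping width."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def find_red_flags(records):
    """Map contractor id -> sorted list of red flags raised for it."""
    flags = defaultdict(set)
    shared = defaultdict(lambda: defaultdict(list))
    for r in records:
        if norm_addr(r["ship_to"]) != norm_addr(r["residence"]):
            flags[r["id"]].add("ship_to_differs_from_residence")
        shared["shared_ship_to"][norm_addr(r["ship_to"])].append(r["id"])
        shared["shared_payout"][r["payout"]].append(r["id"])
        shared["shared_ip_block"][ip_block(r["login_ip"])].append(r["id"])
    for flag, groups in shared.items():
        for ids in groups.values():
            if len(ids) > 1:  # same value seen on more than one account
                for cid in ids:
                    flags[cid].add(flag)
    return {cid: sorted(f) for cid, f in flags.items()}

if __name__ == "__main__":
    print(find_red_flags(CONTRACTORS))
```

A hit is a prompt for manual review, not proof of fraud: shared households, corporate VPN egress ranges and staffing-agency payout accounts will also match.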

The FBI's Counterintelligence Division continues to warn that this campaign is active, sophisticated, and expanding. The fact that North Korean operatives successfully placed workers inside 40 U.S. companies through a single operator's network should be a sobering data point for security leaders.


The Bottom Line

The Didenko sentencing is a significant law enforcement win, but it's also a stark reminder of how creatively adversarial nation-states exploit the seams in modern remote work infrastructure. A single Ukrainian national with a website, some co-conspirators, and a willingness to facilitate identity theft built a pipeline that funneled American paychecks directly into North Korea's weapons budget — all while sitting in Kyiv.

The FBI put it plainly: this created "an unauthorized backdoor into our country's job market." Closing that backdoor requires more than prosecutions. It requires every organization that hires remote workers to treat identity verification as a national security function, not just an HR checkbox.


Sources: U.S. Department of Justice, FBI Counterintelligence and Espionage Division, court records from the U.S. District Court for the District of Columbia

Case investigated by the FBI New York Field Office with assistance from FBI Norfolk, San Diego, and Knoxville Field Offices

By Breached Company