The Two-Front War Using American TikTokers to Help North Korea Hack Wallets and Steal Paychecks

At first glance, Christina Chapman was just another TikTok personality trying to make it in the gig economy. But beneath the surface of her Minnesota home lay a covert cybercrime operation linked to one of the world’s most sophisticated state-sponsored heists.

Authorities say Chapman unknowingly became a crucial node in a massive North Korean scheme, operating a “laptop farm” that helped rogue IT workers land remote jobs with over 300 U.S. companies. Those jobs paid more than $17 million—and that was just the warm-up act.

The Laptop Lady Becomes an Unwitting Accomplice

Christina Chapman, a 50-year-old former waitress, was approached on LinkedIn to act as a U.S.-based liaison for foreign tech workers. She set up laptops in her home, filled out W-9s, handled job applications, and shipped devices abroad—all while taking a cut of the salaries. In reality, she was helping North Korean operatives launder identities and infiltrate corporate America.

“They secured jobs at more than 300 American companies, collecting $17.1 million in pay.”

By the time the FBI raided her home in October 2023, Chapman had funneled more than $177,000 to herself and unknowingly assisted a rogue nation. In February 2025, she pleaded guilty to identity theft and money laundering. But her laptop farm is just one piece of a much larger—and darker—puzzle.

The Remote Work Vulnerability: An Open Door for Spies

Chapman’s story reveals a sobering truth: the remote work revolution is vulnerable to exploitation. North Korea’s “IT warriors” operate in digital disguise, taking advantage of under-vetted hiring practices in the remote-first era. Some even hold multiple six-figure jobs at once, according to the FBI.

Once inside a company’s systems, these operatives aren’t just cashing paychecks. They’re gathering intel, accessing networks, and quietly opening the door for something much bigger: crypto theft on a global scale.

“These DPRK IT workers are absolutely able to hold down jobs that pay in the low six figures in U.S. companies.”

Following the Money: From Stolen Salaries to Stolen Crypto

According to Chainalysis, North Korean hackers are behind a staggering 61% of global crypto heists in the past year. Their tactics have evolved dramatically—from phishing campaigns to deep social engineering and even becoming part of the companies they plan to rob.

One of the most alarming examples? The $1.5 billion hack of Bybit, which now stands as the largest crypto heist in history. Investigators believe North Korean actors used a combination of phishing, network infiltration, and automation to drain funds in less than an hour.

“North Korea stole more than $6 out of every $10 lost by the crypto industry in 2024.”

These aren’t smash-and-grab jobs. They’re coordinated, patient, and backed by state-level intelligence. The stolen crypto is laundered through mixers like Sinbad.io, bridged across blockchains, converted to stablecoins, and ultimately cashed out via OTC brokers, some based in sanctioned jurisdictions like Russia or the UAE.

The Kraken Connection: Fighting Back on the Front Lines

While some firms fall victim, others are learning to fight back. Kraken has been one of several crypto companies working proactively to identify and root out bad actors. According to Chainalysis and TRM Labs, Kraken flagged suspicious job applicants and internal access requests traced back to North Korean-linked IP addresses.

They implemented new layers of identity verification, monitored behavioral anomalies, and shared threat intelligence with law enforcement. In one instance, they prevented access to dev tools after an applicant’s laptop behavior triggered an internal risk score above threshold.

Kraken’s approach demonstrates that it’s not just about firewalls—it’s about holistic vigilance, from HR screening to transaction monitoring.

Detection and Prevention: What Your Company Can Learn from Kraken

So what lessons can crypto companies, fintechs, and even traditional financial institutions learn from all this?

Here’s a five-point compliance checklist to mitigate the risk of infiltration and fraud:

1. Enhanced Remote Hiring Protocols: Screen candidates through multi-layered ID verification. Consider incorporating biometric checks and behavioral interviewing.
2. Limit Access by Role: Apply the principle of least privilege to dev tools, admin rights, and financial systems.
3. Monitor Endpoint Behavior: Use AI-based tools to flag unusual keystrokes, access times, or geolocation mismatches.
4. Sanctions Screening: Go beyond the basics—monitor not just names, but behavioral patterns and wallet associations with OFAC-listed entities.
5. Cross-Border Risk Assessment: Watch for remote workers or contractors routing access through high-risk jurisdictions or VPNs.

Crypto compliance isn’t just about KYC anymore. It’s about understanding your people, your platforms, and your perimeter.

The Bigger Picture: Understanding North Korea’s Cyber War

This isn’t just fraud. It’s geopolitics. North Korea has orchestrated a full-scale, multi-channel cyber war to fund its regime and bypass international sanctions.

They need roughly $6 billion a year to stay afloat. Crypto theft and remote job infiltration now account for a significant portion of that revenue. Every stolen token helps bankroll missiles and nuclear tests. And that makes crypto compliance a matter of international security.

“All wars in future years will be computer wars.”

That quote, attributed to Kim Jong Il, feels prophetic now.

Whether it’s through hacked cold wallets or unwitting TikTokers, the regime is rewriting the rules of cyber conflict. And that means crypto companies must rewrite the rules of defense.

At BitAML, we help crypto firms defend against threats you can’t see—from inside your code to halfway around the world. Schedule a complimentary discovery call, and let’s make sure your compliance strategy is fortified against the next wave of global cyber threats.