On July 24, 2025, the U.S. Department of Justice announced the sentencing of Christina Chapman, an Arizona woman who helped North Korean IT workers infiltrate more than 300 American companies. Her “laptop farm” scheme involved receiving company-issued computers, disguising them as U.S.-based devices, and then sending them abroad. Over three years, the operation generated more than $17 million for North Korea, despite extensive global sanctions.
At first glance, this story is about remote work fraud. But for anyone in the digital asset space, it should feel familiar. The tactics that made Chapman’s scheme effective — stolen identities, intermediaries, obfuscation, and the illusion of legitimacy — are the same ones that sanctioned actors use in the crypto economy. This was not a blockchain case, but it could have been. And the lessons are directly relevant to how law enforcement, regulators, and businesses approach crypto compliance today.
Chapman’s role was simple: she acted as the domestic cover that gave foreign operatives the appearance of legitimacy. By staging laptops in her Arizona home, she created a false trail that made North Korean workers look like ordinary U.S. hires. Employers didn’t question it because nothing about the payroll process seemed unusual.
The same principle drives illicit finance in crypto. Adversaries rarely go through the strongest controls; they look for the weakest link. It might be a lightly regulated exchange, a DeFi protocol without sanctions screening, or a bridge with poor oversight. Once inside, they can pass off illicit funds as ordinary transactions. Just like payroll, laundering often hides in plain sight.
What made Chapman’s scheme effective was how ordinary it looked. Payroll is one of the most routine, least scrutinized parts of business operations. In this case, North Korean operatives were hired under false identities and placed on the payroll of unsuspecting U.S. companies. Because salaries are seen as legitimate business expenses, payments were processed automatically, then routed to accounts controlled by North Korea. From the company’s perspective, it appeared they were paying regular employees. In reality, those funds were being siphoned abroad in violation of sanctions. By hiding within a trusted business process, the scheme moved millions of dollars without drawing attention.
Crypto laundering follows the same playbook. Hackers move stolen funds through dozens of wallets, swaps, and OTC brokers until the flow resembles ordinary user activity. The entire goal is to look unremarkable. Whether it is a salary payment or a token transfer, illicit finance thrives when it looks boring.
Remote work is built on digital identities: résumés, interviews, login credentials. In Chapman’s case, those identities were stolen or fabricated, allowing operatives to pass as U.S. workers. Crypto systems face the same challenge. Wallet addresses, KYC data, and onboarding processes are all proxies for identity. If they are weak, adversaries can easily slip through. This is where verified, blockchain-based digital identity systems could play a critical role — offering tamper-resistant credentials that are harder to fake, and giving both businesses and regulators stronger assurance about who is on the other side of a transaction.
For compliance teams, the Chapman case underscores the importance of identity verification. Whether you are hiring a remote worker or onboarding a wallet, verifying who is really behind the screen is the frontline defense against sanction evasion.
Chapman herself acted as a money mule. She received equipment, staged it domestically, and moved funds through her accounts before transferring them abroad. She took a cut while enabling North Korea’s operatives to remain hidden.
In crypto, intermediaries take many forms: mule wallets, complicit brokers, or liquidity providers who knowingly facilitate tainted flows. They often serve as the bridge between illicit actors and legitimate systems. Detecting those intermediaries is often the key to shutting down entire networks of laundering activity.
More than 300 companies unknowingly funded North Korea through this scheme. They were victims of fraud, but they also became conduits for sanction evasion. The same risk exists in crypto. Exchanges, custodians, and protocols that process sanction-linked funds, even without realizing it, expose themselves to reputational harm and regulatory action.
The clear takeaway is that “not knowing” is no longer a defense. Just as payroll must be monitored for hidden risks, crypto transactions must be continuously screened for sanction exposure.
Authorities eventually uncovered Chapman’s operation, but only after years of activity and millions already lost. That delay mirrors what happens when crypto investigations start only after funds have been laundered through multiple chains and mixers.
Proactive monitoring is the solution. At Merkle Science, we design tools to help organizations detect these red flags early. Compass provides predictive risk monitoring to prevent sanctions violations. Tracker enables investigators to follow illicit flows across 10,000+ assets and 200 bridges. With our Data Platform powering custom investigations and Onchain Pulse monitoring ecosystem risks, organizations can identify high-risk tokens, wallets, and counterparties early, before problems escalate.
Sanctioned actors are creative, persistent, and opportunistic. They will exploit payroll, banks, or blockchains — whatever system offers the easiest path. The challenge for businesses is to stay one step ahead.
The Chapman case may not have involved crypto directly, but it demonstrates how quickly sanctioned actors adapt and how effectively they exploit weak points. For the digital asset ecosystem, the parallels are unmistakable. Remote work was the loophole this time. Next time, it could be your protocol, your exchange, or your customers.
Schedule a demo with Merkle Science to learn how our predictive blockchain analytics platform can help your organization detect and disrupt sanction evasion before it’s too late.
