- Bankrupt EV maker Fisker was the target of a North Korean IT worker scam
- The automaker engaged with the employee for nearly a year before they were alerted by the FBI
- Ill-gotten wages were used to fund North Korea's ballistic missile program, among other things
Call it Karma, but Fisker's latest blunder reads more like a spy novel than real life. It turns out that the automaker was one of dozens of U.S. companies caught in a cyber espionage saga that involved inadvertently hiring a worker from North Korea into its technology team.
I know what you're asking yourself—what would a spy from North Korea want with Fisker? Surely the country wouldn't bother sniffing around for Fisker's secret sauce when it has the brand new sleek, four-door, range-topping Madusan EV that just debuted in Pyongyang earlier this year. Spoiler: it wasn't.
As uncovered by the Danish publication The Engineer, those bad actors from North Korea were targeting Fisker as part of an elaborate money laundering scheme. The kicker? The U.S. Department of Justice says that Fisker's hard-earned cash used to pay the rogue employee engaged in this ruse was used to fund the DPRK's ballistic missile program.
It all started in October 2022 when Fisker hired a remote IT employee named Kou Thao. The employee listed his home address as a house in Arizona. Nothing screamed subterfuge to Fisker. After all, it's not out of the ordinary for a global company to contract with or hire remote IT workers. Except there was an elaborate scam happening behind the scenes that nobody caught, because it wasn't Thao who lived there—it was a woman named Christina Chapman.
According to court filings, Chapman was approached by a North Korean agent on LinkedIn in 2020. The agent asked Chapman to "be the U.S. face" of their company which would help overseas IT workers gain employment from U.S. companies with what Chapman would eventually call "borrowed identities". The 19 agents then utilized more than 60 stolen and borrowed identities to gain employment at companies and staffing agencies, listing Chapman's address as their own.
Once hired, the companies shipped a laptop to Chapman's Arizona residence addressed to the fake identity. Chapman would allegedly arrange to set up the laptops in the home-grown laptop farm so they could be used by the North Korean threat actors who accessed the computers remotely from Russia and China. The agents would have their paychecks shipped to the Chapman and ultimately funneled back to their home country to avoid the sanctions otherwise imposed on the DPRK. Reportedly, Chapman also assisted by procuring, delivering, and signing forged documents.
The FBI and other U.S. government agencies became aware of the orchestrated scam. They began issuing advisories and guidance on the ongoing threat to help safeguard other companies and the public. When it became aware that Fisker was a victim, a local field office reached out to warn the automaker—that's when Fisker dug into the employee and subsequently terminated his employment in September 2023.
Reportedly, this is where Kou Thao's involvement with Fisker ends, but it's not always where North Korea stops this scam. When these threat actors were fired, that's when they played their Trump card.
See, the fake employees weren't actually working (or, at least not all of the time). They were instead abusing their privileged access to internal systems so they could exfiltrate sensitive data before they were let go. They then used this information to extort the company, demanding ransoms often upwards of six figures.
Fisker doesn't appear to be the only automaker affected by North Korea's antics. Another, simply identified in a DOJ filing as "a Fortune 500 iconic American automotive manufacturer located in Detroit, Michigan," had a North Korean operative contracted through a staffing agency where they earned $214,596—though it's not clear just how much the spy earned through the Fisker or the unnamed automaker alone.
Preliminary complaints uncovered $6,323,417 in ill-gotten wages between 2021 and 2023 from companies in the automotive, technology, cybersecurity, aerospace, media, retail, and food delivery industries. In total, the DOJ revealed that more than 60 identities were used in the scheme. The total wages eventually reached over $6.8 million and impacted more than 300 U.S. companies. The bad actors also attempted to gain access to positions contracted with the U.S. government, including the Department of Homeland Security, Immigration and Customs Enforcement, and the General Services Administration.
When reached for comment, Fisker CEO Henrik Fisker told The Engineer that he had no comment as the case "is with the FBI." The company denied knowing of any material cybersecurity threats in its 2023 year-end report despite reportedly being alerted of the nation-state actor from North Korea employed in its IT team for more than a year.
"In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition." wrote Fisker in its 2023 annual report filed with the U.S. Securities and Exchange Commission.
It seems like this threat wasn't exactly a show-stopper for Fisker anyway. The company clearly had some bigger issues going on, which is one of the reasons it's now facing a very rocky bankruptcy. But the broader implications ring a wake-up call for the entire auto industry.
Cars are becoming increasingly connected back to their motherships. After all, the software-defined car is the current buzzword for automakers. This particular event should serve as a reminder that designing a secure environment for these connected cars from the ground up is paramount—and being able to monitor, detect, and respond to modern threats is critical. Today, a rogue IT worker could be responsible for leaked company secrets. Tomorrow? Maybe waking up to a ransomware demand on your car's infotainment screen.
