Justice Department charges Nashville man with helping North Koreans get jobs in U.S. tech sector

09.08.2024 | Ravie Lakshmanan | National Security / Identity Theft

The US Department of Justice on Thursday indicted a 38-year-old man from Nashville, Tennessee. He is accused of running a “laptop farm” to provide North Koreans with remote work jobs at American and British companies.

Matthew Isaac Knoot is charged with conspiracy to damage protected computers, conspiracy to commit money laundering, conspiracy to commit wire fraud, willful damage to protected computers, aggravated identity theft, and conspiracy to illegally employ aliens.

If convicted, Knoot faces a maximum sentence of 20 years in prison, with a minimum sentence of two years in prison for the aggravated identity theft charge.

According to court documents, Knoot was involved in an employee fraud scheme by placing North Korean actors in jobs at IT companies in the UK and the US. These revenue-generating efforts are believed to be a way to fund North Korea’s illegal weapons program.

“Knoot helped them impersonate U.S. citizens using a stolen identity, hosted company laptops in his residences, downloaded and installed software on those laptops without authorization to facilitate access and maintain the deception, and conspired to launder payments for remote IT work, including to accounts linked to North Korean and Chinese actors,” the Justice Department said.

The unsealed indictment alleges that the IT employees used the stolen identity of a U.S. citizen named “Andrew M.” to obtain remote work and defrauded media, technology and financial companies of hundreds of thousands of dollars in damages.

Recent reports from the US government indicate that these IT employees, who are part of the Munitions Industry Department of the Workers’ Party of Korea, are regularly sent abroad, for example to China or Russia, to earn money as freelance IT employees for the isolated kingdom.

Knoot is alleged to have operated a laptop farm at his Nashville homes between approximately July 2022 and August 2023, with the affected companies shipping the laptops to his home addressed to “Andrew M.” Knoot then logged into these computers, downloaded and installed unauthorized remote desktop applications, and accessed the internal networks.

“The remote desktop applications allowed North Korean IT employees to work from locations in China, while making it appear to the affected companies that ‘Andrew M.’ was working from Knoot’s residence in Nashville,” the Justice Department said.

“For his participation in the plot, Knoot received a monthly fee for his services from an overseas-based intermediary named Yang Di. In early August 2023, a court-ordered search of Knoot’s laptop farm was conducted.”

During the same period, the foreign IT employees are said to have received over $250,000 for their work, while it cost the companies over $500,000 to test and remediate their equipment, systems and networks. According to the Justice Department, Knoot also falsely reported the income to the Internal Revenue Service (IRS) under the stolen identity.

Knoot is the second person to be charged in the U.S. in connection with the remote IT employee fraud scheme, following 49-year-old Christina Marie Chapman, who was previously accused of running a laptop farm by hosting multiple laptops at her Arizona residence.

Last month, security awareness training company KnowBe4 announced that it had been tricked into hiring a North Korean IT worker as a software developer, who used the stolen identity of a U.S. citizen and enhanced his image using artificial intelligence (AI).

This development comes after the US State Department, through its Rewards for Justice program, offered a reward of up to $10 million for information leading to the identification or location of six individuals associated with the Iranian Revolutionary Guard Corps’ Cyber-Electronic Command (IRGC-CEC) who have been sanctioned for carrying out attacks on critical infrastructure facilities in the US and other countries.

By Olivia
