
Man allegedly ran ‘laptop farm’ to benefit North Korea, Feds say

CWS 3.0 - Contingent Workforce Strategies


Katherine Alvarez | August 13, 2024

A Nashville, Tennessee man was charged on Aug. 8 for efforts to generate revenue for the Democratic People’s Republic of Korea’s (DPRK or North Korea) illicit weapons program, which includes weapons of mass destruction, the US Attorney’s Office for the Middle District of Tennessee reported.

Matthew Isaac Knoot allegedly ran a “laptop farm,” hosting computers inside his home that workers could use to make it appear they were working in the US.

According to court documents, Knoot participated in a scheme to obtain remote employment with American and British companies for foreign IT workers who were actually North Korean actors. Knoot assisted the workers in using stolen identities to pose as US citizens, hosted company laptops at his residences, downloaded and installed software without authorization on such laptops to facilitate access and perpetuate the deception, and conspired to launder payments for the remote IT work, including to accounts tied to North Korean and Chinese actors.

“North Korea has dispatched thousands of highly skilled information technology workers around the world to dupe unwitting businesses and evade international sanctions so that it can continue to fund its dangerous weapons program,” US Attorney Henry C. Leventis for the Middle District of Tennessee said in a press release. “Today’s indictment, charging the defendant with facilitating a complex, multi-year scheme that funneled hundreds of thousands of dollars to foreign actors, is the most recent example of our office’s commitment to protecting the United States’ national security interests.”

The case follows one announced in May in which two people were arrested on criminal charges in connected schemes for allegedly enabling North Korean IT workers to obtain remote positions at more than 300 US firms using false identities.

The scheme allegedly aimed to deceive US companies into hiring foreign remote IT workers who were paid hundreds of thousands of dollars in income funneled to the DPRK for its weapons program, according to Assistant Attorney General Matthew G. Olsen of the National Security Division.

The US Department of Justice in October 2023 announced remote IT workers were being dispatched by North Korea to fund its weapons program. Federal authorities at the time had seized $1.5 million and 17 domain names as part of an ongoing investigation.

“This [Aug. 8] indictment should serve as a stark warning to US businesses that employ remote IT workers of the growing threat from the DPRK and the need to be vigilant in their hiring processes,” Olsen said in a press release.

According to court documents, Knoot ran a “laptop farm” at his Nashville residences between approximately July 2022 and August 2023. The victim companies shipped laptops addressed to “Andrew M.” to Knoot’s residences. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage to the computers. The remote desktop applications enabled the North Korean IT workers to work from locations in China while making it appear to the victim companies that “Andrew M.” was working from Knoot’s residences in Nashville. Knoot was paid a monthly fee for his participation in the scheme by a foreign-based facilitator who went by the name Yang Di. A court-authorized search of Knoot’s laptop farm was executed in early August 2023.

The overseas IT workers associated with Knoot’s cell were each paid over $250,000 for their work between approximately July 2022 and August 2023.

Knoot is charged with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft and conspiracy to cause the unlawful employment of aliens. If convicted, Knoot faces a maximum penalty of 20 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.

The FBI in May issued updated guidance regarding the North Korea IT worker threat, which includes indicators to watch for that are consistent with North Korea IT worker fraud and the use of US-based laptop farms.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond reasonable doubt in a court of law.