The U.S. Department of Justice (DoJ) on Thursday charged a 38-year-old individual from Nashville, Tennessee, for allegedly running a "laptop farm" to help get North Koreans remote jobs with American and British companies.
Matthew Isaac Knoot is charged with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft and conspiracy to cause the unlawful employment of aliens.
If convicted, Knoot faces a maximum penalty of 20 years in prison, counting a mandatory minimum of two years in prison on the aggravated identity theft count.
Court documents allege that Knoot participated in a worker fraud scheme by letting North Korean actors get employment at information technology (IT) companies in the U.K. and the U.S. It's believed that the revenue generation efforts are a way to fund North Korea's illicit weapons program.
"Knoot assisted them in using a stolen identity to pose as a U.S. citizen, hosted company laptops at his residences, downloaded and installed software without authorization on such laptops to facilitate access and perpetuate the deception, and conspired to launder payments for the remote IT work, including to accounts tied to North Korean and Chinese actors," the DoJ said.
The unsealed indictment said the IT workers used the stolen identity of a U.S. citizen named "Andrew M." to obtain the remote work, defrauding media, technology, and financial companies of hundreds of thousands of dollars in damages.
Recent advisories from the U.S. government have revealed that these IT workers, part of the Workers' Party of Korea's Munitions Industry Department, are routinely dispatched to live abroad in countries like China and Russia, from where they are hired as freelance IT workers to generate revenue for the hermit kingdom.
Knoot is believed to have run a laptop farm at his Nashville residences between approximately July 2022 and August 2023, with the victim companies shipping the laptops to his home addressed as "Andrew M." Knoot then logged into these computers, downloaded and installed unauthorized remote desktop applications, and accessed the internal networks.
"The remote desktop applications enabled the North Korean IT workers to work from locations in China, while appearing to the victim companies that 'Andrew M.' was working from Knoot's residences in Nashville," the DoJ said.
"For his participation in the scheme, Knoot was paid a monthly fee for his services by a foreign-based facilitator who went by the name Yang Di. A court-authorized search of Knoot's laptop farm was executed in early August 2023."
The overseas IT workers are said to have been paid over $250,000 for their work during the same time period, causing companies more than $500,000 in costs associated with auditing and remediating their devices, systems, and networks. Knoot, the DoJ noted, also falsely reported the earnings to the Internal Revenue Service (IRS) under the stolen identity.
Knoot is the second person to be charged in the U.S. in connection with the remote IT worker fraud scheme after Christina Marie Chapman, 49, who was previously accused of running a laptop farm by hosting multiple laptops at her residence in Arizona.
Last month, security awareness training firm KnowBe4 revealed it was tricked into hiring an IT worker from North Korea as a software engineer, who used the stolen identity of a U.S. citizen and enhanced their picture using artificial intelligence (AI).
The development comes as the U.S. State Department's Rewards for Justice program announced a reward of up to $10 million for information leading to the identification or location of six individuals linked to the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) who were sanctioned in connection with striking critical infrastructure entities in the U.S. and other countries.