The U.S. Department of Justice (DoJ) has charged Matthew Isaac Knoot, a Nashville resident, for his role in facilitating a North Korean scheme to fraudulently secure remote IT work for Democratic People’s Republic of Korea (DPRK) operatives.
Knoot's actions, which included the use of a “laptop farm” to deceive companies into believing they had hired U.S.-based workers, were part of a broader effort to fund North Korea's weapons of mass destruction (WMD) programs.
According to the indictment unsealed yesterday, Knoot, 38, played a critical role in a multi-year conspiracy that enabled North Korean IT workers to obtain remote employment with American and British firms by posing as U.S. citizens. These workers, residing primarily in China, were able to access the companies’ systems remotely, using identities stolen from U.S. citizens.
Knoot facilitated this deception by hosting company-provided laptops at his residences in Nashville, installing unauthorized remote desktop software on them, and ensuring that the operatives could work from abroad while appearing to be located within the U.S.
Laptop farm for North Korea
The DoJ's investigation revealed that Knoot’s laptop farm operated between July 2022 and August 2023, during which time it enabled the North Korean IT workers to earn substantial sums—over $250,000 per worker. These earnings were funneled to accounts linked to North Korean and Chinese actors, directly contributing to North Korea's prohibited WMD programs. Knoot's actions caused the defrauded companies over $500,000 in damages, primarily related to auditing and remediating their compromised systems.
Assistant Attorney General Matthew G. Olsen highlighted the significant national security risks posed by this scheme, warning U.S. businesses of the growing threat from North Korea and emphasizing the need for vigilance in their hiring practices. This indictment follows the launch of the “DPRK RevGen: Domestic Enabler Initiative” in March 2024, a coordinated effort by the National Security Division and the FBI to identify and dismantle U.S.-based operations like Knoot’s laptop farm.
Knoot faces multiple charges, including conspiracy to cause damage to protected computers, money laundering, wire fraud, and aggravated identity theft. If convicted, he could be sentenced to up to 20 years in prison, with a mandatory minimum of two years for the identity theft charge.
A common tactic
This case is part of a broader pattern of North Korean cyber activity targeting U.S. businesses. Just last month, cybersecurity firm KnowBe4 thwarted an attempt by a North Korean hacker to infiltrate its IT systems. The hacker, posing as a software engineer, managed to pass extensive vetting processes, including video interviews and background checks, using a stolen U.S. identity.
The deception was uncovered when KnowBe4’s Security Operations Center (SOC) detected suspicious activity on the new hire's workstation, which was shipped to an address tied to a network of “IT mule laptop farms,” similar to the one operated by Knoot.
The increasing sophistication of North Korean cyber operatives, as demonstrated in both the Knoot case and the KnowBe4 incident, underscores the need for U.S. companies to enhance their security measures. This includes conducting more rigorous background checks, verifying the physical locations of remote workers, and scrutinizing discrepancies in shipping addresses and residence details.
Companies are also advised to implement robust monitoring for anomalies in remote access and to enhance their security awareness training to address social engineering threats.
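The checks recommended above (verifying where a remote worker actually is, comparing the laptop shipping address with the stated residence, and watching for unauthorized remote-desktop software and remote-access anomalies) can be turned into a repeatable onboarding review. The script below is an added example, not code from the article, the DoJ or KnowBe4; every hire record, login event and the remote-access watchlist are constructed for illustration, and the geolocation and VPN fields are assumed to come from whatever identity provider or endpoint telemetry the company already has.

```python
"""Onboarding consistency checks for remote hires (added example, constructed data).

Cross-checks a new hire's stated residence against the address the company
laptop was shipped to, the geolocated source of the hire's remote logins, and
the software observed on the workstation, and returns the discrepancies a
reviewer should look at before the account keeps its access.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class LoginEvent:
    country: str   # geolocated source country of the session, e.g. "US"
    region: str    # geolocated state/region, e.g. "TN"
    via_vpn: bool  # source IP is a known commercial VPN egress (assumed telemetry field)


@dataclass
class HireRecord:
    name: str
    stated_country: str
    stated_region: str
    ship_country: str
    ship_region: str
    logins: list = field(default_factory=list)     # LoginEvent objects
    processes: list = field(default_factory=list)  # process names seen on the laptop


# Constructed watchlist of third-party remote-desktop agents the company does not
# deploy itself; replace with the organisation's own inventory.
REMOTE_ACCESS_WATCHLIST = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}

SEVERITY_WEIGHT = {"high": 3, "medium": 1}


def check_hire(rec: HireRecord, min_login_share: float = 0.8) -> list:
    """Return (severity, message) findings; an empty list means the record is consistent."""
    findings = []

    # 1. Laptop shipped somewhere other than the residence the hire declared.
    if (rec.ship_country, rec.ship_region) != (rec.stated_country, rec.stated_region):
        findings.append(("high",
                         f"laptop shipped to {rec.ship_region}, {rec.ship_country} "
                         f"but hire states {rec.stated_region}, {rec.stated_country}"))

    # 2. Remote logins that do not originate where the hire says they live.
    if rec.logins:
        in_place = sum(1 for e in rec.logins
                       if (e.country, e.region) == (rec.stated_country, rec.stated_region))
        share = in_place / len(rec.logins)
        if share < min_login_share:
            findings.append(("high", f"only {share:.0%} of logins come from the stated location"))
        vpn = sum(1 for e in rec.logins if e.via_vpn)
        if vpn:
            findings.append(("medium", f"{vpn} login(s) from commercial VPN egress"))
        foreign = Counter(e.country for e in rec.logins if e.country != rec.stated_country)
        for country, n in sorted(foreign.items()):
            findings.append(("medium", f"{n} login(s) geolocated to {country}"))

    # 3. Remote-desktop software the company did not deploy on the workstation.
    seen = {p.lower() for p in rec.processes}
    for tool in sorted(seen & REMOTE_ACCESS_WATCHLIST):
        findings.append(("high", f"unapproved remote-access tool observed: {tool}"))

    return findings


def risk_score(findings: list) -> int:
    """Weighted sum of findings, for ranking which hires to review first."""
    return sum(SEVERITY_WEIGHT[sev] for sev, _ in findings)


def sample_records():
    """Two constructed hires: one consistent, one showing laptop-farm style discrepancies."""
    tn = lambda: LoginEvent("US", "TN", False)
    clean = HireRecord("A. Example", "US", "TN", "US", "TN",
                       logins=[tn() for _ in range(5)],
                       processes=["chrome.exe", "corp-vpn-client.exe"])
    # Declares a California residence, but the laptop went to Tennessee, every
    # login comes from the laptop's location or abroad, and a remote-desktop
    # agent the company never installed is running.
    suspect = HireRecord("B. Example", "US", "CA", "US", "TN",
                         logins=[tn() for _ in range(5)] + [LoginEvent("CN", "", False)],
                         processes=["chrome.exe", "AnyDesk.exe"])
    return clean, suspect


if __name__ == "__main__":
    for rec in sample_records():
        found = check_hire(rec)
        print(f"{rec.name}: score {risk_score(found)}")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

The thresholds and weights are arbitrary starting points; the useful property is that each finding maps to one of the article's recommendations, so a reviewer can see which check fired rather than a bare score.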
9o5
You think AI could be deployed as something for defense here?
From the hiring personnel of the company researching a prospect to following up on the earned sums and deposits trail. All this data is collected and vetted with multiple checks and balances of different (AI) algorithms.
Candidates for hire would then be enrolled in a national database, for the coordinated efforts of the National Security Division and the FBI to help better identify U.S.-based operations like Knoot’s laptop farm, stopping the hiring of candidates who are not registered in the national database. Each prospect for hire would have a running history of work they have done as another fact of their authenticity.