Justice Department accuses Nashville man of helping North Koreans get tech jobs in US

August 9, 2024Ravi LakshmananNational Security / Identity Theft

The U.S. Department of Justice (DoJ) on Thursday charged a 38-year-old man from Nashville, Tennessee, with running a “laptop farm” that allegedly helped North Koreans find remote work at American and British companies.

Matthew Isaac Knoot was charged with conspiracy to damage protected computers, conspiracy to commit money laundering, conspiracy to commit telecommunications fraud, willful damage to protected computers, identity theft and conspiracy to engage in the illegal employment of aliens.

If convicted, Knoot faces up to 20 years in prison, including a mandatory minimum of two years for identity theft.

Court documents allege that Knoot engaged in an employment fraud scheme by facilitating employment with information technology (IT) companies in the UK and the US for North Korean agents. The scheme is believed to be designed to generate revenue to fund North Korea’s illegal weapons programme.

“Knoot assisted them in using stolen identities to impersonate U.S. citizens, made company-issued laptops available at their residences, downloaded and installed unauthorized software on such laptops to facilitate access and perpetuate the fraud, and conspired to launder money for remote IT work, including to accounts linked to entities in North Korea and China,” the Justice Department said.

An unsealed indictment alleges that IT workers used the stolen identity of a U.S. citizen named “Andrew M.” to obtain remote work, defrauding media, technology and financial companies of hundreds of thousands of dollars in compensation.

Recent US government warnings have revealed that IT workers from the Workers’ Party of Korea’s Defense Industry Department are regularly sent overseas to countries such as China and Russia, where they are hired as freelance IT workers to generate income for the insular kingdom.

Knoot is believed to have operated a laptop farm at his Nashville residences between July 2022 and August 2023, with victim companies shipping laptops to his home at an address named “Andrew M.” Knoot would then log into those computers, download and install unauthorized remote desktop applications, and access internal networks.

“The remote desktop applications enabled North Korean IT workers to work from locations in China, while the affected companies believed that ‘Andrew M.’ was working from Knoot’s residence in Nashville,” the Justice Department said.

“For his participation in the program, Knoot received a monthly fee for his services from an overseas intermediary who went by the name Yang Di. In early August 2023, a court-authorized search of Knoot’s laptop farm was conducted.”

The foreign IT workers were reportedly paid more than $250,000 for their work during the same period, causing the companies to incur more than $500,000 in costs related to auditing and repairing devices, systems, and networks. Knoot, the DOJ noted, also falsely reported earnings to the Internal Revenue Service (IRS) under a stolen identity.

Knoot is the second person charged in the U.S. in connection with a telecommuting scam involving IT workers, following Christina Marie Chapman, 49, who was previously charged with running a “laptop farm” by placing multiple laptops in her Arizona home.

Last month, security training company KnowBe4 revealed it had fallen victim to a scam that had hired a North Korean IT worker as a software engineer who used the stolen identity of a U.S. citizen and enhanced his image using artificial intelligence (AI).

The announcement comes after the U.S. Department of State announced a reward of up to $10 million for information leading to the identification or location of six individuals associated with the Islamic Revolutionary Guard Corps Cyber ​​Command (IRGC-CEC), who have been sanctioned for attacks on critical infrastructure entities in the U.S. and other countries. The U.S. Department of State’s Rewards for Justice program announced a reward of up to $10 million for information leading to the identification or location of six individuals associated with the Islamic Revolutionary Guard Corps Cyber ​​Command (IRGC-CEC).