The U.S. Justice Department arrested a Nashville man charged with helping North Korean IT workers obtain remote work at companies across the United States and operating a laptop farm they used to pose as U.S.-based individuals.
Matthew Isaac Knoot, 38, helped North Koreans use a stolen identity to pose as Andrew M., a U.S. citizen, provided housing for company-provided laptops, and helped launder payments for the remote IT work to North Korean and Chinese accounts.
“The victim companies shipped laptops addressed to ‘Andrew M.’ to Knoot’s residences. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage to the computers,” a DOJ press release says.
“The remote desktop applications enabled the North Korean IT workers to work from locations in China, while appearing to the victim companies that ‘Andrew M.’ was working from Knoot’s residences in Nashville.”
The North Korean IT workers who used Knoot’s laptop farm generated revenue for North Korea’s nuclear weapons program and were each paid over $250,000 for their work between July 2022 and August 2023.
Knoot is facing multiple charges, including wire fraud, intentional damage to protected computers, aggravated identity theft, and conspiracy to cause the unlawful employment of aliens. He could be sentenced to a maximum of 20 years in prison if found guilty.
In March 2024, the National Security Division and the FBI’s Cyber and Counterintelligence Divisions launched the “DPRK RevGen: Domestic Enabler Initiative,” which focuses on identifying and shutting down U.S.-based “laptop farms,” as well as on the prosecution of individuals who are hosting them.
Second American charged with running North Korean laptop farm
Knoot is the second American arrested and charged with helping North Korea’s hackers gain employment at American companies, further demonstrating how North Korea is stealing both jobs and funds from everyday citizens.
The U.S. Justice Department also arrested and charged Arizona woman Christina Marie Chapman for running another laptop farm in her own home to make it look as though North Korean workers’ devices were in the United States.
The case emphasizes the ongoing danger presented by North Korean threat actors who impersonate U.S.-based IT staff, something that the FBI has warned about since 2023.
As the law enforcement agency has repeatedly cautioned, North Korea maintains a well-organized army of IT workers who conceal their true identities to secure employment with hundreds of American companies.
“Based on the volume and scale of activity we’ve seen, North Korean IT workers are widespread in Fortune 500 companies, using their earnings to incentivize others to aid their operations,” Mandiant Principal Analyst Michael Barnhart told BleepingComputer.
“By neutralizing these laptop farms and arresting the facilitators, it deals a significant blow to their operations and unravels months and months of time and energy put in by these North Korean threat actors.”
Last month, American cybersecurity company KnowBe4 revealed that they had hired a Principal Software Engineer who turned out to be a North Korean malicious actor who immediately attempted to install information-stealing software on company-provided devices.
This happened even though KnowBe4 conducted background checks, verified references, and conducted four video interviews before hiring an individual. However, the company later discovered that the person had used a stolen identity to bypass these checks and AI tools to create a fake profile picture and mimic the face during video conference calls.