
DOJ charges Nashville man with helping North Koreans get US tech jobs

09-08-2024 | Ravie Lakshmanan | National Security / Identity Theft

The U.S. Department of Justice (DoJ) on Thursday charged a 38-year-old Nashville, Tennessee, man with allegedly running a “laptop farm” to help North Koreans find remote jobs at U.S. and British companies.

Matthew Isaac Knoot is charged with conspiracy to cause damage to protected computers, conspiracy to commit money laundering, conspiracy to commit internet fraud, intentional damage to protected computers, aggravated identity fraud and conspiracy to commit illegal employment of foreigners.

If Knoot is found guilty, he faces a maximum prison sentence of 20 years, of which at least two years must be for identity fraud.

Court documents allege that Knoot participated in a fraud scheme that helped North Korean workers find jobs at IT companies in the UK and the US. It is believed that the proceeds from the scheme were used to fund North Korea’s illegal weapons programme.

“Knoot assisted them by using a stolen identity to pose as a U.S. citizen, hosted company laptops at his home, downloaded and installed software on those laptops without authorization to facilitate access and perpetuate the deception, and conspired to launder payments for the outside IT work, including payments to accounts linked to North Korean and Chinese actors,” the DoJ said.

The unsealed indictment alleges that the IT workers used the stolen identity of a U.S. citizen named “Andrew M.” to obtain the remote work, costing media, technology and financial companies hundreds of thousands of dollars in damages.

Recent US government advisories have revealed that these IT workers, who are part of the Munitions Industry Department of the Korean Workers’ Party, are regularly sent to live abroad in places such as China and Russia, from where they are hired as freelance IT workers to generate income for the hermit kingdom.

It is believed that between approximately July 2022 and August 2023, Knoot operated a laptop farm at his Nashville residences. The companies shipped the laptops to his home addressed to “Andrew M.” Knoot would then log into these computers, download and install unauthorized remote desktop applications, and gain access to the internal networks.

“The remote desktop applications allowed North Korean IT employees to work from locations in China, while appearing to victims as if ‘Andrew M.’ was working from Knoot’s residence in Nashville,” the U.S. Department of Justice said.

“For his participation in the program, Knoot was paid a monthly fee for his services by an overseas-based facilitator known as Yang Di. In early August 2023, a court-authorized search of Knoot’s laptop farm was conducted.”

The foreign IT workers were reportedly paid more than $250,000 for their work during the same period, and the scheme cost companies more than $500,000 to monitor and repair their devices, systems and networks. Knoot, the DoJ noted, also falsely reported the income to the Internal Revenue Service (IRS) under the stolen identity.

Knoot is the second person to be charged in the U.S. in connection with the remote IT worker fraud, following Christina Marie Chapman, 49, who was previously accused of running a laptop farm, hosting multiple laptops at her Arizona home.

Last month, KnowBe4, a security awareness training company, announced that it had been scammed into hiring a North Korean IT worker as a software developer. The worker used the stolen identity of a U.S. citizen and enhanced his or her photo using artificial intelligence (AI).

The development comes after the U.S. State Department’s Rewards for Justice program announced a reward of up to $10 million for information leading to the identification or location of six individuals associated with Iran’s Islamic Revolutionary Guard Corps’ Cyber-Electronic Command (IRGC-CEC), who have been sanctioned in connection with attacks on critical infrastructure in the U.S. and other countries.
