The Department of Justice this week announced that it charged a Nashville man for running what it called a “laptop farm” out of his home and being part of a vast conspiracy that connects North Korean tech workers with jobs at large American and British companies looking for remote employees.
According to the FBI, the salaries paid to the IT workers—who were doing real work—were illegally funneled to North Korea to fund its illicit weapons programs.
Matthew Isaac Knoot, 38, allegedly helped the IT workers, who were North Korean nationals living there, Russia or China, by using his residence to host numerous laptops. He is also accused of stealing the identity of a man in Georgia who authorities identified as “Andrew M.” Through Knoot the North Korean tech workers used Andrew M.’s driver’s license and identity to get well-paying contract jobs at American companies, authorities alleged.
After the tech workers got the remote-work jobs, Knoot had companies ship work laptops to his address in of Nashville, Tenn., according to the DOJ. He would then log in, install remote desktop applications, and then access company networks. The remote desktop app disguised the location of the North Korean IT workers living abroad, so that it looked like they were working at Knoot’s Nashville address under Andrew M. identity, authorities said.
Knoot would also launder the tech workers' salaries—some as high as $300,000 a year, authorities said—and then transfer the money to accounts associated with North Korean and Chinese nationals, according to a DOJ statement. The indictment did not name the specific companies but described them as a media company in New York City, a UK financial institution, a tech company in Portland, and a media company in McLean, Va.
“As alleged, this defendant facilitated a scheme to deceive U.S. companies into hiring foreign remote IT workers who were paid hundreds of thousands of dollars in income funneled to the DPRK for its weapons program,” said Assistant Attorney General Matthew Olsen of the national security division in a statement, referring to North Korea's formal name as the Democratic People’s Republic of Korea. “This indictment should serve as a stark warning to U.S. businesses that employ remote IT workers of the growing threat from the DPRK and the need to be vigilant in their hiring processes.”
For his part in the scheme that ran from July 2022 to August 2023, Knoot got paid every month by a facilitator named Yang Di, according to the indictment. Di allegedly paid Knoot a flat rate of for each laptop he hosted at his home and a percentage of the salaries. Knoot faces a maximum penalty of 20 years in prison, plus a mandatory two years for one count of aggravated identity theft.
The DOJ and the FBI have been investigating laptop farms funded by North Korea for the past three years. The scheme to generate money to fund its weapons of mass destruction program generates hundreds of millions each year, authorities said. It involves the use of pseudonyms, fake emails, social media profiles, and websites to scour online job listings. A UN report found that lower-paid workers involved in the scheme are allowed to keep 10% of their salaries, while higher-paid employees keep 30%. The UN estimated the workers generate about $250 million to $600 million per year.
“North Korea has dispatched thousands of highly skilled information technology workers around the world to dupe unwitting businesses and evade international sanctions so that it can continue to fund its dangerous weapons program,” said U.S. Attorney Henry Leventis for the Middle District of Tennessee in a statement.
Knoot appears to be the second U.S. citizen arrested in a laptop farming operation involving the thousands of North Korean IT workers sent around the world to raise funds for its weapons programs in recent years. In May 2024, the DOJ unsealed charges against four people living abroad and one Arizona woman, Christina Marie Chapman, 49.
Chapman, who lived on the outskirts of Phoenix, allegedly ran a laptop farm that assisted North Korean IT workers who had remote jobs at more than 300 companies, authorities said. The companies included “well-known Fortune 500 companies, U.S. banks, and other financial service providers,” according to the U.S. attorney’s office. Chapman’s farm allegedly exploited the identities of 60 people in the U.S. used by the tech workers to disguise themselves as Americans.
The companies where the IT workers had jobs included a top-five TV network, a Silicon Valley tech company, aerospace manufacturer, car company, and a luxury retail store—all of which are in the Fortune 500, according to court records. Those who had their identities stolen had false tax bills in their names totaling at least $6.8 million in the scheme facilitated by Chapman, said the DOJ.
Tech firm KnowBe4 disclosed last month that it unknowingly hired a software engineer for its internal AI team who was actually a North Korean IT worker. In a blog post, the company said its recruiter held four video interviews and confirmed the person matched the photo on the job application. A background check also came back clean, the company said. In reality, the person was using a stolen identity and had used AI to enhance a stock photo.
KnowBe4 discovered the truth about its new hire, which it did not identify, after the attacker started manipulating and transferring files and using unauthorized software. He also downloaded malware.
“The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs,” wrote KnowBe4 CEO Stu Sjouwerman in the post. “I don't have to tell you about the severe risk of this.”
The company reported the employee to cybersecurity experts and the FBI to confirm its findings, and an FBI investigation is ongoing, the company said.
Attempts to reach Knoot, Di, and Chapman were unsuccessful.