Federal authorities have apprehended a Nashville resident accused of orchestrating a fraudulent scheme involving laptops at his home to mislead US companies into hiring North Korean remote IT workers. This operation allegedly funneled hundreds of thousands of dollars into North Korea’s weapons program.
According to federal prosecutors, the scheme involved deceiving US companies into hiring North Korean nationals, who used the stolen identity of a Georgian individual to pose as US citizens. The US government prohibits hiring North Korean nationals under current sanctions. Once hired, the companies sent their laptops to Matthew Isaac Knoot, 38, of Nashville, Tennessee. Court documents also reveal the involvement of a foreign individual using the alias Yang Di in the conspiracy.
Prosecutors detailed:
As part of the conspiracy, Knoot received and hosted laptops issued by US companies intended for Andrew M. at Knoot’s residences in Nashville. This was designed to make the companies believe Andrew M. was working from within the US. Knoot then accessed these laptops without permission, installing remote desktop applications to enable Di to work from outside the US, specifically China, while maintaining the appearance of being located in Knoot’s residences. Knoot charged Di monthly fees for his services, including a flat rate per laptop and a percentage of Di’s salary, thus profiting from the scam. The arrest follows a recent incident where security-training firm KnowBe4 unknowingly hired a North Korean national using a false identity for an internal IT role. The new hire’s suspicious activities led to the discovery of the fraud, despite thorough background checks and multiple interviews.
In May, federal prosecutors charged Christina Marie Chapman, 49, from Litchfield Park, Arizona, for a similar scheme involving $6.8 million to fund North Korea’s weapons program. Chapman and her co-conspirators compromised over 60 US identities to secure IT jobs for North Koreans across more than 300 US companies.
The FBI and the Departments of State and Treasury issued advisories in May 2022, with updates in October 2023 and May 2024, warning about the North Korean IT worker fraud and US-based laptop farms.
Prosecutors claim the North Korean IT workers using Knoot’s laptop farm earned over $250,000 each from July 2022 to August 2023, with much of the revenue directed toward North Korea’s weapons program, including weapons of mass destruction.
Knoot faces charges of wire fraud, intentional damage to protected computers, aggravated identity theft, and conspiracy to unlawfully employ aliens. He could face up to 20 years in prison if convicted.