Justice Department Disrupts North Korean ‘Laptop Farm’ Operation

Law enforcement authorities in the U.S. have arrested a Tennessee man accused of running a “laptop farm” that helped North Korean IT workers secure remote jobs at American companies.

According to court documents, 38-year-old Matthew Isaac Knoot operated a scheme that assisted North Koreans posing as U.S.-based IT professionals by using the stolen identity of an American citizen.

The Justice Department said the companies, believing they were hiring a legitimate U.S. worker, shipped laptops to Knoot’s Nashville home. The agency accused Knoot of installing unauthorized software on the laptops, allowing the North Koreans to log in remotely from locations in China.

This is the second major arrest linked to North Koreans infiltrating American companies as remote IT workers. Earlier this year, the Justice Department charged Arizona resident Christina Marie Chapman for allegedly helping North Korean IT workers get jobs in the United States between October 2020 and October 2023.

Chapman allegedly helped them pose as US persons, and ran a laptop farm at her residence to make it appear that the computers used by the North Koreans were logging in from the United States. Chapman is also accused of helping transfer the money generated by the scheme outside of the US. 

Authorities say the ongoing schemes helped North Korean IT workers get jobs at Fortune 500 companies, including a major TV network, a car manufacturer, a Silicon Valley tech firm, an aerospace manufacturer, a luxury retail store, and a media and entertainment company. The IT workers, who earned at least $6.8 million, even attempted to obtain jobs at two US government agencies. 

The U.S. government believes North Korea has dispatched thousands of highly technical workers around the world to dupe unwitting businesses and evade international sanctions so that it can continue to fund its weapons program.

“Today’s indictment, charging the defendant with facilitating a complex, multi-year scheme that funneled hundreds of thousands of dollars to foreign actors, is the most recent example of our office’s commitment to protecting the United States’ national security interests,” said U.S. Attorney Henry C. Leventis.

If convicted, Knoot faces a maximum penalty of 20 years in prison, including a mandatory minimum of two years in prison on an aggravated identity theft count.

The latest arrest follows an admission by Florida security awareness training firm KnowBe4 that it was tricked into hiring a North Korean as a Principal Software Engineer and narrowly avoided a major security incident.

KnowBe4 said the North Korean operative spent the first 25 minutes on the job attempting to plant malware on a company workstation.

KnowBe4 said its security team detected suspicious activities coming from a newly hired Principal Software Engineer’s workstation and quickly determined the malicious insider was using a Raspberry Pi to download malware, manipulate session history files, and execute unauthorized software.

“We sent them their Mac workstation, and the moment it was received, it immediately started to load malware,” KnowBe4 chief executive Stu Sjouwerman said.
