US 'laptop farm' man accused of outsourcing his IT jobs to North Korea to fund weapons programs

American and Brit firms thought they were employing a Westerner, but not so, it's alleged


The FBI today arrested a Tennessee man suspected of running a "laptop farm" that got North Koreans, posing as Westerners, IT jobs at American and British companies.

It's claimed this swindle helped generate cash toward Pyongyang's weapons programs.

According to US prosecutors, Matthew Isaac Knoot, 38, of Nashville, defrauded multiple US and UK companies by applying for remote technology jobs, and then secretly outsourced those jobs to North Koreans.

From July 2022 to August 2023, Knoot worked at an unspecified number of "US media, technology, and financial companies," which thought they had hired one Andrew M, a US citizen whose identity had been stolen, it is claimed.

Those firms allegedly sent Knoot work laptops that he subsequently set up so that Norks could remotely log into them and do his work for him. That would be the alleged laptop farm. It saves having to ship PCs off to North Korea or similar places and have people there use VPNs or equivalent to cover up the true location of the machines.

Prosecutors allege the laptops in this case were pooled in the US by Knoot, North Korean ghost workers connected in remotely to do the work he was tasked with, and as far as the UK and US employers were concerned, they were employing a guy in America using American broadband.

It's claimed each of those outsourced jobs raked in more than $250,000 during that year or so period, and that the money went via North Korean and Chinese accounts to the Kim Jong Un government.

The North Korean regime's industrial-scale use of laptop farming generates hundreds of millions annually, and exists to fund the impoverished hermit nation's programs to develop weapons of mass destruction, according to the Justice Dept.

(It's very interesting to see Uncle Sam repeatedly assert a connection between sanctions-busting outsourced IT workers and the funding of weapons of annihilation.)

Knoot was allegedly paid every month by a person named Yang Di for keeping his part of the scam running; prosecutors don't go into too much detail about who Di is, merely saying that he paid Knoot and that he was involved to some degree.

The alleged swindle may have chugged along to this day and beyond, were it not for the Feds searching Knoot's home and shutting down what's said to be a laptop farm in August last year.

It goes unsaid how long ago the FBI caught wind of Knoot's alleged misdeeds, though it might have something to do with the Nashville resident allegedly reporting his income to the IRS in Andrew M's name. It's possible the tax agency thought it was a little weird that one person was working multiple six-figure jobs at the same time.

In addition to allegedly siphoning all that employment income from the defrauded firms, investigations into Knoot and Di and subsequent clean-up work apparently cost those businesses half a million bucks.

Knoot is charged with a variety of crimes, including conspiracy to unlawfully employ foreigners. The Tennessee citizen could face up to 20 years in prison, with a minimum of two years if he's convicted of at least the aggravated identity theft charge.

"As alleged, this defendant facilitated a scheme to deceive US companies into hiring foreign remote IT workers who were paid hundreds of thousands of dollars in income funneled to the Democratic People's Republic of Korea for its weapons program," thundered Assistant Attorney General Matthew Olsen.

"This indictment should serve as a stark warning to US businesses that employ remote IT workers of the growing threat from the DPRK and the need to be vigilant in their hiring processes."

The Feds have been working to disrupt and dismantle despotic Kim's laptop farms for some time now. In May, an Arizona woman was snared for allegedly infiltrating over 300 companies to acquire jobs for North Koreans. Her scheme made $6.8 million, it was claimed. ®
