Gottagopestcontrol

Trusted News & Timely Insights

Nashville man arrested for helping North Koreans get jobs in US tech industry

August 8, 2024 – Matthew Isaac Knoot, 38, of Nashville, Tennessee, was arrested on August 8 for his attempts to generate revenue for the illicit weapons program of the Democratic People’s Republic of Korea (DPRK or North Korea), which includes weapons of mass destruction (WMD).

The FBI, along with the Departments of State and Treasury, issued an alert in May 2022 to warn the international community, the private sector, and the public of the threat posed by North Korean IT workers. Updated guidance was issued in October 2023 by the United States and the Republic of Korea (South Korea), and in May 2024 by the FBI, including indicators consistent with North Korean IT worker fraud and the use of laptop farms in the United States.

According to court documents, Knoot was involved in a plot to recruit foreign IT employees, who were actually North Korean actors, to work remotely at American and British companies. Knoot is alleged to have helped them pose as U.S. citizens using stolen identities; he is alleged to have hosted company laptops in his homes; he is alleged to have downloaded and installed software on those laptops without authorization to facilitate access and maintain the deception; and he is alleged to have laundered payments for remote IT work, including to accounts linked to North Korean and Chinese actors.

“As alleged, this defendant facilitated a conspiracy to induce U.S. companies to hire foreign IT workers who received hundreds of thousands of dollars that were then funneled to the Democratic People’s Republic of Korea for its weapons program,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “This indictment should serve as a stark warning to U.S. companies that employ IT workers in remote locations about the growing threat posed by the Democratic People’s Republic of Korea and the need to be vigilant in their hiring practices.”

“North Korea has deployed thousands of highly skilled IT workers around the world to deceive unsuspecting companies and evade international sanctions so it can continue to fund its dangerous weapons program,” said U.S. Attorney Henry C. Leventis for the Middle District of Tennessee. “Today’s indictment, which charges the defendant with facilitating a complex, multi-year scheme that funneled hundreds of thousands of dollars to foreign actors, is the latest example of our office’s commitment to protecting the national security interests of the United States.”

“As today’s indictments demonstrate, the FBI will relentlessly pursue those who support the North Korean government’s illicit revenue-generating efforts,” said Bryan Vorndran, assistant director of the FBI’s Cyber Division. “When illicit proceeds could be used to fund the regime’s kinetic capacity, we will focus our work on disrupting that flow of funds. This indictment serves to highlight the risk faced by those who support the Democratic People’s Republic of Korea’s malign cyber activities.”

The DPRK has sent thousands of skilled IT professionals overseas, primarily to China and Russia, with the goal of deceiving U.S. and other companies worldwide into hiring them as freelance IT workers to generate revenue for its weapons of mass destruction programs. The DPRK IT workers’ schemes include the use of pseudonymous email, social media, payment platform, and online job board accounts, as well as fake websites, proxy computers, and knowing and unwitting third parties in the United States and elsewhere. As described in a three-seal public notice issued in May 2022 by the FBI, the Department of the Treasury, and the Department of State, such IT workers individually earn up to $300,000 per year and collectively generate hundreds of millions of dollars per year on behalf of specific entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK’s UN-prohibited weapons of mass destruction programs.

The indictment, unsealed on August 8 in the Middle District of Tennessee, alleges that Knoot was involved in a scheme to help foreign IT workers get remote IT jobs at U.S. companies that believed they were hiring U.S.-based personnel. The IT workers, who were North Korean citizens, used the stolen identity of a U.S. citizen named “Andrew M.” to get these remote IT jobs. The scheme defrauded U.S. media, technology, and financial companies, ultimately causing them hundreds of thousands of dollars in damages.

According to court documents, between approximately July 2022 and August 2023, Knoot operated a “laptop farm” at his Nashville residences. The affected companies sent laptops addressed to “Andrew M.” to Knoot’s residences. After receiving the laptops, Knoot logged into the laptops without authorization, downloaded and installed unauthorized remote desktop applications, and accessed the affected companies’ networks, causing damage to the computers. The remote desktop applications allowed the North Korean IT employees to work from locations in China while making it appear to the affected companies as if “Andrew M.” was working from Knoot’s Nashville residences. For his participation in the scheme, Knoot received a monthly fee for his services from a foreign-based intermediary named Yang Di. In early August 2023, a court-authorized search of Knoot’s laptop farm was conducted.

Overseas IT employees associated with Knoot’s cell each received over $250,000 for their work between approximately July 2022 and August 2023, much of which was falsely reported to the Internal Revenue Service and Social Security Administration in the name of the actual U.S. citizen, Andrew M., whose identity was stolen. Knoot and his co-conspirators’ actions also caused victim companies to incur over $500,000 in costs related to auditing and remediation of their equipment, systems, and networks. Knoot, Di, and others conspired to launder money by conducting financial transactions to receive payments from victim companies and transferring those funds to Knoot and to accounts outside the United States to both further their unlawful activities and conceal that the funds transferred were the proceeds thereof. The accounts outside the United States include accounts associated with North Korean and Chinese actors.

Knoot is charged with conspiracy to damage protected computers, conspiracy to launder money, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft, and conspiracy to illegally employ aliens. If convicted, Knoot faces a maximum sentence of 20 years in prison, including a mandatory minimum sentence of two years in prison for aggravated identity theft.

As part of the Department-wide DPRK RevGen: Domestic Enabler Initiative, launched in March 2024 by the FBI’s National Security Division and Cyber and Counterintelligence Divisions, Department prosecutors and agents are prioritizing identifying and shutting down U.S.-based “laptop farms” – places where laptops from U.S. companies are distributed to people they believe to be legitimate freelance IT workers in the U.S. – and investigating and prosecuting the individuals who host these farms. Today’s announcement follows successful Department actions in October 2023 and May 2024 targeting identical and related conduct.

The FBI is investigating the case.

Assistant U.S. Attorney Josh Kurtzman for the Middle District of Tennessee and Trial Attorney Greg Nicosia of the National Security Division’s Cyber Section are prosecuting the case.

An accusation is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Source: Justice.gov
