Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime

US Feds Arrest Man for North Korean Remote IT Worker Scam

Matthew Isaac Knoot Allegedly Hosted Laptop Farm in his Nashville Home
A North Korean soldier standing guard at the Korean Demilitarized Zone in 2011. (Image: Shutterstock)

U.S. federal prosecutors charged a Tennessee man with abetting North Korea in an ongoing effort to obtain remote IT work for its nationals as a way of generating hard currency to fund the development of weapons of mass destruction.

An indictment unsealed Thursday against Nashville resident Matthew Isaac Knoot, 38, is the second arrest this year in a national crackdown against North Korean remote IT workers (see: US FBI Busts North Korean IT Worker Employment Scams).

When North Korean workers obtain remote employment under fraudulent circumstances, Pyongyang looks for Americans willing to host company-provided laptops through which remote workers connect from North Korea or neighboring cities in China. Knoot faces six criminal counts, including conspiracy and aggravated identity theft.

"North Korean IT workers are widespread in Fortune 500 companies, using their earnings to incentivize others to aid their operations," said Michael Barnhart, a specialist in North Korea for threat intelligence company Mandiant. Closing down laptop farms "deals a significant blow to their operations and unravels months and months of time and energy put in by these North Korean threat actors."

Prosecutors allege Knoot kept laptops at his residence for North Korean workers between July 2022 and August 2023. The indictment also says North Korea stiffed Knoot, paying him only $15,100 - substantially less than the $500 per month plus 20 percent of each remote worker's salary promised him by Pyongyang handlers.

Knoot was in contact with a North Korean persona who went by the moniker "Yang Di." North Korean hackers stole the identity of U.S. citizen "Andrew M." to create the character of a Georgia-based mid-level programmer. That identity earned at least $257,553 in wages from four companies during the time of Knoot's participation in the conspiracy, prosecutors allege.

Three of the companies Andrew M. worked for have since spent more than half a million dollars on auditing Andrew M.'s code and on legal fees. Prosecutors didn't identify the companies other than describing them as a New York media company, a U.K. financial institution, an Oregon technology company and a Virginia media company.

The United Nations reportedly suspects North Korea of stealing approximately $3 billion between 2017 and 2023 to further weapons of mass destruction development. Many Pyongyang hacking operations, unlike other state-sponsored outfits, have a mandate to infuse cash into the rogue nation. North Korea has a well-established history of hacking for profit and inventive ways of circumventing economic sanctions that also include forced labor in Chinese factories, tobacco smuggling and false identities for cargo ships.


About the Author

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.



