Tennessee man charged over role in North Korea IT worker scheme

A 38-year-old man from Nashville, Tennessee was charged on Thursday for his alleged role in helping the North Korean government get officials hired in IT roles at American and British companies. 

The Justice Department said Matthew Knoot helped an undisclosed number of North Koreans use stolen identities to pose as U.S. citizens and hosted company laptops at his home. To facilitate the scheme, Knoot downloaded software that allowed North Korean actors to log in from China — running what the Justice Department called a “laptop farm.”

According to the indictment, the workers used the stolen identity of a U.S. citizen who the Justice Department called “Andrew M.” The workers were hired at U.S. media, technology and financial companies. 

Knoot additionally helped launder money from the remote IT jobs to accounts “tied to North Korean and Chinese actors,” the Justice Department said.

United States Attorney Henry Leventis said Knoot helped funnel hundreds of thousands of dollars to the North Korean government through the scheme.

Knoot allegedly ran the laptop farm from his homes in Nashville from July 2022 to August 2023. The companies shipped laptops addressed to “Andrew M.” to the homes.

The Justice Department said Knoot was paid a monthly fee by a facilitator named Yang Di and a raid on Knoot’s home in August 2023 uncovered that each worker was paid more than $250,000 for their IT work. Knoot also paid taxes for the earnings under the stolen identity.

If convicted, Knoot is facing a maximum sentence of 20 years in prison based on several charges including money laundering, wire fraud and identity theft.

“North Korea has dispatched thousands of highly skilled information technology workers around the world to dupe unwitting businesses and evade international sanctions so that it can continue to fund its dangerous weapons program,” Leventis explained. 

Assistant Attorney General Matthew Olsen of the National Security Division added that the money gained through the scheme was used for North Korea’s weapons program. 

The Justice Department said North Korea has sent thousands of skilled IT workers to live in China, Russia and other countries with the end goal of obtaining employment at U.S. companies.The workers use fake emails, social media accounts, and a web of fake websites, proxy computers and third parties across the U.S. like Knoot. 

Previous advisories from U.S. law enforcement agencies have said some of the workers earn up to $300,000 annually, collectively generating hundreds of millions for the North Korean regime and its weapons programs. 

Several federal law enforcement agencies launched an initiative in March 2024 designed to shutter the U.S. laptop farms. 

U.S. officials previously shut down 17 website domains and seized $1.5 million last year in an operation targeting the infrastructure used by the North Korean government to facilitate the IT worker scheme. 

Knoot is the second American charged after the Justice Department arrested U.S. national Christina Chapman in May for running a similar laptop farm in Arizona. U.S. officials also offered a reward of up to $5 million for information on a larger network of people charged with scamming companies of nearly $7 million on behalf of North Korea.

Last year, the U.S. Treasury Department announced sanctions on four entities that employ thousands of North Korean IT workers who help illicitly finance the regime's missile and weapons-of-mass-destruction programs. 

Several U.S. law enforcement agencies and international organizations have warned in recent years of North Korean IT workers posing as citizens from other countries to obtain work. Their positions were either used to generate funding for North Korea’s regime or infiltrate organizations with access to funds and information. 

Two weeks ago, cybersecurity firm KnowBe4 admitted that it hired a worker last year that it later discovered was part of the same North Korean scheme. 

Michael Barnhart, who leads the North Korean threat hunting team at cybersecurity firm Mandiant, said the takedowns of these laptop farms helps unravel “months and months of time and energy put in by these North Korean threat actors.”

"Based on the volume and scale of activity we've seen, North Korean IT workers are widespread in Fortune 500 companies, using their earnings to incentivize others to aid their operations,” he said.