U.S. prosecutors on Thursday brought charges against Matthew Isaac Knoot, a Tennessee resident, who is charged with helping North Korean spies pose as I.T. specialists in the United States. The man is believed to have helped the North Korean saboteurs gain illegal employment in the United States as part of an effort to support the North Korean nuclear weapons program.
Knoot’s methods are unorthodox but proved successful – for a while, anyway. Knoot is believed to have run what’s known as a “laptop farm” out of his Nashville home. His operation required companies to send him laptops under the presumption that they would be used by American workers. Those workers then provided I.T. services to American companies. Instead of hiring American workers, however, Knoot outsourced the roles to people from all over the world – including North Korean employees working out of China. Those workers then provided their services under Knoot’s name, making his clients – and employers – believe that he was providing the services.
It was a lucrative business, too. Knoot knew that companies would pay big bucks for people with his – or his outsourced specialists’ – skills. Prosecutors allege that companies paid over $250,000 for each worker they hired from Knoot’s operation between July 2022 and August 2023. Knoot actively covered up the fact that he was using outsourced workers to work under his name, with investigators revealing that he reported the income to the IRS under his name.
A statement issued by the Office of Public Affairs at the U.S. Department of Justice described how Knoot was arrested on August 8 “for his efforts to generate revenue for the Democratic People’s Republic of Korea’s illicit weapons program.”
It comes after the FBI and the Departments of State and Treasury issued an advisory in May 2022 to alert the private and public sectors about the threat of North Korean IT workers posing as Americans and infiltrating the U.S. tech workforce. Further guidance was issued in October 2023 by the governments of the United States and South Korea, warning businesses – in particular, laptop farms – about the threat of hiring North Korean workers.
Court documents reveal how Knoot was fully aware of the fact that his outsourced workers were not U.S. citizens and that he “assisted them” in using a stolen identity. The Department of Justice also said that Knoot “downloaded and installed software without authorization on such laptops to facilitate access and perpetuate the deception,” and that he also conspired to launder payments for the remote work.
Assistant Attorney General Matthew G. Olsen from the National Security Division of the Department of Justice said that the money earned by the North Korean workers was “funneled to the DPRK for its weapons program.” Olsen also said that the indictment should serve as a warning to American businesses that ignore guidance about the threat.
A Growing National Security Threat
In May 2024, reports revealed how North Korean IT workers were believed to have infiltrated over 300 American companies using aliases. The foreign workers allegedly earned as much as $6.8 million from their remote work opportunities, which was then funneled back to the North Korean government.
The news came from a Justice Department statement that was designed to serve as a warning to American companies. The statement followed the unsealing of charges against a number of American professionals, including a woman from Arizona who was charged with helping North Korean IT workers perform remote roles for American companies by using stolen or borrowed identities.
It’s not just small-to-medium-sized IT businesses that are being impacted, either. The U.S. government understands that leading U.S. companies are being tricked by North Korean workers, and that some American citizens working for the companies are cooperating with the North Korean workers. The Department of Justice previously stated that a “premier” Silicon Valley tech company, an “iconic” car manufacturer, and one of the biggest media and entertainment companies in the world have all been caught up in the scandal.
Speaking this week, U.S. Attorney Henry C. Leventis of Tennessee’s Middle District described how “thousands of highly skilled information technology workers” have been dispatched by the North Korean government all over the world to “dupe unwitting businesses” and evade international sanctions that prevent them from working for Western businesses.
How Businesses Can Identify North Korean IT Workers
If you work in the tech business, it’s important to know the warning signs. The U.S. government has been extremely forthcoming about what IT companies must look out for when hiring new employees. In a public service announcement published by the FBI and the Department of State, companies that outsource IT work to third-party vendors are warned that they “can face additional vulnerabilities since these companies are removed from the direct hiring process.”
The official guidance explained how all IT workers in North Korea are required to submit their earnings to the regime, which is controlled by dictator Kim Jong Un. The vast majority of these workers are subordinate to the DPRK’s weapons of mass destruction and ballistic missile programs, as well as its advanced conventional weapons programs. A seemingly mid-level IT worker, therefore, may provide valuable financial assistance to a weapons program that directly threatens the United States.
“An overseas DPRK IT worker earns at least ten times more than a conventional North Korean laborer working in a factory or on a construction project overseas,” the guidance explains. “DPRK IT workers can individually earn more than USD 300,000 a year in some cases, and teams of IT workers can collectively earn more than USD 3 million annually.”
Companies looking to outsource IT work should be mindful of applicants looking to provide tech support and services related to hardware and firmware development, virtual reality and augmented reality programming, general IT support, graphic animation, online gambling programs, mobile games, dating applications, mobile applications, web applications, and currency exchange platforms.