Matthew Isaac Knoot, 38, of Nashville, Tennessee, was arrested today for his alleged involvement in generating revenue for the Democratic People’s Republic of Korea’s (DPRK or North Korea) illicit weapons program, including weapons of mass destruction (WMD).
The FBI, along with the Departments of State and Treasury, issued a May 2022 advisory to alert the international community, private sector, and public about the North Korean IT worker threat. Updated guidance was issued in October 2023 by the United States and South Korea and in May 2024 by the FBI. These updates include indicators consistent with North Korean IT worker fraud and the use of U.S.-based laptop farms.
According to court documents, Knoot participated in a scheme to obtain remote employment with American and British companies for foreign information technology (IT) workers who were actually North Korean actors. Knoot allegedly assisted them in using a stolen identity to pose as a U.S. citizen; hosted company laptops at his residences; downloaded and installed software without authorization on such laptops to facilitate access and perpetuate the deception; and conspired to launder payments for the remote IT work, including to accounts tied to North Korean and Chinese actors.
“As alleged, this defendant facilitated a scheme to deceive U.S. companies into hiring foreign remote IT workers who were paid hundreds of thousands of dollars in income funneled to the DPRK for its weapons program,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “This indictment should serve as a stark warning to U.S. businesses that employ remote IT workers of the growing threat from the DPRK and the need to be vigilant in their hiring processes.”
“North Korea has dispatched thousands of highly skilled information technology workers around the world to dupe unwitting businesses and evade international sanctions so that it can continue to fund its dangerous weapons program,” said U.S. Attorney Henry C. Leventis for the Middle District of Tennessee. “Today’s indictment, charging the defendant with facilitating a complex, multi-year scheme that funneled hundreds of thousands of dollars to foreign actors, is the most recent example of our office’s commitment to protecting the United States’ national security interests.”
“As today’s charges demonstrate, the FBI will relentlessly pursue those who aid the North Korean government’s illegal efforts to generate revenue,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “Where illicit proceeds may be used to fund the regime’s kinetic capacity, we will prioritize our work to disrupt that flow of money. This indictment should demonstrate the risk faced by those who support DPRK's malicious cyber activity.”
The DPRK has dispatched thousands of skilled IT workers abroad primarily in China and Russia with an aim at deceiving U.S. businesses worldwide into hiring them as freelance IT workers generating revenue for its WMD programs. DPRK IT worker schemes involve pseudonymous email accounts, social media profiles, payment platforms, online job site accounts as well as false websites proxy computers witting unwitting third parties located in United States elsewhere described May 2022 tri-seal public service advisory released by FBI Department Treasury Department State such individually earn up $300000 annually generating hundreds millions collectively each year behalf designated entities like North Korean Ministry Defense others directly involved UN-prohibited WMD programs.
The indictment unsealed today alleges Knoot participated scheme assist overseas IT workers obtain remote work US companies believed hiring US-based personnel these were North Korean nationals used stolen identity US citizen Andrew M obtain this defrauded media technology financial ultimately causing them hundreds thousands damages.
According court documents Knoot ran laptop farm Nashville residences between approximately July 2022 August 2023 victim shipped addressed Andrew M following receipt without authorization logged downloaded installed unauthorized remote desktop applications accessed networks causing damage computers enabled locations China while appearing working residences participation paid monthly fee services foreign-based facilitator Yang Di court-authorized search executed early August 2023.
Overseas associated cell each paid over $250000 their work between approximately July 2022 August 2023 much falsely reported Internal Revenue Service Social Security Administration name actual person Andrew M whose identity stolen actions caused more than $500000 costs associated auditing remediating devices systems networks conspired commit money laundering conducting financial transactions receive payments transfer funds outside attempt promote unlawful activity hide transferred proceeds non-US include associated Chinese actors.
Knoot charged conspiracy cause damage protected computers monetary instruments wire fraud intentional aggravated identity theft unlawful employment aliens convicted faces maximum penalty 20 years prison mandatory minimum two years aggravated count.
Under Department-wide DPRK RevGen Domestic Enabler Initiative launched March 2024 National Security Division FBI Cyber Counterintelligence Divisions prosecutors agents prioritizing identification shuttering US-based laptop farms locations hosting provided victim believed legitimate freelance investigation prosecution individuals hosting Today announcement follows successful action taken October May targeted identical related conduct.
FBI investigating case.
Assistant U.S Attorney Josh Kurtzman Middle District Tennessee Trial Greg Nicosia National Security Division Cyber Section prosecuting case.
An indictment merely allegation All defendants presumed innocent until proven guilty beyond reasonable doubt court law.
___