Americans sentenced for running 'laptop farms' for North Korea
Two U.S. nationals were sentenced to 18 months in prison for running “laptop farms” that helped North Korean IT workers fraudulently obtain remote jobs at nearly 70 American companies. Matthew Knoot operated the scheme from Nashville (July 2022–August 2023) using stolen identities, while Erick Prince aided North Korean workers through Taggcar Inc (2020–2024). The case, part of a broader effort to disrupt North Korea’s illicit IT revenue, involved substantial victim payments and remediation costs, with restitution and forfeiture orders issued.

Overview
Two United States nationals were sentenced to 18 months in prison apiece after operating so-called laptop farms that enabled North Korean IT workers to fraudulently obtain remote employment with nearly 70 American companies. The rulings mark the seventh and eighth U.S.-based individuals imprisoned in a federal crackdown targeting North Korea’s illicit revenue schemes and cyber-enabled activities. Prosecutors and law enforcement officials described the defendants as key enablers who helped disguise North Korean workers as legitimate U.S. employees, thereby compromising corporate networks and funding sanctioned government activities.
Case Profiles
Matthew Isaac Knoot
- Residence and operation: Knoot ran a laptop farm from his Nashville, Tennessee area home between July 2022 and August 2023.
- Mechanism: He received company-issued laptops addressed to a stolen identity (“Andrew M.”) and installed unauthorized remote desktop software, allowing North Korean IT workers to masquerade as U.S.-based employees.
- Financial impact on victims: Victim companies paid more than $250,000 to IT workers connected to Knoot’s operation. These payments were falsely reported to the Social Security Administration and the Internal Revenue Service under stolen identities.
- Costs and restitution: Knoot’s actions led to more than $500,000 in auditing and remediation costs for victim companies. He was sentenced to 18 months in prison and ordered to pay $15,100 in restitution and to forfeit $15,100.
- Agency statements: The judge and prosecutors framed the case as part of a broader effort to disrupt North Korea’s illicit revenue streams by targeting individuals who facilitate the regime’s outreach and infiltration into U.S. networks.
Erick Ntekereze Prince
- Business role: Prince operated through Taggcar Inc., allegedly enabling North Korean IT workers to obtain remote employment at U.S. companies.
- Timeframe and scope: The scheme spanned approximately June 2020 through August 2024, with at least three North Korean IT workers hired to work remotely for U.S. firms.
- Financial impact on victims: The IT workers hired with Prince’s assistance earned salaries totaling more than $943,000, a substantial portion of which was routed overseas.
- Costs and restitution: Prince’s actions contributed to more than $1 million in remediation costs for affected companies. He was also sentenced to 18 months in prison and ordered to forfeit $89,000.
- Guilty plea: Prince had previously pleaded guilty to a wire-fraud conspiracy, reflecting the broader pattern of North Korean operatives using stolen identities and fraudulent job arrangements to extract funds from U.S. employers.
Financial and Remediation Burdens
- Aggregate costs to victim companies: The operations associated with Knoot and Prince produced substantial remediation bills, including costs associated with auditing, security improvements, and incident response.
- Restitution and forfeiture: Knoot was ordered to pay and forfeit a total of $30,200 ($15,100 restitution + $15,100 forfeiture). Prince was ordered to forfeit $89,000 in connection with the charges.
- Broader financial impact: In addition to direct payments to IT workers, the schemes generated significant secondary costs for U.S. businesses, including investigations by security teams, commissions, and potential impacts to vendor and customer trust.
Context and Background
North Korea’s Illicit IT Worker Network
- The broader scheme involves a large cadre of North Korean IT workers who rely on identity theft to secure employment with hundreds of U.S. companies.
- FBI and other agencies have long warned that this network uses stolen identities and fraudulent documentation to obtain remote roles, enabling the regime to generate revenue despite international sanctions.
- Public statements have highlighted that thousands of North Korean IT workers can be mobilized to penetrate corporate networks, with recruitment and placement often orchestrated through intermediaries and shell companies.
Related Cases and Chronology
- April sentencing: Kejia Wang and Zhenxing Wang, U.S. nationals, were imprisoned for assisting North Korean remote IT workers in posing as U.S. residents and obtaining remote roles.
- Last July: Christina Marie Chapman, a 50-year-old from Arizona, received a lengthy sentence (102 months) for running a laptop farm from her home and helping North Korean workers secure employment at hundreds of U.S. companies using stolen identities.
- Ongoing pattern: The Department of Justice and federal agencies have repeatedly highlighted that North Korea maintains a substantial army of IT workers who leverage identity theft to gain access to U.S. corporate networks and services annually.
Official Commentary and Enforcement Context
- Public remarks from a senior official emphasized accountability for U.S. nationals who enabled North Korea’s illicit operations, underscoring the seriousness with which federal authorities view “laptop farming” as a conduit for illicit revenue and cyber intrusions.
- The enforcement effort reflects a bipartisan, cross‑agency approach to countering illicit finance and cyber threats linked to sanctioned regimes.
Impact on Victims and the Industry
- Corporate networks and security teams bear ongoing costs related to incident response, identity verification, and remediation when remote workers associated with such schemes are discovered.
- The cases illustrate how seemingly legitimate arrangements—remote employment, company-issued devices, and payroll processes—can be co-opted for illicit ends, necessitating robust vetting and continuous monitoring of contractors, vendors, and remote employees.
Broader Security Implications
- Remote work security: These cases highlight how exposed organizations are when remote-work arrangements depend on identity verification, access controls, and secure device management.
- Importance of identity integrity: The use of stolen identities and compromised payroll reporting underscores the need for stronger anti-fraud controls in HR and IT systems.
- International crime linkage: Infiltration efforts tied to sanctioned regimes demonstrate how domestic business activity can be exploited to fund hostile activities abroad.
Closing Context
- The sentences reflect a growing emphasis on prosecuting individuals who facilitate illicit state-sponsored revenue streams through cyber-enabled employment fraud.
- While the case details are specific to Knoot and Prince, they sit within a larger, continuing effort to disrupt North Korea’s IT workforce operations and the ways they exploit U.S. corporate networks.
- The investigation underscores the ongoing vigilance required by companies to safeguard remote work environments, verify employee identities, and detect anomalies in payroll and remote-access patterns.
Key Takeaways
- Individual operatives can act as critical links between sanctioned regimes and U.S. corporate networks.
- Substantial remediation costs accompany breaches tied to these schemes, in addition to legal penalties for participants.
- Federal authorities continue to pursue a multi‑agency strategy to dismantle illicit IT worker networks and to deter similar schemes in the future.


