Americans Sentenced for Hosting Laptop Farms for N. Korean Worker Scams
Two more U.S. citizens this week were sentenced to 18 months in prison for running laptop farms as part of North Korea’s notorious IT worker scams that, in these cases, victimized almost 70 companies and generated more than $1.2 million for the rogue country’s government.
Both Matthew Isaac Knoot, of Nashville, Tennessee, and New York resident Erick Ntekereze Prince over the last couple of years were arrested for their roles in the schemes, which followed the usual pattern of the IT scams. The Democratic People’s Republic of Korea (DPRK) has been running them for several years to get around international sanctions and bring in money for their weapons programs and other efforts.
Knoot and Prince received and hosted laptops sent to their addresses from companies in the United States that believed their newly hired workers lived at. They also installed remote desktop applications on the laptops, which allowed those new employees to work remotely overseas while seemingly working from the addresses the computers were sent to.
The U.S. Justice Department (DOJ) indicted Knoot in 2024 for allegedly running the laptop farm from 2022 and 2023 as well as for helping the fake IT workers pose as U.S. citizens by using stolen identities and conspiring to launder payments for the remote IT work, including sending the money to accounts tied to North Korean and Chinese actors.
Companies Paid $1.2 Million to Fraudsters
The U.S. companies victimized by the scheme involving Knoot paid the North Korean workers more than $250,000 for their work, and had to spend another $500,000 in auditing and system remediation costs. Most of the $250,000 was falsely reported to the IRS and Social Security Administration in the name of the U.S. citizen whose identity was stolen and used by the bad actors.
Prince was one of five people – two U.S. citizens, two from China, and the fifth from Mexico – indicted early last year for similar crimes. In his case, Prince helped at least three North Korean workers land work, including by using his company, Taggcar, to supply the workers to the victim U.S. companies. Those companies eventually paid the fake workers at least $943,069, causing more than $1 million in additional costs.
Prince was forced to forfeit the $89,000 the North Koreans paid him. Knoot had to give up the $15,100 he was paid.
DOJ Racks Up the Sentences
“This scheme shows how national security threats now enter through ordinary business systems,” U.S. Attorney Jason A. Reding Quiñones said in a statement. “These defendants helped North Korean IT workers pose as legitimate employees, gain access to American companies, and generate money for a sanctioned regime. These were not paperwork violations. They were deliberate acts that exposed U.S. businesses, compromised trust, and supported one of the world’s most dangerous adversaries.”
Knoot and Prince were the seventh and eighth people sentenced in the last five months for running such a laptop farm, according to the DOJ.
Much has changed at the DOJ since the Trump Administration returned to the White House early last year, but the department has continued the aggressive prosecution of those involved in the IT worker scams that was seen under President Biden. That’s good, because the threat continues to grow.
The Fraud Is Spreading
The United Nations in 2024 said in a report that North Korea’s government gets anywhere from $250 million to $600 million a year from the fraud. In a report late last year, Okta researchers said the schemes seen by IT and cryptocurrency firms in the United States were expanding into other countries, including Great Britain, Canada, Germany, and India, and other industries, such as healthcare, finance, and public administration.
The researchers wrote that the findings showed that the scam “is not a niche threat confined to large technology companies. It’s a widespread, long-term campaign targeting organizations across almost every vertical. This means any organization offering remote or hybrid roles – especially in software development, IT services, or other knowledge-worker disciplines – is a potential target.”
Two months later, Amazon echoed the warning about the widespread nature of the threat after admitting to being victimized by it. The North Korean imposter was working as a remote systems administrator when the hyperscaler noted a lag in the fraudsters input keystroke.
Steve Schmidt, senior vice president and chief security officer at Amazon, said companies need to require in-person interviews and ensure that cybersecurity teams review new hires.
