Matthew Isaac Knoot Allegedly Hosted Laptop Farm in his Nashville Home
U.S. federal prosecutors charged a Tennessee man with abetting North Korea in an ongoing effort to obtain remote IT work for its nationals as a way of generating hard currency to fund the development of weapons of mass destruction.
An indictment unsealed Thursday against Nashville resident Matthew Isaac Knoot, 38, is the third arrest this year in a national crackdown against North Korean remote IT workers (see: US FBI Busts North Korean IT Worker Employment Scams).
When North Korean workers obtain remote employment under fraudulent circumstances, Pyongyang looks for Americans willing to host company-provided laptops through which remote workers connect from North Korea or neighboring cities in China. Knoot faces five criminal counts, including conspiracy and aggravated identity theft.
“North Korean IT workers are widespread in Fortune 500 companies, using their earnings to incentivize others to aid their operations,” said Michael Barnhart, a specialist in North Korea for threat intelligence company Mandiant. Closing down laptop farms “deals a significant blow to their operations and unravels months and months of time and energy put in by these North Korean threat actors.”
Prosecutors allege Knoot kept laptops at his residence for North Korean workers between July 2022 and August 2023. The indictment also says North Korea stiffed Knoot, paying him only $15,100 – substantially less than the $500 per month plus 20 percent of each remote worker’s salary promised him by Pyongyang handlers.
Knoot was in contact with a North Korean persona who went by the moniker “Yang Di.” North Korean hackers stole the identity of U.S. citizen “Andrew M.” to create the character of a Georgia-based mid-level programmer. That identity earned at least $257,553 in wages from four companies during the time of Knoot’s participation in the conspiracy, prosecutors allege.
Three of the companies Andrew M. worked for have since spent more than half a million dollars auditing Andrew M.’s code and on legal fees. Prosecutors didn’t identify the companies other than describing them as a New York media company, a U.K. financial institution, an Oregon technology company and a Virginia media company.
The United Nations reportedly suspects North Korea of stealing approximately $3 billion between 2017 and 2023 to further weapons of mass destruction development. Many Pyongyang hacking operations, unlike other state-sponsored outfits, have a mandate to infuse cash into the rogue nation. North Korea has a well-established history of hacking for profit and inventive ways of circumventing economic sanctions that also include forced labor in Chinese factories, tobacco smuggling and false identities for cargo ships.