{
	"id": "492c1276-978a-43d7-9ad2-b52599978ee2",
	"created_at": "2026-04-07T14:43:14.633586Z",
	"updated_at": "2026-04-10T13:12:19.865731Z",
	"deleted_at": null,
	"sha1_hash": "656030529575fe53272cf868e5239cd22de725ff",
	"title": "Department Disrupts North Korean Remote IT Worker Fraud Schemes Through Charges and Arrest of Nashville Facilitator",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61941,
	"plain_text": "Department Disrupts North Korean Remote IT Worker Fraud\r\nSchemes Through Charges and Arrest of Nashville Facilitator\r\nPublished: 2024-08-08 · Archived: 2026-04-07 12:50:13 UTC\r\nNASHVILLE – Matthew Isaac Knoot, 38, of Nashville, Tennessee, was charged today for his efforts to generate\r\nrevenue for the Democratic People’s Republic of Korea’s (DPRK or North Korea) illicit weapons program, which\r\nincludes weapons of mass destruction (WMD).\r\nAccording to court documents, Knoot, participated in a scheme to obtain remote employment with American and\r\nBritish companies for foreign information technology (IT) workers, who were actually North Korean actors.\r\nKnoot assisted them in using a stolen identity to pose as a U.S. citizen, hosted company laptops at his residences,\r\ndownloaded and installed software without authorization on such laptops to facilitate access and perpetuate the\r\ndeception, and conspired to launder payments for the remote IT work, including to accounts tied to North Korean\r\nand Chinese actors.\r\n“North Korea has dispatched thousands of highly skilled information technology workers around the world to\r\ndupe unwitting businesses and evade international sanctions so that it can continue to fund its dangerous weapons\r\nprogram,” said United States Attorney Henry C. Leventis for the Middle District of Tennessee. “Today’s\r\nindictment, charging the Defendant with facilitating a complex, multi-year scheme that funneled hundreds of\r\nthousands of dollars to foreign actors, is the most recent example of our office’s commitment to protecting the\r\nUnited States’ national security interests.”\r\n“As alleged, this defendant facilitated a scheme to deceive U.S. companies into hiring foreign remote IT workers\r\nwho were paid hundreds of thousands of dollars in income funneled to the DPRK for its weapons program,” said\r\nAssistant Attorney General Matthew G. Olsen of the National Security Division. “This indictment should serve as\r\na stark warning to U.S. businesses that employ remote IT workers of the growing threat from the DPRK and the\r\nneed to be vigilant in their hiring processes.”\r\n“As today’s charges demonstrate, the FBI will relentlessly pursue those who aid the North Korean government’s\r\nillegal efforts to generate revenue,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “Where\r\nillicit proceeds may be used to fund the regime’s kinetic capacity, we will prioritize our work to disrupt that flow\r\nof money. This indictment should demonstrate the risk faced by those who support the DPRK's malicious cyber\r\nactivity.”\r\nThe DPRK has dispatched thousands of skilled IT workers to live abroad, primarily in China and Russia, with the\r\naim of deceiving U.S. and other businesses worldwide into hiring them as freelance IT workers to generate\r\nrevenue for its WMD programs. DPRK IT worker schemes involve the use of pseudonymous email, social media,\r\npayment platform and online job site accounts, as well as false websites, proxy computers, and witting and\r\nunwitting third parties located in the United States and elsewhere. As described in a May 2022 tri-seal public\r\nservice advisory\r\nhttps://www.justice.gov/usao-mdtn/pr/department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and\r\nPage 1 of 5\n\nreleased by the FBI, the Department of the Treasury, and the Department of State, such IT workers have been\r\nknown individually earn up to $300,000 annually, generating hundreds of millions of dollars collectively each\r\nyear, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved\r\nin the DPRK’s UN-prohibited WMD programs.\r\nThe indictment unsealed today in the Middle District of Tennessee alleges that Knoot participated in a scheme to\r\nassist overseas IT workers to obtain remote IT work at U.S. companies which believed that they were hiring U.S.-\r\nbased personnel. The IT workers, who were North Korean nationals, used the stolen identity of a U.S. citizen,\r\n“Andrew M.,” to obtain this remote IT work.  The scheme defrauded U.S. media, technology, and financial\r\ncompanies, ultimately causing them hundreds of thousands of dollars in damages.   \r\nAccording to court documents, Knoot ran a “laptop farm” at his Nashville residences between approximately July\r\n2022 and August 2023.  The victim companies shipped laptops addressed to “Andrew M.” to Knoot’s\r\nresidences. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops,\r\ndownloaded and installed unauthorized remote desktop applications, and accessed the victim companies’\r\nnetworks, causing damage to the computers.  The remote desktop applications enabled the North Korean IT\r\nworkers to work from locations in China, while appearing to the victim companies that “Andrew M.” was working\r\nfrom Knoot’s residences in Nashville. For his participation in the scheme, Knoot was paid a monthly fee for his\r\nservices by a foreign-based facilitator who went by the name Yang Di. A court-authorized search of Knoot’s laptop\r\nfarm was executed in early August 2023.\r\nThe overseas IT workers associated with Knoot’s cell were each paid over $250,000 for their work between\r\napproximately July 2022 and August 2023, much of which was falsely reported to the Internal Revenue Service\r\nand the Social Security Administration in the name of the actual U.S. person, Andrew M., whose identity was\r\nstolen.  Knoot and his conspirators’ actions also caused the victim companies more than $500,000 in costs\r\nassociated with auditing and remediating their devices, systems, and networks. Knoot, Di and others conspired to\r\ncommit money laundering by conducting financial transactions to receive payments from the victim companies,\r\ntransfer those funds to Knoot and to accounts outside of the United States, in an attempt both to promote their\r\nhttps://www.justice.gov/usao-mdtn/pr/department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and\r\nPage 2 of 5\n\nunlawful activity and to hide that transferred funds were the proceeds of it.  The non-U.S. accounts include\r\naccounts associated with North Korean and Chinese actors.\r\nKnoot is charged with conspiracy to cause damage to protected computers, conspiracy to launder monetary\r\ninstruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity\r\ntheft and conspiracy to cause the unlawful employment of aliens. If convicted, Knoot faces a maximum penalty of\r\n20 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.\r\nUnder the Department-wide “DPRK RevGen: Domestic Enabler Initiative,” launched in March 2024 by the\r\nNational Security Division and the FBI’s Cyber and Counterintelligence Divisions, Department prosecutors and\r\nagents are prioritizing the identification and shuttering of U.S.-based “laptop farms” – locations hosting laptops\r\nprovided by victim U.S. companies to individuals they believed were legitimate U.S.-based freelance IT workers –\r\nand the investigation and prosecution of individuals hosting them. Today’s announcement follows successful\r\naction taken by the Department in October 2023\r\nand May 2024\r\nhttps://www.justice.gov/usao-mdtn/pr/department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and\r\nPage 3 of 5\n\n, which targeted identical and related conduct.\r\nThe FBI Memphis Field Office, Nashville Resident Agency is investigating the case.\r\nAssistant U.S. Attorney Josh Kurtzman for the Middle District of Tennessee and Trial Attorney Greg Nicosia of\r\nthe National Security Division’s Cyber Section are prosecuting the case.\r\nThe FBI, along with the Departments of State and Treasury, issued a May 2022 advisory\r\nto alert the international community, private sector, and public about the North Korea IT worker threat. Updated\r\nguidance was issued in October 2023\r\nhttps://www.justice.gov/usao-mdtn/pr/department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and\r\nPage 4 of 5\n\nby the United States and the Republic of Korea (South Korea) and in May 2024\r\nby the FBI, which include indicators to watch for that are consistent with the North Korea IT worker fraud and the\r\nuse of U.S.-based laptop farms.\r\nAn indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a\r\nreasonable doubt in a court of law.\r\n#####\r\nSource: https://www.justice.gov/usao-mdtn/pr/department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and\r\nhttps://www.justice.gov/usao-mdtn/pr/department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.justice.gov/usao-mdtn/pr/department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and"
	],
	"report_names": [
		"department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and"
	],
	"threat_actors": [],
	"ts_created_at": 1775572994,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/656030529575fe53272cf868e5239cd22de725ff.pdf",
		"text": "https://archive.orkl.eu/656030529575fe53272cf868e5239cd22de725ff.txt",
		"img": "https://archive.orkl.eu/656030529575fe53272cf868e5239cd22de725ff.jpg"
	}
}