A Tennessee man has been arrested for allegedly working to raise money for North Korea’s weapons program, the Justice Department said on Thursday.
Matthew Isaac Knoot, 38, is accused of helping North Korean workers “pose as a US citizen” as part of a scheme to gain employment at American and British tech companies, and of conspiring to launder money earned by the workers to financial accounts tied to North Korean and Chinese individuals, the Justice Department said.
Knoot also allegedly ran a “laptop farm” from his residences in Nashville that granted the North Koreans access to US internet connections to make it appear as if they were logging into work from the US rather than China, where they were based, according to prosecutors.
The scheme defrauded unnamed US media, tech and financial companies, ultimately costing them hundreds of thousands of dollars in damages, the department said.
Knoot’s case is allegedly just the latest example of a phenomenon that US national security officials have been trying to thwart for years: Thousands of North Korean overseas IT workers are trying to subvert sanctions and send hundreds of millions of dollars back to Pyongyang each year.
Some of those IT workers work closely with North Korean hackers, who are also a rich source of revenue for the regime, according to experts. About half of North Korea’s missile program has been funded by cyberattacks and cryptocurrency theft, a White House official said last year.
The IT workers associated with Knoot were paid over $250,000 for their work between about July 2022 and August 2023, much of which was falsely reported to the IRS and the Social Security Administration in the name of another person’s stolen identity, the Justice Department said.
CNN could not immediately identify an attorney for Knoot.
It’s the second time in three months that an American has been charged with allegedly helping facilitate a wide-ranging North Korean fraud scheme. The Justice Department in May charged an Arizona woman with participating in a similar scheme that helped foreign IT workers pose as Americans and earn $6.8 million in revenue that could benefit the North Korean regime.
North Korea’s sanctions-evasion schemes are rampant, according to experts, and thwarting them has become a national security priority for the Biden administration.
A previous CNN investigation found that the founder of a California-based cryptocurrency startup had unwittingly paid tens of thousands of dollars to a North Korean engineer. The entrepreneur was unaware of the situation until the FBI notified him, he said.
And North Korean illustrators and graphic designers appear to have helped produce work for US animation studios unbeknownst to those companies, independent researchers told CNN in April. The researchers discovered a trove of cartoon sketches on an open computer server on the North Korean portion of the internet.
North Korean IT workers play an “important role … in not just revenue generation but also … cyber operations for the North,” Cynthia Kaiser, deputy assistant director of the FBI’s Cyber Division, told CNN in an interview this week.
The FBI continues to see North Korean IT workers applying for jobs at US companies and the bureau is working with job-posting websites to flag suspicious activity that might be tied to the North Koreans, Kaiser said.
She described North Korea as a “semi-criminal state who is also a capable nation-state adversary within cyberspace that … is causing and has the potential to cause greater harm to America.”
Last month, KnowBe4, a prominent Florida-based cybersecurity company, announced that it had unknowingly hired a North Korean worker who used a stolen identity and an AI-enhanced photo to apply for a software engineering job at the company.
“We sent them their Mac workstation, and the moment it was received, it immediately started to load malware,” KnowBe4 said in a blog post about the incident, which the company said it contained before the North Korean worker was able to do any damage.