US DoJ dismantled remote IT worker fraud schemes run by North Korea

The U.S. DoJ arrested a Tennessee man for running a “laptop farm” that enabled North Korea-linked IT workers to obtain remote jobs with American companies.

The U.S. Justice Department arrested Matthew Isaac Knoot (38) from Nashville (Tennessee) for operating a “laptop farm” that facilitated North Korea-linked IT workers in obtaining remote jobs with American companies.

The man was arrested for his efforts to generate revenue for North Korea’s illicit weapons program, which includes weapons of mass destruction (WMD).

In May, the FBI also issued an advisory warning the public and private sector of the threat posed to the U.S. businesses by Information Technology (IT) workers from the Democratic People’s Republic of Korea (North Korea). 

US authorities accuse Knoot of aiding North Korean IT workers in using a stolen identity to impersonate a U.S. citizen, hosting company laptops at his home, unauthorized software installation to facilitate access, and laundering payments for the remote work through accounts linked to North Korean and Chinese individuals.

“According to court documents, Knoot participated in a scheme to obtain remote employment with American and British companies for foreign information technology (IT) workers, who were actually North Korean actors.” reads the press release published by DoJ. “Knoot allegedly assisted them in using a stolen identity to pose as a U.S. citizen; hosted company laptops at his residences; downloaded and installed software without authorization on such laptops to facilitate access and perpetuate the deception; and conspired to launder payments for the remote IT work, including to accounts tied to North Korean and Chinese actors.”

North Korea has dispatched skilled IT workers abroad, mainly to China and Russia, to deceive global businesses into hiring them as freelance IT workers, generating revenue for its weapons programs. These IT workers use fake identities and online tactics to mask their true origins. According to a May 2022 advisory, they can earn up to $300,000 annually each.

An indictment in Tennessee reveals that Knoot aided North Korean IT workers by facilitating remote IT jobs at U.S. companies under the false pretense that they were U.S.-based. Knoot operated a “laptop farm” from July 2022 to August 2023, where he received laptops shipped to a fake identity, installed unauthorized software, and allowed North Korean workers in China to access U.S. company networks. Knoot was paid monthly by a foreign facilitator named Yang Di. His operations were raided in August 2023.

According to court documents, Knoot ran a “laptop farm” at his Nashville residences between approximately July 2022 and August 2023.  The victim companies shipped laptops addressed to “Andrew M.” to Knoot’s residences. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage to the computers. The remote desktop applications enabled the North Korean IT workers to work from locations in China, while appearing to the victim companies that “Andrew M.” was working from Knoot’s residences in Nashville. For his participation in the scheme, Knoot was paid a monthly fee for his services by a foreign-based facilitator who went by the name Yang Di. A court-authorized search of Knoot’s laptop farm was executed in early August 2023.

“The overseas IT workers associated with Knoot’s cell were each paid over $250,000 for their work between approximately July 2022 and August 2023, much of which was falsely reported to the Internal Revenue Service and the Social Security Administration in the name of the actual U.S. person, Andrew M., whose identity was stolen.” continues the press release.

It has been estimated that Knoot and his conspirators’ caused the targeted companies more than $500,000 in costs associated with auditing and remediating their devices, systems, and networks. Knoot, Di, and others conspired to commit money laundering by conducting financial transactions to receive payments from the victim companies, transfer the funds to Knoot and to accounts outside of the United States, in an attempt both to promote their unlawful activity and to hide that transferred funds were the proceeds of it.  The non-U.S. accounts include accounts associated with North Korean and Chinese actors.

The victims companies believed they were hiring a legitimate U.S. worker and shipped laptops to Knoot’s home. Then Knoot installed unauthorized software on the laptops to allow the North Korean IT workers to remotely login from locations in China.

Knoot is charged with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft and conspiracy to cause the unlawful employment of aliens.” concludes DoJ. “If convicted, Knoot faces a maximum penalty of 20 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.””

In May, the Justice Department unsealed charges against an Arizona woman, a Ukrainian man, and three unidentified foreign nationals accused of aiding overseas IT workers, pretending to be U.S. citizens, to infiltrate hundreds of firms in remote IT positions. North Korea used this scheme to dispatch thousands of skilled IT workers globally, using stolen U.S. identities to infiltrate companies and raise revenue. The schemes defrauded over 300 U.S. companies, utilizing U.S. payment platforms, online job sites, and proxy computers. According to the DoJ, this is the largest scheme of this kind ever charged by US authorities.

The operations coordinated by the North Korean government took place between October 2020 and October 2023. Intelligence experts speculate the campaign was aimed at financing the government’s illicit nuclear program.

The defendant Christina Marie Chapman was arrested in May in Litchfield Park, Arizona, while Oleksandr Didenko was arrested in Poland a few days before. US authorities are requesting the extradition to the United States of Didenko.

Chapman faces charges of conspiracy to defraud the United States, wire fraud, bank fraud, aggravated identity theft, identity fraud, money laundering, operating an unlicensed money transmitting business, and unlawful employment of aliens.

She faces a maximum penalty of 97.5 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.

Didenko allegedly ran a multi-year scheme creating accounts on U.S.-based freelance IT job platforms and money service transmitters using false identities, including those of U.S. persons. Then the man sold these accounts to overseas IT workers. He is the administrator of a website called upworksell.com, which was used to advertise these services along with credit card and SIM card rentals. The investigation revealed that Didenko managed about 871 proxy identities and provided accounts for three freelance IT platforms and three U.S.-based money service transmitters. He facilitated at least three U.S.-based laptop farms, hosting around 79 computers, and received or sent $920,000 since July 2018. The man admitted to assisting North Korean IT workers and was interconnected with other cells within the DPRK IT worker network. If convicted, Didenko faces up to 67.5 years in prison, including a mandatory minimum of two years for aggravated identity theft.

DoJ also unsealed charges against three other individuals John Doe 1, alias Jiho Han; John Doe 2, alias Haoran Xu; John Doe 3, alias Chunji Jin.

“Chapman and her co-conspirators allegedly compromised more than 60 identities of U.S. persons, impacted more than 300 U.S. companies, caused false information to be conveyed to DHS on more than 100 occasions, created false tax liabilities for more than 35 U.S. persons, and resulted in at least $6.8 million of revenue to be generated for the overseas IT workers. The department seized funds related to scheme from Chapman as well as wages and monies accrued by more than 19 overseas IT workers.” reads the press release published by DoJ.

Concurrent with DoJ’s announcement, the U.S. Department of State announced a reward of up to $5 million for information related to the above three individuals.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter