The U.S. government on Aug. 8 charged a Nashville, Tenn., man for his role in a fraudulent scheme to assist "fake" overseas IT workers from North Korea to obtain remote work at U.S. companies that believed they were hiring U.S.-based employees.
In an indictment unsealed by the U.S. Attorney’s Office in Middle Tennessee, the government alleges that Matthew Isaac Knoot, 38, ran a “laptop farm” at his Nashville residences between July 2022 and August 2023, causing victim companies $500,000 in costs associated with auditing and remediating their devices, systems and networks.
The indictment said the victim companies shipped laptops addressed to “Andrew M.” to Knoot’s residence. “Andrew M” was an actual U.S. person who had his identity stolen. The indictment alleged that upon receiving the laptops, Knoot would log on to the laptops, download and install unauthorized remote desktop applications, and access the victim companies’ networks, causing damage to the computers.
The remote desktop applications allegedly let the "fake" North Korean IT workers work from locations in China, while appearing to the victim companies in the United States that “Andrew M.” was working from Knoot’s residence in Tennessee. The indictment alleged that for his participation in the scheme, Knoot was paid a monthly fee for his services by a foreign-based facilitator who went by the name Yang Di.
Knoot was charged with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft, and conspiracy to cause the unlawful employment of aliens. He faces a maximum penalty of 20 years in prison if convicted, including a mandatory minimum of two years in prison on the aggravated identity theft count involving “Andrew M.”
Erich Kron, security awareness advocate for KnowBe4, which had similar issues with a remote IT worker from North Korea, pointed out that while Knoot was not the person that KnowBe4 dealt with, it demonstrated that this is an ongoing issue as opposed to a one-time event.
Kron said cybercrime and remote worker scams such as this are certainly being used by bad nation-state actors to help fund their cyber and military endeavors. Sanctions can be crippling to a country, as seen with North Korea, and so by planting fake employees within organizations, they can work around some of these sanctions and generate revenue they are otherwise denied.
“The growth of remote work and the global nature of modern business has made it much tougher for organizations to spot fake workers, many of which actually produce work just as well as real workers,” said Kron. “Because ultimately there’s someone behind the keyboard doing the required tasks and attending the required online meetings, there can be very little to tip off the organization that the worker is not who they seem to be, and their paycheck is being redirected to a potentially hostile foreign nation."
Kron added that these attacks are very difficult to protect against because of the resources available from the nation-states and because in a global economy we are used to hiring people who may not be located in the U.S. He said some steps that can help protect against these incidents include only shipping equipment to a pickup location where the receiver must show ID that matches their name, and wherever possible have at least one in-person interview with the potential candidate.
Guy Rosenthal, vice president, product at DoControl, said these cases are a wake-up call for HR departments and tech companies everywhere. While the global talent shortage in tech is real, it can't come at the expense of security and due diligence.
“What's particularly alarming here is the sophistication of these North Korean operations,” said Rosenthal. “They're not just sending out resumes — they're setting up entire fake identities, complete with AI-enhanced photos. It's a stark reminder that our adversaries are constantly evolving their tactics."
Rosenthal added that for HR teams, this means going beyond the usual background checks. We need to be implementing robust identity verification processes, especially for remote hires. This could include video interviews, real-time identity checks, and even AI-powered tools to detect potential identity fraud.
“But let's be clear — this isn't just an HR problem, it’s a cybersecurity issue that needs to be on every CISO's radar,” said Rosenthal. “These North Korean IT workers aren't just looking for a paycheck – they're potential insider threats with access to sensitive systems and data.”
Saran Gopalakrishnan, vice president at Netenrich, said these cases are certainly a wake-up call for the cybersecurity industry and a reminder of how sophisticated and advanced these threats have become.
“We need to raise the bar across the board,” said Gopalakrishnan said. “The days of relying on traditional security measures are long gone. We're now in the realm of advanced threat intelligence and real-time monitoring — it's not just a nice-to-have anymore; it's essential. Breaking down the silos is important. HR, IT, and security can't operate in isolation. They need to work together, especially when it comes to vetting processes. And, as this demonstrates, those vetting processes need a serious overhaul.”