Nashville man arrested for aiding North Korean remote IT worker fraud
A Nashville resident was arrested Thursday on charges of facilitating a remote IT-worker scheme that funneled hundreds of thousands of dollars to North Korea’s illicit weapons program.
Matthew Isaac Knoot, 38, allegedly assisted North Korean IT workers in getting hired by U.S. and British companies under false identities. The indictment, unsealed in the Middle District of Tennessee, details a complex operation where Knoot allegedly used stolen identities to obtain remote work for North Korean nationals, who were masquerading as U.S. citizens.
These workers, based abroad, gained six-figure salaries which were laundered through international transfers to disguise their origins. Knoot, acting alongside others, including a facilitator named Yang Di, allegedly enabled these schemes through the use of unauthorized software installations on company-provided laptops. While the work was completed on U.S.-based computers, Knoot and co-conspirators earned a percentage of the salary, with the rest sent abroad.
Knoot faces multiple charges, including conspiracy to damage protected computers and money laundering, carrying a maximum potential sentence of 20 years in prison if convicted.
The recurrence of these North Korean-led remote work schemes has been a problem for both the U.S. government and the cybersecurity industry. In May, the Justice Department charged an Arizona woman in a similar scheme that defrauded over 300 U.S. companies through U.S.-based payment platforms, online job site accounts, and proxy computers. In July, security awareness training company KnowBe4 revealed that it had discovered and removed a newly hired software engineer on its internal IT team after it realized it was actually a persona controlled by a North Korean threat actor.
Earlier this week, CrowdStrike detailed in its 2024 Threat Hunting Report that remote IT workers with ties to North Korea targeted more than 30 U.S.-based companies, including aerospace, defense, retail and technology organizations.
“This indictment should serve as a stark warning to U.S. businesses that employ remote IT workers of the growing threat from the DPRK and the need to be vigilant in their hiring processes,” Assistant Attorney General Matthew G. Olsen said in a press release.
You can read the full indictment here.