Federal law enforcement is continuing to target participants in ongoing North Korean schemes to get operatives hired as remote IT workers in the United States and elsewhere who use their positions to funnel money and information back to the regime.

Most recently, the U.S. Justice Department (DOJ) this month indicted a 38-year-old Nashville man for allegedly running a “laptop farm” at his residence as part of the sophisticated scam that stole hundreds of thousands of dollars from organizations and caused another $500,000 in costs to remediate their PCs, networks, and other systems after the operation was uncovered, according to authorities.

“North Korea has dispatched thousands of highly skilled information technology workers around the world to dupe unwitting businesses and evade international sanctions so that it can continue to fund its dangerous weapons program,” Henry Leventis, U.S. attorney for the Middle District of Tennessee, said in a statement, adding that Matthew Isaac Knoot is charged with “facilitating a complex, multi-year scheme that funneled hundreds of thousands of dollars to foreign actors.”

The operation was one of a number of such scams being run by North Korean intelligence agencies to plant IT workers in businesses throughout the United States. The North Korean operatives will do the work for those businesses but also will send much of the money they earn back to the country’s leaders to bypass international sanctions and fund their nuclear and ballistic weapon programs. They also will install malware into their corporate-issued PCs to break into the network and steal in formation.

Stolen Identities and Fake Photos

The fake IT workers use stolen identities and AI-altered photos to convince organizations to hire them. In this case, many of the companies hired who they thought was “Andrew M.,” a real U.S. citizen person whose identity had been stolen. The companies, in both the United States and the UK, were directed to send the corporate laptops to Knoot’s residence, where he installed unauthorized remote desktop software that the North Korean IT workers used to appear as though they were working from Knoot’s home while actually being located in China.

He also helped to launder payments for the remote IT work into non-U.S. accounts that were tied to North Korean and Chinese bad actors, according to the DOJ. Knoot did this from about July 2022 to August 2023, the agency said.

He faces a range of conspiracy charges – to launder money, to damage protected computers by installing the unauthorized applications, and to commit wire fraud – and wire fraud, among others.

“What’s particularly alarming here is the sophistication of these North Korean operations,” Guy Rosenthal, vice president of product at cybersecurity firm DoControl. “They’re not just sending out resumes, they’re setting up entire fake identities, complete with AI-enhanced photos. It’s a stark reminder that our adversaries are constantly evolving their tactics.”

A High-Profile Victim

Cybersecurity firm KnowBe4 was caught in such a scheme in July, hiring what turned out to be a North Korean IT worker who had used a stolen identity and an AI-altered photo to pass as a U.S. citizen answering a want ad looking for a software engineer for the company’s internal IT team. Despite a background and reference check and four video-based interviews, KnowBe4 hired him, founder and CEO Stu Sjouwerman wrote in a blog post late last month. He was caught after loading malware onto the company-issued Mac almost immediately after receiving the device.

Years of Fake IT Worker Scams

North Korea is one of several countries – including Russia, China, and Iran – that U.S. intelligence agencies see as the top nation-state cyberthreats. The DPRK – the Democratic People’s Republic of Korea – has been running the fake IT worker scam for several years.

The FBI and departments of Treasury and State in 2022 published an advisory about the threat and a year later the United States and South Korea issued updated guidance. Earlier this year, the FBI published more information about the scams.

In October 2023, U.S. law enforcement agencies announced they had seized 17 web domains and almost $1.5 million in an initiative that shut down several North Korean operations.

In March, the DOJ’s National Security Division and the FBI launched their “DPRK RevGen: Domestic Enabler Initiative” that aimed identify and shut down U.S.-based laptop farms. Two months later, they indicted Christina Marie Chapman of Arizona for running a laptop farm inside her home in an operation similar to Knoot’s.

Craig Jones, vice president of security operations at SecOps platform vendor Ontinue, said that for these North Korean operatives, it’s not just about getting hired but also embedding themselves in organizations so they can operate undetected for extended periods.

“By infiltrating companies through seemingly legitimate means, these operatives are able to gain access to sensitive systems and data without raising immediate suspicion,” Jones said. “This really illustrates the lengths to which these groups are willing to go. Setting up laptop farms to facilitate these operations is a clear indication of the sophistication and determination behind these efforts.”