Tennessee Man Helped DPRK Workers Get Jobs at US Orgs, Fund WMDs

The US Department of Justice (DoJ) charged a Tennessee resident for helping North Koreans obtain IT jobs at US companies under false pretenses.

In August 2023, FBI agents raided the "laptop" farms 38-year-old Matthew Isaac Knoot operated out of his Nashville residences. From his laptops, North Korean and Chinese individuals overseas could connect to corporate networks in the US and UK, perform their jobs, and funnel their salaries back to their country's ruling party. According to authorities, this money helps fund North Korean leader Kim Jong-Un's nuclear weapons programs.

For his farming, Knoot has been charged with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft, and conspiracy to cause the unlawful employment of aliens. Those charges carry a maximum penalty of 20 years in prison.

North Koreans Infiltrate US Companies Across the Spectrum

When the COVID-19 pandemic spurred companies to go remote, the Kim regime spotted an opportunity. Since then — and in Knoot's case, since July 2022 — DPRK government agents have been flooding the US job market, with the aim of sending their lucrative earnings back to the government.

The operations have been growing more sophisticated year by year. As Mandiant’s North Korean threat hunting team leader Michael Barnhart explains, "There'll be 10 people living in a house, with each person in the house running seven, eight, 10 profiles — getting seven, eight, 10 paychecks, 70 paychecks for one apartment. That money does stack up."

Another sign of improvement: Where once they mainly targeted freelance tech jobs, recently, these workers have been earning higher-level roles at specific companies. "You see [they go for] a lot of senior lead-type engineering roles. Why? That's who has the most access to data that you can extort, and you can sell, and you can let your buddies in to do stuff they're looking to do," he says.

The DoJ has observed cases across some of the largest companies in the Fortune 500, spanning industries: finance, media, technology, cybersecurity, and more. At the same time, agents have also been known to infiltrate even small mom-and-pop operations.

"At Black Hat, I talked to five different executives who had hired North Korean employees," reports Roger Grimes, data-driven defense evangelist at KnowBe4, which itself accidentally hired a North Korean agent just recently. "One was a 20-person company, one was a 12-person company. Every company is subject to this sort of attack."

Where Americans Come In

When a North Korean agent living in China or Russia applies for a US job, they don a stolen identity, plus a host of assumed personal assets: a pseudonymous email, social media account, payment account, online job site account, a fake personal website, and more. 

Next, they need a way to connect to corporate networks domestically. That's where a US citizen comes into the picture. "The lures, from what we've seen, have never been: 'Hey, I'm a North Korean. Let's run this scam,' Barnhart explains. "It's 'You want to make a couple hundred bucks a day by just working from home?' Things like that. 'We have a brand new startup company, but it's overseas. We'd like for you to be the face of the franchise in the US.'"

Agents who worked through Knoot's farm shared the persona of a real US citizen referred to by the DoJ as "Andrew M." Once they landed a job, Andrew M. would direct companies to send their new work laptop to Knoot's address. Upon receiving the laptop, Knoot would log in, connect to company networks, and, without permission, install remote desktop applications. These apps allowed North Koreans to connect from overseas, and earn more than $250,000 each per year, simply by performing their actual jobs.

Knoot, in turn, earned a monthly fee from a handler who went by the name Yang Di.

The case mirrors a larger one revealed in May, involving a middle-aged Arizona woman, a Ukrainian, and three other foreign nationals. That operation earned millions of dollars from more than 300 different companies.

How to Spot a North Korean Worker

There are certain characteristic signs that your applicant may not be who they claim they are.

"A big commonality I've heard from people was that the job seeker really has a hard time getting on camera. If the company asks them, they then have some excuse about why they can't," Grimes explains. 

Besides that, he adds, "They'll say they work for some big, valid company, but their references [always have] a Gmail or Hotmail address. Their profiles on LinkedIn and other websites have a staleness to them, a simpleness to them that doesn't look quite natural. If their company provides equipment, all of a sudden they'll say you need to ship it to another address that wasn't listed in their résumé or their application. They make up an excuse."

To try and pick out fake applicants, companies need to be on the lookout for signs like these and others — for example, applicants who provide Voice over Internet Protocol (VoIP) phone numbers. "The number one thing for every company — I don't care what your size is — is you need to now think about and update your HR hiring practices to take into account these potential fake employees," Grimes says, "and try to put in controls that make it harder for them to be successful."