According to the FBI, the salaries of the IT employees – who did real work – were illegally channeled to North Korea to finance its illegal weapons programs.

Matthew Isaac Knoot, 38, is believed to have helped the IT workers, who were North Korean citizens living in Russia or China, by storing numerous laptops in his home. He is also accused of stealing the identity of a man in Georgia whom authorities identified as “Andrew M.” Through Knoot, the North Korean technicians used Andrew M’s driver’s license and identity to get well-paying contract jobs at American companies, authorities said.

After the technicians got the telecommuting jobs, according to the Justice Department, Knoot had companies ship work laptops to his address in Nashville, Tennessee. He then logged in, installed remote desktop applications and then accessed company networks. The remote desktop app masked the location of the North Korean IT workers living abroad, making it look like they were working under the identity of Andrew M. at Knoot’s Nashville address, authorities said.

Knoot also laundered tech employees’ salaries – some as much as $300,000 a year, authorities said – and then transferred the money to accounts linked to North Korean and Chinese nationals, according to a statement from the U.S. Department of Justice. The indictment did not name the specific companies, but described them as a media company in New York City, a British financial institution, a tech company in Portland and a media company in McLean, Virginia.

“As alleged, this defendant facilitated a plot to induce U.S. companies to hire foreign IT workers who received hundreds of thousands of dollars that were then funneled to the Democratic People’s Republic of Korea for its weapons program,” Assistant Attorney General Matthew Olsen of the National Security Division said in a statement, referring to North Korea’s official name as the Democratic People’s Republic of Korea. “This indictment should serve as a stark warning to U.S. companies that employ IT workers about the growing threat posed by the Democratic People’s Republic of Korea and the need to be vigilant in their hiring practices.”

For his role in the scheme, which ran from July 2022 to August 2023, Knoot was paid every month by an intermediary named Yang Di, according to the indictment. Di allegedly paid Knoot a flat fee of $100,000 for each laptop he hosted at his home, as well as a percentage of salaries. Knoot faces a maximum sentence of 20 years in prison, plus a mandatory two years for one count of aggravated identity theft.

The U.S. Department of Justice and the FBI have been investigating laptop farms funded by North Korea for three years. The scheme to raise money for its weapons of mass destruction program generates hundreds of millions annually, authorities say, using pseudonyms, fake emails, social media profiles and websites to scour online job listings. A UN report found that low-income workers involved in the scheme are allowed to keep 10 percent of their salary, while higher-paid workers keep 30 percent. The UN estimates that the workers generate between $250 million and $600 million annually.

“North Korea has deployed thousands of highly skilled IT workers around the world to deceive unsuspecting companies and evade international sanctions so it can continue to fund its dangerous weapons program,” U.S. Attorney Henry Leventis for the Middle District of Tennessee said in a statement.

Knoot is apparently the second U.S. citizen arrested as part of a laptop farming operation involving thousands of North Korean IT workers who have been sent around the world in recent years to raise money for the country’s weapons programs. In May 2024, the Justice Department filed charges against four people living abroad and an Arizona woman, Christina Marie Chapman, 49.

Chapman, who lived in a Phoenix suburb, allegedly ran a laptop farm that supported North Korean IT employees working remotely at more than 300 companies, authorities said. The companies included “well-known Fortune 500 companies, U.S. banks, and other financial services providers,” according to the U.S. Attorney’s Office. Chapman’s farm allegedly used the identities of 60 people in the U.S., which the technicians used to pose as Americans.

The companies that employed the IT workers included a top-five television network, a Silicon Valley technology company, an aerospace company, an automaker and a luxury retail store – all Fortune 500 companies, court records show. The identity thieves had issued false tax statements totaling at least $6.8 million in their names as part of the scheme, which Chapman facilitated, the Justice Department said.

Technology company KnowBe4 revealed last month that it had unknowingly hired a software developer for its internal AI team who was actually a North Korean IT worker. In a blog post, the company said its recruiter conducted four video interviews and confirmed the person matched the photo on the application. A background check also came up empty, the company said. In reality, the person was using a stolen identity and had used AI to enhance a stock photo.

KnowBe4 discovered the truth about its new employee that it was not disclosing after the attacker began tampering with and transferring files and using unauthorized software. He also downloaded malware.

“The scam is that they actually do the work, get paid well, and give North Korea a large amount to fund its illegal programs,” KnowBe4 CEO Stu Sjouwerman wrote in the post. “I don’t have to tell you how big the risk is.”

The company reported the employee to cybersecurity experts and the FBI to confirm its findings, and an FBI investigation is ongoing, the company said.

Attempts to reach Knoot, Di and Chapman were unsuccessful.