Geopolitics & DefenseNational Security

US Crackdown Targets 'Laptop Farms' Aiding North Korea's Illicit IT Schemes

Analyst 207||Source: BleepingComputer
US government office with row of laptops, hinting at tech industry crackdown.
"These sentences hold accountable U.S nationals who enabled North Korea's illicit efforts to infiltrate U.S. networks and profit on the back of U.S. companies," said Assistant Attorney General John A. Eisenberg on Wednesday.

The sentences and the defendants

Two U.S. nationals, Matthew Isaac Knoot and Erick Ntekereze Prince, were each sentenced to 18 months in prison for operating so‑called "laptop farms" that enabled North Korean IT workers to obtain remote employment at nearly 70 American companies. The men are described by prosecutors as the seventh and eighth U.S.-based "laptop farmers" sent to prison since the start of the year, part of a federal initiative targeting North Korea's illicit revenue generation schemes.

In addition to prison terms, Knoot was ordered to pay $15,100 in restitution and forfeit an additional $15,100; Prince was ordered to forfeit $89,000. Prince pleaded guilty to wire‑fraud conspiracy in November, and Knoot was arrested and charged in August 2024, according to the court record summarized by prosecutors.

How the laptop farms operated

Prosecutors say the operations used stolen identities, company‑issued hardware, and remote access software to make foreign IT contractors appear to be legitimate, U.S.-based employees. Knoot ran a laptop farm from his Nashville residences between July 2022 and August 2023. He received company‑issued laptops addressed to a stolen identity, identified in court records as "Andrew M.," and installed unauthorized remote desktop software that allowed North Korean IT workers to appear as U.S.-based employees.

Prince operated through his company, Taggcar Inc., and enabled at least three North Korean IT workers to obtain remote employment at U.S. companies from approximately June 2020 through August 2024. According to prosecutors, the scheme routed the majority of salary payments overseas.

Financial losses and remediation costs

The financial impact on victim companies was significant and twofold: direct salary payments and follow‑on auditing and remediation expenses. Victim companies paid more than $250,000 to IT workers associated with Knoot's operation; those payments were falsely reported to the Social Security Administration and the Internal Revenue Service under stolen identities. Prince's cases involved more than $943,000 in salary paid to the IT workers he helped place, with most of that money routed overseas.

Beyond salaries, Knoot's actions caused more than $500,000 in auditing and remediation costs at victim companies. Prince's activity caused more than $1 million in remediation costs. Those downstream expenses were a substantial part of the federal prosecutorial narrative and were reflected in the restitution and forfeiture orders handed down by the court.

Earlier prosecutions and the federal initiative

Federal prosecutors framed the sentences as part of a broader effort to disrupt North Korea's illicit revenue streams. The FBI has been warning since at least 2023 that North Korea "maintains a large army of thousands of IT workers using identity theft to secure employment at hundreds of American companies each year," the public record states.

Recent related prosecutions include U.S. nationals Kejia Wang and Zhenxing Wang, who were sent to prison in April for helping North Korean remote IT workers pose as U.S. residents. The source material also notes that, last July, Christina Marie Chapman of Arizona was sentenced to 102 months in prison for running a laptop farm that helped North Korean IT workers get hired by 309 U.S. companies while using stolen identities.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: The cases spotlight a persistent technique — routing company‑issued hardware to stolen identities and installing unauthorized remote desktop software — that security teams will need to detect and block to prevent foreign contractors from masquerading as domestic employees.
  • Policymakers and prosecutors: The sentences, forfeitures, and the characterization of these prosecutions as part of a federal initiative signal continued criminal enforcement as a tool to disrupt revenue flows to sanctioned actors and to deter intermediaries who facilitate identity fraud and payment routing.
  • Affected enterprises and procurement leaders: The reports underscore the dual financial exposure of payroll losses plus substantial auditing and remediation costs; companies that discover such placements can face both remediation bills and the administrative burden of correcting false filings with the Social Security Administration and the Internal Revenue Service.

The government framed these sentences as accountability for intermediaries who made North Korean IT labor appear domestic and who profited by steering salary payments overseas. With the FBI warning of a "large army of thousands" of IT workers using identity theft and with multiple prosecutions and a range of forfeiture and restitution orders already on record, the central question left by the sequence of cases is whether continued prosecutions and asset forfeitures will materially reduce the flow of illicit income — or whether the scale described by the FBI means more cases and costs for U.S. companies lie ahead.

Source: Americans sentenced for running 'laptop farms' for North Korea — BleepingComputer

Critical InfrastructureEmerging ThreatsInternational CooperationNation-StateNorth KoreaSupply Chain CompromiseUS EnforcementEconomic EspionageLaptop FarmsIllicit IT
Related Intelligence

Continue Reading

Type 45 destroyer docked with compact laser system in foreground.

UK Industry Partners Miniaturize DragonFire Laser for Type 45 Destroyer Debut

The UK's naval industry is making strides in laser technology, with QinetiQ, MBDA, and Leonardo teaming up to miniaturize the powerful DragonFire laser system for its debut on a Type 45 destroyer by 2027. This innovative partnership is shrinking the hardware to make the high-energy laser more feasible for naval deployment.

Analyst 207
US defense industrial facility with machinery and equipment producing defense-related objects.

Threats Expose Gaps in US Air-and-Missile-Defense Industrial Base

The US air-and-missile-defense system is struggling to keep up with today's threats, revealing gaps in real time, because its industrial base was designed for a bygone era. It's clear that we need a new approach, with more innovators and fresh ways to design, build, and deploy critical technologies like munitions and hypersonics.

Analyst 207
MQ-28 Ghost Bat drone on a runway with personnel in the background.

MQ-28 Ghost Bat Drone Deploys in Major Pacific Combat Exercise

The MQ-28 Ghost Bat drone made its debut in a major Pacific combat exercise, demonstrating its cutting-edge capabilities as a force multiplier that can fly alongside crewed fighters and extend their reach. This milestone marks a significant step forward in human-machine teaming and showcases the US commitment to a free and open Indo-Pacific.

Analyst 207
Satellite dish on a secure US military base with clear blue sky and clouds.

US Space Superiority at Risk as Acquisition Pace Lags

The battle for space superiority is heating up, with experts warning that the US is falling behind - and it's not just about being first, it's about control of the ultimate high ground that dictates success in every other domain, from air and sea to cyberspace. As one general put it, space operations are now vital to every military move, and the question is - can the US keep up?

Analyst 207