Geopolitics & DefenseNational Security

US Duo Sentenced for Hosting Laptop Farms for North Korean IT Workers

Analyst 207||Source: CyberScoop
Courthouse interior with natural light, official seals blurred in background.

“The FBI and our partners will continue to disrupt North Korea’s ability to circumvent sanctions and fund its totalitarian regime,” Brett Leatherman, lead of the FBI’s Cyber Division, said in a statement.

Sentences, forfeitures and timelines for the two U.S. facilitators

Two U.S. nationals, Matthew Issac Knoot and Erick Ntekereze Prince, were each sentenced to 18 months in prison for running laptop farms that supported North Korea’s remote IT worker scheme, the Justice Department said. Knoot, of Nashville, Tennessee, was sentenced May 1 and was ordered to pay “$15,1000 in restitution to the victim companies” and forfeit an additional $15,100, which the Justice Department described as equivalent to his direct take from the scheme. Prince, of New York, was sentenced on a Wednesday in the same announcement and ordered to forfeit $89,000 — the amount he netted personally.

The formal records in the Justice Department release establish a clear timeline: Prince’s firm, Taggcar, was contracted to supply IT workers to victim U.S. companies from June 2020 through August 2024. He pleaded guilty in November 2025 to wire fraud conspiracy for his multi‑year involvement; he and alleged co‑conspirators were indicted in January 2025. Knoot was arrested in August 2024, a year after the FBI searched his home. Victim companies paid North Korean workers linked to Knoot’s laptop farm more than $250,000 from July 2022 to August 2023; investigators say the remote workers sent those funds to Knoot and to accounts tied to North Korean and Chinese nationals.

How the laptop farms worked: remote desktops, hosted machines, deceptive appearances

According to prosecutors, both Knoot and Prince received laptops from unsuspecting U.S. companies and physically hosted those devices at their residences. They installed remote desktop applications on the machines so co‑conspirators could work from elsewhere while the devices—and the network connections—appeared to show employees located in the United States. That deception allowed North Korean operatives to masquerade as legitimate remote employees to secure and maintain work for U.S. companies.

Financial impact: dollar figures and the broader revenue picture

The Justice Department attributed a combined $1.2 million in revenue from the two schemes to the North Korean regime. The Prince‑linked network of co‑conspirators obtained work for North Korean IT workers at 64 U.S. companies, earning nearly $950,000 in salary payments, the statement said. Knoot’s operations accounted for more than $250,000 in payments to North Korean workers during the specified period. The release also places these convictions in a wider context: authorities say the overall scheme generates “hundreds of millions of dollars annually” for North Korea’s military and organizations involved in its weapons programs.

Enforcement tools and the growing list of facilitators prosecuted

Prosecutors and investigators are deploying multiple countermeasures, the Justice Department said — seizing cryptocurrency tied to thefts and pursuing U.S.‑based facilitators who supplied forged or stolen identities and hosted laptop farms. The announcement placed Knoot and Prince among others already sentenced for enabling the scheme: Keija Wang and Zhenxing Wang; Audricus Phagnasay, Jason Salazar and Alexander Paul Travis; and Oleksandr Didenko and Christina Chapman.

“These sentences hold accountable U.S nationals who enabled North Korea’s illicit efforts to infiltrate U.S. networks and profit on the back of U.S. companies,” John A. Eisenberg, assistant attorney general for national security, said in a separate statement. “These defendants helped North Korean ‘IT workers’ masquerade as legitimate employees, compromising U.S. corporate networks and helping generate revenue for a heavily sanctioned and rogue regime.”

What this means for technologists, policymakers, and affected companies

  • Technologists and security teams: teams that manage remote access and endpoint devices will be watching for indicators described in the case — laptops physically hosted at third‑party residences and the installation of remote desktop software to mask geographic origin.
  • Policymakers and prosecutors: the Justice Department’s actions — indictments, guilty pleas, forfeitures and asset seizures including cryptocurrency — signal an enforcement approach that pairs criminal prosecution with financial remedies to disrupt revenue streams to the regime.
  • Affected enterprises and procurement leaders: companies that rely on third‑party staffing or contractor intermediaries — the release cites Taggcar’s multi‑year contracting work — will face renewed pressure to verify worker location and the provenance of devices used to access corporate systems.

The sentences for Knoot and Prince close two more facilitators’ chapters in a sprawling scheme, but prosecutors’ own language underscores that the problem is far from solved: the laptop‑hosting tactic has infiltrated an undetermined number of businesses, including “hundreds of Fortune 500 companies,” and authorities continue to pursue those who enable the network. As prosecutors put it, hosting laptops for DPRK IT workers is a federal crime — and these cases are intended as both punishment and deterrent.

https://cyberscoop.com/north-korea-it-worker-scheme-laptop-farm-facilitators-sentenced/

CybercrimeEmerging ThreatsFbiNation-StateSanctions EvasionEconomic EspionageNorth Korean ITUS Justice DepartmentRemote Work Scams
Related Intelligence

Continue Reading

Satellite on display at aerospace facility with people discussing in background.

Boeing Secures $2B Space Force Contract for MUOS Satellites

Boeing has landed a whopping $2 billion contract with the Space Force to develop two new Mobile User Objective System satellites, expanding the military's narrow-band communication capabilities. This major deal cements Boeing's role in supporting the Space Force's communication needs, following a competitive bid process that drew in industry heavyweights.

Analyst 207
Naval shipyard with MEKO vessels in background and abandoned dock in foreground.

Germany Scraps F126 Frigate Program, Shifts to MEKO Vessels

Germany is ditching its F126 frigate program, a costly endeavor that was projected to balloon to over €18 billion, and is instead turning to Meko vessels in a sudden overhaul of its surface fleet plans. The cancellation comes after delays and a potential contractor change threw the original €10 billion project off track.

Analyst 207
Representatives from different regions meet in a serene setting with blended Eastern and Western architectural elements.

EU, Australia Forge Inter-Regional Framework to Counter Hybrid Threats

A recent review by the Australian Strategic Policy Institute uncovered 40 regional security initiatives, with many involving Australia, highlighting both the impressive level of cooperation and the significant gaps that leave the Indo-Pacific vulnerable to complex threats. These initiatives, though numerous, often focus on specific geographic areas or themes, lacking the cross-domain reach needed to effectively counter hybrid threats.

Analyst 207
Government officials gather in a formal hearing room with daylight pouring in through tall windows.

US Seeks $67 Billion Defense Boost in $87.6 Billion Supplemental Request

The White House is seeking a massive $87.6 billion supplemental spending boost, with a whopping $67.1 billion dedicated to defense costs related to the war in Iran, in a bid to further secure the region and counter the regime's growing threats. This dramatic increase in defense spending comes on the heels of a major operation that successfully deterred a nuclear-armed Iran and crippled its regional influence.

Analyst 207