• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Salt Typhoon breach: Chinese APT compromises U.S. Army National Guard network

 | 

Former US Army member confesses to Telecom hack and extortion conspiracy

 | 

CVE-2025-6554 marks the fifth actively exploited Chrome Zero-Day patched by Google in 2025

 | 

DDoS peaks hit new highs: Cloudflare mitigated massive 7.3 Tbps assault

 | 

U.S. CISA adds Wing FTP Server flaw to its Known Exploited Vulnerabilities catalog

 | 

Android Malware Konfety evolves with ZIP manipulation and dynamic loading

 | 

Belk hit by May cyberattack: DragonForce stole 150GB of data

 | 

North Korea-linked actors spread XORIndex malware via 67 malicious npm packages

 | 

FBI seized multiple piracy sites distributing pirated video games

 | 

An attacker using a $500 radio setup could potentially trigger train brake failures or derailments from a distance

 | 

Interlock ransomware group deploys new PHP-based RAT via FileFix

 | 

Global Louis Vuitton data breach impacts UK, South Korea, and Turkey

 | 

Experts uncover critical flaws in Kigen eSIM technology affecting billions

 | 

Spain awarded €12.3 million in contracts to Huawei

 | 

Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb

 | 

Wing FTP Server flaw actively exploited shortly after technical details were made public

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 53

 | 

Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

McDonald’s job app exposes data of 64 Million applicants

 | 

Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Intelligence
  • US DoJ dismantled remote IT worker fraud schemes run by North Korea

US DoJ dismantled remote IT worker fraud schemes run by North Korea

Pierluigi Paganini August 13, 2024

The U.S. DoJ arrested a Tennessee man for running a “laptop farm” that enabled North Korea-linked IT workers to obtain remote jobs with American companies.

The U.S. Justice Department arrested Matthew Isaac Knoot (38) from Nashville (Tennessee) for operating a “laptop farm” that facilitated North Korea-linked IT workers in obtaining remote jobs with American companies.

The man was arrested for his efforts to generate revenue for North Korea’s illicit weapons program, which includes weapons of mass destruction (WMD).

In May, the FBI also issued an advisory warning the public and private sector of the threat posed to the U.S. businesses by Information Technology (IT) workers from the Democratic People’s Republic of Korea (North Korea). 

US authorities accuse Knoot of aiding North Korean IT workers in using a stolen identity to impersonate a U.S. citizen, hosting company laptops at his home, unauthorized software installation to facilitate access, and laundering payments for the remote work through accounts linked to North Korean and Chinese individuals.

“According to court documents, Knoot participated in a scheme to obtain remote employment with American and British companies for foreign information technology (IT) workers, who were actually North Korean actors.” reads the press release published by DoJ. “Knoot allegedly assisted them in using a stolen identity to pose as a U.S. citizen; hosted company laptops at his residences; downloaded and installed software without authorization on such laptops to facilitate access and perpetuate the deception; and conspired to launder payments for the remote IT work, including to accounts tied to North Korean and Chinese actors.”

North Korea has dispatched skilled IT workers abroad, mainly to China and Russia, to deceive global businesses into hiring them as freelance IT workers, generating revenue for its weapons programs. These IT workers use fake identities and online tactics to mask their true origins. According to a May 2022 advisory, they can earn up to $300,000 annually each.

An indictment in Tennessee reveals that Knoot aided North Korean IT workers by facilitating remote IT jobs at U.S. companies under the false pretense that they were U.S.-based. Knoot operated a “laptop farm” from July 2022 to August 2023, where he received laptops shipped to a fake identity, installed unauthorized software, and allowed North Korean workers in China to access U.S. company networks. Knoot was paid monthly by a foreign facilitator named Yang Di. His operations were raided in August 2023.

According to court documents, Knoot ran a “laptop farm” at his Nashville residences between approximately July 2022 and August 2023.  The victim companies shipped laptops addressed to “Andrew M.” to Knoot’s residences. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage to the computers. The remote desktop applications enabled the North Korean IT workers to work from locations in China, while appearing to the victim companies that “Andrew M.” was working from Knoot’s residences in Nashville. For his participation in the scheme, Knoot was paid a monthly fee for his services by a foreign-based facilitator who went by the name Yang Di. A court-authorized search of Knoot’s laptop farm was executed in early August 2023.

“The overseas IT workers associated with Knoot’s cell were each paid over $250,000 for their work between approximately July 2022 and August 2023, much of which was falsely reported to the Internal Revenue Service and the Social Security Administration in the name of the actual U.S. person, Andrew M., whose identity was stolen.” continues the press release.

It has been estimated that Knoot and his conspirators’ caused the targeted companies more than $500,000 in costs associated with auditing and remediating their devices, systems, and networks. Knoot, Di, and others conspired to commit money laundering by conducting financial transactions to receive payments from the victim companies, transfer the funds to Knoot and to accounts outside of the United States, in an attempt both to promote their unlawful activity and to hide that transferred funds were the proceeds of it.  The non-U.S. accounts include accounts associated with North Korean and Chinese actors.

The victims companies believed they were hiring a legitimate U.S. worker and shipped laptops to Knoot’s home. Then Knoot installed unauthorized software on the laptops to allow the North Korean IT workers to remotely login from locations in China.

Knoot is charged with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft and conspiracy to cause the unlawful employment of aliens.” concludes DoJ. “If convicted, Knoot faces a maximum penalty of 20 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.””

In May, the Justice Department unsealed charges against an Arizona woman, a Ukrainian man, and three unidentified foreign nationals accused of aiding overseas IT workers, pretending to be U.S. citizens, to infiltrate hundreds of firms in remote IT positions. North Korea used this scheme to dispatch thousands of skilled IT workers globally, using stolen U.S. identities to infiltrate companies and raise revenue. The schemes defrauded over 300 U.S. companies, utilizing U.S. payment platforms, online job sites, and proxy computers. According to the DoJ, this is the largest scheme of this kind ever charged by US authorities.

The operations coordinated by the North Korean government took place between October 2020 and October 2023. Intelligence experts speculate the campaign was aimed at financing the government’s illicit nuclear program.

The defendant Christina Marie Chapman was arrested in May in Litchfield Park, Arizona, while Oleksandr Didenko was arrested in Poland a few days before. US authorities are requesting the extradition to the United States of Didenko.

Chapman faces charges of conspiracy to defraud the United States, wire fraud, bank fraud, aggravated identity theft, identity fraud, money laundering, operating an unlicensed money transmitting business, and unlawful employment of aliens.

She faces a maximum penalty of 97.5 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.

Didenko allegedly ran a multi-year scheme creating accounts on U.S.-based freelance IT job platforms and money service transmitters using false identities, including those of U.S. persons. Then the man sold these accounts to overseas IT workers. He is the administrator of a website called upworksell.com, which was used to advertise these services along with credit card and SIM card rentals. The investigation revealed that Didenko managed about 871 proxy identities and provided accounts for three freelance IT platforms and three U.S.-based money service transmitters. He facilitated at least three U.S.-based laptop farms, hosting around 79 computers, and received or sent $920,000 since July 2018. The man admitted to assisting North Korean IT workers and was interconnected with other cells within the DPRK IT worker network. If convicted, Didenko faces up to 67.5 years in prison, including a mandatory minimum of two years for aggravated identity theft.

DoJ also unsealed charges against three other individuals John Doe 1, alias Jiho Han; John Doe 2, alias Haoran Xu; John Doe 3, alias Chunji Jin.

“Chapman and her co-conspirators allegedly compromised more than 60 identities of U.S. persons, impacted more than 300 U.S. companies, caused false information to be conveyed to DHS on more than 100 occasions, created false tax liabilities for more than 35 U.S. persons, and resulted in at least $6.8 million of revenue to be generated for the overseas IT workers. The department seized funds related to scheme from Chapman as well as wages and monies accrued by more than 19 overseas IT workers.” reads the press release published by DoJ.

Concurrent with DoJ’s announcement, the U.S. Department of State announced a reward of up to $5 million for information related to the above three individuals.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)


facebook linkedin twitter

Hacking hacking news information security news IT Information Security North Korea Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 16, 2025
Salt Typhoon breach: Chinese APT compromises U.S. Army National Guard network
Read more
Pierluigi Paganini July 16, 2025
Former US Army member confesses to Telecom hack and extortion conspiracy
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Salt Typhoon breach: Chinese APT compromises U.S. Army National Guard network

    Intelligence / July 16, 2025

    Former US Army member confesses to Telecom hack and extortion conspiracy

    Cyber Crime / July 16, 2025

    CVE-2025-6554 marks the fifth actively exploited Chrome Zero-Day patched by Google in 2025

    Hacking / July 16, 2025

    DDoS peaks hit new highs: Cloudflare mitigated massive 7.3 Tbps assault

    Security / July 16, 2025

    U.S. CISA adds Wing FTP Server flaw to its Known Exploited Vulnerabilities catalog

    Hacking / July 16, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT