US Sentences Two ‘Laptop Farmers’ in North Korea IT Worker Fraud Scheme

The US Department of Justice (DoJ) has sentenced two US nationals for helping North Korean information technology workers infiltrate American companies through fraudulent remote working schemes designed to generate revenue for the Democratic People’s Republic of Korea (DPRK). The prosecutions form part of an escalating US crackdown on DPRK-linked cyber-enabled sanctions evasion operations that increasingly exploit remote working models, stolen identities and outsourced IT recruitment channels to access corporate networks and generate foreign currency for the North Korean regime.

Matthew Isaac Knoot of Nashville, Tennessee, and Erick Ntekereze Prince of New York were each sentenced to 18 months in prison for operating so-called “laptop farms” that enabled North Korean IT workers to appear as though they were working remotely from within the United States. According to the DoJ, the two separate schemes generated more than $1.2 million for the DPRK and affected nearly 70 US companies. Both defendants received laptops shipped by victim employers and installed remote desktop software that allowed overseas workers to access corporate systems while concealing their true location.

US authorities framed the prosecutions as national security cases rather than conventional employment fraud. Assistant Attorney General for National Security John A Eisenberg said the defendants enabled North Korean operatives to “masquerade as legitimate employees” while compromising US corporate networks and helping finance a “heavily sanctioned and rogue regime”. The cases demonstrate how DPRK operatives continue to exploit weaknesses in remote hiring, identity verification and endpoint security controls to obtain access to Western companies while bypassing sanctions restrictions.

The sentencing of Erick Ntekereze Prince in the Southern District of Florida highlighted the growing sophistication of these operations. Prosecutors said Prince used his company, Taggcar Inc., to place fraudulent IT workers with US firms between June 2020 and August 2024, despite allegedly knowing the workers were located overseas and operating under stolen or false identities. Authorities said Prince hosted company-issued laptops at residences in New York and installed unauthorised remote access software so North Korean workers could create the appearance of operating domestically from within the United States.

The Florida case allegedly involved at least three DPRK IT workers and more than 64 US victim companies, which collectively paid over $943,000 in salary payments. The DoJ said the companies suffered additional losses exceeding $1 million through forensic audits, remediation work and wider network security investigations after discovering the compromise of their systems and devices. Prince was sentenced by US District Court Judge Darrin P Gayles to 18 months in prison followed by three years of supervised release and ordered to forfeit $89,000 connected to the scheme.

Several individuals linked to the same network remain before the courts or outside US custody. US national Emanuel Ashtor is awaiting trial, while Mexican national Pedro Ernesto Alonso de los Reyes is being held in the Netherlands pending extradition proceedings. Two North Korean nationals named in the indictment remain fugitives. The cross-border nature of the case reflects the increasingly international structure of DPRK revenue-generation operations, which routinely combine facilitators, financial intermediaries and remote infrastructure spread across multiple jurisdictions.

In a separate case in the Middle District of Tennessee, Matthew Isaac Knoot admitted operating a laptop farm from residences in Nashville between July 2022 and August 2023. According to prosecutors, Knoot received laptops addressed to a stolen identity connected to a fictitious worker identified as “Andrew M.” and installed unauthorised remote access software that enabled a North Korean operative working from China to access US corporate networks while appearing to log in from Tennessee.

The victim companies linked to Knoot’s operation reportedly paid more than $250,000 for the fraudulent work arrangements, while the wider security and remediation costs exceeded $500,000. Prosecutors also alleged that Knoot attempted to obstruct the FBI investigation by making false statements and destroying evidence after federal agents executed a court-authorised search of his property in August 2023. US District Judge Eli Richardson sentenced Knoot to 18 months in prison followed by one year of supervised release, while also ordering him to pay $15,100 in restitution and forfeit an additional $15,100 tied to payments received from the scheme.

The prosecutions were brought under the DPRK RevGen: Domestic Enabler Initiative, a joint programme between the FBI and the National Security Division focused on disrupting North Korean illicit revenue generation networks and the US-based facilitators supporting them. The initiative reflects growing concern among Western governments that DPRK-linked remote IT worker schemes are no longer simply sanctions evasion mechanisms but also potential cyber espionage and data theft risks capable of providing hostile state actors with privileged access to sensitive commercial systems.

US authorities have repeatedly warned that North Korean IT workers use stolen identities, online job platforms, proxy devices, shell companies and unwitting intermediaries to secure employment with Western firms. Previous government advisories have also linked DPRK remote workers to data theft, extortion and the exfiltration of proprietary corporate information. According to earlier US government assessments, individual North Korean IT workers can generate up to $300,000 annually, collectively producing hundreds of millions of dollars each year for entities connected to the DPRK government and its weapons programmes.

The cases also reinforce the increasing regulatory and compliance pressures facing multinational companies employing remote contractors or outsourced IT personnel. Financial institutions, technology firms and multinational employers are expected to strengthen due diligence around recruitment, identity verification, device management and remote access monitoring as regulators and law enforcement agencies intensify scrutiny of DPRK-linked employment fraud and sanctions evasion activity.

Read the press release here.