North Korea Laptop Farm Crackdown: What Two US Convictions Teach IT Teams

by Tashina

TLDR

A North Korean IT worker scheme ran for years from homes in Nashville and New York. Two American hosts have just gone to prison for 18 months apiece. They let DPRK IT workers pose as US-based staff for nearly 70 companies. The fraud generated over $1.2 million for Pyongyang’s coffers. For IT security teams, this case shows just how fragile remote hiring controls really are.

The Two Laptop Farms That Were Busted

Matthew Knoot worked from his Nashville flat. Erick Prince operated out of New York. The pair never met, but both ran the same con.

Each man hosted company-issued laptops for North Korean IT workers. They installed remote desktop tools so the actual workers could log in from China. The victim firms thought “Andrew M.” and other fake personas sat happily in the States.

Knoot’s farm ran from July 2022 until August 2023. The FBI raided his place and brought things to a halt.

Prince kept his setup going for four years, from June 2020 to August 2024.

Both men were sentenced on 6 May 2026. Knoot pays $15,100 in restitution and forfeits the same amount. Prince forfeits $89,000, which is what the DPRK paid him for his trouble.

Why North Korean Laptop Farms Keep Popping Up

The Justice Department calls this the DPRK RevGen: Domestic Enabler Initiative. That title is a mouthful, but the goal is simple. Catch the Americans helping North Korea earn sanctions-busting cash.

These are the seventh and eighth convictions inside five months. Eight people running similar setups, all jailed in less than a year. That’s a proper pattern, not a coincidence.

Pyongyang’s IT operation pulls in hundreds of millions of dollars annually. Individual workers can earn up to $300,000 each. Most of that money flows straight into weapons programmes.

Stolen Identities Power The Scam

Every North Korean IT worker scheme relies on real American identities. Operators apply for jobs using stolen names paired with fake emails and bogus social security numbers. They build polished LinkedIn profiles and pass video interviews with the help of deepfakes.

When firms offer them work, the laptops ship to the farm host. Actual workers then log in from abroad. From the outside, everything looks routine.

Where Companies Got It Wrong

Let’s be honest, the victim firms weren’t being especially careless. They followed standard remote hiring practices. The trouble is that standard remote hiring practices weren’t built for this threat.

Most of the victim firms spotted a few odd signals during the hiring process. Mismatched timezones during interviews. Reluctance to switch on cameras. Quick swaps between contractors who all wrote suspiciously similar code.

None of these on their own scream “state-sponsored fraud.” Stack them up, though, and a pattern emerges.

The Audit Trail Hurts More Than The Wages

The salary payments aren’t even the biggest loss. Prince’s victims spent over $1 million on audits and remediation. Knoot’s victims paid another $500,000 in clean-up bills.

Every fake hire triggers a deep code review and a full incident response engagement. Networks need a rebuild. Credentials need rotating. Customer trust takes a real battering.

Expert View From William Fieldhouse

William Fieldhouse, Director of Aardwolf Security Ltd, sees the same gaps across many clients. “Hiring is now part of your attack surface, full stop. If your onboarding doesn’t include proper geolocation checks and live document verification, you’re trusting the CV blindly. That’s not good enough in 2026.”

Building Defences Against Fake Remote IT Workers

So what should security teams actually do? Tightening things up needs effort across HR, IT, and the SOC. The good news is most of the changes cost very little.

Cross-Check The Shipping Details

Confirm the courier address matches the candidate’s payroll record. Run the address through public records and electoral roll data.

A laptop heading to a third-party address is a massive red flag. Don’t let HR sign off without a security review.
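The shipping cross-check above is easy to automate before the courier is booked. The following is an added example, not code from the article or from Aardwolf Security: it normalises the payroll and courier addresses so that trivial formatting differences do not hide a real mismatch, and it also flags a courier address that is shared by more than one hire, which is the laptop-farm signature the case describes. The hire records, the abbreviation table and the rule that any finding blocks HR sign-off are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed onboarding records for this example (not from the case):
# the address HR holds on the payroll record and the address given to
# the courier for the company laptop.
HIRES = [
    {"id": "H-001", "payroll": "114 Oak Street, Apt 3, Nashville, TN 37203",
     "ship_to": "114 Oak St Apt #3, Nashville TN 37203"},
    {"id": "H-002", "payroll": "2500 Market Avenue, Denver, CO 80202",
     "ship_to": "88 Elm Road, Unit 2B, Nashville, TN 37206"},
    {"id": "H-003", "payroll": "40 Pine Street, Austin, TX 78701",
     "ship_to": "88 Elm Rd #2B, Nashville, TN 37206"},
]

# Minimal abbreviation map (assumption); a production check would use a
# postal address standardisation service instead of a hand-written table.
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
           "boulevard": "blvd", "north": "n", "south": "s",
           "east": "e", "west": "w"}
_UNIT_WORDS = {"apt", "apartment", "unit", "suite", "ste"}


def normalise(addr):
    """Canonicalise an address: lower-case, strip punctuation, expand
    nothing but collapse common abbreviations and unit designators, so
    'Apt 3', 'Unit 3' and '#3' all become '3'."""
    s = re.sub(r"[^\w\s]", " ", addr.lower())
    tokens = []
    for t in s.split():
        if t in _UNIT_WORDS:
            continue
        tokens.append(_ABBREV.get(t, t))
    return " ".join(tokens)


def review_hires(hires):
    """Return {hire_id: [reasons]} for every hire that needs a security
    review before the laptop ships. An empty dict means nothing to hold."""
    flags = defaultdict(list)
    by_ship = defaultdict(list)
    for h in hires:
        pay, ship = normalise(h["payroll"]), normalise(h["ship_to"])
        by_ship[ship].append(h["id"])
        if pay != ship:
            flags[h["id"]].append("shipping address differs from payroll address")
    # A courier address reused across hires is the laptop-farm pattern:
    # many 'employees', one host.
    for ship, ids in by_ship.items():
        if len(ids) > 1:
            for hid in ids:
                others = ", ".join(o for o in ids if o != hid)
                flags[hid].append(f"shipping address also used by {others}")
    return dict(flags)


if __name__ == "__main__":
    for hire_id, reasons in review_hires(HIRES).items():
        print(f"HOLD {hire_id}: " + "; ".join(reasons))
```

Run against the constructed records, H-001 passes (same address, different formatting), while H-002 and H-003 are both held: each ships to an address that is not on its payroll record, and the two share that address. The reuse check only works if it runs across all hires, including contractors brought in through agencies, so feed it every record, not just the current batch.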

Verify Identity With Live Interaction

Insist on at least one camera-on interview with a senior engineer. Ask candidates to share their workspace briefly on camera.

Watch for hesitation, unnatural pauses, or background details that don’t match the claimed location. Deepfakes are getting better, but real environments are still hard to fake at length.

Monitor Endpoint Behaviour Post-Hire

Once a contractor starts, watch their endpoint properly. EDR should flag commercial remote desktop tools installed outside the standard build.

Repeated logins from unexpected ASNs should trigger an alert, not just sit in a log file. Treat early anomalies seriously.
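The two detections above, an unapproved remote desktop tool appearing on a managed endpoint and repeated logins from an ASN the user has no business on, can be expressed as simple rules over existing telemetry. The block below is an added example, not code from the article or from Aardwolf Security. It parses a constructed sample of process-start and login events, flags remote-access binaries that are not part of the standard build, and alerts when a user accumulates a threshold of successful logins from an ASN other than the one recorded at onboarding. The event format, the binary list, the approved tool, the per-user expected ASNs and the threshold of three are all assumptions; the IPs and ASNs are documentation/private ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample telemetry for this example; none of it is from the
# case. Hosts, users, IPs (TEST-NET ranges) and ASNs (private range
# 64496-64511) are placeholders.
EVENTS = """\
2024-03-04T09:02:11Z,type=process,host=LT-4471,user=andrew.m,image=C:\\Users\\andrew.m\\AppData\\Local\\AnyDesk\\AnyDesk.exe
2024-03-04T09:05:40Z,type=process,host=LT-4471,user=andrew.m,image=C:\\Program Files\\ScreenConnect Client\\ScreenConnect.WindowsClient.exe
2024-03-04T09:10:02Z,type=process,host=LT-2210,user=jane.d,image=C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe
2024-03-04T01:15:40Z,type=login,user=andrew.m,src_ip=203.0.113.7,asn=AS64500,result=success
2024-03-04T09:00:03Z,type=login,user=andrew.m,src_ip=198.51.100.22,asn=AS64496,result=success
2024-03-05T01:40:12Z,type=login,user=andrew.m,src_ip=203.0.113.9,asn=AS64500,result=success
2024-03-06T02:05:55Z,type=login,user=andrew.m,src_ip=203.0.113.7,asn=AS64500,result=success
2024-03-06T02:06:30Z,type=login,user=andrew.m,src_ip=203.0.113.7,asn=AS64500,result=failure
2024-03-04T08:58:19Z,type=login,user=jane.d,src_ip=198.51.100.40,asn=AS64497,result=success
2024-03-05T09:01:44Z,type=login,user=jane.d,src_ip=198.51.100.40,asn=AS64497,result=success
2024-03-05T18:30:00Z,type=login,user=jane.d,src_ip=192.0.2.77,asn=AS64501,result=success
"""

# Illustrative, not exhaustive, list of commercial remote-access binaries.
REMOTE_ACCESS_BINARIES = {
    "anydesk.exe", "teamviewer.exe", "rustdesk.exe",
    "screenconnect.windowsclient.exe", "logmein.exe",
}
# Assumption: the help-desk tool that IS part of the standard build.
APPROVED_REMOTE_ACCESS = {"screenconnect.windowsclient.exe"}
# Assumption: ASN observed during supervised onboarding, per user.
EXPECTED_ASNS = {"andrew.m": {"AS64496"}, "jane.d": {"AS64497"}}
LOGIN_THRESHOLD = 3  # assumption: repeated, not a one-off hotel login


def parse_event(line):
    """'ts,key=value,key=value,...' -> dict. Image paths contain no commas
    in this sample; a real pipeline would use structured (JSON) events."""
    ts, _, rest = line.partition(",")
    ev = {"ts": ts}
    for field in rest.split(","):
        k, _, v = field.partition("=")
        ev[k] = v
    return ev


def detect_remote_access_tools(events):
    """Flag remote-access binaries that are not in the approved build."""
    findings = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        exe = re.split(r"[\\/]", ev["image"])[-1].lower()
        if exe in REMOTE_ACCESS_BINARIES and exe not in APPROVED_REMOTE_ACCESS:
            findings.append({"rule": "unapproved_remote_access_tool",
                             "user": ev["user"], "host": ev["host"],
                             "detail": exe})
    return findings


def detect_unexpected_asn_logins(events, expected=EXPECTED_ASNS,
                                 threshold=LOGIN_THRESHOLD):
    """Alert when a user has >= threshold successful logins from an ASN
    outside their expected set. Failed attempts are not counted."""
    counts = defaultdict(Counter)
    for ev in events:
        if ev.get("type") == "login" and ev.get("result") == "success":
            counts[ev["user"]][ev["asn"]] += 1
    findings = []
    for user, per_asn in counts.items():
        for asn, n in per_asn.items():
            if asn not in expected.get(user, set()) and n >= threshold:
                findings.append({"rule": "repeated_login_unexpected_asn",
                                 "user": user,
                                 "detail": f"{n} successful logins from {asn}"})
    return findings


def run_detections(text):
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return detect_remote_access_tools(events) + detect_unexpected_asn_logins(events)


if __name__ == "__main__":
    for f in run_detections(EVENTS):
        print(f)
```

On the sample, andrew.m is flagged twice (AnyDesk on LT-4471, and three successful logins from AS64500 in the small hours), while jane.d's single login from an unfamiliar ASN stays below the threshold. Tune the threshold and window to your own noise level, but route the remote-access-tool rule straight to a ticket: a user-profile install of a remote desktop client on a company laptop is rarely innocent.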

If you’re not sure your detection chain catches this stuff, you’ll need to test it. Working with an experienced penetration testing company gives you a chance to stress-test the lot. A good red team can mimic the exact tradecraft DPRK operators use today.

The Bigger Picture On DPRK IT Worker Fraud

This isn’t a small-time scam by any stretch. Sanctioned by every major Western government, North Korea uses IT workers as a financial workaround. Every dollar these workers earn ends up funding nuclear and missile development.

The State Department offers up to $5 million for tips that disrupt these operations. That tells you how seriously Washington takes the problem.

For UK firms, the lesson translates directly. British companies are just as exposed if they hire remote IT staff without proper vetting. The Atlantic doesn’t stop these workers from applying.

Final Thoughts

The North Korean IT worker scheme model is cheap, scalable, and brutally effective. Two convictions won’t shut it down. The DPRK will simply recruit fresh domestic enablers and crack on.

For IT security teams, the priority is clear. Treat remote hiring as a security process, not just an HR one. Build identity checks, hardware tracking, and behavioural monitoring into the workflow from day one.

See how Aardwolf Security can help your business with a no obligation penetration test quote.
