DPRK Operatives Infiltrated Nearly 70 U.S. Companies, Funneling $1.2M to the Regime
Two U.S. nationals were sentenced to 18 months in federal prison each on May 6th, 2026, for running “laptop farms” that helped North Korean IT workers fraudulently obtain remote jobs at nearly 70 American companies, funneling more than $1.2 million to the sanctioned regime.
The sentencings, handed down in separate federal courts in Tennessee and Florida, are the latest in a string of cases exposing a coordinated pipeline that turns U.S. homes into staging grounds for foreign cyber operations. Court filings in both cases describe a nearly identical playbook.
The Mechanics of a Laptop Farm Operation
The defendants accepted company-issued laptops at their U.S. homes on behalf of remote workers whom the employers believed were domestic hires, then installed unauthorized remote desktop software so co-conspirators in North Korea and China could log in and pose as legitimate U.S. employees using stolen identities.
The setup fooled employers, payroll systems, and the IRS while most of the wages flowed overseas.
Inside the Nashville and New York Operations
Even with a shared playbook, the two cases differed in scale and tradecraft. Matthew Isaac Knoot ran a laptop farm from his Nashville residence between July 2022 and August 2023, hosting devices shipped under the stolen identity of “Andrew M.” to staff jobs with at least four U.S. companies. The wages, more than $250,000, were falsely reported to the IRS and Social Security Administration under the victim’s name, and funds were routed to accounts tied to North Korean and Chinese individuals.
The FBI ended his role with an August 2023 search warrant, after which he destroyed evidence and lied to investigators. Knoot was ordered to pay $15,100 in restitution and forfeit an additional $15,100, and his scheme cost victim companies more than $500,000 in remediation.
Erick Ntekereze Prince operated longer and at a larger scale, running his scheme from June 2020 through August 2024 via his company, Taggcar Inc., which fraudulently marketed “certified” IT workers to U.S. employers. He hosted victim-issued laptops at New York residences so North Korean operatives could appear to be working from his home.
Victim companies paid more than $943,000 in salary, most of it routed overseas, and absorbed more than $1 million in remediation costs. Prince was ordered to forfeit $89,000. Co-defendants include U.S. national Emanuel Ashtor, who is awaiting trial, and two North Korean nationals who remain fugitives.
A Coordinated Federal Crackdown on DPRK Revenue Schemes
Knoot and Prince are not outliers. They are the seventh and eighth U.S.-based “laptop farmers” sentenced in the past five months under the DPRK RevGen: Domestic Enabler Initiative, a joint DOJ and FBI effort to disrupt North Korea’s revenue schemes. Last year a separate laptop farm operator in Arizona was sentenced to more than eight years in prison for helping place DPRK workers at 309 U.S. companies, and the FBI has warned about the threat repeatedly since 2023.
Federal officials say Pyongyang runs thousands of IT workers worldwide who use identity theft to land jobs at hundreds of U.S. companies each year, with individuals earning up to $300,000 annually. The proceeds flow to sanctioned entities, including the North Korean Ministry of Defense and other units tied directly to the regime’s weapons programs.
How Companies Can Harden Hiring Against Foreign Operatives
The takeaway is that nation-state infiltration no longer arrives only through phishing emails or zero-day exploits. It is slipping into companies through routine remote hiring, with stolen identities, polished resumes, and U.S.-based facilitators making the deception convincing enough to clear onboarding.
Preparing for that reality means treating the hiring pipeline as part of the attack surface. Harden identity verification with live, on-camera interviews, build cross-functional review between HR, IT, and security for remote technical roles, and monitor company-issued endpoints for unauthorized remote desktop tools and impossible-travel logins. Reconcile shipping addresses, payment details, and working hours against a candidate’s claimed location, and plan for the possibility that a “rogue employee” is actually a foreign operative with months of legitimate access.
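The two endpoint checks recommended above can be sketched as follows. This is an added example, not code from the cases or from any vendor; the process names, the approved tool `corp-support-agent.exe`, the thresholds, the host names, and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumptions: illustrative process names to watch and a hypothetical approved tool.
WATCHED_REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "corp-support-agent.exe"}
APPROVED_REMOTE_TOOLS = {"corp-support-agent.exe"}
MAX_KMH = 900.0  # assumption: anything faster than a commercial flight is not physical travel
MIN_KM = 50.0    # assumption: ignore geolocation jitter within one metro area

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def unauthorized_remote_tools(inventory):
    """Map each host to the watched remote-access processes that are not approved."""
    banned = WATCHED_REMOTE_TOOLS - APPROVED_REMOTE_TOOLS
    hits = {host: sorted({p.lower() for p in procs} & banned) for host, procs in inventory.items()}
    return {host: found for host, found in hits.items() if found}

def impossible_travel(logins):
    """Return (user, previous_ts, current_ts, km_per_hour) for implausible login pairs."""
    alerts, last = [], {}
    for user, ts, loc in sorted(logins, key=lambda e: (e[0], datetime.fromisoformat(e[1]))):
        now = datetime.fromisoformat(ts)
        if user in last:
            prev_time, prev_ts, prev_loc = last[user]
            km = haversine_km(prev_loc, loc)
            hours = (now - prev_time).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > MIN_KM and speed > MAX_KMH:
                alerts.append((user, prev_ts, ts, speed))
        last[user] = (now, ts, loc)
    return alerts

# Constructed sample data, not taken from the court filings.
SAMPLE_INVENTORY = {
    "LT-0042": ["chrome.exe", "AnyDesk.exe", "corp-support-agent.exe"],
    "LT-0043": ["code.exe", "corp-support-agent.exe"],
}
SAMPLE_LOGINS = [
    ("user-a", "2024-03-01T14:00:00+00:00", (36.16, -86.78)),
    ("user-a", "2024-03-01T15:00:00+00:00", (41.80, 123.43)),
    ("user-b", "2024-03-01T09:00:00+00:00", (36.16, -86.78)),
    ("user-b", "2024-03-01T14:00:00+00:00", (40.71, -74.01)),
]

if __name__ == "__main__":
    print(unauthorized_remote_tools(SAMPLE_INVENTORY))
    print(impossible_travel(SAMPLE_LOGINS))
```

In a laptop-farm setup the device itself sits at a U.S. address, so the process inventory check is the one that catches the hosted endpoint, while the travel check applies to sign-ins made from elsewhere with the same account.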
Sources: BleepingComputer | DoJ Office of Public Affairs


