PROBABLYPWNED
Announcements | May 11, 2026 | 3 min read

Two Americans Get 18 Months for Running North Korean Laptop Farms

Matthew Knoot and Erick Prince sentenced for operating laptop farms that helped North Korean IT workers infiltrate 70 US companies, generating over $1.2 million for Pyongyang.

ProbablyPwned Team

The Department of Justice announced that two U.S. nationals have been sentenced to 18 months in federal prison for operating "laptop farms" that enabled North Korean IT workers to fraudulently obtain employment at nearly 70 American companies. The scheme generated more than $1.2 million in wages for Pyongyang's government.

Matthew Isaac Knoot of Nashville, Tennessee, and Erick Ntekereze Prince of New York received identical sentences. These are the seventh and eighth convictions of U.S.-based laptop farmers in the past five months as federal prosecutors intensify their crackdown on North Korean illicit revenue operations.

How the Scheme Worked

Both men received company-issued laptops shipped by victim companies that believed they were hiring legitimate U.S.-based IT workers. Knoot and Prince then installed remote desktop software that allowed their co-conspirators, who were actually North Korean workers operating from overseas, to appear as if they were working from the defendants' residences.

Knoot ran his operation from Nashville between July 2022 and August 2023. He received laptops under a stolen identity ("Andrew M.") and installed unauthorized remote access tools. The scheme defrauded at least four American companies of more than $250,000 in wages.

Prince, operating through his company Taggcar Inc., facilitated employment for at least three North Korean IT workers from June 2020 through August 2024. His victims paid more than $943,000 in salary, with the majority routed overseas.

Financial Penalties

Beyond the 18-month sentences:

  • Knoot was ordered to pay $15,100 in restitution and to forfeit another $15,100
  • Prince was ordered to forfeit $89,000

The relatively modest forfeitures compared to total scheme revenue reflect the difficulty of recovering funds already transferred to North Korea.

Broader North Korean IT Worker Threat

The FBI has documented that North Korea maintains thousands of IT workers who infiltrate hundreds of American companies annually through identity theft schemes. This isn't just about revenue generation—infiltrated workers have access to corporate systems, source code, and sensitive data.

We've previously covered how North Korean threat actors operate sophisticated supply chain attacks. The laptop farm scheme represents a lower-tech but equally dangerous avenue: human infiltration enabled by American accomplices.

Red Flags for Employers

Organizations should watch for:

  1. Shipping address anomalies: Multiple new hires requesting equipment to the same address
  2. Remote access patterns: Authorized users connecting from unexpected geographic locations or during unusual hours
  3. Camera avoidance: Employees who consistently refuse video calls or provide excuses for camera issues
  4. Payment routing: Requests to change direct deposit to accounts or services associated with money movement
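
A sketch of how the first two red flags could be checked against HR shipping records and login events, added here as an example and not taken from the DOJ case or any vendor tooling. The record layouts, employee IDs, addresses, the `ZZ` country code and the working-hours profile are constructed assumptions, and timestamps are assumed to be in each employee's stated local time.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from any real case).
SHIPMENTS = [
    {"employee": "e101", "address": "12 Oak St., Apt 4, Springfield, TN 37000"},
    {"employee": "e102", "address": "12 oak street apt 4 springfield tn 37000"},
    {"employee": "e103", "address": "12 Oak St Apt. 4, Springfield TN 37000"},
    {"employee": "e104", "address": "900 Main Ave, Albany, NY 12200"},
]
PROFILES = {e: {"country": "US", "hours": (7, 20)} for e in ("e101", "e102", "e103", "e104")}
LOGINS = [
    {"employee": "e101", "ts": "2026-03-02T10:15:00", "country": "US"},
    {"employee": "e102", "ts": "2026-03-02T03:40:00", "country": "US"},
    {"employee": "e104", "ts": "2026-03-03T02:05:00", "country": "ZZ"},
]
ABBREV = {"st": "street", "ave": "avenue", "apt": "apartment", "rd": "road"}

def normalize_address(addr):
    """Lowercase, drop punctuation, expand common abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)

def shared_addresses(shipments, min_hires=2):
    """Red flag 1: several hires requesting equipment at one address."""
    by_addr = defaultdict(set)
    for s in shipments:
        by_addr[normalize_address(s["address"])].add(s["employee"])
    return {a: sorted(e) for a, e in by_addr.items() if len(e) >= min_hires}

def login_anomalies(logins, profiles):
    """Red flag 2: logins from an unexpected country or outside usual hours."""
    findings = []
    for ev in logins:
        p = profiles[ev["employee"]]
        hour = datetime.fromisoformat(ev["ts"]).hour
        reasons = []
        if ev["country"] != p["country"]:
            reasons.append("unexpected_country")
        if not p["hours"][0] <= hour < p["hours"][1]:
            reasons.append("unusual_hour")
        if reasons:
            findings.append((ev["employee"], ev["ts"], reasons))
    return findings

if __name__ == "__main__":
    print(shared_addresses(SHIPMENTS))
    print(login_anomalies(LOGINS, PROFILES))
```

Normalizing before grouping matters because the same residence is rarely typed the same way twice across onboarding forms.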

Why This Matters

The sentencing sends a clear message that U.S. authorities are actively pursuing laptop farm operators. But 18 months is a relatively light sentence compared to the damage inflicted.

The real concern is scale. If two individuals helped nearly 70 companies get infiltrated, how many other laptop farms remain undiscovered? The DOJ's five-month prosecution streak suggests investigators have mapped at least part of this network—but North Korea's IT worker program is estimated to involve thousands of operatives.

For organizations concerned about insider threats, our online safety tips provide foundational guidance on verification processes and security awareness.
