Two US Men Imprisoned for Aiding North Korean Hackers in Infiltrating American Companies
- May 10
- 2 min read
Key Findings
Two US men, Matthew Isaac Knoot and Erick Ntekereze Prince, sentenced to 18 months each for operating "laptop farms" that enabled North Korean hackers to infiltrate approximately 70 US companies
The scheme generated over $1.2 million in illicit revenue, primarily funneled to North Korea's weapons of mass destruction programs
Knoot's operation ran from July 2022 to August 2023; Prince's farm operated from June 2020 to August 2024
Victims incurred over $1.5 million in remediation costs including forensic auditing and network recovery
Several co-conspirators remain at large, including two North Korean nationals
Background
The US Department of Justice announced the convictions as part of a broader initiative called DPRK RevGen: Domestic Enabler Initiative, designed to identify and prosecute Americans who knowingly facilitate foreign threat actors. The operation represents a sophisticated infiltration method that bypassed traditional cybersecurity perimeters by exploiting domestic trust and geographic assumptions.
How the Laptop Farm Scheme Operated
The mechanics were deceptively simple but highly effective. North Korean hackers used stolen American identities to apply for remote IT positions at US companies. When hired, the companies shipped work laptops to addresses provided on the applications—which turned out to be the homes of Knoot and Prince.
Once the hardware arrived, the two men installed remote desktop software on the devices. This allowed North Korean operatives, often positioned in China, to remotely control the laptops from overseas. To the victim companies' security systems and network administrators, all activity appeared to originate from legitimate employees working within the United States.
Prince operated his own company, Taggcar Inc., which he used to actively source and place fraudulent workers, adding another layer of deception to the operation. One worker even operated under the stolen identity "Andrew M." while Knoot managed the physical equipment.
Scale and Financial Impact
The operation's reach was extensive, compromising at least 70 US companies across multiple sectors. The scheme generated over $1.2 million in fraudulent payments, with the vast majority flowing directly to North Korea—a country operating under strict international sanctions.
The financial damage extended beyond the direct fraud. Victim companies spent over $1.5 million on emergency response measures, including forensic investigations, incident response teams, and comprehensive network remediation to eliminate unauthorized access points and restore system integrity.
The Investigation and Arrests
The FBI raided Knoot's Nashville residence in August 2023, bringing his operation to an abrupt end after over a year of activity. Prince's farm continued operating longer, persisting until August 2024 before law enforcement intervention.
During the raid, Knoot attempted to destroy evidence, a detail that aggravated his legal situation. US Attorney Jason A. Reding Quiñones characterized the defendants' actions as deliberate crimes that "exposed US businesses, compromised trust, and supported one of the world's most dangerous adversaries."
Restitution and Ongoing Manhunt
Prince was ordered to forfeit $89,000—the total he received for hosting equipment and facilitating worker placement. Knoot must pay back $15,100 plus an equal amount in restitution to victim companies.
The investigation identified additional suspects who remain at large: Emanuel Ashtor, Pedro Ernesto Alonso de los Reyes, and two North Korean nationals, Jin Sung-il and Pak Jin-Song. Their continued freedom indicates the network extended beyond the two convicted Americans.
Sources
https://hackread.com/us-men-sentenced-north-korean-hackers-hack-us-firms/
https://securityonline.info/north-korea-laptop-farm-us-corporate-infiltration-sentencing/
https://www.news4hackers.com/us-duo-sentenced-for-running-laptop-farms-for-north-korean-it-workers/

Comments