Teleworking has accustomed us to a very comfortable idea: if someone delivers work, attends meetings and responds to messages, perhaps it doesn’t matter too much where they do it from. The problem appears when that distance becomes an advantage to hide identities, move money and enter companies that believe they are hiring a legitimate professional. North Korea has been exploiting precisely that rift. And the case of two men convicted of hosting laptops in their homes shows the extent to which the plot could rely on domestic infrastructure.
Two men sentenced. Matthew Isaac Knoot, of Nashville, Tennessee, and Erick Ntekereze Prince, of New York, have been sentenced in the US to 18 months each in prison for their role in fraudulent schemes involving remote IT workers linked to North Korea, according to the Department of Justice.
The house as a piece of the plot. The mechanism was more domestic than one might imagine. Companies shipped corporate laptops to American addresses because they believed the contracted workers were there. Once received, the computers were housed in those homes and configured with remote desktop applications installed without authorization. This allowed the fake workers to operate from abroad while, to the companies, the connection appeared to come from an address within the United States.
What did each one do? Prince, according to official information, helped at least three North Korean IT workers obtain remote employment in US companies between June 2020 and August 2024, and used his company Taggcar Inc. to fraudulently supply “certified” workers, despite knowing that they were outside the US and using false or stolen identities. Knoot, for his part, operated a laptop farm from his Nashville residences between July 2022 and August 2023.
Money, companies and damages. The Justice Department maintains that the two schemes together generated more than $1.2 million for North Korea and affected nearly 70 U.S. companies. In the Prince case, the companies paid more than $943,069 in salaries to IT workers linked to the case. In Knoot’s case, the payments exceeded $250,000.
More than labor fraud. The US justice system presents the sentences as part of a specific line of action against facilitators located in the US. The statement itself highlights that these are the seventh and eighth convictions of “laptop farmers” obtained in the last five months as part of its efforts to disrupt North Korea’s illicit generation of income. It is an important nuance: the focus is not only on those who connect from abroad, but also on the local network that makes the operation viable.
Expansion into Europe. As we have seen in the past, these cases are also present outside the United States. The Record reported in April 2025 on an investigation by Google Threat Intelligence Group according to which North Korean operatives had increased their activity in Europe following US police actions against laptop farms and financial networks. At the center were job searches linked to the United Kingdom, Germany and Portugal, in addition to the use of local facilitators to support the alibi of a work presence in the corresponding country.
AI and fake identities. One of the most current layers of this story lies not only in the laptops, but in the ease of building increasingly credible profiles. BISI points out that North Korean operations combine stolen identities, manipulated professional profiles and AI tools capable of writing localized CVs and cover letters. In Europe, platforms such as Upwork and Freelancer are usually used, in addition to Telegram. The consequence is obvious: detecting the fake candidate before the company even ships the equipment can become much more difficult.
What started with laptops housed in private homes ends up being about something much bigger than a criminal conviction. The companies were not attacked from outside in the classic sense, but ended up opening the door to workers they believed to be legitimate. So everything seems to indicate that in these times it is no longer enough to protect servers, credentials or repositories; it is also necessary to review the processes that we consider normal, such as the hiring of personnel.