A Nashville man who quietly turned his homes into a "laptop farm" for overseas workers is headed to federal prison. Matthew Issac Knoot was sentenced to 18 months after a judge found he helped North Korean operatives pose as U.S.-based IT staff, letting them log in from abroad while appearing to work from Nashville. Prosecutors say the setup helped steer remote-work paychecks to the DPRK and is part of a growing category of cyber-enabled fraud the feds are determined to choke off.
Sentence, restitution, and scope
According to a Department of Justice press release, U.S. District Judge Eli Richardson on May 1 ordered Knoot to serve 18 months in prison, followed by one year of supervised release. He was also ordered to pay $15,100 in restitution and to forfeit an additional $15,100.
The Justice Department said Knoot ran the laptop farm out of his Nashville residence between July 2022 and August 2023. During that time, victim companies paid more than $250,000 to North Korean workers tied to his operation. Federal officials, quoted in the release, said, "These sentences hold accountable U.S. nationals who enabled North Korea's illicit efforts to infiltrate U.S. networks."
How the laptop farm worked
Investigators say U.S. companies, believing they were hiring domestic IT talent, shipped company laptops to a U.S. persona tied to the scheme. Knoot then installed remote-access software that let overseas workers control those machines while appearing to be physically located in the United States. The work performed was real, but the identity and location of the workers were not.
Cybersecurity reporting has noted that this model lets sanctioned or prohibited workers blend into legitimate corporate environments while staying hidden behind U.S.-based hardware. As reported by CyberScoop, prosecutors say Knoot's operation was one of two similar schemes, and that the two defendants together touched nearly 70 U.S. companies and helped channel more than $1.2 million to DPRK-linked actors.
Local timeline
Knoot was first charged in August 2024 after an FBI search of his home and an indictment in the Middle District of Tennessee that alleged he hosted company devices and helped funnel payments overseas. At the time, local coverage detailed how the laptop farm left employers with hundreds of thousands of dollars in remediation and auditing costs. When the initial charges were unsealed, the Nashville tech ruse was unpacked.
Part of a broader crackdown
Prosecutors say Knoot's sentence is one piece of a broader Justice Department push to disrupt North Korea's remote-worker revenue streams and the U.S.-based enablers who keep them running. National security coverage has highlighted a steady run of related convictions and indictments over the past year tied to laptop farms, stolen identities, and fraudulent hiring practices.
Tech outlets have tracked several similar cases in which facilitators received significantly longer prison terms for playing central roles in larger networks. TechCrunch and others have summarized those earlier prosecutions.
What companies should watch for
Federal guidance flags a few recurring red alerts for employers: sudden changes to an applicant's stated address, requests to ship company laptops to alternate locations, the installation of remote-access software on corporate devices, and unusual routing of salary payments. The FBI and the Internet Crime Complaint Center (IC3) have issued public service announcements outlining specific steps HR teams and security staff can take during hiring and onboarding to reduce the risk of getting burned.
For practical checklists on verification and monitoring, see the FBI's IC3 advisories. IC3
Legal note
The indictment unsealed in 2024 charged Knoot with running a scheme that used stolen U.S. identities, unauthorized installation of remote desktop software on company machines, and transfer of funds to accounts outside the United States. Those actions expose defendants to federal counts that can include conspiracy to cause damage to protected computers and associated money-laundering and fraud offenses, the Department of Justice said in its release. Department of Justice
For a local look at the case and footage from the courtroom, see the station's coverage. WKRN News 2 reported on the sentencing on May 8.
