Two U.S. nationals received 18-month federal prison sentences for operating “laptop farms” that enabled North Korean IT workers to fraudulently obtain remote employment at American companies, generating a combined $1.2 million in fraudulent wages while inflicting more than $1.5 million in employer remediation costs.
DOJ Identifies Knoot and Prince as the Seventh and Eighth Laptop Farm Operators Imprisoned in 2026
Matthew Isaac Knoot and Erick Ntekereze Prince were sentenced in separate federal proceedings, each receiving 18-month custodial terms. The Department of Justice identified the sentencings as marking the seventh and eighth U.S.-based laptop farm operators imprisoned in 2026 — a figure reflecting the accelerating pace of enforcement against a scheme the FBI formally warned the public about in 2023.
Both men used the same core technique: accepting company-issued laptops shipped by U.S. employers to their home addresses, installing unauthorized remote-access software on the devices before employer device management tools could inventory them, and then providing persistent remote sessions to North Korean workers who had applied for and obtained the jobs under fabricated American identities. From the perspective of the employer’s IT systems, connections appeared to originate from U.S. residential addresses, and the workers had cleared the hiring process using counterfeit documentation.
Knoot’s Operation: Fraudulent Salaries Drawn From Nearly 70 Victim Companies
Knoot ran his laptop farm from July 2022 to August 2023. During that period, North Korean workers using his infrastructure collected fraudulent salaries exceeding $250,000 from approximately 70 victim companies. Those employers then incurred more than $500,000 in collective remediation costs — covering forensic investigations, incident response to unauthorized-access events, credential resets, and compliance reviews triggered by the discoveries. A federal court ordered Knoot to pay $15,100 in restitution and forfeit an additional $15,100.
Prince’s Four-Year Operation Generated $943,000 in Fraudulent Payments
Prince’s scheme operated over a significantly longer window: June 2020 to August 2024, a four-year span that continued for more than a year after the FBI’s public advisory on the laptop farm threat. His network generated $943,000 in fraudulent salary payments and caused more than $1 million in employer remediation expenses. The court ordered Prince to forfeit $89,000. The duration of Prince’s operation — persisting through the period of elevated federal attention to the scheme — reflects how difficult the infiltration technique is to detect once a worker has cleared the hiring process.
How the North Korean IT Worker Infiltration Scheme Functions
The laptop farm technique forms one component of a broader North Korean government program designed to generate hard currency and circumvent international sanctions through fraudulent remote employment. North Korean workers — operating under direction of state-affiliated organizations — apply for U.S. technology positions using fabricated identities supported by counterfeit documentation, obtain the jobs through remote hiring processes, and receive company-issued equipment shipped to domestic facilitator addresses.
Facilitators install remote access software before employers complete device enrollment, then provide the overseas workers with continuous remote sessions that make their connections appear to originate from U.S. locations. Paychecks are directed to accounts controlled by the operator network and routed back to North Korea through layered money-laundering infrastructure.
The FBI’s 2023 guidance on detecting the scheme identified several indicators: employee reluctance to appear on camera during video calls, requests to redirect direct-deposit payments to third-party accounts, login activity at hours inconsistent with the employee’s claimed time zone, and company equipment deliveries to residential addresses not matching employee-provided locations.
Beyond the direct financial losses to individual employers, federal officials have characterized the scheme as a national security concern. North Korean workers placed through this technique have in some cases accessed enterprise source code repositories, internal infrastructure systems, and sensitive operational data — carrying intelligence value independent of the fraudulent wages. Knoot and Prince join more than a dozen individuals charged in related federal prosecutions since 2023, with DOJ enforcement expanding to reach overseas money-laundering infrastructure used to repatriate earnings to Pyongyang.
