Two More Americans Just Got 18 Months Each for Running North Korean Laptop Farms — That's Eight This Year

Federal prosecutors sentenced two U.S. nationals — Matthew Isaac Knoot of Nashville and Erick Ntekereze Prince of Naples, Florida — to 18 months each for running "laptop farms" that helped North Korean IT workers fraudulently obtain remote employment at nearly 70 American companies. They are the seventh and eighth U.S.-based laptop-farm operators sentenced in 2026 alone. Combined victim impact: more than $1.2 million in salaries routed largely to North Korea, plus over $1.5 million in audit and remediation costs.

The U.S. Department of Justice on May 6, 2026 confirmed the sentencing of Erick Ntekereze Prince, 38, of Naples, Florida, to 18 months in federal prison for his role as a laptop-farm operator that helped North Korean IT workers infiltrate U.S. companies. The sentencing follows the May 1 sentencing of Matthew Isaac Knoot, who received the same 18-month term in the Middle District of Tennessee. Both men pleaded guilty to wire-fraud conspiracy charges. Together they enabled North Korean IT workers — operating from outside the United States while masquerading as U.S.-based remote employees — to be hired by nearly 70 different American companies between 2020 and 2024.

The single most consequential element is not the individual sentences. It is what the cumulative pattern represents. Knoot and Prince are the seventh and eighth U.S.-based facilitators sentenced this year. Christina Marie Chapman of Arizona received 102 months in July 2025 for a similar scheme that touched 309 companies and generated $17 million for the North Korean regime. Kejia Wang and Zhenxing "Danny" Wang were sentenced in April 2026. The federal initiative responsible — DPRK RevGen: Domestic Enabler Initiative — is producing monthly sentencings. The underlying threat is not contained: the FBI continues to assess that North Korea maintains "an army of thousands" of IT workers attempting this fraud across U.S. firms.

Knoot & Prince Sentencing Profile
Detail | Information
Defendants | Matthew Isaac Knoot, of Nashville, Tennessee; Erick Ntekereze Prince, of Naples, Florida
Sentences | Knoot: 18 months in federal prison (sentenced May 1, 2026); $15,100 restitution plus $15,100 forfeiture. Prince: 18 months in federal prison (sentenced May 6, 2026)
Charges | Wire-fraud conspiracy; Prince pleaded guilty in November 2025
Knoot's tradecraft | Received company-issued laptops addressed to a stolen identity ("Andrew M."); installed unauthorized remote desktop software so DPRK IT workers could appear as a legitimate U.S. employee
Prince's tradecraft | Operated through shell company Taggcar Inc.; enabled at least three North Korean IT workers to obtain remote employment at U.S. companies from approximately June 2020 through August 2024
Knoot impact | Victim companies paid over $250,000 in salaries (July 2022 to August 2023); over $500,000 in audit and remediation costs caused
Prince impact | Victim companies paid over $943,000 in salaries (majority routed to North Korea); over $1 million in remediation costs caused
Combined victim count | Nearly 70 U.S. companies; approximately $1.2 million generated for the North Korean regime
Money flow | Funds transferred to Knoot and to "accounts associated with North Korean and Chinese nationals"; payments falsely reported to SSA and IRS under stolen identities
Federal initiative | DPRK RevGen: Domestic Enabler Initiative — DOJ National Security Division program targeting U.S.-based facilitators of DPRK revenue generation
2026 sentencing pace | Knoot and Prince are the seventh and eighth U.S.-based laptop-farm operators sentenced in 2026; Wang and Wang sentenced in April; pattern is monthly

What a Laptop Farm Actually Does

The mechanics are simple and that is part of what makes this scheme effective. A North Korean IT worker — operating from somewhere in the DPRK or from a regional staging country — applies for a U.S. remote tech job using a stolen U.S. identity. The hiring company runs the standard background checks; the stolen identity is real and clears them. The company hires the worker and ships them a laptop addressed to the U.S. address on file. That address belongs to a U.S.-based facilitator like Knoot or Prince. The facilitator receives the laptop, plugs it into their home network, installs unauthorized remote desktop software (TeamViewer, AnyDesk, ConnectWise, or similar), and the actual North Korean worker logs in remotely from overseas. To the employer's monitoring tools, the laptop is sitting on a residential ISP in Tennessee or Florida and the developer is doing legitimate work. The salary goes to a U.S. bank account that the North Korean operator can drain or that the facilitator forwards to accounts in North Korea or China. Knoot kept a 10-percent cut. Prince operated his version through Taggcar Inc., a shell company that did paperwork the IT workers could not do for themselves — payroll setup, IRS filings, identity verification.

The companies do not know any of this is happening. They believe they hired a U.S.-based developer who works remotely. The work product is often genuine — North Korean IT workers are highly skilled at the technical jobs they take — but the payroll fraud and the identity theft are felonies, and the salary funds an OFAC-sanctioned regime. When discovered, victim companies face audit and remediation costs that frequently exceed the salary they paid. Knoot's impact bears this out: $250,000 in salaries paid out, but more than $500,000 in remediation costs that fell on the affected companies. Prince's was even more lopsided: $943,000 in salaries, over $1 million in remediation. CyberSignal's North Korea threat-actor coverage tracks the broader DPRK IT worker scheme and the FBI's continuing assessment that thousands of these workers remain active.

The Eighth Sentencing of 2026

Knoot and Prince are the seventh and eighth U.S.-based laptop-farm operators sentenced in 2026, joining Kejia Wang and Zhenxing "Danny" Wang sentenced in April and several others before them. The headline precedent remains Christina Marie Chapman of Litchfield Park, Arizona, who was sentenced in July 2025 to 102 months — eight and a half years — for running a laptop farm out of her own home that helped North Korean IT workers get hired by 309 different U.S. companies. Chapman's scheme generated more than $17 million for the North Korean regime. The DOJ disclosed that affected companies included Nike, which paid more than $75,000 to a worker who was operating from outside the U.S.; Nike subsequently conducted a review and confirmed no data breach occurred.

The pattern of 2026 sentencings tells a more useful story than any single case. In late June 2025, the DOJ raided 29 known or suspected laptop farms across 16 states, seizing approximately 200 laptops. Each of those raids produced potential defendants, and the resulting plea deals and sentencings are now arriving on a roughly monthly cadence. Assistant Attorney General John A. Eisenberg of DOJ's National Security Division said of the Knoot and Prince sentencings: "These sentences hold accountable U.S. nationals who enabled North Korea's illicit efforts to infiltrate U.S. networks and profit on the back of U.S. companies. These defendants helped North Korean IT workers masquerade as legitimate employees, compromising U.S. corporate networks and helping generate revenue for a heavily sanctioned and rogue regime." FBI Cyber Division lead Brett Leatherman framed the broader operational context: "The FBI and our partners will continue to disrupt North Korea's ability to circumvent sanctions and fund its totalitarian regime."

Why Active Enforcement Is Not Solving This

Two truths sit alongside each other and both matter. First, federal enforcement is producing results — eight sentencings in five months, a coherent prosecutorial framework via DPRK RevGen, and a federal task force that is producing leads. Second, the underlying scheme is much larger than the prosecutions can match. The FBI's standing assessment is that North Korea maintains an "army of thousands" of IT workers attempting to infiltrate U.S. firms. Each U.S. facilitator may host laptops for several workers; each prosecuted facilitator represents perhaps tens of dismantled fraudulent employment relationships. The arithmetic does not balance. For every Knoot or Prince sentenced, an unknown larger number of facilitators continue operating undetected.

The implication for defenders is that "active prosecution" is not a substitute for hiring-process due diligence. The federal cases address U.S. nationals who can be prosecuted; the underlying North Korean operators and the broader scheme persist. Companies that rely on standard background checks and pre-employment screening to catch this are matching the threat from 2022. The 2026 version requires hiring-process security controls that catch the laptop-farm pattern specifically: video verification, geographic restrictions on developer endpoints, periodic re-verification, and a hiring-team training program that knows what the warning signs look like.

Defender Actions for This Quarter

  • Add laptop-farm tradecraft to your hiring and onboarding security review. Specific signals: candidate refuses or repeatedly fails video interviews; insists on shipping equipment to addresses different from claimed residence; remote desktop tools (TeamViewer, AnyDesk, ConnectWise) appear on company-issued devices outside change-control windows; sustained timezone or working-hours mismatch with claimed location. KnowBe4's published case (where a post-it note tagging the returned laptop signaled a laptop farm) is a useful internal training reference.
  • Validate identity at hire AND at re-employment. Many of these schemes pass initial background checks because the stolen identity is real. Add at-hire video verification, in-person onboarding for any role with privileged access, and periodic re-verification (e.g., quarterly video check-ins for fully-remote staff). For roles touching production systems or sensitive data, in-person components are increasingly necessary.
  • Implement geographic restrictions on developer endpoints. Conditional access policies that block authentication from non-U.S. IPs (or from residential proxy ranges typical of laptop-farm setups) catch this scheme at the network level even when HR misses it. For roles where overseas access is legitimately required, document the exception and audit it quarterly.
  • Audit existing remote workforce for signs of compromise. The Knoot and Prince schemes spanned 2020 to 2024 — meaning some companies still have active employment relationships with North Korean IT workers and do not know it. Review long-tenured fully-remote developers for the indicators above; re-verify identity and physical location for roles that have not been re-verified since hire.
  • Treat suspected NK IT worker incidents as both an HR matter and a national security matter. If you discover one in your environment: terminate access immediately, preserve evidence, contact the FBI's IC3 portal, and engage outside counsel before any public disclosure. Your firm may be a victim, but the scheme is a sanctions violation — counsel needs to address OFAC implications carefully, and the FBI's investigation may benefit from coordinated disclosure timing.
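
The signals in the first action item can be combined into a simple review pass over HR records and endpoint telemetry. The sketch below is an added example, not code from CyberSignal or any agency; the record fields, process names, thresholds and sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Tools named in the article; the process names are assumed, adjust to your EDR.
RDP_TOOLS = {"teamviewer.exe", "anydesk.exe", "screenconnect.clientservice.exe"}

def approved(ts, change_windows):
    """True if the timestamp falls inside an approved change-control window."""
    return any(start <= ts <= end for start, end in change_windows)

def off_hours_ratio(events, utc_offset, day_start=7, day_end=20):
    """Share of activity outside the working day at the claimed location."""
    tz = timezone(timedelta(hours=utc_offset))  # fixed offset, ignores DST
    off = sum(1 for e in events
              if not day_start <= e["ts"].astimezone(tz).hour < day_end)
    return off / len(events) if events else 0.0

def review(worker, events, change_windows, min_events=5, ratio_limit=0.6):
    """Return the hiring/onboarding signals raised for one worker."""
    signals = []
    if worker["failed_video_interviews"] >= 2:  # assumed cutoff for "repeatedly"
        signals.append("video-interview")
    if worker["ship_to"].strip().lower() != worker["residence"].strip().lower():
        signals.append("ship-to-mismatch")
    mine = [e for e in events if e["user"] == worker["user"]]
    if any(e["process"].lower() in RDP_TOOLS
           and not approved(e["ts"], change_windows) for e in mine):
        signals.append("remote-desktop-tool")
    if (len(mine) >= min_events
            and off_hours_ratio(mine, worker["utc_offset"]) > ratio_limit):
        signals.append("working-hours-mismatch")
    return signals

def _utc(day, hour):
    return datetime(2026, 3, day, hour, tzinfo=timezone.utc)

# Constructed sample data, not taken from any real case.
CHANGE_WINDOWS = [(_utc(2, 14), _utc(2, 16))]
WORKERS = [
    {"user": "dev-a", "residence": "12 Oak St, Springfield",
     "ship_to": "98 Elm Ave, Shelbyville", "utc_offset": -6, "failed_video_interviews": 2},
    {"user": "dev-b", "residence": "5 Pine Rd, Springfield",
     "ship_to": "5 Pine Rd, Springfield", "utc_offset": -5, "failed_video_interviews": 0},
]
EVENTS = (
    [{"user": "dev-a", "process": "AnyDesk.exe", "ts": _utc(3, 9)}]
    + [{"user": "dev-a", "process": "code.exe", "ts": _utc(d, 8)} for d in range(3, 8)]
    + [{"user": "dev-b", "process": "TeamViewer.exe", "ts": _utc(2, 15)}]
    + [{"user": "dev-b", "process": "code.exe", "ts": _utc(d, 15)} for d in range(3, 8)]
)
```

A single signal is a prompt for re-verification rather than a finding; the same remote desktop process seen inside an approved change window (dev-b above) raises nothing.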

The CyberSignal Analysis

Signal 01 — Eight sentencings in five months is the new baseline, not a peak

The DPRK RevGen initiative is producing prosecutions at a roughly monthly cadence. That cadence appears sustainable: the June 2025 raids across 16 states seeded a multi-year pipeline of defendants. Expect ten to fifteen additional U.S.-based facilitator prosecutions through 2026, each producing 12 to 102 months of federal time depending on scheme size. The strategic implication is that the cost of operating as a U.S.-based laptop-farm facilitator is now meaningfully high, but not prohibitive — facilitators receive 10-percent commissions on six-figure salary streams, which generates real money even after a one-to-two-year prison risk. Whether the prosecutions actually deter the U.S. supply of facilitators is empirically unsettled and will be answered over the next 18 months by whether the DOJ's pipeline runs dry or keeps producing defendants.

Signal 02 — North Korea has not lost the capability, only individual operators

The FBI's "army of thousands" framing is consistent across multiple advisories and is not hedged. Each U.S. facilitator the DOJ takes off the board is replaced. The recruitment supply for new facilitators appears robust: the financial incentive — typically 10 percent of $50,000 to $100,000 salaries per worker hosted — is meaningful for moderately compensated U.S. residents, and the operational risk has been historically perceived as low (clearly miscalibrated, but the perception lags reality). For defenders, this means the threat profile has not shifted — the same scheme will keep arriving in your hiring pipeline, with different facilitator names handling the laptops. Hiring-process controls remain the load-bearing defense; enforcement is a supporting actor, not the protagonist.

Signal 03 — Audit and remediation costs are the under-reported financial harm

Both Knoot's and Prince's victim impacts feature audit and remediation costs that exceeded the salaries paid. That number — over $1.5 million combined across nearly 70 companies — is the cost of after-the-fact incident response, third-party forensic engagement, payroll-system audits, IRS and SSA reconciliation work, OFAC compliance counsel, and potential disclosure obligations. For CFOs and CISOs scoping the financial harm of an undetected NK IT worker engagement, the salary paid is roughly half the total cost. Companies that have a robust pre-employment verification program are not just preventing the salary loss; they are preventing remediation costs that frequently exceed it. The ROI math on prevention is strongly favorable. Make the business case to your board accordingly.


Sources

Type | Source
Reporting | BleepingComputer: Americans Sentenced for Running Laptop Farms for North Korea
Reporting | CyberScoop: North Korea IT Worker Scheme — Laptop Farm Facilitators Sentenced
Context | CNN: Inside the North Korea IT Worker Scheme
Context | BleepingComputer: U.S. Disrupts North Korean IT Worker Laptop Farm Scheme in 16 States (June 2025)
