Laptop Mules: How North Korea Is Infiltrating Remote Workforces (Part 2)

Hiring processes have become the new front line of cyber warfare. In our previous post, we detailed the tactics used by North Korean cyber operatives to infiltrate hiring processes using local accomplices to receive and configure corporate laptops, otherwise known as “laptop mules”.

Below, we run through three real-life examples of these infiltration schemes, the consequences for the targeted businesses, the warning signs, and how understanding this evolving threat landscape is no longer optional.

The Nashville Network (2022-2023)

In Tennessee, Matthew Isaac Knoot thought he was running a legitimate tech support business. For over a year, he received corporate laptops at his Nashville-area home, configured them with remote access software, and shipped them to what he believed were legitimate remote workers. The devices kept coming—sometimes multiple laptops per week—each with detailed setup instructions and employee names he never questioned.

What Knoot didn’t realize was that he had become the central hub for one of the most successful North Korean infiltration operations ever documented. The “employees” he was supporting were actually operatives working from Pyongyang, accessing American corporate networks through the devices he meticulously configured in his home office.

The operation unraveled when one of the infiltrated companies noticed unusual network activity patterns. Forensic investigation traced the suspicious traffic back to Knoot’s address, where federal agents discovered his detailed logs of laptop configurations, shipping records, and communication with handlers who coordinated the entire scheme.

Federal authorities charged Knoot in August 2024, revealing the sophisticated support network required for these operations. According to the Department of Justice, the IT workers associated with Knoot were paid over $250,000 for their work between July 2022 and August 2023. The handlers had provided him with detailed technical instructions, backup communication channels, and even troubleshooting guides for common laptop configuration issues.

Arizona’s Multi-Million Dollar Operation (2020-2023)

Christina Chapman’s suburban Litchfield Park, Arizona home looked unremarkable from the outside. But inside, she had transformed her living space into what federal prosecutors called a “laptop farm” that supported a massive North Korean infiltration scheme.

Chapman’s operation was far more sophisticated than Nashville’s single-person setup. According to the Department of Justice, her scheme impacted more than 300 U.S. companies and generated $17 million in revenue for North Korea over three years. The operation compromised more than 70 identities of U.S. persons and created false tax liabilities for more than 70 U.S. individuals.

Chapman managed multiple “employees” simultaneously, handling everything from receiving and configuring laptops to managing payroll deposits and maintaining cover stories for her fake workers. Her detailed records, seized by federal agents, revealed a meticulous operation that tracked employee personas, work schedules, and cover stories to maintain authenticity.

What made Chapman’s case particularly alarming was the diversity of her “employees.” Her laptop farm supported fake software engineers, data analysts, graphic designers, and administrative assistants.

Each persona had been carefully crafted with consistent work histories, technical skills, and personal details that could withstand scrutiny. Some of these fake employees had been “working” for the same companies for extended periods, building trust and gaining access to increasingly sensitive projects.

Christina Chapman pleaded guilty to running a multi-million dollar laptop farm in the suburban city of Litchfield Park, Arizona.

Chapman’s operation involved relaying dozens of computers from U.S. companies overseas, mostly to the Chinese city of Dandong, just across the Yalu River from North Korea. The scheme included detailed instructions for the operatives, including guidance like “If they ask WHY you are using two devices, just say the microphone on your laptop doesn’t work right.”

Chapman pleaded guilty in February 2025 to conspiracy to commit wire fraud, aggravated identity theft, and conspiracy to launder monetary instruments. Her case highlighted how these operations had evolved beyond simple employment fraud into sophisticated corporate espionage with international money laundering components.

The International Conspiracy (2018-2024)

The most complex laptop mule operations discovered to date span multiple countries and involve networks of facilitators that federal investigators are still unraveling. These schemes have placed fake workers in dozens of companies across various industries, from tech startups to Fortune 500 corporations.

Coordinating these operations involves networks in China managing the technical aspects, North Korean operatives performing the actual work, and American facilitators handling physical logistics. The American side includes not just laptop mules but also fake staffing companies that lend additional legitimacy to the hiring process.

The financial infrastructure is particularly sophisticated, with funds flowing through complex webs of shell companies, cryptocurrency exchanges, and international wire transfers designed to obscure the ultimate destination in North Korea.

The True Cost of Infiltration

Data and Intellectual Property Theft

Once embedded within corporate networks, these operatives can access source code, customer databases, strategic plans, and other sensitive information. The FBI has observed North Korean IT workers leveraging unlawful access for data extortion in recent months.

Malware and Persistent Access

With legitimate system credentials, operatives can disable security protections and install backdoors that provide long-term access even after their initial infiltration is discovered. They can harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices.

Financial and Regulatory Consequences

Companies inadvertently funding sanctioned entities face potential regulatory violations and penalties. The complex money laundering schemes often involve cryptocurrency and international banking, compounding legal risks.

Operational Disruption

Even unsuccessful infiltration attempts trigger extensive forensic investigations, device recalls, system audits, and reputational damage.

As FBI Cyber Division Assistant Director Bryan Vorndran noted: “FBI investigation has uncovered a years-long plot to install North Korean IT workers as remote employees to generate revenue for the DPRK regime and evade sanctions.” He described it as “a very sophisticated threat” that “is very pervasive” and has “evolved as industry and the government has evolved to counter it.”

The threat of North Korean-state sponsored candidate fraud has prompted urgent warnings from federal agencies, including the FBI.

The Warning Signs Are Everywhere

The most unsettling aspect of laptop mule operations isn’t their technical sophistication. It’s how they exploit our basic human tendency to trust. Every day, hiring managers across the country are unknowingly interviewing North Korean operatives who have perfected the art of appearing like ideal remote employees.

Consider the red flags that emerged in retrospective analysis of successful infiltrations: candidates who consistently avoid video calls, provide shipping addresses that don’t match their stated residence, or demonstrate technical skills that seem inconsistent with their claimed work history. Yet these warning signs are often dismissed as quirks of remote work culture.
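Two of these red flags (shipping addresses that do not match the stated residence, and many "employees" whose devices ship to or connect from one location, as in the Nashville and Arizona cases) can be checked mechanically from device-issuance and network check-in records. The following is an added example, not code from the original post or from Incode; the record layout, names, addresses and IPs are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real people or networks): one issuance record per
# corporate laptop, and one check-in record per (employee, source IP) seen by VPN/MDM.
ISSUANCE = [
    {"employee": "emp-101", "ship_to": "12 Elm St, Nashville TN", "residence": "12 Elm St, Nashville TN"},
    {"employee": "emp-102", "ship_to": "12 Elm St, Nashville TN", "residence": "88 Bay Ave, Seattle WA"},
    {"employee": "emp-103", "ship_to": "12 Elm St, Nashville TN", "residence": "5 Pine Rd, Austin TX"},
    {"employee": "emp-104", "ship_to": "9 Oak Ln, Denver CO", "residence": "9 Oak Ln, Denver CO"},
]
CHECKINS = [
    ("emp-101", "203.0.113.7"), ("emp-102", "203.0.113.7"), ("emp-103", "203.0.113.7"),
    ("emp-104", "198.51.100.4"), ("emp-104", "198.51.100.4"),
]


def normalize(addr):
    """Crude address normalisation so trivial punctuation/case differences don't hide a match."""
    return " ".join(addr.lower().replace(",", " ").split())


def address_mismatches(issuance):
    """Employees whose laptop shipped somewhere other than their stated residence."""
    return sorted(r["employee"] for r in issuance
                  if normalize(r["ship_to"]) != normalize(r["residence"]))


def shared_shipping(issuance, threshold=2):
    """Shipping addresses that received laptops for `threshold` or more distinct employees."""
    by_addr = defaultdict(set)
    for r in issuance:
        by_addr[normalize(r["ship_to"])].add(r["employee"])
    return {a: sorted(e) for a, e in by_addr.items() if len(e) >= threshold}


def shared_egress(checkins, threshold=2):
    """Source IPs from which `threshold` or more distinct employees' devices check in."""
    by_ip = defaultdict(set)
    for emp, ip in checkins:
        by_ip[ip].add(emp)
    return {ip: sorted(e) for ip, e in by_ip.items() if len(e) >= threshold}


def laptop_farm_report(issuance, checkins):
    """Combine the three checks into one review queue for HR/security triage."""
    return {"address_mismatch": address_mismatches(issuance),
            "shared_shipping": shared_shipping(issuance),
            "shared_egress": shared_egress(checkins)}


if __name__ == "__main__":
    print(laptop_farm_report(ISSUANCE, CHECKINS))
```

Two employees at one address can be legitimate (a household), so the output is a triage queue, not a verdict; raise the thresholds or add an allow-list for known shared sites before alerting.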

The scale of the threat is staggering. Federal investigations have uncovered operations affecting hundreds of companies, with new cases emerging regularly. What makes this particularly concerning is that many successful infiltrations likely remain undetected, with operatives earning legitimate salaries while quietly accessing sensitive systems and intellectual property.

A New Reality for Remote Work

The laptop mule phenomenon reveals an uncomfortable truth: the very flexibility that makes remote work attractive has created unprecedented vulnerabilities. North Korea has weaponized our trust in virtual collaboration, turning job interviews into intelligence operations and corporate laptops into surveillance tools.

What’s particularly concerning is the patience these operations demonstrate. Unlike traditional cyber attacks that strike quickly and retreat, laptop mule schemes are designed for the long game. Operatives will work legitimately for months, building trust and access, before beginning their true mission of data extraction and financial siphoning.

The implications extend far beyond individual companies. Each successful infiltration provides North Korea with insights into American business practices, technology developments, and economic strategies. In essence, these operations represent a form of economic espionage disguised as employment fraud.

As remote work continues to reshape the global economy, the laptop mule threat serves as a stark reminder that our hiring processes have become the new front lines of cyber warfare. The question isn’t whether your organization will encounter this threat, but whether you’ll recognize it when it arrives at your virtual doorstep.

For security professionals and business leaders, understanding this evolving threat landscape is no longer optional. It is essential preparation for both protecting your organization and preventing inadvertent support of hostile foreign regimes through compromised hiring practices.

How Incode Stops Candidate Fraud

Incode brings real-time, adaptive identity verification to every stage of your recruiting workflow to protect and streamline the hiring process.

  • Incode prevents fraudulent candidates from reaching the interview stage, helping reduce organizational risk, recruiting costs, and downstream disruption.
  • Our platform not only blocks bad actors early, it also accelerates hiring with a seamless candidate experience that reduces manual review and enables faster, more confident decision-making.
  • Adaptive biometric verification confirms each candidate’s real-world identity, giving recruiting teams confidence from initial application through Day 1 onboarding.

Learn more about how Incode’s Candidate Verification solution offers end-to-end protection from application to Day 1.

Missed part 1? Read the laptop mule playbook here.

Author

Carrie Melanda is a Product Marketing Manager at Incode. She brings deep expertise in product marketing and go-to-market strategy, with a proven track record of driving revenue growth and market differentiation in the cybersecurity space.