Month: August 2024

Source: United States Department of Justice Criminal Division

Matthew Isaac Knoot, 38, of Nashville, Tennessee, was arrested today for his efforts to generate revenue for the Democratic People’s Republic of Korea’s (DPRK or North Korea) illicit weapons program, which includes weapons of mass destruction (WMD).

The FBI, along with the Departments of State and Treasury, issued a May 2022 advisory to alert the international community, private sector, and public about the North Korea IT worker threat. Updated guidance was issued in October 2023 by the United States and the Republic of Korea (South Korea) and in May 2024 by the FBI, which include indicators to watch for that are consistent with the North Korea IT worker fraud and the use of U.S.-based laptop farms.

According to court documents, Knoot participated in a scheme to obtain remote employment with American and British companies for foreign information technology (IT) workers, who were actually North Korean actors. Knoot allegedly assisted them in using a stolen identity to pose as a U.S. citizen; hosted company laptops at his residences; downloaded and installed software without authorization on such laptops to facilitate access and perpetuate the deception; and conspired to launder payments for the remote IT work, including to accounts tied to North Korean and Chinese actors.

“As alleged, this defendant facilitated a scheme to deceive U.S. companies into hiring foreign remote IT workers who were paid hundreds of thousands of dollars in income funneled to the DPRK for its weapons program,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “This indictment should serve as a stark warning to U.S. businesses that employ remote IT workers of the growing threat from the DPRK and the need to be vigilant in their hiring processes.”

“North Korea has dispatched thousands of highly skilled information technology workers around the world to dupe unwitting businesses and evade international sanctions so that it can continue to fund its dangerous weapons program,” said U.S. Attorney Henry C. Leventis for the Middle District of Tennessee. “Today’s indictment, charging the defendant with facilitating a complex, multi-year scheme that funneled hundreds of thousands of dollars to foreign actors, is the most recent example of our office’s commitment to protecting the United States’ national security interests.”

“As today’s charges demonstrate, the FBI will relentlessly pursue those who aid the North Korean government’s illegal efforts to generate revenue,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “Where illicit proceeds may be used to fund the regime’s kinetic capacity, we will prioritize our work to disrupt that flow of money. This indictment should demonstrate the risk faced by those who support the DPRK’s malicious cyber activity.”

The DPRK has dispatched thousands of skilled IT workers to live abroad, primarily in China and Russia, with the aim of deceiving U.S. and other businesses worldwide into hiring them as freelance IT workers to generate revenue for its WMD programs. DPRK IT worker schemes involve the use of pseudonymous email, social media, payment platform and online job site accounts, as well as false websites, proxy computers, and witting and unwitting third parties located in the United States and elsewhere. As described in a May 2022 tri-seal public service advisory released by the FBI, the Department of the Treasury, and the Department of State, such IT workers have been known to individually earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK’s UN-prohibited WMD programs.

The indictment unsealed today in the Middle District of Tennessee alleges that Knoot participated in a scheme to assist overseas IT workers to obtain remote IT work at U.S. companies which believed that they were hiring U.S.-based personnel. The IT workers, who were North Korean nationals, used the stolen identity of a U.S. citizen, “Andrew M.,” to obtain this remote IT work. The scheme defrauded U.S. media, technology, and financial companies, ultimately causing them hundreds of thousands of dollars in damages.   

According to court documents, Knoot ran a “laptop farm” at his Nashville residences between approximately July 2022 and August 2023.  The victim companies shipped laptops addressed to “Andrew M.” to Knoot’s residences. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage to the computers. The remote desktop applications enabled the North Korean IT workers to work from locations in China, while appearing to the victim companies that “Andrew M.” was working from Knoot’s residences in Nashville. For his participation in the scheme, Knoot was paid a monthly fee for his services by a foreign-based facilitator who went by the name Yang Di. A court-authorized search of Knoot’s laptop farm was executed in early August 2023.

The overseas IT workers associated with Knoot’s cell were each paid over $250,000 for their work between approximately July 2022 and August 2023, much of which was falsely reported to the Internal Revenue Service and the Social Security Administration in the name of the actual U.S. person, Andrew M., whose identity was stolen. Knoot and his conspirators’ actions also caused the victim companies more than $500,000 in costs associated with auditing and remediating their devices, systems, and networks. Knoot, Di, and others conspired to commit money laundering by conducting financial transactions to receive payments from the victim companies, transfer those funds to Knoot and to accounts outside of the United States, in an attempt both to promote their unlawful activity and to hide that transferred funds were the proceeds of it.  The non-U.S. accounts include accounts associated with North Korean and Chinese actors.

Knoot is charged with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft and conspiracy to cause the unlawful employment of aliens. If convicted, Knoot faces a maximum penalty of 20 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.

Under the Department-wide “DPRK RevGen: Domestic Enabler Initiative,” launched in March 2024 by the National Security Division and the FBI’s Cyber and Counterintelligence Divisions, Department prosecutors and agents are prioritizing the identification and shuttering of U.S.-based “laptop farms” — locations hosting laptops provided by victim U.S. companies to individuals they believed were legitimate U.S.-based freelance IT workers — and the investigation and prosecution of individuals hosting them. Today’s announcement follows successful action taken by the Department in October 2023 and May 2024, which targeted identical and related conduct.

The FBI is investigating the case.

Assistant U.S. Attorney Josh Kurtzman for the Middle District of Tennessee and Trial Attorney Greg Nicosia of the National Security Division’s Cyber Section are prosecuting the case.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Source: United States Department of Justice Criminal Division

Note: View the superseding indictment here. 

A superseding indictment was returned yesterday charging two Iranian citizens, brothers Shahab Mir’kazei (Shahab) and Yunus Mir’kazei (Yunis), and one Pakistani citizen, Muhammad Pahlawan, for conspiring to provide and providing material support to Iran’s weapons of mass destruction program resulting in death and conspiring to commit violence against maritime navigation and maritime transport involving weapons of mass destruction resulting in death. Pahlawan is currently awaiting trial, while Shahab and Yunus remain at large.

According to the court documents, Shahab and Yunus work for Iran’s Islamic Revolutionary Guard Corps. Pahlawan, is a Pakistani citizen who allegedly worked for the Mir’kazei brothers as the captain of a smuggling vessel known as a dhow, named the “Yunus,” which is owned by Shahab.

Pahlawan allegedly worked with Shahab to prepare the dhow for multiple smuggling voyages, and Shahab paid Pahlawan in Iranian Rials from a bank account in Shahab’s name. Pahlawan allegedly arranged to receive payments from Shahab and Yunus in Iran and distribute the money to his family and others.

On the night of Jan. 11, U.S. Central Command Navy forces operating from the USS LEWIS B. PULLER, including Navy SEALs and members of the U.S. Coast Guard, boarded the dhow off the coast of Somalia. Two Navy SEALs lost their lives during the interdiction.

As alleged, the U.S. boarding team encountered 14 individual mariners on the vessel, including Pahlawan. During a search of the dhow, the U.S. boarding team allegedly located and seized what is believed to be Iranian-made advanced conventional weaponry. Preliminary analysis of the advanced conventional weaponry indicates that it includes critical components for medium range ballistic missiles and anti-ship cruise missiles, including to include a warhead and propulsion and guidance components. The type of weaponry found aboard the dhow is allegedly consistent with the weaponry used by the Houthi rebel forces in recent attacks on merchant ships and U.S. military ships in the Red Sea and Gulf of Aden.

In addition to the charges described above, Pahlawan is charged with providing materially false information to U.S. Coast Guard officers during the boarding of the dhow regarding the vessel’s captain and witness intimidation for threatening one of the crewmembers on the dhow.  

If convicted, Pahlawan, Shahab and Yunus all face maximum penalties of life in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division, U.S. Attorney Jessica D. Aber for the Eastern District of Virginia and Executive Assistant Director Robert Wells of the FBI’s National Security Branch made the announcement.

Assistant U.S. Attorneys Troy A. Edwards Jr. and Gavin R. Tisdale for the Eastern District of Virginia and Trial Attorney Lesley Woods of the National Security Division’s Counterterrorism Section are prosecuting the case.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Source: United States Department of Justice 2

A federal grand jury in Oklahoma City returned an indictment, which was unsealed today, charging Sioux Erosion Control, Inc. (Sioux), its vice president and another employee with a price-fixing conspiracy targeting over $100 million in publicly-funded transportation construction contracts across Oklahoma.

According to court documents, it is alleged that Vice President BG Dale Biscoe, Randall David Shelton and Sioux conspired with their competitors in the erosion control industry to raise and maintain prices for products and services from approximately September 2017 through April 2023. Erosion control products and services, including sod, are used to control runoff of soil or rock on highway construction and repair projects. In addition to conspiring to raise prices for sod, it is alleged that the defendants and their co‑conspirators agreed to divide up contracts across different areas of Oklahoma and rigged bids for particular projects by submitting intentionally high-priced bids or outright refusing to bid.

“Protecting competition for taxpayer-funded infrastructure projects remains a priority for the Antitrust Division,” said Assistant Attorney General Jonathan Kanter of the Justice Department’s Antitrust Division. “This indictment shows the Justice Department and its Procurement Collusion Strike Force partners’ commitment to protecting taxpayer dollars throughout Oklahoma and across the country from brazen collusion.”

“My office is committed to root out price-fixing, collusion and fraud in taxpayer-funded projects,” said U.S. Attorney Robert J. Troester for the Western District of Oklahoma. “We are proud to work with our law enforcement partners in this effort to protect integrity in publicly-funded ventures and preserve the public trust.”

“Today’s announcement represents the FBI’s commitment to protecting competitive markets from those who try to cheat the system,” said Acting Special Agent in Charge Joseph Skarda of the FBI Oklahoma City Field Office. “We will continue to work alongside our law enforcement partners to uncover these harmful schemes and hold the perpetrators responsible.”

“Violations of the nation’s antitrust laws will be taken seriously and those who circumvent federal bidding and contract regulations will be held accountable,” said Special Agent in Charge Joseph Harris of the Department of Transportation Office of Inspector General (DOT-OIG), Southern Region. “This investigation demonstrates our commitment to working with our law enforcement and prosecutorial partners to uproot and expose brazen fraud schemes devised purely for personal gain.”

Four individuals — including a former Sioux employee — previously pleaded guilty for their roles in the charged conspiracy. Those individuals have not yet been sentenced.

Biscoe, Shelton and Sioux are charged with a violation of Section 1 of the Sherman Act. The maximum penalty for individuals is 10 years in prison and a $1 million criminal fine. The maximum penalty for corporations is a $100 million criminal fine. If convicted, a federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The DOT-OIG and FBI Oklahoma City Field Office investigated the case.

Trial Attorneys Bethany Lipman, Matthew Grisier and Marc Hedrich of the Antitrust Division’s Washington Criminal Section and Assistant U.S. Attorney Charles Brown for the Western District of Oklahoma are prosecuting the case.

Anyone with information about this investigation or other procurement fraud schemes should notify the Procurement Collusion Strike Force (PCSF) at www.justice.gov/atr/webform/pcsf-citizen-complaint. The Justice Department created the PCSF in November 2019. It is a joint law enforcement effort to combat antitrust crimes and related fraudulent schemes that impact government procurement, grant and program funding at all levels of government – federal, state and local. For more information, visit www.justice.gov/procurement-collusion-strike-force.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.