Full Report
North Korean IT workers illicitly gaining employment at U.S. and European tech companies are increasingly using generative artificial intelligence in a variety of ways to assist them throughout the job application and interview process.
Analysis Summary
# Threat Actor: DPRK State-Sponsored IT Workers (Facilitated Scheme)
## Attribution & Identity
Attributed to agents of the **Democratic People’s Republic of Korea (DPRK)**, often utilizing North Korean IT workers living abroad (e.g., in Southeast Asia or China) to gain remote employment at Western technology companies. Facilitators, sometimes U.S.-based, assist these workers. Some implicated individuals are allegedly linked to the DPRK’s **Munitions Industry Department**.
## Activity Summary
The actor group is engaged in a scheme to secure remote IT positions at U.S. and European tech companies using deceptive synthetic identities. Upon securing employment, they leverage these roles to channel high salaries back to the sanctioned DPRK regime. The operation is scaled using generative AI (GenAI) to streamline onboarding, application processes, and day-to-day job performance, allowing workers to potentially hold multiple roles simultaneously.
## Tactics, Techniques & Procedures
- **Identity Deception:** Creation of compelling personas for job applications and interviews.
- **Automated Application Process:** Using GenAI tools to automate filling out job applications for multiple personas.
- **Resume Optimization:** Using services to test and improve resumes against Applicant Tracking Systems (ATS) to bypass filters.
- **Interview Deception:** Utilizing AI-enhanced tools for mock interviews, real-time voice/text translation/transcription, and employing "deepfake" video overlays during remote interviews to mask identity.
- **Performance Maintenance:** Using Large Language Model (LLM) chatbots for on-the-job assistance, including learning new coding languages and skills needed for complex roles.
- **Coordination:** Using AI-enhanced services to manage the scheduling and communication across multiple candidate personas.
## Targeting
- **Sectors:** Technology (IT roles at U.S. and European companies).
- **Geography:** Targeting companies in the U.S. and Europe; workers are housed primarily in Southeast Asia or China.
- **Victims:** Major U.S. and European tech companies (multiple Fortune 500 companies are reportedly affected).
## Tools & Infrastructure
- **Malware families used:** None are named; the operation is not malware-driven. It relies on commercial **generative AI services** (LLM chatbots, deepfake video tools, AI webcam interview reviewers).
- **Infrastructure (C2, domains, IPs):** No C2 servers, domains or IP addresses are identified. The tradecraft depends on ordinary third-party cloud and AI services for communication management, translation, transcription and resume testing; specific service names are not disclosed.
## Implications
This activity is a significant, state-sponsored sanctions-evasion and revenue-generation scheme, potentially netting hundreds of millions of dollars for the DPRK regime and funding sensitive programs such as missile development. Widespread adoption of GenAI lowers the barrier to entry: minimally skilled workers can now pass interviews for, and then hold, complex software engineering roles, which greatly increases the scale and efficiency of the operation and lets a single worker service several positions at once. Western organizations are consequently forced to overhaul hiring and vetting processes.
## Mitigations
- Implement rigorous, multi-stage vetting processes for all IT candidates, including multiple video interviews and mandatory in-person contact before final hiring.
- Use identity-verification services that check the candidate's government ID and flag synthetic identities or anomalies associated with known DPRK evasion tactics.
- Scrutinize interview performance for overly scripted answers, pauses consistent with real-time translation or transcription, and visual or biographical inconsistencies that might indicate AI assistance or a deepfake overlay.
- Collaborate with government and industry partners to share indicators regarding suspicious candidate profiles.
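As an added detection example (this code is not from the report, and the report names no such tool), the following Python groups applications that appear to come from one operator running several candidate personas, the pattern described under Activity Summary and Coordination above. It links applications that share a contact channel or application source address, or whose resumes are near-duplicates (word-shingle Jaccard similarity), and flags any cluster containing more than one applicant name. The record fields, the thresholds, the choice of 3-word shingles and the sample applicants are all assumptions for illustration, not indicators published by the report.

```python
"""Cluster job applications that look like one operator behind several personas.

Added example, not code from the original report. Assumes a hiring pipeline
exports one dict per application with the fields below; field names,
thresholds and sample records are illustrative assumptions.
"""
import re
from itertools import combinations

# Constructed sample records (not real applicants). A1 and A2 are meant to
# model two personas run by one operator; A3 is an unrelated applicant.
APPLICATIONS = [
    {"id": "A1", "name": "Alex Moreno", "email": "alex.moreno@example.net",
     "phone": "+1-555-0100", "apply_ip": "203.0.113.7",
     "resume": "Senior backend engineer. 7 years building Node.js and Go "
               "microservices on AWS. Led migration to Kubernetes; mentored "
               "junior developers; strong in CI/CD and observability."},
    {"id": "A2", "name": "Jordan Lee", "email": "jordan.lee@example.org",
     "phone": "+1-555-0100", "apply_ip": "203.0.113.7",
     "resume": "Senior backend engineer with 7 years building Node.js and Go "
               "microservices on AWS. Led the migration to Kubernetes, mentored "
               "junior developers, strong CI/CD and observability skills."},
    {"id": "A3", "name": "Priya Nair", "email": "priya.n@example.com",
     "phone": "+1-555-0199", "apply_ip": "198.51.100.23",
     "resume": "Data engineer. Spark, Airflow, dbt on GCP. Built streaming "
               "pipelines for fraud analytics; owned data quality SLAs."},
]

# Fields whose exact reuse across different names is itself suspicious.
LINK_FIELDS = ("phone", "email", "apply_ip")


def shingles(text, k=3):
    """Set of k-word shingles over lower-cased alphanumeric tokens."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Jaccard similarity of two sets; 0.0 when either is empty."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def link_reasons(x, y, threshold=0.4):
    """Return the list of reasons two applications should be linked."""
    reasons = [f"shared {f}" for f in LINK_FIELDS if x[f] == y[f]]
    sim = jaccard(shingles(x["resume"]), shingles(y["resume"]))
    if sim >= threshold:
        reasons.append(f"near-duplicate resume (jaccard={sim:.2f})")
    return reasons


def cluster_personas(apps, threshold=0.4):
    """Union-find over pairwise links; flag clusters with more than one name.

    Returns a list of dicts: {"ids": [...], "names": [...], "links": {...}}
    where links maps "id1-id2" to the reasons that pair was joined.
    """
    parent = {a["id"]: a["id"] for a in apps}

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    links = {}
    for x, y in combinations(apps, 2):
        reasons = link_reasons(x, y, threshold)
        if reasons:
            parent[find(x["id"])] = find(y["id"])
            links[f"{x['id']}-{y['id']}"] = reasons

    groups = {}
    for a in apps:
        groups.setdefault(find(a["id"]), []).append(a)

    flagged = []
    for members in groups.values():
        ids = sorted(m["id"] for m in members)
        names = sorted({m["name"] for m in members})
        if len(names) > 1:  # one identity applying twice is not the signal here
            flagged.append({
                "ids": ids,
                "names": names,
                "links": {k: v for k, v in links.items()
                          if k.split("-")[0] in ids},
            })
    return flagged


if __name__ == "__main__":
    for cluster in cluster_personas(APPLICATIONS):
        print(cluster["ids"], cluster["names"])
        for pair, reasons in cluster["links"].items():
            print("  ", pair, "->", "; ".join(reasons))
```

A shared phone number or source address on its own can have innocent explanations (shared household, corporate NAT), so the output is a triage queue for the vetting steps above, not a rejection decision; the resume similarity score is the weaker signal and is only reported alongside the others.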