“Natural Selection” at Work: How North Korean IT Workers Use AI to Infiltrate Companies
Ddos 
A new report from Okta Threat Intelligence has pulled back the curtain on a sprawling fraudulent employment scheme orchestrated by IT workers from the Democratic People’s Republic of Korea (DPRK). By analyzing data from over 130 actors and more than 6,500 interviews, the research exposes how these state-sponsored operatives are using stolen identities, AI-generated photos, and manipulated LinkedIn profiles to land jobs at hundreds of companies worldwide.
The report details the activities of specific “personas” who exemplify the tactics used to bypass background checks and secure remote employment, funneling their earnings back to the North Korean regime.
The investigation highlights a specific persona, referred to as “JJ,” who exemplifies the group’s tactics. “JJ” didn’t just apply for a few jobs; they were a professional interviewee.
“This actor has prolifically interviewed for roles in multiple verticals over two years, with an overrepresentation of roles in AI and healthcare,” the report states.
To pass background checks, “JJ” abused legitimate platforms. By creating a profile on LinkedIn that mimicked a real person, they could bypass initial scrutiny. “These two actors reveal two interesting TTPs DPRK actors use to land employment: the abuse of legitimate LinkedIn profiles to pass reference checks, and the abuse of stolen identities,” Okta researchers explain.
The fraud didn’t stop at resumes. The actors used technology to hide their true identities during video calls and in profile pictures. One persona, hired as a “Senior Front End Engineer,” used a photo that researchers identified as clearly fake.
“The photo used in this post is even more obviously AI-generated than any of the other photographs we analyzed,” the report notes.
Perhaps the most disturbing finding is the efficiency of the operation. The North Korean actors are learning from every rejection, sharing successful resume templates and interview answers across the group.
“A kind of IT Worker natural selection is at play,” the report concludes. “The various operators in the IT Worker scheme are clearly ‘learning from their mistakes’ – in many cases duplicating approaches… that have succeeded in progressing one application over another”.
Successful actors become “interview brokers,” taking multiple meetings a day not just for themselves, but to secure positions that are then handed off to other operatives. This industrial-scale fraud turns the hiring process into a vulnerability, one that traditional background checks are struggling to catch.
Related Posts:
- Lazarus Group Lures Victims with Fake LinkedIn Job Offers, Warns Bitdefender
- LinkedIn to Use Your Data for AI Training. Here’s How to Opt Out
- DPRK IT Workers: A Global Threat Expanding in Scope and Scale
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
