
The North Korean IT worker ecosystem | Image: Microsoft
Microsoft Threat Intelligence reveals how North Korea’s remote IT worker program has evolved into a highly organized, AI-enhanced, and globally disruptive cybercrime campaign—blending deepfake tactics, fake personas, and stolen identities to generate revenue for the DPRK regime.
“North Korea has deployed thousands of remote IT workers to assume jobs in software and web development as part of a revenue generation scheme for the North Korean government,” the report states.
Tracked under the threat cluster Jasper Sleet (formerly Storm-0287), these North Korean operatives are applying for jobs at U.S. and global companies, pretending to be developers or IT admins. They come armed with forged credentials, polished AI-generated resumes, and even voice-changing software.
“Among the changes… include the use of AI tools to replace images in stolen employment and identity documents and enhance North Korean IT worker photos to make them appear more professional.”
Microsoft observed that attackers are using tools like FaceSwap to superimpose their likeness onto fake or stolen IDs and employment records. In one instance from October 2024, a public GitHub repository contained AI-enhanced images, resumes, email accounts, and a complete toolkit used by operatives to apply for jobs, manage clients, and collect payments.

“The repository also contained… playbooks on conducting identity theft and creating and bidding jobs on freelancer websites.”
Some resumes even reused the same photo in several edited versions, a telltale sign that one operator is running several synthetic identities.
The fraud doesn’t stop at documents. Workers build elaborate online personas on LinkedIn, GitHub, Upwork, and even Telegram, showcasing fabricated portfolios. They apply through staffing firms, freelance platforms, and direct job portals.
“They also apply for freelance opportunities through freelancer sites as an additional avenue for revenue generation.”
In some cases, they even become trusted employees, gaining access to proprietary codebases and source repositories.
Once hired, the North Korean workers remotely access U.S. company devices housed in "laptop farms" run by domestic facilitators. These middlemen create fake LLCs, open bank accounts, and forward hardware to the operatives or host it themselves, relaying access with tools like PiKVM, TinyPilot, TeamViewer, and RustDesk. PiKVM and TinyPilot are hardware KVM-over-IP devices plugged into the laptop's video output and USB ports, so that route leaves no remote-access software on the machine itself; TeamViewer and RustDesk are software remote-desktop agents that do.
“Once hired, the remote workers direct company laptops and hardware to be sent to the address of the accomplice… enabling the workers to connect remotely.”
In some cases, accomplices are even paid to stand in during video interviews to help complete onboarding processes.
Microsoft reports that over 300 U.S. companies, including Fortune 500 firms, unknowingly employed these workers between 2020 and 2022. In one DOJ indictment, two North Koreans and three facilitators generated $866,255 from just ten of at least 64 infiltrated companies.
“North Korean IT workers are a multifaceted threat… they use their access to steal sensitive intellectual property, source code, or trade secrets.”
They have even attempted to get hired at two U.S. government agencies.
To detect these operations, Microsoft built custom machine learning workflows around signals such as "impossible travel": an account signing in from a U.S. IP address and a foreign one within a window too short for anyone to have physically made the trip. The model uses these signals to surface the accounts most likely to belong to North Korean IT workers for analyst review.
Once an account is confirmed, Microsoft flags it to the affected organization through Microsoft Entra ID Protection risk detections and Microsoft Defender XDR alerts, together with remediation guidance.
Microsoft urges companies to:
- Vet remote workers rigorously via video interviews
- Cross-check LinkedIn, GitHub, and email account consistency
- Block unapproved remote management tools
- Investigate unusual VPN or VPS usage
- Treat repeated "employee excuses" for avoiding video or voice calls as a warning sign
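Two of the signals above, the "impossible travel" detection Microsoft describes and the check for unapproved remote-management software, can be run over sign-in and endpoint telemetry. The following is an added example written for this page, not Microsoft's code: the IP geolocation table, account names, hostnames and log formats are constructed, and the remote-control binary names are assumed typical defaults rather than a complete list.

```python
"""Added example (not Microsoft's code). Two detections over constructed telemetry:
1. Impossible travel: consecutive sign-ins by one account whose locations could
   not be reached at a plausible speed in the elapsed time. The report's
   U.S.-IP-then-foreign-IP-within-minutes pattern is one instance.
2. Unapproved remote-control software on a managed laptop (TeamViewer, RustDesk).
   Hardware KVMs such as PiKVM and TinyPilot never show up as a process, so they
   must be caught by detection 1 or by USB/HDMI device inventory instead.
Assumptions: GeoIP is a stub table (a real deployment queries a GeoIP service),
binary names are assumed defaults, and all log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed GeoIP table: ip -> (country, latitude, longitude).
GEOIP = {
    "203.0.113.10": ("US", 40.71, -74.01),   # New York (facilitator's laptop farm)
    "198.51.100.7": ("US", 34.05, -118.24),  # Los Angeles
    "192.0.2.55": ("CN", 43.82, 125.32),     # Changchun
}
MAX_PLAUSIBLE_KMH = 1000.0  # above airliner speed: two people, not one traveller
MIN_DISTANCE_KM = 100.0     # ignore GeoIP jitter inside one metro area


@dataclass
class SignIn:
    user: str
    when: datetime
    ip: str


@dataclass
class TravelAlert:
    user: str
    from_ip: str
    to_ip: str
    km: float
    hours: float
    kmh: float
    cross_border: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_signins(lines):
    """Constructed line format: '<ISO-8601 timestamp> <user> <source ip>'."""
    return [SignIn(u, datetime.fromisoformat(ts), ip)
            for ts, u, ip in (line.split() for line in lines)]


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins per user that would require an implausible speed."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.ip not in GEOIP or cur.ip not in GEOIP:
                continue  # unknown location: no distance to reason about
            c1, la1, lo1 = GEOIP[prev.ip]
            c2, la2, lo2 = GEOIP[cur.ip]
            km = haversine_km(la1, lo1, la2, lo2)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")  # same second, far apart
            if kmh > max_kmh:
                alerts.append(TravelAlert(user, prev.ip, cur.ip, km, hours, kmh, c1 != c2))
    return alerts


# Assumed default binary names of remote-control agents; extend from your inventory.
REMOTE_CONTROL_BINARIES = {"teamviewer.exe", "teamviewer_service.exe", "rustdesk.exe"}


def unapproved_remote_tools(process_lines, approved=frozenset()):
    """Constructed line format: '<host> <user> <process path>'.
    Returns (host, user, binary) for remote-control agents not on the allowlist."""
    hits = []
    for line in process_lines:
        host, user, path = line.split(maxsplit=2)
        binary = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if binary in REMOTE_CONTROL_BINARIES and binary not in approved:
            hits.append((host, user, binary))
    return hits


# Constructed sample telemetry.
SIGNIN_LOG = [
    "2024-10-01T13:00:00+00:00 dev.jsmith 203.0.113.10",  # via the laptop-farm relay, NY
    "2024-10-01T13:20:00+00:00 dev.jsmith 192.0.2.55",    # direct from Changchun, 20 min later
    "2024-10-01T09:00:00+00:00 alice 198.51.100.7",       # LA in the morning
    "2024-10-01T18:30:00+00:00 alice 203.0.113.10",       # NY that evening: a real flight
]
PROCESS_LOG = [
    r"LT-4471 dev.jsmith C:\Program Files\TeamViewer\TeamViewer_Service.exe",
    r"LT-4471 dev.jsmith C:\Users\jsmith\AppData\Local\rustdesk\rustdesk.exe",
    r"LT-0902 alice C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for a in impossible_travel(parse_signins(SIGNIN_LOG)):
        print(f"{a.user}: {a.from_ip} -> {a.to_ip}, {a.km:.0f} km in {a.hours:.2f} h "
              f"({a.kmh:.0f} km/h), cross-border={a.cross_border}")
    for host, user, binary in unapproved_remote_tools(PROCESS_LOG):
        print(f"{host}: {user} running unapproved remote-control agent {binary}")
```

The speed threshold matters more than the distance: a genuine LA-to-NY flight in nine hours passes, while New York to Changchun in twenty minutes cannot be one person. Because a laptop farm makes the U.S. sign-in look legitimate, the alert is strongest when the operator slips and connects directly, or when endpoint telemetry shows a remote-control agent that IT never approved.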