A highly developed North Korean operation implants its IT workers in U.S. and Western companies to work remotely. These workers, using stolen or fabricated identities, secure jobs with major corporations, including many Fortune 500 firms. They funnel their salaries back to the North Korean regime, which uses the funds to support its work on forbidden nuclear weapons and missiles.
The methods have become more and more intricate, and now they involve the following:
1. Creating credible resumes and acing job interviews with the help of generative AI, then manufacturing deepfake ID docs for the employment verification process.
2. Using “laptop farms” in which the worker has the workstation sent to a U.S. address, then remotely connects from North Korea or China to the workstation, usually working at night to match U.S. business hours.
3. Using deepfake technology in video job interviews to make synthetic identities that obfuscate their real appearance.
4. Making the utmost use of AI tools all the way through the job application and interview process, such as for: translating and transcribing communications, generating resumes and cover letters, conducting mock job interviews, and testing and improving job applications.
This undertaking is far-reaching. By the reckoning of Google Threat Intelligence Group authority Michael Barnhart, the North Korean personnel involved here are “wildly successful” at burrowing into American firms. CrowdStrike calls the group behind this work “Famous Chollima,” and in 2024 alone, this outfit was credited with 304 incidents.
Detection Methods
Some techniques have been developed by companies to identify these fraudulent employees:
- An effective interview question is asking candidates to say something negative about Kim Jong Un. Actual North Korean operatives will often terminate the call immediately when asked such a question, as it is too dangerous (and plainly illegal) to criticize the country’s leader.
- Other effective indicators of North Korean operatives include nervousness when discussing the country’s human rights violations, an inability to say anything positive about Kim Jong Un, and—most tellingly—a refusal to say anything at all, even when prompted.
- These behaviors are also correlated with having been trained to adhere too strictly to the country’s ideology.
- Certain companies now mandate that video interviews be conducted with the camera on. They also use identity verification tools with geolocation features to ensure the interviewee is at the location they claim.
- Experts advise organizations to check for technical shortcomings of real-time deepfake systems. Specific issues to watch include temporal consistency, occlusion handling, lighting adaptation, and audio-visual synchronization.
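The laptop-farm pattern described earlier (a workstation shipped to a U.S. address and then remotely controlled from abroad) and the geolocation check above can be turned into a triage query over onboarding and endpoint data. The following is an added example, not code from any vendor or from the sources cited here; the record fields, the sample data and the threshold are assumptions, and source IPs are assumed to be geolocated upstream.

```python
from collections import defaultdict

# Constructed sample data; field names are assumptions, not a real product schema.
DEVICES = [
    {"employee": "e101", "claimed_country": "US", "ship_to": "12 Elm St, Springfield"},
    {"employee": "e102", "claimed_country": "US", "ship_to": "12 elm st,  springfield"},
    {"employee": "e103", "claimed_country": "US", "ship_to": "9 Oak Ave, Dayton"},
    {"employee": "e104", "claimed_country": "US", "ship_to": "12 Elm St, Springfield"},
]
# Inbound remote-control sessions seen on the corporate workstation (constructed).
REMOTE_SESSIONS = [
    {"employee": "e101", "source_country": "CN"},
    {"employee": "e101", "source_country": "CN"},
    {"employee": "e103", "source_country": "US"},
    {"employee": "e104", "source_country": "US"},
]

def normalize(addr):
    """Collapse case, commas and spacing so the same address compares equal."""
    return " ".join(addr.lower().replace(",", " ").split())

def laptop_farm_indicators(devices, sessions, farm_threshold=2):
    """Return {employee: [indicator, ...]} for records that need human review."""
    by_addr = defaultdict(set)
    claimed = {}
    for d in devices:
        by_addr[normalize(d["ship_to"])].add(d["employee"])
        claimed[d["employee"]] = d["claimed_country"]

    findings = defaultdict(list)
    # Indicator 1: several hires' workstations shipped to one address.
    for emps in by_addr.values():
        if len(emps) >= farm_threshold:
            for e in emps:
                findings[e].append(f"shared_ship_to:{len(emps)}")
    # Indicator 2: the workstation is remotely controlled from a country
    # other than the one the employee claims to live in.
    foreign = defaultdict(set)
    for s in sessions:
        e = s["employee"]
        if e in claimed and s["source_country"] != claimed[e]:
            foreign[e].add(s["source_country"])
    for e, countries in foreign.items():
        findings[e].append("remote_from:" + ",".join(sorted(countries)))
    return {e: sorted(v) for e, v in findings.items()}

if __name__ == "__main__":
    for emp, hits in sorted(laptop_farm_indicators(DEVICES, REMOTE_SESSIONS).items()):
        print(emp, hits)
```

Each indicator is a prompt for review rather than proof: shared households and travelling staff produce the same signals.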
North Korea’s AI Research and International Collaboration
Apart from penetrating tech employment, North Korea has also been developing capabilities in AI and research networks.
1. In spite of UN Security Council Resolution 2321 (passed in 2016) that bans scientific and technical cooperation with North Korea, the nation has carried on with its collaborative AI research and development efforts and seems to have an expanding network of foreign partners, according to several recent media reports. China has become a major partner, but at least 11 other countries—South Korea, Japan, Germany, Lithuania, Sweden, Switzerland, the UK, Egypt, Uganda, Canada, and the US—also figure prominently in the North Korean AI effort.
2. The collaborations have been especially vigorous at three North Korean institutes: Kim Il Sung University, the National Academy of Science, and Kim Chaek University of Technology. These institutes have most often partnered with Chinese universities that are geographically close to North Korea, but they have also collaborated with institutions such as the University of Detroit Mercy in the U.S. and George Mason University’s campus in South Korea.
3. A report by Hyuk Kim of the James Martin Center for Nonproliferation Studies states that “North Korea’s recent endeavors in AI and machine learning development signify a strategic investment to bolster its digital economy.”
4. North Korean researchers have used AI/ML in delicate work like “wargaming and surveillance” but have kept working with foreign academics in scientifically permissible ways. This is a potential sanctions evasion scheme because you can’t very well sanction a country that’s sending scientists abroad and bringing them back with knowledge of permissibly worked-on sensitive technologies.
5. The regime has employed artificial intelligence to create “wargame simulations” and to protect nuclear reactors. Notably, the report states, “North Korea’s pursuit of a wargaming simulation program using machine learning reveals intentions to better comprehend operational environments against potential adversaries.”
Implications
The two-pronged approach of penetrating Western technology firms and simultaneously building native AI through cooperation with foreign researchers poses a many-sided problem for the United States and its allies:
1. Funding for weapons of mass destruction programs.
2. Data theft and exfiltration of intellectual property.
3. Critical infrastructure is vulnerable to cyberattacks.
4. Evasion of sanctions via intangible technology transfer.
5. Legitimate academic collaboration is exploited for military purposes.
The intersection of technology, cybersecurity, and international security is becoming ever more pronounced. And at the center of it all is artificial intelligence, both as a tool for bad actors (in this case, North Korea) to use when infiltrating our systems and as a reason to worry about the kinds of strategic technological development bad actors are up to.