AI Supercharges North Korean IT Worker Infiltration Schemes
Microsoft Threat Intelligence has identified a significant evolution in the tactics of remote IT workers deployed by North Korea. Since 2024, these state-sponsored operatives have begun leveraging artificial intelligence to increase the scale and sophistication of their global infiltration campaigns, which are designed to steal data and generate revenue for the North Korean regime.
Key changes in their methods include using AI to manipulate photos for fake identity documents and professional profiles, making them appear more convincing. Furthermore, they have been observed experimenting with voice-changing software to bypass verification during interviews.
This marks a new chapter in a long-running campaign where thousands of highly skilled North Korean IT workers, often based in China and Russia, use VPNs and witting accomplices to conceal their identities and secure remote jobs at companies worldwide.
The Rising Threat of State-Sponsored Remote Workers
For years, North Korea has run a sophisticated global operation where skilled IT workers apply for remote jobs to generate revenue and support state interests. Posing as legitimate foreign or domestic teleworkers, they use a variety of fraudulent methods to bypass standard employment checks. This scheme has evolved into a well-oiled machine, allowing North Korean operatives to secure roles in various industries. In some instances, victim organizations have even praised these workers as being among their most talented employees.
These positions provide North Korean actors with privileged access to sensitive information, which they use for information theft and extortion. The threat is multifaceted: not only does it violate international sanctions by generating revenue for the regime, but it also leads to the theft of intellectual property, source code, and trade secrets. In some cases, these workers have extorted their employers by threatening to leak company data.
The scale of this operation is staggering. Between 2020 and 2022, the US government found that over 300 US companies, including several Fortune 500 firms, had unknowingly hired these workers. This ongoing threat continues to evolve with more sophisticated tactics and tools, including custom and AI-enabled software.
How the Infiltration Scheme Works
North Korean remote IT workers employ a complex ecosystem to craft fake personas, perform remote work, and secure payments. They apply for remote roles across various sectors globally, often creating or stealing identities that match the geographic location of their target company.
Their process involves establishing fake email and social media accounts and building legitimacy through fabricated portfolios on platforms like GitHub and LinkedIn. Facilitators play a key role in this ecosystem, helping to validate fraudulent identities, forward company hardware from "laptop farms," and set up accounts on freelance job sites. To hide their tracks, the workers rely on a combination of VPNs, virtual private servers (VPS), and remote monitoring and management (RMM) tools.
Figure 1. The North Korean IT worker ecosystem
They begin by procuring identities—either stolen or "rented"—and creating tailored resumes and online profiles to match specific job requirements. These operatives often use fake LinkedIn profiles to contact recruiters and apply for jobs.
Figure 2. An example of a fake LinkedIn profile used by a North Korean IT worker.
To establish a convincing digital footprint, they create profiles on developer platforms like GitHub to showcase a portfolio of supposed work samples.
Figure 3. An example GitHub profile used by a North Korean IT worker.
AI: The New Weapon in Their Arsenal
Microsoft has observed these operatives using AI to boost the quantity and quality of their operations. In one instance, a public repository was found containing both actual and AI-enhanced images of suspected North Korean IT workers, along with their resumes, playbooks, and tools.
Figure 4. Photos of potential North Korean IT workers
They appear to be using AI tools like Faceswap to place their own pictures onto stolen employment and identity documents. These tools are also used to enhance their photos, moving them into more professional-looking settings for use on resumes and social media profiles.
Figure 5. Use of AI to modify photos for resumes and profiles
Figure 6. Different resumes using variations of the same AI-enhanced photo.
Beyond images, operatives are experimenting with voice-changing software. While not yet observed in the wild, combining AI voice and video could allow them to conduct interviews directly, removing the need for human facilitators.
The Crucial Role of Facilitators
Accomplices, or facilitators, are essential to the success of this scheme. They are recruited to help find jobs, pass verification checks, and manage logistics once a position is secured. These roles are often advertised as legitimate partnership opportunities.
Figure 7. An example job advertisement for a facilitator role.
Facilitators assist with creating bank accounts, purchasing phone numbers, and validating identities using fake or stolen documents. Once hired, company laptops are shipped to the facilitator's address, where they are set up with remote access software before being used by the operative.
Staying Hidden: Defense Evasion Tactics
To conceal their true location and maintain access, workers use a variety of tools, including VPNs (especially Astrill VPN), proxy services, and RMM software like JumpConnect, TeamViewer, and AnyDesk. When face-to-face interaction is unavoidable, such as for a bank verification, they pay accomplices to stand in for them. They frequently offer excuses to avoid being on camera during video calls.
How Microsoft is Disrupting These Operations
Microsoft tracks this activity under the name Jasper Sleet and has developed a custom machine learning solution to accelerate the identification of these workers. By analyzing signals like impossible time travel (e.g., logins from the US and China in quick succession), the system flags suspect accounts for analyst review. Once confirmed, customers are alerted through Microsoft Entra ID Protection and Microsoft Defender XDR.
To disrupt this activity, Microsoft has suspended 3,000 known consumer accounts created by North Korean IT workers and has directly notified all targeted or compromised customers.
How to Protect Your Organization from Infiltration
Defending against this threat requires a three-pronged strategy: vetting freelancers and vendors, monitoring for unusual activity, and responding effectively to suspected incidents.
Investigating Potential Threats in Your Hiring Process
To identify a potential North Korean operative during hiring, organizations should:
- Verify Digital Footprints: Confirm candidates have authentic social media profiles, a real phone number (not VoIP), and a residential address.
- Scrutinize Resumes: Check for inconsistencies in names, addresses, and dates. Contact references via phone or video.
- Mandate Video Calls: Insist on seeing candidates on camera during interviews. Technical issues with video or audio should be a red flag.
- Verify Identity on Camera: Ask candidates to hold their driver's license or passport up to the camera during a video call.
- Require Notarized ID: Consider requiring notarized proof of identity.
Monitoring for Suspicious Activity
To prevent infiltration, continuously monitor for:
- Unapproved RMM Tools: Use application control policies like Windows Defender Application Control or AppLocker to block unauthorized IT management software.
- Impossible Travel: Monitor for logins from geographically distant locations in a short time frame, for example, a US-based employee signing in from China or Russia.
- Use of Public VPNs: Track the use of known public VPN services like Astrill.
- Anomalous Work Hours: Monitor for consistent user activity outside of typical working hours.
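The four monitoring signals above, together with the impossible-time-travel logic that Microsoft's Jasper Sleet detection uses as an input, can be prototyped as plain rules over sign-in and process-creation telemetry. The script below is an added example, not Microsoft's machine learning system or any product's detection; the city coordinates, the VPN egress prefix, the RMM executable names, the 900 km/h plausibility threshold, the 08:00-18:00 work window, and every log record are constructed or assumed for illustration.

```python
# Added example: rule-based triage over constructed sign-in and process-creation
# records. Cities, coordinates, the VPN prefix, the RMM image names and all
# records below are constructed or assumed; they are not from the Microsoft report.
import math
import ntpath
from datetime import datetime

# Approximate (lat, lon) for the constructed sample locations.
GEO = {
    "Seattle": (47.61, -122.33),
    "Dallas": (32.78, -96.80),
    "Shenyang": (41.80, 123.43),
}

# Image names assumed for the RMM tools named on the page; confirm against your own telemetry.
RMM_EXECUTABLES = {"teamviewer.exe", "anydesk.exe", "jumpconnect.exe"}

# Constructed egress prefix standing in for a public VPN provider's published address ranges.
VPN_PREFIXES = ("203.0.113.",)

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly commercial-flight speed
WORK_HOURS = (8, 18)              # 08:00-18:00 in the employee's declared local time (assumed)
OFF_HOURS_RATIO = 0.5             # flag users whose sign-ins are mostly outside work hours


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(signins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive sign-ins by one user that would require travelling faster than max_speed_kmh."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s["time"]):
        by_user.setdefault(s["user"], []).append(s)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            dist = haversine_km(GEO[prev["city"]], GEO[cur["city"]])
            # Compare distance with the reachable distance so a zero time gap never divides by zero.
            if dist > max_speed_kmh * hours:
                alerts.append((user, prev["city"], cur["city"], round(hours, 2)))
    return alerts


def vpn_signins(signins, prefixes=VPN_PREFIXES):
    """Map each user to the set of source IPs that fall inside known public VPN ranges."""
    hits = {}
    for s in signins:
        if s["ip"].startswith(prefixes):
            hits.setdefault(s["user"], set()).add(s["ip"])
    return hits


def off_hours_users(signins, work_hours=WORK_HOURS, threshold=OFF_HOURS_RATIO):
    """Return {user: off-hours ratio} for users whose sign-ins are consistently outside work hours."""
    totals, off = {}, {}
    for s in signins:
        totals[s["user"]] = totals.get(s["user"], 0) + 1
        if not (work_hours[0] <= s["time"].hour < work_hours[1]):
            off[s["user"]] = off.get(s["user"], 0) + 1
    return {u: off.get(u, 0) / n for u, n in totals.items() if off.get(u, 0) / n >= threshold}


def unapproved_rmm(process_events, blocklist=RMM_EXECUTABLES):
    """Return (host, user, image name) for process starts whose image is a known RMM tool."""
    hits = []
    for e in process_events:
        name = ntpath.basename(e["image"]).lower()
        if name in blocklist:
            hits.append((e["host"], e["user"], name))
    return hits


def triage(signins, process_events):
    """Run all four checks and return the findings keyed by check name."""
    return {
        "impossible_travel": impossible_travel(signins),
        "public_vpn": vpn_signins(signins),
        "off_hours": off_hours_users(signins),
        "unapproved_rmm": unapproved_rmm(process_events),
    }


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample telemetry: "alice" behaves normally, "bob" trips every check.
SIGNINS = [
    {"user": "alice", "time": _t("2025-03-03 09:05"), "city": "Seattle", "ip": "198.51.100.10"},
    {"user": "alice", "time": _t("2025-03-03 17:40"), "city": "Seattle", "ip": "198.51.100.10"},
    {"user": "alice", "time": _t("2025-03-04 09:10"), "city": "Seattle", "ip": "198.51.100.10"},
    {"user": "bob", "time": _t("2025-03-03 09:00"), "city": "Dallas", "ip": "198.51.100.22"},
    {"user": "bob", "time": _t("2025-03-03 11:30"), "city": "Shenyang", "ip": "203.0.113.5"},
    {"user": "bob", "time": _t("2025-03-03 20:30"), "city": "Dallas", "ip": "203.0.113.5"},
    {"user": "bob", "time": _t("2025-03-04 02:15"), "city": "Dallas", "ip": "203.0.113.5"},
]
PROCESSES = [
    {"host": "WS-ALICE-01", "user": "alice", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "WS-BOB-01", "user": "bob", "image": r"C:\Users\bob\Downloads\AnyDesk.exe"},
    {"host": "WS-BOB-01", "user": "bob", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
]

if __name__ == "__main__":
    for check, findings in triage(SIGNINS, PROCESSES).items():
        print(f"{check}: {findings}")
```

The impossible-travel rule compares the distance between consecutive sign-ins against the distance reachable in the elapsed time, which is both the check Microsoft describes (US and China logins in quick succession) and a guard against a zero time gap; in production, feed it the geolocation your identity provider already attaches to sign-in events rather than a hand-built city table, and treat any single finding as a lead for the analyst review step the page describes, not as a verdict.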
Responding to a Confirmed Intrusion
If you identify a North Korean worker, treat it as an insider risk incident:
- Form a Small Working Group: Restrict the response to a trusted team to avoid tipping off the operative.
- Assess Access: Quickly evaluate the subject’s access to critical assets, sensitive data, and influential teams.
- Conduct Analysis: Look for connections to other potential aliases or collaborators and avoid premature actions that could alert other operators.
- Use OSINT: Investigate all PII provided by the actor to determine if the identity is stolen. Analyze account images for signs of AI generation.
- Preserve Evidence: Document all findings and conduct a full forensic investigation of all systems the employee had access to.
For more guidance, organizations can refer to CISA’s Insider Threat Mitigation Guide. US-based organizations should report suspected activity to the FBI's Internet Crime Complaint Center (IC3).