North Korean operation uses ChatGPT to forge military IDs as part of cyberattack
North Korean hackers exploited OpenAI’s ChatGPT to generate deepfake military ID cards in a phishing campaign against South Korean defense-related institutions, researchers have found.
The July attack was attributed to the Kimsuky group, also known as APT43, which has been sanctioned by Washington and its allies for supporting Pyongyang’s foreign policy and sanctions-evasion efforts through intelligence-gathering operations.
According to South Korean cybersecurity firm Genians, the hackers used ChatGPT to create sample images of South Korean government and military employee ID cards. The images were embedded in phishing emails crafted to appear as if they came from a legitimate South Korean defense agency handling identification services for military officials.
The emails delivered a fake ID card alongside malware that enabled data theft and remote access to victims’ systems.
Researchers said that metadata analysis confirmed the images were produced using ChatGPT, even though the service typically rejects requests to replicate official identification documents. According to the report, the attackers likely manipulated prompts by framing the request as a mock-up or sample design.
“This is a real case demonstrating the Kimsuky group’s application of deepfake technology,” Genians said, warning that generative AI can be abused to create realistic forgeries with little technical skill.
Kimsuky has been active since at least 2012, targeting governments, academics, think tanks, journalists, and activists in South Korea, Japan, the United States, Europe and Russia. Its primary focus has been individuals working on North Korea-related issues, including human rights and sanctions.
Genians and other researchers have also documented cases where North Korean IT workers used AI to generate fake résumés and online personas to secure overseas jobs, and to assist with technical interviews and tasks once employed.
South Korea’s foreign ministry has warned that Pyongyang’s workers “use a variety of techniques to disguise themselves as non-North Korean IT workers with false identities and locations, including by leveraging AI tools as well as cooperating with foreign facilitators.”
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.