North Korean IT workers seen using AI tools to scam firms into hiring them
North Korean IT workers illicitly gaining employment at U.S. and European tech companies are increasingly using generative artificial intelligence in a variety of ways to assist them throughout the job application and interview process.
In an effort to improve its own onboarding process and help customers dealing with the scheme, cybersecurity firm Okta conducted research into online services used by individuals identified by U.S. authorities and third parties as agents for the Democratic People’s Republic of Korea (DPRK).
Okta researchers observed multiple AI-enhanced services being used to manage the email and phone communications of multiple personas; translate and transcribe communications; generate resumes and cover letters; conduct mock job interviews; test and improve job applications; and more.
“Facilitators extensively employ AI-enhanced tools to help minimally skilled, non-native English-speaking workers maintain software engineering positions, allowing them to channel earnings towards the sanctioned DPRK regime,” Okta said.
“The scale of observed operations suggests that even short-term employment for a few weeks or months at a time, when scaled with automation and GenAI, can present a viable economic opportunity for the DPRK.”
The Justice Department said North Korea has potentially made hundreds of millions of dollars through the scheme, where workers living in Southeast Asia or China obtain remote IT jobs at U.S. or European companies. With the help of U.S.-based facilitators, some workers hold multiple jobs at one time, earning high-paying salaries that are then sent back to the North Korean government.
Several of those caught by U.S. State Department officials “are linked to the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs,” according to indictments.
Automated resumes and interviews
Okta used indicators previously associated with known DPRK facilitators and agents to track their use of generative AI applications and worked with highly targeted customers and partners to examine the campaigns.
“GenAI is used to create compelling personas at numerous stages of the job application and interview process. Once employed, GenAI tools are also used to assist in maintaining multiple simultaneous roles to earn revenue for the state,” Okta said in a report shared with customers.
Other security firms recently spotlighted instances of North Koreans using real-time “deepfake” video during interviews. Okta said it saw IT workers and facilitators using generative AI services to translate voices and text in real time while also transcribing conversations.
Okta said the tools “appear to be instrumental in helping a relatively small cadre of facilitators schedule job interviews with multiple DPRK candidate personas.”
Western facilitators of the scheme were also seen using services designed to improve the chances of resumes making it past automated CV scanners used by many large companies. Okta did not name the service but said it is used to test resumes against applicant tracking software until they achieve better results.
Generative AI tools were also deployed to help automate the process of filling out job applications — allowing one person to handle the applications of multiple people and multiple personas.
Facilitators were seen using automated AI webcam interview reviews that critique first round interviews and provide advice on lighting, filters and conversational skills. Some AI agents can also “evaluate the efficacy of deepfake overlays and of highly scripted answers to common questions, to decrease the chance of their deception being discovered,” according to Okta.
Okta observed prolific use of large language model chatbots throughout the interview process and after employment is secured. North Koreans typically used them to learn new coding languages and other skills they would need for positions.
Okta said it has now built features into its products, like ID verification services, that it believes customers can use to reduce the threat of hiring illicit workers.
In an interview with Recorded Future News, Coinbase chief information security officer Jeff Lunglhofer said almost every Fortune 500 company is now dealing with the issue, and that it has changed the way his firm conducts hiring.
“We actually have a rigorous hiring program that we built with adversaries like North Korea in mind, not specific for North Korea, but we do require a great deal of our applicants. There’s a very detailed vetting process that we run all of our candidates through that requires multiple interviews, video interviews,” he said.
Candidates also have to give presentations and they now require some amount of in-person contact with the company before hiring, he said.
Lunglhofer noted that the kinds of deepfakes being used in interviews are not good enough yet to get past keen interviewers. He added that they work with government and industry partners so that when they have some suspicion of a candidate being a DPRK operative, they pull them out of the pipeline.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.