North Korea uses AI for social engineering
- AIRiskExplorer said on May 22 North Korea-linked actors used AI-generated resumes, interview answers and LinkedIn profiles to run social-engineering campaigns tied to crypto theft.
- Microsoft said North Korean remote IT workers have used AI since 2024 to improve scale and sophistication, while U.S. prosecutors cited $900,000 stolen.
- The FBI’s July 23, 2025 alert lists hiring-process checks, social-profile review and identity verification steps for employers and recruiters.

AIRiskExplorer said on May 22 that North Korea-linked actors were using AI-generated resumes, interview answers and LinkedIn profiles to run social-engineering campaigns tied to cryptocurrency theft. The examples fit a broader pattern that U.S. authorities and private researchers have been documenting for more than a year: North Korean operators posing as job candidates, recruiters or remote workers to get access to companies, devices and digital assets.

Microsoft said in June 2025 that it had observed North Korean remote IT workers using AI to improve the scale and sophistication of their operations since 2024. The Justice Department has said some of those schemes led directly to virtual-currency theft.

### How does the AI fit into North Korea’s existing playbook?

Microsoft Threat Intelligence said on June 30, 2025 that North Korean remote IT workers were using AI tools to replace images in stolen employment and identity documents and to enhance photos so they appeared more professional. The company said it had also observed the use of voice-changing software and advised recruiters to verify that candidates’ social-media and professional accounts were unique and consistent. (microsoft.com)

The FBI said on July 23, 2025 that North Korean IT workers and their facilitators use job-search accounts, front businesses, background-check services and artificial-intelligence models to obtain fraudulent employment and access U.S. company networks. The bureau said U.S.-based facilitators have also attended virtual interviews and meetings on behalf of North Korean workers.

### Is this mainly a hiring fraud story or a crypto theft story?

(microsoft.com) The Justice Department said on June 30, 2025 that North Korean actors fraudulently obtained employment with more than 100 U.S. companies using stolen and fake identities.

Prosecutors said the workers received salary payments, gained access to sensitive employer information and, in one case involving an Atlanta-based blockchain research and development company, stole more than $900,000 in virtual currency. (fbi.gov)

Expel said on April 22, 2026 that a North Korea-linked group it tracks as HexagonalRodent was targeting Web3 developers and was primarily focused on stealing cryptocurrency and NFTs. Expel said the group made heavy use of generative AI and that as much as $12 million in cryptocurrency wallets was exfiltrated in three months.

### Why do fake LinkedIn profiles and interview scripts matter?

(justice.gov) Palo Alto Networks’ Unit 42 said the synthetic-identity threat associated with North Korean IT worker operations has become easier to execute as AI-generated faces, document-forgery tools and real-time voice and video manipulation have become more accessible. The firm said the technical barriers were falling, which helps explain why fabricated candidate profiles can now look more plausible across multiple platforms. (expel.com)

The FBI said employers should cross-check photos, phone numbers, addresses and email accounts against social-media profiles, portfolio sites and payment platforms. The bureau also told companies to verify prior employment and education and to scrutinize identity documents for misspellings and inconsistencies.

### How long has the U.S. been tracking this network?

The Justice Department said on Dec. 12, 2024 that 14 North Korean nationals were indicted in Missouri for a multi-year scheme to obtain remote IT work with false, stolen and borrowed identities. (unit42.paloaltonetworks.com)

Prosecutors said the group generated at least $88 million over about six years and in some cases stole source code and threatened employers with extortion. (fbi.gov)

The Justice Department said again on June 30, 2025 that coordinated actions across 16 states included searches of 29 suspected laptop farms, seizures of 29 financial accounts and 21 fraudulent websites, and charges tied to North Korea’s remote IT worker revenue schemes. Assistant Attorney General John A. Eisenberg said the schemes were designed to evade sanctions and fund North Korea’s illicit programs, including weapons programs. (justice.gov)

### What should readers watch next?

The FBI’s July 23, 2025 public alert remains the clearest U.S. checklist for employers screening remote candidates, staffing vendors and contractor accounts. Microsoft’s June 30, 2025 report and current threat-research updates from firms tracking DPRK activity are the next places to watch for new examples involving AI-generated hiring materials, voice tools and crypto-targeting campaigns. (microsoft.com) (justice.gov)