North Korean information technology (IT) operatives are increasingly using artificial intelligence (AI) to secure remote jobs with major European companies and collect salaries, the Financial Times (FT) reported on March 15.
The U.S. Department of Justice reports that between 2020 and 2024, North Korean operatives worked remotely for more than 300 U.S. companies, earning at least 6.8 million USD.
Jamie Collier, senior advisor for Google’s Threat Analysis Group in Europe, told the FT that this trend is spreading to Europe, with signs that North Korean operatives are setting up laptop farms in the UK.
Collier explained that the hiring process is often not seen as a security risk, making it a vulnerable point in corporate systems that North Korean operatives are exploiting.
These operatives either hijack unused LinkedIn accounts or pay account owners for access. They then create fake resumes and identification documents, obtain LinkedIn endorsements from other operatives, and use AI to generate digital masks, avatars, or deepfake video filters for video interviews.
Alex Lorimer, Chief Technology Officer (CTO) of cybersecurity firm Ping Identity, stated that AI has significantly boosted the credibility of fake applicants. He noted that large language models (LLMs) allow them to create culturally appropriate names and email addresses, avoiding previously detectable linguistic and cultural red flags.
Experts also report that North Korean operatives sometimes pay real individuals to participate in video interviews on their behalf to circumvent enhanced online hiring procedures.
The FT also reported instances where operatives intercept laptops provided to new employees, using remote access to perform tasks with LLMs and chatbot commands.
U.S. cybersecurity firm KnowBe4 revealed a case where a fake employee attempted to implant malware after being hired to access the company’s security system.
Amazon’s security chief, Steven Schmidt, disclosed in a January LinkedIn post that Amazon had blocked the employment of over 1,800 individuals suspected of being North Korean operatives since April 2024. He emphasized that this issue likely extends beyond Amazon and is occurring on a large scale across the industry.
Leif Filling, head of threat response at cybersecurity firm Sophos, described this as a North Korean state-backed operation. He explained that North Korean teams are specifically targeting high-paying remote tech jobs, repeatedly posing as professionals with 7 to 10 years of experience to secure employment and salaries.