{
	"id": "df05a800-5fbd-4f56-bd01-1299ff67dd9a",
	"created_at": "2026-04-06T00:06:29.714089Z",
	"updated_at": "2026-04-10T13:12:59.976287Z",
	"deleted_at": null,
	"sha1_hash": "ef970474fdf5df7c9fc68c636fa2aa1575c83f2d",
	"title": "How AI services power the DPRK’s IT contracting scams",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64081,
	"plain_text": "How AI services power the DPRK’s IT contracting scams\r\nBy Okta Threat Intelligence\r\nPublished: 2025-04-24 · Archived: 2026-04-05 14:00:41 UTC\r\nOver the past few months, Okta Threat Intelligence conducted in-depth research into online services used by\r\nindividuals identified by US authorities and trusted third parties as agents for the Democratic People’s Republic of\r\nKorea (DPRK).\r\nOur research finds that generative artificial intelligence (GenAI) is playing an integral role in how North Korean\r\nnationals gain employment in remote technical roles around the globe, in what some researchers refer to  as\r\n“DPRK IT Workers” or “Wagemole” campaigns.  GenAI is used to create compelling personas at numerous stages\r\nof the job application and interview process. Once employed, GenAI tools are also used to assist in maintaining\r\nmultiple simultaneous roles to earn revenue for the state.\r\nOkta Threat Intelligence has observed multiple AI-enhanced services used to:\r\nManage the communications of multiple personas and their numerous mobile phone accounts, instant\r\nmessaging accounts, email accounts and other related chat services behind a “single pane of glass”\r\nTranslate, transcribe and summarize communications\r\nGenerate and critique CVs and cover letters \r\nConduct mock job interviews via chat and webcam\r\nTest and improve the likelihood of any given job application passing automated checks\r\nOkta Threat Intelligence has also observed facilitator use of online shipping and logistics services. 
We hypothesise\r\nthat these services are used to redirect company-issued devices to “laptop farms” operated by facilitators based in\r\nWestern countries.\r\nBackground\r\nMultiple arrests and indictments have revealed the scale at which individuals operating on behalf of the DPRK\r\nhave been mobilized into neighbouring countries to gain fraudulent employment in organizations across the globe.\r\nThe primary objective of these schemes is to raise funds for the DPRK and compensate for the significant\r\nfinancial sanctions applied to the North Korean regime. US agencies have also identified several outlier cases in\r\nwhich the access to systems provided for employment was used to facilitate espionage or data extortion.\r\nThe targets for these fraudulent schemes appear opportunistic and based on the availability of remote technical\r\nroles. The employers most at-risk are technology companies that are more likely to accept remote candidates for\r\nhttps://sec.okta.com/articles/2025/04/genaidprk/\r\nPage 1 of 5\n\nIT or software engineering roles, often on a contingent basis. However, these campaigns also extend to industry\r\nverticals well beyond the technology sector. \r\nOkta Threat Intelligence has worked with highly targeted customers and partners, with a view to developing\r\npreventative controls for this unique threat model. In the process, Okta has revised our own onboarding processes,\r\nshared awareness collateral and built out numerous methods of detection. \r\nThe research had a direct influence on feature enhancements built into Okta Workforce Identity, such as ID\r\nverification services, that Okta customers can use to reduce their exposure to this threat. 
\r\nThe Facilitators\r\nOur understanding of this threat is shaped by the unique insight Okta Threat Intelligence can glean into the tools\r\nused by those individuals identified as “facilitators” of fraudulent employment schemes.\r\nThese facilitators provide the necessary in-country support, technical infrastructure and/or legitimate business\r\ncover to help individuals from sanctioned countries gain and maintain employment.\r\nFacilitators already apprehended by law enforcement in the United States are alleged to have knowingly provided\r\na range of support services to DPRK nationals:\r\nDirect assistance in the recruitment process\r\nA domestic address for the shipment of company-issued devices\r\nAccess to legitimate identity documents\r\nOperating company-issued devices on the remote worker’s behalf\r\nInstalling remote management and monitoring (RMM) tools on the device to facilitate the remote work\r\nAuthenticating, where necessary, on the remote worker’s behalf\r\nOne Arizona-based “laptop farm” operation exposed in May 2024 is alleged to have assisted in the placement of\r\nover 300 individuals in technical positions across the United States. In another January 2025 indictment, two US\r\nresidents were accused of fraudulently obtaining employment and operating a laptop farm in North Carolina for\r\nDPRK nationals, after they’d successfully gained employment at 64 organizations.\r\nOkta can now reveal for the first time the degree to which facilitators of fraudulent work schemes rely on\r\nemerging GenAI-enhanced services to scale their operations. 
\r\nOkta customers can read a comprehensive report into DPRK IT Worker fraud at the Okta Security Trust Center.\r\nPrimary Security Contacts can sign in to access threat advisories at security.okta.com.\r\nIn recent months, individuals strongly suspected to be DPRK-created personas have been recorded using real-time\r\n“deepfake” video during interviews.\r\nOkta Threat Intelligence research has observed a far broader set of GenAI services used in these schemes,\r\nsuggesting a very deliberate attempt by facilitators to keep pace with AI innovation. Facilitators are now using\r\nGenAI-based tools to optimize every step in the process of applying and interviewing for roles and to aid DPRK\r\nnationals attempting to maintain this employment.\r\nFacilitators were observed using GenAI-based services specializing in:\r\nUnified messaging\r\nRecruitment platforms\r\nResume/CV screening\r\nCandidate management\r\nAutomated job screening\r\nAI-based chatbots\r\nAI code training\r\nOnline shipping\r\nWhile Okta Threat Intelligence is not able to observe the facilitators’ activities beyond the login page, the narrow\r\nrange of functionality offered by many of these tools allows us to hypothesize on some likely use cases:\r\n1. Unified messaging\r\nOne of the most demanding challenges for facilitators is how to manage multi-channel communications on behalf\r\nof dozens of candidates from sanctioned countries and their multiple personas.\r\nOkta Threat Intelligence observed the use of unified messaging services to manage many simultaneous mobile\r\nphone accounts, instant messaging accounts, email accounts and other related chat services behind a “single pane\r\nof glass”. These GenAI-enhanced services are required to manage the scheduling of job interviews with multiple\r\nDPRK candidate personas by a small cadre of facilitators.\r\nThese services use GenAI in everything from tools that transcribe or summarize conversations, to real-time\r\ntranslation of voice and text.\r\n2. Recruitment platforms\r\nFacilitators and candidates both make extensive use of jobseeking platforms to apply for roles.\r\nMore surprising was the use of AI-enhanced recruitment platforms typically used by recruiters (not candidates) to\r\namplify the reach and accuracy of job postings.\r\nAccess to these tools provides facilitators opportunities to advertise roles at front companies that are similar, if not\r\nidentical, to those advertised by targeted organizations, in order to study the cover letters and resumes of\r\nlegitimate candidates. The CVs and cover letters from legitimate jobseekers may even form part of a training set\r\nfor optimizing future applications made on behalf of DPRK nationals.\r\nThese same recruitment platforms provide access to the same applicant vetting systems (ATS) real employers use\r\nto narrow down the number of job applications a recruiter or hiring manager needs to manually review. Posting\r\nfake job advertisements would allow facilitators to examine what features presented in a job application are most\r\nlikely to result in these AI-enhanced algorithms selecting a particular candidate over others.\r\nAt scale, these techniques dramatically improve the potential success of job applications, effectively using the\r\nrecruiters’ own tools against them.\r\n3. Resume/CV screening\r\nOkta Threat Intelligence assesses that facilitators are highly motivated to generate successful cover letters, CVs\r\nand interviews and address any specific criteria in a given application. Facilitators were observed making use of\r\nservices that provide “AI Superpowers” to job applicants to help them “outsmart employers’ robots”, in order to\r\nimprove the chances of a job application successfully progressing past the automated CV/resume scans used in\r\nrecruiting platforms.\r\nThese services use GenAI agents to test uploaded CVs against ATS (applicant tracking software), iterating until\r\nthey achieve a better result and learning which personas will be more successful in any given role.\r\n4. Candidate management\r\nOkta Threat Intelligence observed services that use GenAI agents to automate the process of filling in application\r\nforms on behalf of candidates and to track the progress of candidates through the application process.\r\nAgain, these capabilities address the challenge of facilitating job applications and employment on behalf of\r\nmultiple individuals and their multiple personas over multiple timezones.\r\n5. Mock interviews\r\nOnce an application is successful, the next task for facilitators is to prepare their candidates (or the facilitator\r\nthemselves, in some cases) for job interviews.\r\nFacilitators were observed using AI-enhanced services that deploy GenAI agents to host and record first-round\r\ninterviews on behalf of employers, then critique and offer improvement tips for the interviewee.\r\nThese automated “AI-based webcam interview review” services claim to assist with the appropriate use of\r\nlighting, video filters and the candidate’s approach to conversation.\r\nOkta Threat Intelligence assesses that mock interviews staged by AI agents can be used to evaluate the efficacy of\r\ndeepfake overlays and of highly scripted answers to common questions, to decrease the chance of their ruse being\r\ndiscovered.\r\n6. LLM-based chatbots\r\nWhile most of the GenAI applications used by facilitators relate directly to training and recruitment, Okta Threat\r\nIntelligence also observed them constantly signing into generic chatbots powered by large language models\r\n(LLMs).\r\nAnalyzing patterns of activity, these GenAI tools appear to be relied on heavily throughout the recruitment\r\nprocess, as well as by successful candidates once they gain employment.\r\n7. Code training services\r\nCandidates were also observed signing into free services that offer training in specific development languages and\r\nAI tools. These training platforms deliver a cursory awareness of unfamiliar development skills required by a\r\nhiring organization at interview, and the bare essentials required to maintain employment for as long as possible.\r\nIn short, DPRK facilitators are AI’s “power users”\r\nBy extensively employing AI-enhanced tools, facilitators enable minimally skilled, non-native English-speaking\r\nworkers to maintain software engineering positions long enough to channel earnings towards the sanctioned\r\nDPRK regime.
\r\nThe scale of observed operations suggests that even short-term employment for a few weeks or months at a time\r\ncan, when scaled with automation and GenAI, present a viable economic opportunity for the DPRK.\r\nMitigating Controls\r\nTo mitigate the threat posed by these campaigns, Okta Threat Intelligence recommends:\r\nEmbedding Identity Verification in key business processes\r\nTraining staff to identify common indicators of fraudulent behavior\r\nDetecting the unauthorized use of RMM (remote management and monitoring) tools\r\nOkta customers can access a detailed set of recommendations and detection methods by selecting Okta Threat\r\nIntelligence at security.okta.com.\r\nLiam Dermody, Tim Peel, Alex Tilley and David Zielezna contributed to this research.\r\nSource: https://sec.okta.com/articles/2025/04/genaidprk/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sec.okta.com/articles/2025/04/genaidprk/"
	],
	"report_names": [
		"genaidprk"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433989,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef970474fdf5df7c9fc68c636fa2aa1575c83f2d.pdf",
		"text": "https://archive.orkl.eu/ef970474fdf5df7c9fc68c636fa2aa1575c83f2d.txt",
		"img": "https://archive.orkl.eu/ef970474fdf5df7c9fc68c636fa2aa1575c83f2d.jpg"
	}
}