{ "id": "15e53030-a113-4d52-a7a8-7282630434eb", "created_at": "2026-04-06T00:15:32.528964Z", "updated_at": "2026-04-10T13:12:48.242966Z", "deleted_at": null, "sha1_hash": "fb65cbdefc1a51e9e72760748be1a9bc6c7afdd1", "title": "OpenAI bans ChatGPT accounts used by North Korean hackers", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1859344, "plain_text": "OpenAI bans ChatGPT accounts used by North Korean hackers\r\nBy Sergiu Gatlan\r\nPublished: 2025-02-24 · Archived: 2026-04-05 20:37:16 UTC\r\nOpenAI says it blocked several North Korean hacking groups from using its ChatGPT platform to research future targets\r\nand find ways to hack into their networks.\r\n\"We banned accounts demonstrating activity potentially associated with publicly reported Democratic People's Republic of\r\nKorea (DPRK)-affiliated threat actors,\" the company said in its February 2025 threat intelligence report.\r\n\"Some of these accounts engaged in activity involving TTPs consistent with a threat group known as VELVET CHOLLIMA\r\n(AKA Kimsuky, Emerald Sleet), while other accounts were potentially related to an actor that was assessed by a credible\r\nsource to be linked to STARDUST CHOLLIMA (AKA APT38, Sapphire Sleet).\"\r\nhttps://www.bleepingcomputer.com/news/security/openai-bans-chatgpt-accounts-used-by-north-korean-hackers/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/openai-bans-chatgpt-accounts-used-by-north-korean-hackers/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nThe now-banned accounts were detected using information from an industry partner. In addition to researching what tools to\r\nuse during cyberattacks, the threat actors used ChatGPT to find information on cryptocurrency-related topics, which are\r\ncommon interests linked to North Korean state-sponsored threat groups.\r\nThe malicious actors also used ChatGPT for coding assistance, including help on how to use open-source Remote\r\nAdministration Tools (RAT), as well as debugging, researching, and development assistance for open-source and publicly\r\navailable security tools and code that could be used in Remote Desktop Protocol (RDP) brute force attacks.\r\nOpenAI threat analysts also found that the North Korean actors revealed staging URLs for malicious binaries unknown to\r\nsecurity vendors at the time while debugging auto-start extensibility point (ASEP) locations and macOS attack techniques.\r\nThese staging URLs and the associated compiled executable files were submitted to an online scanning service to facilitate\r\nsharing with the broader security community. As a result, some vendors now reliably detect these binaries, protecting\r\npotential victims from future attacks.\r\nOther malicious activity uncovered by OpenAI while researching in what ways the North Korean threat actors used the\r\nbanned accounts includes but is not limited to:\r\nAsking about vulnerabilities in various applications,\r\nDeveloping and troubleshooting a C#-based RDP client to enable,\r\nRequesting code to bypass security warnings for unauthorized RDP,\r\nRequested numerous PowerShell scripts for RDP connections, file upload/download, executing code from memory,\r\nand obfuscating HTML content,\r\nDiscusses creating and deploying obfuscated payloads for execution,\r\nSeeking methods to conduct targeted phishing and social engineering against cryptocurrency investors and traders, as\r\nwell as more generic phishing content,\r\nCrafting phishing emails and notifications to manipulate users into revealing sensitive information.\r\nThe company also banned accounts linked to a potential North Korean IT worker scheme, described as having all the\r\ncharacteristics of efforts to obtain income for the Pyongyang regime by tricking Western companies into hiring North\r\nKoreans.\r\n\"After appearing to gain employment they used our models to perform job-related tasks like writing code, troubleshooting\r\nand messaging with coworkers,\" OpenAI explained. \"They also used our models to devise cover stories to explain unusual\r\nbehaviors such as avoiding video calls, accessing corporate systems from unauthorized countries or working irregular\r\nhours.\"\r\nSince October 2024, when it published its previous report, OpenAI has also detected and disrupted two campaigns\r\noriginating from China, \"Peer Review\" and \"Sponsored Discontent.\" These campaigns used the ChatGPT models to research\r\nand develop tools linked to a surveillance operation and generate anti-American, Spanish-language articles.\r\nIn the October report, OpenAI revealed that since the beginning of 2024, it disrupted over twenty campaigns linked to cyber\r\noperations and covert influence operations associated with Iranian and Chinese state-sponsored hackers.\r\nhttps://www.bleepingcomputer.com/news/security/openai-bans-chatgpt-accounts-used-by-north-korean-hackers/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/openai-bans-chatgpt-accounts-used-by-north-korean-hackers/\r\nhttps://www.bleepingcomputer.com/news/security/openai-bans-chatgpt-accounts-used-by-north-korean-hackers/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/openai-bans-chatgpt-accounts-used-by-north-korean-hackers/" ], "report_names": [ "openai-bans-chatgpt-accounts-used-by-north-korean-hackers" ], "threat_actors": [ { "id": "810fada6-3a62-477e-ac11-2702f9a1ef80", "created_at": "2023-01-06T13:46:38.874104Z", "updated_at": "2026-04-10T02:00:03.129286Z", "deleted_at": null, "main_name": "STARDUST CHOLLIMA", "aliases": [ "Sapphire Sleet" ], "source_name": "MISPGALAXY:STARDUST CHOLLIMA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0", "created_at": "2022-10-25T15:50:23.240383Z", "updated_at": "2026-04-10T02:00:05.299433Z", "deleted_at": null, "main_name": "APT38", "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM" ], "source_name": "MITRE:APT38", "tools": [ "ECCENTRICBANDWAGON", "HOPLIGHT", "Mimikatz", "KillDisk", "DarkComet" ], "source_id": "MITRE", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-10T02:00:04.7432Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434532, "ts_updated_at": 1775826768, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/fb65cbdefc1a51e9e72760748be1a9bc6c7afdd1.pdf", "text": "https://archive.orkl.eu/fb65cbdefc1a51e9e72760748be1a9bc6c7afdd1.txt", "img": "https://archive.orkl.eu/fb65cbdefc1a51e9e72760748be1a9bc6c7afdd1.jpg" } }