
North Korea weaponizes deepfake AI to infiltrate Western firms through remote worker fraud

State operatives are earning $800 million annually by using generative AI to bypass HR systems, perform legitimate work, then systematically exfiltrate intellectual property.

North Korean operatives generated nearly $800 million in 2024 by using deepfake technology to secure remote IT jobs at Western companies, then funneling wages directly to Pyongyang’s weapons programs while stealing sensitive data. The operation represents the first large-scale weaponization of generative AI for state-sponsored labor arbitrage combined with espionage—a threat vector that traditional cybersecurity defenses weren’t designed to detect.

The mechanics of AI-enabled infiltration

Microsoft tracks two North Korean groups—Jasper Sleet and Coral Sleet—using AI at every stage of the hiring process: voice-changing software masks accents during remote interviews, while the Face Swap app inserts North Korean faces into stolen identity documents and generates polished headshots for CVs. Creating a real-time deepfake now takes just over an hour with no prior experience using readily available tools and inexpensive consumer hardware, according to Palo Alto Networks’ Unit 42.

Scale of infiltration
Companies affected: 300+
Annual revenue (2024): $800M
Fortune 500 CISOs who admitted hiring DPRK workers: nearly 100%
Individual operative earnings: $300K/year

The technology offers two key operational advantages: it allows a single operator to interview for the same position multiple times using different synthetic personas, and it helps operatives avoid being identified and added to security bulletins and wanted notices. Google’s Threat Intelligence Group recently identified one individual operating 12 personas across the US and Europe.

The scheme exploits a structural vulnerability in remote hiring. The COVID-19 pandemic significantly expanded remote work opportunities, which North Korean intelligence services exploited to scale operations. The number of people working in North Korea’s cyber divisions grew from 6,800 in 2022 to 8,400 in 2024, per South Korea’s National Intelligence Service.

From revenue generation to data exfiltration

What began as pure labor arbitrage has evolved into dual-use espionage. Operatives don’t just collect paychecks—they perform legitimate work to build trust, then exfiltrate proprietary data. In some cases, these DPRK IT workers have introduced malware into company networks to exfiltrate proprietary and sensitive data, Treasury officials noted.

Timeline
July 2024, KnowBe4 incident: Cybersecurity firm KnowBe4 discovered that a new employee identified as “Kyle” was actually a North Korean operative who had passed background checks and ID verification.
January 2025, DOJ indictments begin: Two Americans indicted for operating a six-year scheme that placed North Korean operatives in over 60 US companies, generating more than $800,000 in revenue.
July 2025, Chapman sentencing: Christina Marie Chapman sentenced to 8 years in federal prison after her operation involved over 300 American companies and generated more than $17 million for the North Korean government.
March 2026, latest sanctions: US officials estimate the scheme brought in nearly $800 million in 2024 alone.

CrowdStrike reported a 220% increase in the number of companies infiltrated by North Korean threat actors over the last 12 months. The targets have expanded beyond tech: while North Korea’s fraudulent remote worker scheme historically focused on US companies in the technology, critical manufacturing, and transportation sectors, operatives have since moved to target industries globally that offer technology-related roles, per Microsoft Security.

The laptop farm infrastructure

The operation relies on US-based facilitators who run “laptop farms”—addresses where corporate devices are shipped and remotely accessed by operatives overseas. At one point, Chapman handled as many as 90 laptops for the DPRK IT workers, according to Department of Justice filings. Among the companies targeted was the shoe giant Nike, which unwittingly paid more than $75,000 to a North Korean employee and subsequently conducted a review to confirm there was no data breach.

How laptop farms work

After being hired, operatives request that company laptops be sent to addresses controlled by facilitators outside North Korea, who maintain “laptop farms” containing dozens of devices that can be controlled remotely. This setup allows North Korean workers to appear as if they’re logging in from US IP addresses, bypassing geolocation controls.

The DPRK government withholds up to 90 percent of the wages earned by these overseas workers, according to US Treasury sanctions announcements. Some operatives work multiple jobs simultaneously to maximize earnings. One IT worker cell earned US$1.64 million between the first quarter of 2022 and the third quarter of 2025, GitHub’s threat intelligence analysis found.

AI arms race in identity verification

Operators feed real-time subtitles from interviews into AI models to generate accurate and contextually relevant responses, significantly improving their chances of securing employment, per the Stimson Center. The technical quality gap is narrowing rapidly. The shortcomings of real-time deepfake systems that can still reveal an imposter include temporal consistency issues, occlusion handling, lighting adaptation, and audio-visual synchronization, but these telltale signs are becoming less reliable.

“Nearly every Fortune 500 company chief information security officer interviewed about the issue has admitted to hiring at least one North Korean IT worker.”

— Mandiant (now part of Google Cloud)

Voice biometrics company Pindrop determined that one in six applicants shows clear signs of fraud, while one in 343 is linked to North Korea, with a quarter of those DPRK-linked applicants using deepfake technology during live interviews. The detection industry is responding: Cloudflare One is partnering with Nametag to combat laptop farms and AI-enhanced identity fraud by requiring identity verification during employee onboarding and via continuous authentication, the company announced in its 2026 Threat Report.

Geopolitical implications and sanctions response

The operations are run by North Korea’s Department 53, which sits under the Ministry of Defense. North Korean intelligence services, including the Reconnaissance General Bureau, recruit top graduates from prestigious institutions such as Kim Chaek University of Technology and the University of Sciences in Pyongsong.

Key detection indicators
  • Candidate requests to change address during onboarding or route paychecks to money transfer services
  • Video/microphone issues that prohibit participation in verification calls
  • Multiple personas linked to the same email patterns (birth years, animals, colors, tech terms)
  • Remote desktop software (AnyDesk, TeamViewer) or datacenter-class IP addresses during interviews
  • GitHub commit history misaligned with claimed US-based location time zones
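The indicators above can be turned into a first-pass triage check. The following is an added illustration, not code from the article or from any vendor it names: it scores a candidate record against three of the listed signals (git author-date offsets that disagree with the claimed time zone, remote desktop tools or datacenter-class source IPs during the verification call, and onboarding changes to shipping address or payroll destination). The record schema, process names and the placeholder IP ranges are assumptions; a real deployment would read these from the HR system, EDR telemetry and an ASN or hosting-provider feed.

```python
"""Triage heuristics for remote-worker fraud indicators.

Added example, not the article's or any vendor's code. All records are
constructed; field names, process names and IP ranges are assumptions.
"""
import ipaddress
from datetime import datetime
from zoneinfo import ZoneInfo

# Remote desktop tools named in the indicator list; process names are assumptions.
REMOTE_ACCESS_PROCESSES = {"anydesk.exe", "teamviewer.exe", "teamviewer_service.exe"}

# Placeholder ranges (RFC 5737 documentation space) standing in for a
# datacenter/hosting IP feed that a real deployment would load from an ASN source.
DATACENTER_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]


def commit_timezone_mismatch(commit_dates, claimed_tz, threshold=0.5):
    """Fraction of git author dates whose recorded UTC offset differs from the
    offset the claimed zone actually had at that instant (DST-aware)."""
    zone = ZoneInfo(claimed_tz)
    mismatched = 0
    for raw in commit_dates:
        dt = datetime.fromisoformat(raw)  # keeps the +HH:MM offset git recorded
        if dt.utcoffset() != dt.astimezone(zone).utcoffset():
            mismatched += 1
    fraction = mismatched / len(commit_dates) if commit_dates else 0.0
    return round(fraction, 2), fraction >= threshold


def interview_session_findings(session):
    """Indicators from one verification-call telemetry record (constructed schema)."""
    findings = []
    running = {p.lower() for p in session.get("processes", [])}
    tools = sorted(running & REMOTE_ACCESS_PROCESSES)
    if tools:
        findings.append("remote access tool during interview: " + ", ".join(tools))
    ip = ipaddress.ip_address(session["source_ip"])
    if any(ip in net for net in DATACENTER_RANGES):
        findings.append(f"datacenter-class source IP {ip}")
    if session.get("camera_off") or session.get("mic_off"):
        findings.append("camera/microphone unavailable on verification call")
    return findings


def onboarding_findings(onboarding):
    """Indicators from the HR onboarding record (constructed schema)."""
    findings = []
    if onboarding.get("address_changed_after_offer"):
        findings.append("shipping address changed after offer")
    if onboarding.get("payroll_destination") == "money_transfer_service":
        findings.append("paycheck routed to a money transfer service")
    return findings


def triage_candidate(record):
    """Combine the signals; two or more independent indicators escalate to review."""
    findings = []
    frac, flagged = commit_timezone_mismatch(record["commit_dates"], record["claimed_tz"])
    if flagged:
        findings.append(f"{round(frac * 100)}% of commits outside {record['claimed_tz']} offset")
    findings += interview_session_findings(record["interview"])
    findings += onboarding_findings(record["onboarding"])
    return {"escalate": len(findings) >= 2, "findings": findings}


# Constructed sample: a candidate claiming New York residence whose commits carry
# a +09:00 offset, with a remote desktop tool running during the interview.
SAMPLE_SUSPECT = {
    "claimed_tz": "America/New_York",
    "commit_dates": [
        "2025-01-14T02:13:00+09:00",
        "2025-01-15T01:40:00+09:00",
        "2025-01-16T03:02:00+09:00",
        "2025-01-17T02:55:00+09:00",
        "2025-01-20T09:10:00-05:00",  # one commit made from the US-based device
    ],
    "interview": {"source_ip": "203.0.113.42", "processes": ["chrome.exe", "AnyDesk.exe"]},
    "onboarding": {"address_changed_after_offer": True, "payroll_destination": "bank"},
}

# Constructed sample: commits match Eastern time in both standard and daylight periods.
SAMPLE_CLEAN = {
    "claimed_tz": "America/New_York",
    "commit_dates": ["2025-01-14T09:13:00-05:00", "2025-07-02T10:00:00-04:00"],
    "interview": {"source_ip": "192.0.2.7", "processes": ["chrome.exe"]},
    "onboarding": {"address_changed_after_offer": False, "payroll_destination": "bank"},
}

if __name__ == "__main__":
    for name, rec in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        print(name, triage_candidate(rec))
```

The time-zone check is deliberately DST-aware: a git author date records the offset of the committing machine's clock, so comparing it against what the claimed zone's offset was on that date avoids false positives from the standard/daylight switch while still catching a steady foreign offset. The escalation rule requires two independent indicators because any single one (a declined camera, a VPN exit in a hosting range) has benign explanations.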

The US government’s enforcement response has accelerated. Between June 10 and June 17, 2025, the FBI executed searches of 21 premises across 14 states hosting known and suspected laptop farms. Microsoft disrupted 3,000 Outlook and Hotmail accounts used by fake North Korean IT workers last year.

But the threat continues to adapt faster than defenses. IT workers associated with the Democratic People’s Republic of Korea are now applying to remote positions using real LinkedIn accounts of individuals they’re impersonating, with profiles often having verified workplace emails and identity badges, which DPRK operatives hope will make their fraudulent applications appear legitimate, Security Alliance warned in February 2026.

What to watch

The convergence of AI-enabled social engineering and state-sponsored espionage creates a threat model most organizations aren’t structured to counter. HR departments lack the technical tools to detect deepfakes; security teams rarely audit hiring processes. Human resources professionals, who represent the first line of defense in the hiring process, often lack awareness of sanctions risks, geopolitical adversaries, or the broader counter-proliferation context, and their limited integration into security and compliance structures creates a systemic vulnerability in recruitment processes, researchers at 38 North noted.

Three trends will define the next phase: First, Iranian threat actors have reportedly begun mirroring similar fake job offer techniques, demonstrating how such schemes may expand across the threat landscape. Second, as detection capabilities improve, operatives will shift from freelance platforms to direct employee impersonation using compromised LinkedIn accounts. Third, the regulatory response will likely mandate continuous identity verification for remote workers in critical sectors, fundamentally reshaping how companies authenticate distributed workforces.

The immediate action for enterprises: integrate security teams into hiring workflows for all remote technical roles, implement multi-stage video verification across different platforms, and treat recruitment as an attack surface requiring the same rigor as network perimeter defense. The laptop farm model only works when companies assume physical presence from IP geolocation. Remove that assumption, and the operation collapses.