North Korean IT Worker Used Stolen Identity and AI in Job Scam
Key Takeaways
- A suspected North Korean operative used a stolen identity, AI-generated content, and a VoIP number to apply for a remote Lead AI Architect position at a cybersecurity firm.
- The sophisticated scam, uncovered in June 2025, highlights the evolving tactics of DPRK state-sponsored IT workers who infiltrate global companies to fund North Korea’s weapons programs.
- Red flags included an AI-generated resume mirroring job descriptions, suspicious interview behavior, and the use of VPNs and VoIP numbers.
- Hiring such operatives poses severe risks, including data theft, intellectual property loss, regulatory penalties, and reputational damage.
A sophisticated attempt by a suspected North Korean operative to infiltrate a cybersecurity firm through a remote employment scam was recently thwarted. The individual leveraged a stolen identity, a resume largely crafted by artificial intelligence, and a Voice over IP (VoIP) telephone number in an effort to secure a Lead AI Architect role.
This incident, identified in June 2025, underscores the escalating complexity of North Korea’s state-sponsored IT worker operations. These schemes are becoming increasingly difficult to detect without robust screening protocols.
The operative presented themselves as a Florida-based professional boasting over ten years of experience in AI architecture and full-stack development. While the attempt ultimately failed, it exposed a series of critical red flags that offer valuable insights into the current operational methods of these illicit networks.
Since early 2023, IT professionals linked to the Democratic People’s Republic of Korea (DPRK) have been systematically penetrating companies across the United States and other nations. They masquerade as legitimate remote workers, funneling their earnings directly back to the North Korean government to finance its weapons development programs. This illicit funding scheme targets a broad spectrum of organizations, from small businesses to major players in technology, intelligence, and cybersecurity sectors. These fraudulent candidates meticulously construct elaborate fake online personas using stolen personal data, new email addresses, and fabricated professional profiles to enhance their perceived legitimacy.
Unmasking the Operative: The Investigation
Analysts at Nisos successfully identified the suspected DPRK operative through a combination of extensive pre-employment Open-Source Intelligence (OSINT) research and strategically designed interview questions. The individual’s digital footprint revealed the use of IP addresses 167.88.61.250 and 167.88.61.117, both associated with the Astrill VPN anonymization network. This VPN service is a known tool favored by DPRK IT workers operating primarily from China.
Further investigation traced the provided phone number, 850-308-4867, to a Voice over Internet Protocol service. This is a common tactic employed by these operatives to align their phone’s area code with their fabricated U.S. location, thereby enhancing the illusion of local presence.
The stolen identity belonged to an actual Florida resident with documented addresses in Palm Beach Gardens, West Palm Beach, and Greenacres. The operative exploited this individual’s name and residential details to create multiple resume accounts across various platforms, each presenting slightly altered educational backgrounds, employment histories, and geographical locations. All three distinct resumes were ultimately linked back to the same unsuspecting individual, who was likely unaware of the misuse of their personal information. Following the discovery, Nisos collaborated with law enforcement to notify the victim.
The ramifications of such employment fraud extend far beyond a single fraudulent job application. Engaging an individual tied to this scheme can expose an organization to severe risks, including data breaches, loss of intellectual property, significant regulatory penalties, and irreparable damage to its reputation. Once embedded, these operatives utilize remote access tools to control company laptops from foreign locations, creating the illusion of local work and making detection exceedingly difficult for standard IT security teams.
Fake Identity Construction and the Use of AI in Job Fraud
A particularly revealing aspect of this case was the sophisticated method the operative employed to construct and sustain a false identity, heavily relying on artificial intelligence tools and directly plagiarized job description language.
The resume submitted for the Lead AI Architect position featured an unusually extensive list of technical skills. This included various programming languages, cloud platforms, agentic AI tools, and OSINT frameworks. Notably, a significant portion of these skills was copied almost verbatim from the original job posting itself. Nisos analysts highlighted this pattern of directly mirroring job description language into a resume as a recognized tactic among DPRK IT workers. This method is used to bypass basic keyword screening filters commonly employed by automated hiring systems.
The overlap between the job description and the operative’s resume was substantial. The mirroring was not limited to the skills section: the resume’s summary also reused phrasing from the job description nearly word for word, particularly the language about researching and evaluating emerging agentic AI technologies.
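The mirroring pattern described above can be measured rather than eyeballed. The following is an added example, not Nisos’s tooling and not code from the article: it compares six-word windows (“shingles”) of a resume against the job posting, reports the fraction of the resume that is lifted verbatim, and extracts the copied passages so a reviewer can see them. The posting, the two resumes, and the 25% flag threshold are all constructed for illustration.

```python
"""Flag resumes that copy a job posting near-verbatim (keyword-stuffing check).

Added example; sample texts and the threshold below are constructed, not from
any real posting or applicant.
"""
import re
from typing import List, Set

SHINGLE_LEN = 6  # six-word windows: long enough that chance overlap is rare
FLAG_THRESHOLD = 0.25  # assumption: a quarter of the resume copied is suspicious


def normalize(text: str) -> List[str]:
    """Lowercase, replace punctuation with spaces, split into words."""
    return re.sub(r"[^a-z0-9\s]", " ", text.lower()).split()


def shingles(text: str, n: int = SHINGLE_LEN) -> Set[str]:
    """Set of all n-word windows in the text."""
    words = normalize(text)
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def mirroring_ratio(resume: str, posting: str, n: int = SHINGLE_LEN) -> float:
    """Fraction of the resume's shingles that also occur in the posting (0..1)."""
    resume_shingles = shingles(resume, n)
    if not resume_shingles:
        return 0.0
    return len(resume_shingles & shingles(posting, n)) / len(resume_shingles)


def copied_passages(resume: str, posting: str, n: int = SHINGLE_LEN) -> List[str]:
    """Maximal runs of resume words that appear verbatim in the posting."""
    words = normalize(resume)
    posting_shingles = shingles(posting, n)
    hits = [i for i in range(len(words) - n + 1)
            if " ".join(words[i:i + n]) in posting_shingles]
    runs: List[str] = []
    start = prev = None
    for i in hits:
        if start is None:
            start = prev = i
        elif i == prev + 1:
            prev = i  # extend the current run
        else:
            runs.append(" ".join(words[start:prev + n]))
            start = prev = i
    if start is not None:
        runs.append(" ".join(words[start:prev + n]))
    return runs


def is_mirrored(resume: str, posting: str) -> bool:
    """Screening verdict: True when the copied share exceeds the threshold."""
    return mirroring_ratio(resume, posting) >= FLAG_THRESHOLD


# Constructed sample inputs (not a real posting or real applicants).
JOB_POSTING = (
    "Lead AI Architect. You will research and evaluate emerging agentic AI "
    "technologies, design retrieval augmented generation pipelines on AWS and "
    "Azure, and mentor engineers on secure machine learning deployment. "
    "Familiarity with OSINT frameworks is a plus."
)
RESUME_MIRRORED = (
    "Summary: Seasoned architect with ten years of experience. I research and "
    "evaluate emerging agentic AI technologies, design retrieval augmented "
    "generation pipelines on AWS and Azure. Skills: Python, Go, Kubernetes, "
    "OSINT frameworks."
)
RESUME_GENUINE = (
    "Summary: Built fraud detection models for a payments company, migrated "
    "training jobs to Kubernetes, and led a team of four data scientists. "
    "Skills: Python, PyTorch, Airflow, GCP."
)

if __name__ == "__main__":
    for label, text in (("mirrored", RESUME_MIRRORED), ("genuine", RESUME_GENUINE)):
        print(f"{label}: ratio={mirroring_ratio(text, JOB_POSTING):.2f} "
              f"flag={is_mirrored(text, JOB_POSTING)}")
        for passage in copied_passages(text, JOB_POSTING):
            print("  copied:", passage)
```

Short skill lists (“Python, Go, Kubernetes”) legitimately overlap with any posting, which is why the check uses six-word windows and reports the copied passages instead of a bare score; the reviewer still decides, the script only points at what to read.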
During a virtual interview conducted on June 24, 2025, the operative’s behavior triggered additional alarms. The individual frequently averted their gaze from the camera. When presented with a fabricated question about a non-existent hurricane, the operative responded with “How can I say?” while conspicuously glancing at another screen, suggesting reliance on an AI chatbot for an answer. Furthermore, when asked to share their screen and demonstrate past work, the operative abruptly closed browser tabs and terminated the call. They claimed to have no GitHub portfolio and stated all previous work was held in private repositories that could not be shared.
The investigation uncovered three separate resume accounts under the same name, but detailing different employers, universities, and locations across multiple platforms. One account had been created as recently as May 2025, indicating the persona was freshly constructed for this specific application campaign. The operative also provided a distinct mailing address for the company-issued laptop, separate from the address listed on the resume. This is consistent with how DPRK operatives redirect company devices to “laptop farms.”
Subsequent intelligence confirmed that the device ultimately ended up in a closet alongside numerous other company-issued laptops. All these devices were controlled remotely via PiKVM devices and connected through the Tailscale mesh VPN service.
What You Should Do
- Implement rigorous pre-employment OSINT checks for all remote candidates.
- Verify phone numbers and IP addresses during the initial application process.
- Ask targeted, unscripted questions during interviews that cannot be easily answered by AI or pre-prepared responses.
- Require live screen sharing of verifiable past work and code during technical interviews.
- Monitor for newly created professional profiles with minimal connections or activity.
- For organizations lacking internal capacity, engage qualified intelligence and investigations firms specializing in employment fraud and insider threat detection.
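Several of the recommendations above (verifying the application’s source IP and phone number, watching for freshly created profiles, and checking the laptop shipping address against the resume) can be encoded as a first-pass rule set over an applicant record. The following is an added example, not Nisos’s process or code from the article. The denylist holds the two IP addresses the article attributes to the Astrill VPN network plus a hypothetical documentation range; the carrier table is a constructed stand-in for a carrier-lookup API; the two applicant records and the 90-day profile-age threshold are constructed as well.

```python
"""First-pass screening rules for a remote applicant's contact data.

Added example. VPN_DENYLIST, CARRIER_LOOKUP, the applicant records and the
threshold are constructed for illustration; in production the two lookups
would query a threat-intelligence feed and a carrier-lookup service.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress
from typing import List

# Constructed denylist: the two addresses the article links to the Astrill VPN
# network, plus a hypothetical CIDR (RFC 5737 documentation range) to show
# that range entries work too.
VPN_DENYLIST = [ipaddress.ip_network(n) for n in (
    "167.88.61.250/32",
    "167.88.61.117/32",
    "198.51.100.0/24",   # hypothetical placeholder range
)]

# Constructed stand-in for a carrier-lookup API: E.164 number -> line type.
CARRIER_LOOKUP = {
    "+18503084867": "voip",    # the number reported in the article
    "+15615550123": "mobile",  # constructed
}

MAX_NEW_PROFILE_DAYS = 90  # assumption: profiles younger than this get a flag


@dataclass
class Applicant:
    name: str
    phone_e164: str
    source_ip: str                      # IP the application was submitted from
    profile_created: date               # creation date of the professional profile
    applied_on: date
    shipping_address_matches_resume: bool


def is_vpn_ip(ip: str) -> bool:
    """True when the address falls inside any denylisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_DENYLIST)


def line_type(phone_e164: str) -> str:
    """Line type from the (constructed) carrier table; 'unknown' if absent."""
    return CARRIER_LOOKUP.get(phone_e164, "unknown")


def profile_age_days(a: Applicant) -> int:
    return (a.applied_on - a.profile_created).days


def red_flags(a: Applicant) -> List[str]:
    """Collect human-readable findings; an empty list means no rule fired."""
    flags: List[str] = []
    if is_vpn_ip(a.source_ip):
        flags.append(f"source IP {a.source_ip} is on the VPN/anonymizer denylist")
    if line_type(a.phone_e164) == "voip":
        flags.append(f"phone {a.phone_e164} resolves to a VoIP service")
    if profile_age_days(a) < MAX_NEW_PROFILE_DAYS:
        flags.append(f"professional profile is only {profile_age_days(a)} days old")
    if not a.shipping_address_matches_resume:
        flags.append("laptop shipping address differs from the resume address")
    return flags


# Constructed applicant records (names, dates and the clean IP are invented).
SUSPECT = Applicant(
    name="Applicant A", phone_e164="+18503084867", source_ip="167.88.61.250",
    profile_created=date(2025, 5, 15), applied_on=date(2025, 6, 10),
    shipping_address_matches_resume=False,
)
CLEAN = Applicant(
    name="Applicant B", phone_e164="+15615550123", source_ip="203.0.113.7",
    profile_created=date(2019, 3, 1), applied_on=date(2025, 6, 10),
    shipping_address_matches_resume=True,
)

if __name__ == "__main__":
    for applicant in (SUSPECT, CLEAN):
        findings = red_flags(applicant) or ["no automated findings"]
        print(applicant.name)
        for f in findings:
            print("  -", f)
```

None of these rules is conclusive on its own: genuine candidates use VPNs and VoIP numbers too. The value is in the combination, which is why the function returns every finding rather than a single verdict and leaves the decision to the interviewer, who can then follow up with the unscripted questions and live screen-sharing recommended above.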
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.