Critically, they now rely on AI to help them appear more fluent in English and well-versed in the companies where they’re interviewing. Once they get hired, the IT workers use AI chatbots to help with their daily work—responding in Slack, drafting emails—to make sure their written offerings appear technically and grammatically sound and to help them hold down multiple jobs simultaneously, CrowdStrike found.
“Famous Chollima operatives very likely use real-time deepfake technology to mask their true identities in video interviews,” the report states. “Using a real-time deepfake plausibly allows a single operator to interview for the same position multiple times using different synthetic personas, enhancing the odds that the operator will get hired.”
CrowdStrike investigators have observed North Korean IT workers searching for AI face-swapping applications and paying premium prices for subscriptions to deepfake services during active operations.
“U.S. law enforcement has put a big dent in their ability to operate the laptop farms, so as it gets increasingly expensive or difficult to get remote jobs here in the U.S., they’re pivoting to other locations,” said Meyers. “They’re getting more traction in Europe.”
Meyers said CrowdStrike has seen new laptop farms established in Western Europe, including Romania and Poland, which means North Korean workers are getting jobs—typically as full-stack developers—in those countries and then having laptops shipped to farms there. The scheme matches what takes place in the U.S.: A supposedly Romanian or Polish developer will interview with a company, get hired, and a laptop will get shipped to a known laptop-farm destination in those countries, he said. In other words, instead of shipping devices and onboarding materials to the residence where the supposed developer lives and works, the laptop gets shipped to a known farm address in Poland or Romania. Typically, the excuse is the same one that has proved effective at U.S. companies, said Meyers: The developer will claim to be having a medical or family emergency that necessitates a change in the shipping address.
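The shipping pattern described above suggests a simple onboarding control: compare where the device is going with where the hire says they live, notice a post-offer address change, and notice when several hires route devices to the same address. The following is an added example written for this article, not code from CrowdStrike or any company it describes; the hire records, addresses, reasons and review thresholds are all constructed for illustration.

```python
"""Onboarding-shipment checks for the laptop-farm pattern (constructed example).

Three review flags per new hire:
  - shipping address differs from the residence on file
  - shipping address was changed after the offer (the "emergency" change)
  - the same shipping address is used by more than one hire
Names, addresses and reasons are constructed; the review policy is an assumption.
"""
import re
from collections import defaultdict

# Common spellings folded to one form so "Street" and "St" compare equal.
ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "apartment": "apt", "suite": "ste"}


def normalize(addr: str) -> str:
    """Lowercase, drop punctuation, collapse whitespace, fold abbreviations."""
    cleaned = re.sub(r"[^\w\s]", " ", addr.lower())
    return " ".join(ABBREV.get(tok, tok) for tok in cleaned.split())


def check_hires(hires: list[dict]) -> dict[str, list[str]]:
    """Return {hire_id: [flags]} for a batch of onboarding records.

    Each record has "id", "residence" and "shipping"; records whose shipping
    address was changed after the offer also carry "original_shipping" and
    the free-text "change_reason" given by the hire.
    """
    # Index every record by its normalized shipping address to spot sharing.
    by_ship: dict[str, list[str]] = defaultdict(list)
    for h in hires:
        by_ship[normalize(h["shipping"])].append(h["id"])

    report: dict[str, list[str]] = {}
    for h in hires:
        flags = []
        ship = normalize(h["shipping"])
        if ship != normalize(h["residence"]):
            flags.append("shipping_differs_from_residence")
        original = h.get("original_shipping")
        if original and normalize(original) != ship:
            flags.append("shipping_changed_after_offer")
        others = len(by_ship[ship]) - 1
        if others > 0:
            flags.append(f"shipping_address_shared_with_{others}_other_hires")
        report[h["id"]] = flags
    return report


def needs_review(flags: list[str]) -> bool:
    """Assumed policy: a shared shipping address alone is enough to hold the
    shipment for a human check; otherwise two independent signals are needed."""
    return any(f.startswith("shipping_address_shared") for f in flags) or len(flags) >= 2


# Constructed onboarding records; the addresses are placeholders, not real ones.
SAMPLE_HIRES = [
    {"id": "h-1001", "residence": "14 Example St, Warsaw",
     "shipping": "14 Example Street, Warsaw"},                       # consistent
    {"id": "h-1002", "residence": "7 Sample Rd, Krakow",
     "original_shipping": "7 Sample Rd, Krakow",
     "shipping": "22 Placeholder Ave, Apt 3, Lodz",
     "change_reason": "family emergency, please reship"},            # changed late
    {"id": "h-1003", "residence": "90 Demo Ln, Gdansk",
     "shipping": "22 Placeholder Avenue, Apartment 3, Lodz"},         # same farm address
]

if __name__ == "__main__":
    for hire_id, flags in check_hires(SAMPLE_HIRES).items():
        print(hire_id, "REVIEW" if needs_review(flags) else "ok", flags)
```

The normalization step matters more than it looks: two hires writing the same destination as "Ave, Apt" and "Avenue, Apartment" would otherwise never be linked, and the shared-address flag is the one signal the hire cannot explain away with a personal emergency.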
“Companies need to stay vigilant if they’re hiring overseas,” said Meyers. “They need to understand these risks exist not just domestically, but overseas as well.”
Amir Landau, malware research team leader at defense firm CyberArk, told Fortune that traditional cyber defenses are likely to eventually become insufficient against the threat as the gen AI used by the North Koreans becomes advanced enough to get past companies’ defenses. Defending against it therefore requires a fundamental shift in thinking about how much trust and access companies grant their own employees.
The military and intelligence principle of a “need-to-know basis,” which originated during World War II, will become more important, said Landau. Not every developer needs to know or have access to certain assets or documents, even after they’ve been with a company for a certain amount of time, he explained.
Landau also advocates for minimum and limited-time privileges for developers, giving them a short window of time for work, rather than unlimited access that could eventually make a company vulnerable.
“There are a lot of small things you can do to defend against these threats,” he said.
And ultimately, while small companies are typically more vulnerable, that doesn’t mean larger companies aren’t also susceptible to fraud schemes, Landau said. Meyers said as long as the IT workers can find work, they’ll keep evolving their tactics through the use of gen AI.
“These are basically exploited people from North Korea making money for the regime,” said Meyers. “As long as they can continue to generate revenue, they’re going to keep doing this.”