Harrowing new fronts have emerged in a highly successful fraud scheme in which North Korean operatives get jobs at companies around the globe under fake or stolen identities.
The number of companies that hired North Korean software developers has grown 220% over the past 12 months, and most of that success is due to automating and improving the workflow involved in fraudulently obtaining technical jobs, according to CrowdStrike's 2025 Threat Hunting Report, released on Monday. IT workers infiltrated more than 320 companies in the past 12 months.
For context: the North Korean IT worker scheme is a wide-ranging conspiracy to evade the financial sanctions imposed on the Democratic People's Republic of Korea because of authoritarian ruler Kim Jong Un's human rights violations and his pursuit of weapons of mass destruction. To evade the sanctions and earn money to keep financing its nuclear program, North Korea trains young men and boys in technology, sends them to schools in and around Pyongyang, and then deploys them in teams of four or five to locations all over the world, including China, Russia, Nigeria, Cambodia and the United Arab Emirates.
Workers are required to earn $10,000 per month, according to a defector and court records. Since 2018, by one estimate, the scheme has produced between $250 million and $600 million a year on the backs of thousands of North Korean men.
For the Fortune 500, the IT worker scheme has been a flashing red alert about the evolution of employment fraud schemes. Court records show that hundreds of Fortune 500 companies have hired thousands of North Korean IT workers, in violation of sanctions, in recent years. In some cases, the IT worker scheme is about generating stable revenue for the regime. In other cases, FBI investigators have found evidence that IT workers share information with more malicious hackers who have stolen about $3 billion in cryptocurrency, according to the United Nations.
Under victory
CrowdStrike's investigations revealed that North Korean technology workers, which it tracks as the adversary “Famous Chollima,” have used artificial intelligence to scale every aspect of the operation. The North Koreans have used AI to help them draft thousands of synthetic identities, alter photos, and build technical tools to search for jobs and to track and manage their applications. In interviews, the North Koreans have used AI to mask their appearance on video calls, guide them in answering questions, and pass the technical coding challenges associated with software jobs.
Importantly, they now depend on AI to help them appear more fluent in English and knowledgeable about the companies where they are interviewing. Once hired, they use AI chatbots to help with their daily work, such as responding in Slack and drafting emails, to ensure that their written communications are grammatically sound and to help them hold multiple jobs at the same time.
“It is very likely that Famous Chollima operatives use real-time deepfake technology to hide their real identities in video interviews,” the report says. “Using a real-time deepfake allows one operator to interview for the same position several times using different synthetic personas, which enhances the odds that the operator will be hired.”
CrowdStrike investigators found North Korean IT workers searching for AI face-swap applications and paying for subscriptions to deepfake services during active operations.
“Laptop farms” expand beyond the borders of the United States
Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told Fortune that his team is generally investigating one incident a day related to the North Korean IT scheme. The program has expanded beyond U.S. borders as American law enforcement has cracked down on domestic operations with indictments and advisories, and as more American companies have tightened their security practices.
Last month, a 50-year-old Arizona woman, Christina Chapman, was sentenced in July to 8.5 years in prison after pleading guilty to her role in running a “laptop farm” from her home. Prosecutors said she received and maintained 90 laptops with remote-access software so that the North Koreans could work for American companies. The authorities revealed that the Chapman operation alone helped the workers obtain 309 jobs that generated $17.1 million in revenue through their salaries. The authorities said that approximately 70 Americans had their identities stolen in the process. The operation did not just target smaller companies with looser hiring infrastructure; Nike was one of the companies affected, according to a victim impact statement in the Chapman case. The athletic shoe and activewear giant unwittingly hired a North Korean worker connected to Chapman. Nike did not respond to Fortune's requests for comment.
“American law enforcement has put a big dent in their ability to operate laptop farms, so as it gets more expensive or difficult to obtain remote jobs here in the United States, they are pivoting to other locations,” Meyers said. “They are getting more traction in Europe.”
Meyers said that CrowdStrike has seen new laptop farms established in Western Europe via Romania and Poland, which means that North Korean workers get jobs as supposed developers in those countries, and laptops are then shipped to farms there. He said that the scheme works the same way it does in the United States: a supposed Romanian or Polish developer interviews with a company, is hired, and a laptop is shipped to a known destination in those countries. In other words, instead of devices and onboarding materials being shipped to the actual residence where the supposed developer lives, the laptop is shipped to a known farm address in Poland or Romania. Meyers said that the excuse is the same type that has proven effective with American companies: the developer claims to be dealing with a medical or family emergency that requires a change in the shipping address.
“Companies need to stay vigilant if they are hiring abroad,” Meyers said. “They need to understand these risks are not only local, but also abroad.”
AI offers defenses
Amir Landau, malware research team lead at the defense company CyberArk, told Fortune that traditional cyber defenses may eventually become insufficient against the threat because the gen AI used by the North Koreans is becoming advanced enough to breach companies' defenses. Defending against it therefore requires a fundamental shift in thinking about how much trust and access companies grant their employees.
Landau said that the military and intelligence principle of “need to know,” which arose during World War II, will become more important. He explained that not every developer needs knowledge of or access to certain assets or documents, even after being with a company for a certain period of time.
Landau also calls for minimal and limited privileges for developers, giving them a short window of time to do their work instead of unlimited access that could ultimately put the company at risk.
Landau also said that companies should take some additional precautions in the hiring process. If an applicant provides a reference, do not contact the phone number or email address that was provided. Look the reference up and reach out using the contact details you find in public databases, he advised. If someone's personal information looks strange or inconsistent, be careful. Use the internet to check what you can find against what you were told.
“There are a lot of little things that you can do to defend against these threats,” he said.
Landau said that ultimately, although small companies are usually more at risk, this does not mean that large companies are not vulnerable to fraud schemes. Meyers said that as long as IT workers can find work, they will continue to evolve their tactics through the use of gen AI.
“These are essentially exploited workers from North Korea who earn money for the regime,” Meyers said. “As long as they can continue to generate revenue, they will continue to do so.”