North Korea's bogus IT workers now use GenAI to get jobs


North Korean operatives are using sophisticated artificial intelligence tools to create convincing fake personas to secure remote tech jobs around the world, according to research from identity management company Okta's Threat Intelligence.

The detailed investigation reveals how agents working for the Democratic People's Republic of Korea (DPRK) are exploiting generative AI at every stage of the job application process to circumvent international sanctions and generate revenue for the regime.

"GenAI is playing an integral role in how North Korean nationals gain employment in remote technical roles around the globe," the Okta report states.

The security company's researchers found that these operatives, whose activity is sometimes referred to as "DPRK IT Workers" or "Wagemole" campaigns, use AI-enhanced services to create and manage multiple fake personas simultaneously, effectively operating remote jobs from laptop farms.

"While most of the GenAI applications used by facilitators relate directly to training and recruitment, Okta Threat Intelligence also observed them constantly signing into generic chatbots powered by large language models (LLMs)," the researchers said.

In its February 2025 threat report, Microsoft-backed OpenAI acknowledged that North Korean threat actors were using its services to get hired and to perform the work required.

These AI services help the operatives translate communications, generate convincing CVs, prepare for interviews, and even conduct mock job interviews with AI-powered feedback. Some have been recorded using real-time "deepfake" video during actual interviews.

Okta's research team discovered that facilitators based in Western countries operate laptop farms, to which they redirect company-issued devices.

These facilitators provide critical infrastructure including domestic addresses for shipping, access to legitimate identity documents, and technical assistance.

"One Arizona-based 'laptop farm' operation exposed in May 2024 is alleged to have assisted in the placement of over 300 individuals in technical positions across the United States," Okta's report reveals.

The fraud has become increasingly sophisticated, with facilitators using AI-powered unified messaging systems to manage multiple chat accounts, phone numbers, and email addresses behind a "single pane of glass."

These tools help schedule job interviews for multiple DPRK candidate personas managed by a small group of facilitators.

Particularly concerning is the discovery that these operatives are exploiting the same applicant tracking systems used by legitimate recruiters.

By posting fake job advertisements, they can study which features in applications are most likely to result in success, effectively "using the recruiters' own tools against them at scale."

Okta Threat Intelligence believes the primary objective of these schemes is to raise funds for North Korea to bypass international sanctions.

However, US agencies have identified cases where the access provided by these roles facilitated espionage or data extortion.

According to the report, the scale of operations suggests that even short-term employment can present a viable economic opportunity for the DPRK when scaled with automation and AI tools.

"By extensively employing AI-enhanced tools, facilitators enable minimally skilled, non-native English-speaking workers to maintain software engineering positions long enough to channel earnings towards the sanctioned DPRK regime," the report states.

To combat these threats, Okta recommends organisations implement identity verification in key business processes, train staff to identify fraudulent behaviour, and detect unauthorised use of remote management tools.

Australia's Department of Foreign Affairs and Trade (DFAT) warned about the North Korean IT worker scam in August last year.

The department warned that Australian businesses should steer clear of hiring North Korean workers, so as not to inadvertently engage in sanctions busting, which would expose local organisations to potentially severe criminal repercussions.

Copyright © nextmedia Pty Ltd. All rights reserved.