Deepfakes contributing to North Korea’s war chest, global intelligence ops

Hundreds of companies from among the Fortune 500 have been unwitting pawns in a scheme by North Korea to violate international sanctions through employment fraud facilitated by synthetic identities.
IT analysts and law enforcement officials describe an operation in which laptop farms are established in America and remotely controlled by teams of North Koreans in China and Russia, both of which are aware of the fraud, Fortune reports. Altogether they have raked in at least hundreds of millions of dollars, perhaps as much as $1 billion, according to FBI estimates. A researcher at CRDF Global talking to Radio Free Asia put the total closer to $1.7 billion in cryptocurrency alone.
Those committing the crimes are separated from their families and kept in conditions compared in the report to modern slavery. The regime confiscates most of their salaries to finance its military ambitions, according to the report.
They sometimes buy and sometimes steal real identities from Americans and then build profiles on top of them to evade detection during background checks. They have also appeared in the video meetings now common in remote work. Cybersecurity research firm ESET has discovered North Korean workers using AI to manipulate photos in online account profiles and CVs, and to carry out real-time video injection attacks that swap in the face of the person whose identity is being impersonated.
As explained in a recent report from Reality Defender, tools are available to detect deepfake videos that are injected into online interviews and conference calls and that would otherwise seem like the real thing to others on the call.
There are probably between one thousand and ten thousand of these North Korean workers employed by companies around the world, KnowBe4’s Roger Grimes told Fortune.
North Korean hackers have found jobs at aerospace manufacturers, U.S. banks and crypto startups. They have taken freelance and contract positions. They have also targeted businesses in Europe, Saudi Arabia and Australia.
But North Korean hackers aren’t just targeting businesses with deepfakes and AI fraud. Government officials, journalists, human-rights activists and researchers have also been contacted by North Koreans posing as real or manipulated identities. In some cases, the identity fraud is related to phishing, and in others, to attempts to gain information useful to the country’s intelligence apparatus.
RFA has produced a three-part series, titled “Whack A Mole: North Korea’s Cyber Threat,” detailing the use of a wide range of impersonation tactics, from manipulated and false identity data in social media posts and applications all the way up to deepfakes.
And deepfakes can be introduced even before the business has a chance to put the employee’s authenticity to the test in a video call.
An attack against a South Korean target reported in September by Bloomberg was carried out by a state-sponsored North Korean group, and reportedly used a deepfake of a military ID created by ChatGPT. Threat intelligence company Genians found that OpenAI’s LLM initially refused to break South Korean law by replicating a military ID document, but was convinced to do so after the prompt was altered.
The third video from RFA describes the attacks as persistent, and notes a particular interest in working on development projects involving smart contracts, which could set up future thefts.