North Korean state-sponsored IT operatives are using real-time deepfake technology to present synthetic identities during online job interviews, targeting remote IT roles globally. The goal of this employment scam is to infiltrate U.S. and European companies to conduct cyberespionage and malicious activities while posing as legitimate employees.
According to Palo Alto Networks' Unit 42, the creation of deepfakes requires no prior experience and can be done in about 70 minutes using tools like thispersondoesnotexist[.]org, basic AI tools, and low-cost hardware. The deepfakes enable attackers to repeatedly apply for the same position under multiple personas, and to evade detection by HR screening and security bulletins.
This method is seen as a natural evolution of North Korea’s infiltration strategy, which has already seen success in past cases—such as one involving KnowBe4, where a hired operative installed malware on a corporate workstation.
To counteract this threat, Unit 42 recommends that organizations implement advanced identity verification measures, including document authenticity checks, video interview recordings, and monitoring for deepfake artifacts like inconsistent lighting, poor lip-sync, or glitches. Cybersecurity and HR teams are also encouraged to track IP origins and VoIP usage, and to participate in ISACs to stay informed on emerging synthetic identity threats.