North Korean hackers use AI to trick HR! Disguised as engineers, they infiltrate companies and steal $2.8 billion; the whole process exposed

Security researchers at BCA LTD, NorthScan, and ANY.RUN set up a honeypot disguised as a developer's laptop to lure operators from the Lazarus Group's Chollima unit and recorded their activity on video. The footage shows the North Korean operatives using AI tools to generate polished interview answers, routing their traffic to mask their location, and configuring Google's Chrome Remote Desktop with a fixed PIN so they could reconnect at will. Throughout, they concentrated on building the image of a model employee rather than launching an immediate attack.

$2.83 Billion in Cybercrime Becomes Pillar of North Korea’s National Economy

This incident is one piece of a much larger industrial system in which employment fraud and cyber theft have become primary revenue sources for the heavily sanctioned regime. A recent estimate by a multilateral sanctions monitoring panel found that Pyongyang-linked groups stole about $2.83 billion in digital assets between the start of 2024 and September 2025. That figure is roughly one-third of North Korea's foreign currency earnings, which makes cyber theft a matter of sovereign economic strategy rather than opportunistic crime.

The $2.83 billion haul is equivalent to the annual GDP of many small nations. These funds are used to support North Korea’s nuclear weapons and ballistic missile programs, making the fight against North Korean hackers not only a cybersecurity issue but an international security concern. The US Treasury, FBI, and law enforcement agencies from multiple countries have made tracking and halting North Korean cybercrime a top priority.

After international sanctions cut North Korea off from normal trade channels, cybercrime became one of the most important ways for the country to acquire foreign currency. Unlike traditional weapons smuggling or drug trafficking, cybercrime has low costs, relatively low risks, and enormous returns. A well-trained North Korean hacking team only needs a computer and internet connection to steal millions of dollars from anywhere in the world.

This state-level industrialized operation shows that North Korea sees cybercrime as a strategic resource. The Lazarus Group and Chollima are not lone actors but are trained by the state, paid a government salary, and given clear mission objectives. Their operations are meticulously planned, with professional division of labor at every stage, from target selection, identity forgery, technical means, to money laundering.

Four Key Features of North Korea’s Industrialized Cybercrime

State Training System: Hacker talent is selected starting in middle school, with specialized technical and language training

Global Dispersal: North Korean hackers are distributed across China, Southeast Asia, and Russia to reduce the risk of detection

Organizational Division of Labor: Different groups handle infiltration, attack, and money laundering, increasing efficiency

Mission-Oriented Management: Each team has clear annual theft targets, with rewards for those who achieve them

The February 2025 attack on a major centralized exchange (CEX) demonstrated how effective these "human factor" techniques are. In that incident, attackers attributed to the TraderTraitor cluster used stolen internal credentials to disguise external transfers as routine internal asset movements and ultimately took control of the exchange's cold-wallet smart contract. The exchange lost over $1.4 billion, one of the largest single thefts in cryptocurrency history.

Weaponization of AI Tools: The Deadly Shift from Productivity to Attack

[Image: North Korean hackers use AI to fool HR]

(Source: BCA LTD)

The weaponization of AI productivity tools by North Korean hackers is one of the most disturbing findings of this honeypot operation. They used legitimate job automation software, including Simplify Copilot and AiApply, to mass-produce sophisticated interview answers and fill out applications. These tools, originally intended to help job seekers improve efficiency, have now become weapons for North Korean operatives to bypass HR screening.

Simplify Copilot generates cover letters and resumes tailored to a job description, while AiApply produces human-sounding answers to technical interview questions. Combined with the stolen identities of real US engineers, these tools yield applications that are nearly flawless on paper. Because the identity itself is genuine, routine background checks against public records pass; HR sees a polished resume, a smooth interview, and a verifiable person, and nothing triggers suspicion.

This use of Western productivity tools highlights a worrying escalation, showing that state actors are leveraging AI technologies designed to streamline corporate hiring to defeat those very processes. It also underscores the dual nature of AI: the same tools that enhance productivity can also be weaponized for attack. Companies adopting AI recruitment tools must account for the risk of their malicious use.

Investigations also showed that the operatives routed their traffic to mask their true location and used web-based services to receive the two-factor authentication codes sent to the stolen identities. This stack reflects a clear understanding of Western corporate controls: geolocation checks are defeated by the routing, second factors tied to the identity's phone number are handled through a browser, and the stolen identity supplies legitimate background data. The practical consequence is that a 2FA challenge passed by "the candidate" proves only that someone controls the identity's second factor, not who is at the keyboard.

The ultimate goal is not immediate destruction but long-term control. The operatives used PowerShell to enroll the machine in Google's Chrome Remote Desktop with a fixed PIN, giving them unattended access: they could reconnect at will without anyone at the keyboard approving each session. This backdoor shows the patience behind the operation; they are willing to spend months building trust for the chance to hold full system access at a critical moment. For defenders, the enrollment itself is the detection opportunity, because it leaves a process-creation record on the endpoint.
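The persistence step above leaves a trace that endpoint telemetry can catch. The following is an added example written for this article; it is not code from BCA LTD, NorthScan, ANY.RUN or the operators they observed. It assumes process-creation events shaped like Sysmon Event ID 1 or Windows 4688 records (keys `Image`, `ParentImage`, `CommandLine`, `User`), that the headless enrollment binary in the Chrome Remote Desktop host package is `remoting_start_host.exe` and that it accepts `--code=` and `--pin=` arguments (the `--pin=` flag is taken from the Linux `start-host` helper and assumed to behave the same on Windows; if the PIN is typed interactively instead, the `--code=` branch still fires). The sample events are constructed, not captured telemetry.

```python
"""Hunt for unattended Chrome Remote Desktop enrollment in process-creation telemetry.

Added example for this article; not code from BCA LTD, NorthScan, ANY.RUN or
the operators they observed. Assumptions: events are dicts shaped like Sysmon
Event ID 1 (or Windows 4688) records with "Image", "ParentImage", "CommandLine"
and "User" keys; the sample events below are constructed, not captured telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Headless enrollment binary shipped with the Chrome Remote Desktop host package.
CRD_HOST_SETUP = "remoting_start_host.exe"
# Script interpreters the honeypot footage showed driving the enrollment.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe")
# Other remote-access tools a new hire has no reason to run on a managed laptop
# (assumption: this short list is illustrative; extend it from your own inventory).
OTHER_RAT_IMAGES = ("anydesk.exe", "teamviewer.exe", "rustdesk.exe")


@dataclass
class Finding:
    severity: str
    user: str
    reason: str
    command_line: str  # sanitised copy, safe to forward to a ticket


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1].rsplit("/", 1)[-1]


def _redact(cmd: str) -> str:
    # The --code= value is a one-time OAuth authorisation code and the --pin= value
    # is the access secret; neither belongs in an alert that many people will read.
    cmd = re.sub(r"(--code=)\S+", r"\1<redacted>", cmd)
    return re.sub(r"(--pin=)\S+", r"\1<redacted>", cmd)


def classify_event(ev: dict) -> Optional[Finding]:
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    user = ev.get("User", "?")

    if image == CRD_HOST_SETUP:
        if re.search(r"--pin=\S+", cmd):
            # PIN fixed on the command line: the host is being registered for
            # unattended access without anyone typing a PIN, the pattern the
            # honeypot recorded.
            severity, reason = "high", "CRD host enrolled with fixed PIN (unattended access)"
        elif "--code=" in cmd:
            # Authorisation code present, PIN entered interactively: still a host
            # being bound to somebody's Google account.
            severity, reason = "medium", "CRD host enrollment (PIN entered interactively)"
        else:
            severity, reason = "low", "CRD host setup binary executed"
        if parent in SCRIPT_HOSTS:
            reason += f", launched from {parent}"
        return Finding(severity, user, reason, _redact(cmd))

    if image in OTHER_RAT_IMAGES:
        return Finding("medium", user, f"remote-access tool executed: {image}", cmd)
    return None


def hunt(events) -> list:
    """Run every event through classify_event and keep the findings."""
    return [f for f in map(classify_event, events) if f is not None]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {  # headless enrollment with a fixed PIN, driven from PowerShell
        "Image": r"C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'remoting_start_host.exe --code="4/0AexampleCode" '
                       '--redirect-url="https://remotedesktop.google.com/_/oauthredirect" '
                       "--name=DEV-LAPTOP --pin=123456",
        "User": "CORP\\newhire",
    },
    {  # ordinary developer activity
        "Image": r"C:\Users\newhire\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "Code.exe .",
        "User": "CORP\\newhire",
    },
    {  # a second remote-access tool on the same machine
        "Image": r"C:\Users\newhire\Downloads\AnyDesk.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "AnyDesk.exe",
        "User": "CORP\\newhire",
    },
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user}: {f.reason} :: {f.command_line}")
```

Wire `classify_event` into whatever consumes your process-creation stream (a SIEM rule, an EDR custom detection, or a scheduled query over exported events). The severity split matters in practice: a `--pin=` on the command line is the unattended-access pattern and warrants an immediate look at the machine, while a bare enrollment may be a legitimate remote worker and is better routed to the hiring manager for confirmation.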

Honeypot Footage Reveals Full Attack Chain and Defense Strategies

[Image: North Korean hackers' criminal process exposed]

(Source: NorthScan)

Security researchers lured North Korean operatives into a "developer laptop" rigged with traps and recorded their actions on video. Researchers from BCA LTD, NorthScan, and the malware analysis platform ANY.RUN watched state-sponsored employment fraud unfold in real time, giving the industry an unprecedented view of the full attack chain.

The operation began when researchers created a developer persona and accepted an interview invitation from a recruiter using the alias “Aaron.” Rather than deploying standard malware, the recruiter guided the target into a remote work arrangement common in the Web3 space. When researchers granted access to the laptop, the North Korean operative didn’t attempt to exploit code vulnerabilities, but instead focused on building the image of a model employee.

This footage gives the industry its clearest view yet of how North Korean units, especially the one tracked as Chollima, bypass perimeter defenses entirely by getting hired through the HR departments of companies in target countries. Chollima is named after a mythical winged horse of Korean legend; in CrowdStrike's adversary naming scheme it is the animal assigned to North Korean actors, and the cluster behind fake-candidate and IT-worker fraud is tracked as Famous Chollima. These operators specialize in infiltrating financial institutions and cryptocurrency companies.

Essentially, their goal is not to immediately hack wallets, but to embed themselves as trusted insiders, gaining access to internal repositories and cloud dashboards. They run system diagnostics to verify hardware, handle normal development tasks, join team meetings, and behave exactly like diligent remote employees. This patience and ability to blend in is the most frightening aspect, making it nearly impossible for companies to spot threats early on.

Six Stages of the North Korean Hacker Attack Chain

Identity Preparation: Steal or buy the real identities and LinkedIn accounts of US engineers

AI-Assisted Job Search: Use Simplify Copilot and AiApply to generate perfect applications and interview answers

Passing the Interview: Demonstrate real technical skills and fluent English communication

Building Trust: Show proactive professionalism early on and complete assigned development tasks

Backdoor Implantation: Set up persistent, unattended access such as Chrome Remote Desktop with a fixed PIN

Waiting for the Right Moment: Patiently lie in wait until gaining access to critical systems or wallets

From KYC to KYE: A Fundamental Shift in Corporate Defense Paradigms

The rise of social engineering has created a severe identity-verification crisis for the digital asset industry. Earlier this year, security firms including Huntress and Silent Push documented networks of front companies, among them BlockNovas and SoftGlide, that had valid US business registrations and credible LinkedIn profiles. Under the guise of technical assessments, these entities successfully lured developers into installing malicious scripts.

For compliance officers and CISOs, the challenge has shifted. Traditional Know Your Customer (KYC) protocols focus on clients, but the Lazarus workflow demands strict Know Your Employee (KYE) standards. This paradigm shift requires companies to rethink the entire hiring and employee management process.

The Department of Justice has begun cracking down on these IT-worker fraud schemes and has moved to seize $7.74 million linked to them, but detection lags far behind. Set against the $2.83 billion total, $7.74 million is the tip of the iceberg, which shows how limited the impact of enforcement has been. The networks are dispersed across multiple countries and exploit the pseudonymity and borderless nature of cryptocurrency, making tracking and prosecution extremely difficult.

As BCA LTD’s sting operation shows, the only way to catch these criminals may be to shift from passive defense to active deception, creating controlled environments that force threat actors to expose their tradecraft before they gain control of funds. This proactive defense strategy represents a major shift in cybersecurity thinking—from building walls to setting traps.

Five Key KYE Measures for Crypto Companies

Multiple Video Interviews: Require cameras on throughout, watch for deepfake artifacts, lip-sync lag and an off-screen coach, and compare background and lighting across sessions

Live Technical Skills Verification: Camera-on coding sessions in which the candidate explains their reasoning, rather than take-home tasks or past portfolios that someone else, or an AI tool, could have produced

In-Depth Background Checks: Contact previous employers directly rather than through numbers supplied by the candidate, verify education, and confirm that the social media history is old and consistent rather than recently assembled

Gradual Privilege Granting: New hires start with access to non-sensitive systems; repository write access, cloud dashboards and anything touching wallets or signing keys is granted step by step as trust is earned

Anomaly Behavior Monitoring: Look for VPN and hosting-provider source addresses, activity inconsistent with the claimed time zone, and installation of remote-access tools on the issued laptop
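The monitoring item above is the one that can be automated against identity-provider logs. The following is an added example written for this article, not code from any of the firms it cites. It assumes sign-in records have already been enriched with a source country and a flag for datacenter or VPN address space (any IP-intelligence feed supplies both), and it treats the claimed time zone as a fixed UTC offset, so a production version would use IANA zones with daylight-saving rules. The weights are illustrative and all sample data is constructed.

```python
"""Score a remote hire's sign-in pattern against the location and hours they claimed.

Added example for this article, not code from any of the firms it cites.
Assumptions: sign-ins are pre-enriched with source country and a datacenter/VPN
flag; the claimed time zone is a fixed UTC offset (no daylight-saving handling).
All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Hire:
    name: str
    claimed_country: str     # ISO 3166 code the candidate put on the application
    claimed_utc_offset: int  # hours; -6 for US Central standard time


@dataclass
class SignIn:
    ts_utc: str              # ISO 8601, UTC
    country: str             # geolocation of the source IP
    datacenter_or_vpn: bool  # source address belongs to hosting/VPN space


def local_hour(ts_utc: str, offset_hours: int) -> int:
    """Hour of day at the hire's claimed location for a UTC timestamp."""
    ts = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    return ts.astimezone(timezone(timedelta(hours=offset_hours))).hour


def score_hire(hire: Hire, signins: list, work_hours=(7, 20)) -> dict:
    """Return a risk score plus the flags that produced it.

    Signals: sign-ins outside the claimed working day, sign-ins from a country
    other than the claimed one (tunnels drop and the real location leaks), and a
    history dominated by hosting/VPN address space (location masking). The
    weights are illustrative; tune them against your own honest remote staff.
    """
    if not signins:
        return {"score": 0, "flags": []}
    flags = []
    n = len(signins)
    off_hours = sum(
        1 for s in signins
        if not work_hours[0] <= local_hour(s.ts_utc, hire.claimed_utc_offset) < work_hours[1]
    )
    foreign = sorted({s.country for s in signins if s.country != hire.claimed_country})
    masked = sum(1 for s in signins if s.datacenter_or_vpn)

    score = 0
    if off_hours / n > 0.5:
        score += 2
        flags.append(f"{off_hours}/{n} sign-ins outside {work_hours[0]:02d}-{work_hours[1]:02d} local")
    if foreign:
        score += 3
        flags.append(f"sign-ins from {', '.join(foreign)} but claimed {hire.claimed_country}")
    if masked / n > 0.5:
        score += 2
        flags.append(f"{masked}/{n} sign-ins from datacenter/VPN address space")
    return {"score": score, "flags": flags}


# Constructed sample: one hire whose traffic is tunnelled through US hosting space
# at what is night-time in Chicago, with a single leak when the tunnel drops, and
# one honest hire working an ordinary Chicago day.
SUSPECT = Hire("newhire-a", "US", -6)
SUSPECT_SIGNINS = [
    SignIn("2025-01-13T08:12:00Z", "US", True),   # 02:12 local
    SignIn("2025-01-13T10:40:00Z", "US", True),   # 04:40 local
    SignIn("2025-01-13T15:05:00Z", "US", True),   # 09:05 local
    SignIn("2025-01-14T09:30:00Z", "CN", False),  # 03:30 local, tunnel down
]
HONEST = Hire("newhire-b", "US", -6)
HONEST_SIGNINS = [
    SignIn("2025-01-13T14:02:00Z", "US", False),  # 08:02 local
    SignIn("2025-01-13T16:30:00Z", "US", False),  # 10:30 local
    SignIn("2025-01-13T19:45:00Z", "US", False),  # 13:45 local
]

if __name__ == "__main__":
    for hire, events in ((SUSPECT, SUSPECT_SIGNINS), (HONEST, HONEST_SIGNINS)):
        result = score_hire(hire, events)
        print(hire.name, result["score"], *result["flags"], sep="\n  ")
```

The score is meant to trigger a human review, not an automatic termination: honest remote staff travel and use corporate VPNs, which is why the time-of-day and masking signals only fire when they dominate the history, while a single sign-in from an undeclared country is weighted highest because it is the signal a tunnel cannot explain away.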

The success of the honeypot shows that against state-level threats, passive defense alone is not enough. Companies need to take the initiative by setting up decoy systems that attract and identify threats. When North Korean operators believe they have infiltrated successfully, they are in fact exposing their tactics, techniques, and procedures (TTPs), providing valuable threat intelligence for the security community.

On a broader level, this incident highlights the new security challenges of the remote work era. When team members are scattered around the world and have never met face-to-face, ensuring the authenticity of each person’s identity becomes a key issue. The crypto industry, with its high-value assets and widespread remote culture, has become a primary target for North Korean hackers. Companies must establish stricter employee verification and monitoring mechanisms while maintaining the flexibility of remote work.
