North Korean Hackers Caught on Video Using AI Filters in Fake Job Interviews
North Korean hackers from the Famous Chollima group used AI deepfakes and stolen identities in fake job interviews to infiltrate crypto and Web3 companies.
North Korean state-sponsored agents from the Famous Chollima APT group are using real-time AI deepfakes to apply for software engineering positions at cryptocurrency and Web3 companies.
The new campaign involves these operatives stealing legitimate identities and résumés of engineers, then deploying AI-powered facial filters during video interviews to hide their true appearance while impersonating their victims. Their goal is to infiltrate Western companies for corporate espionage and fund acquisition, a tactic quite prevalent over the last couple of years.
**AI-powered facial reconstructive procedure**
Threat intelligence analysts from the Quetzal Team identified two consecutive infiltration attempts by North Korean IT workers from the Famous Chollima APT group applying for Senior Software Engineer positions at a cryptocurrency company.
Famous Chollima is a division of the Lazarus group that specialises in landing jobs at Western companies, primarily targeting software engineering positions in Crypto, Web3, and Fintech sectors, though recent reports show they’ve expanded into civil engineering and architecture.
The threat actors, using stolen identities of Mexican engineers named Mateo and Alfredo, joined video interviews with real-time AI facial filters that attempted to reconstruct their appearance, but many details didn’t quite add up.
Picture A – Exaggerated AI-powered facial reconstruction (Via Quetzal Team)
**A bad surgeon and two bad liars**
During the interviews, the deepfake technology showed clear signs of failure. The first candidate’s face appeared heavily filtered: his mouth remained shut whilst he was speaking, and his teeth did not follow any lip movements.
AI filter showing failure signs. Pay attention to the word “authentication” (Via Quetzal Team)
The second operative used more subtle filtering but displayed nervous behaviour, constantly rocking back and forth whilst over-gesticulating with his brows. Both claimed to have studied engineering at Mexican universities and resided in Jalisco and Chihuahua, respectively, yet neither spoke a single word of Spanish when questioned.
Their LinkedIn profiles vanished immediately after the interviews were terminated, a pattern consistent with previous Chollima infiltration attempts documented by the Quetzal Team.
A nervous candidate shows signs of anxiety while waiting to reply (Via Quetzal Team)
**Bouncing over the internet**
The investigation revealed that both operatives connected through Astrill VPN, a service commonly used by Chinese users to bypass the Great Firewall and increasingly favoured by DPRK IT workers for fraudulent activities.
Their connections tunnelled through European IP addresses before landing on US-based residential IPs that were part of laptop farms accessed via remote desktop tools. The operatives were attempting to mask their North Korean origin by appearing as US-based candidates with residential connections.
The latest attempt by North Korean hackers to conceal their identities while seeking jobs in Western companies highlights why organisations hiring remotely should apply strict background checks and work closely with compliance teams. This may include verifying national IDs and, where lawful, recording interviews to confirm candidate authenticity.
Otherwise, the consequences can be severe. In July, an Arizona woman was sentenced to 8.5 years in prison for helping North Korean hackers carry out a $17 million IT job fraud that targeted more than 300 US companies. A May 2025 report also revealed that North Korean hackers had already stolen over $88 million by impersonating US IT professionals using fake identities.