惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

量子位
云风的 BLOG
云风的 BLOG
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Hacker News
The Hacker News
Martin Fowler
Martin Fowler
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
U
Unit 42
F
Full Disclosure
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recorded Future
Recorded Future
Security Archives - TechRepublic
Security Archives - TechRepublic
阮一峰的网络日志
阮一峰的网络日志
T
Threatpost
P
Privacy International News Feed
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
MongoDB | Blog
MongoDB | Blog
I
Intezer
Recent Announcements
Recent Announcements
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Privacy & Cybersecurity Law Blog
A
Arctic Wolf
博客园 - 聂微东
博客园 - 叶小钗
Cisco Talos Blog
Cisco Talos Blog
H
Help Net Security
S
Schneier on Security
Y
Y Combinator Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
The Exploit Database - CXSecurity.com
T
Tor Project blog
月光博客
月光博客
NISL@THU
NISL@THU
A
About on SuperTechFans
Spread Privacy
Spread Privacy
Blog — PlanetScale
Blog — PlanetScale
D
DataBreaches.Net
雷峰网
雷峰网
C
CXSECURITY Database RSS Feed - CXSecurity.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
G
Google Developers Blog
W
WeLiveSecurity
P
Palo Alto Networks Blog
The Last Watchdog
The Last Watchdog
K
Kaspersky official blog
博客园 - 司徒正美
L
LINUX DO - 热门话题
小众软件
小众软件

Okta Security RSS Feed

Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP Just How Risky is Legacy Authentication?
How AI services power the DPRK’s IT contracting scams
Okta Threat Intelligence · 2025-04-24 · via Okta Security RSS Feed

Over the past few months, Okta Threat Intelligence conducted in-depth research into online services used by individuals identified by US authorities and trusted third parties as agents for the Democratic People’s Republic of Korea (DPRK).

Our research finds that generative artificial intelligence (GenAI) is playing an integral role in how North Korean nationals gain employment in remote technical roles around the globe, in what some researchers refer to  as “DPRK IT Workers” or “Wagemole” campaigns.  GenAI is used to create compelling personas at numerous stages of the job application and interview process. Once employed, GenAI tools are also used to assist in maintaining multiple simultaneous roles to earn revenue for the state.

Okta Threat Intelligence has observed multiple AI-enhanced services used to:

  • Manage the communications of multiple personas and their numerous mobile phone accounts, instant messaging accounts, email accounts and other related chat services behind a “single pane of glass”

  • Translate, transcribe and summarize communications

  • Generate and critique CVs and cover letters 

  • Conduct mock job interviews via chat and webcam

  • Test and improve the likelihood of any given job application passing automated checks

Okta Threat Intelligence has also observed facilitator use of online shipping and logistics services. We hypothesise that these services are used to redirect company-issued devices to “laptop farms” operated by facilitators based in Western countries.

Background

Multiple arrests and indictments have revealed the scale at which individuals operating on behalf of the DPRK have been mobilized into neighbouring countries to gain fraudulent employment in organizations across the globe.

The primary objective of these schemes is to raise funds for the DPRK and compensate for the significant financial sanctions applied to the North Korean regime. US agencies have also identified several outlier cases in which the access to systems provided for employment was used to facilitate espionage or data extortion.

The targets for these fraudulent schemes appear opportunistic and based on the availability of remote technical roles. The employers most at-risk are technology companies that are more likely to accept remote candidates for IT or software engineering roles, often on a contingent basis. However, these campaigns also extend to industry verticals well beyond the technology sector. 

Okta Threat Intelligence has worked with highly targeted customers and partners, with a view to developing preventative controls for this unique threat model. In the process, Okta has revised our own onboarding processes, shared awareness collateral and built out numerous methods of detection. 

The research had a direct influence on feature enhancements built into Okta Workforce Identity, such as ID verification services, that Okta customers can use to reduce their exposure to this threat. 

The Facilitators

Our understanding of this threat is shaped by the unique insight Okta Threat Intelligence can glean into the tools used by those individuals identified as “facilitators” of fraudulent employment schemes.

These facilitators provide the necessary in-country support, technical infrastructure and/or legitimate business cover to help individuals from sanctioned countries gain and maintain employment.

Facilitators already apprehended by law enforcement in the United States are alleged to have knowingly provided a range of support services to DPRK nationals:

  • Direct assistance in the recruitment process

  • A domestic address for the shipment of company-issued devices

  • Access to legitimate identity documents

  • Operating company-issued devices on the remote worker’s behalf

  • Installing remote management and monitoring (RMM) tools on the device to facilitate the remote work

  • Authenticating, where necessary, on the remote worker’s behalf

One Arizona-based “laptop farm” operation exposed in May 2024 is alleged to have assisted in the placement of over 300 individuals in technical positions across the United States. In another January 2025 indictment, two US residents were accused of fraudulently obtaining employment and operating a laptop farm in North Carolina for DPRK nationals, after they’d successfully gained employment at 64 organizations.

Okta can now reveal for the first time the degree to which facilitators of fraudulent work schemes rely on emerging GenAI-enhanced services to scale their operations. 

Okta customers can read a comprehensive report into DPRK IT Worker fraud at the Okta Security Trust Center. Primary Security Contacts can sign-in to access threat advisories at security.okta.com

In recent months, individuals strongly suspected to be DPRK-created personas have been recorded using real-time “deepfake” video during interviews.

Okta Threat Intelligence research has observed a far broader set of GenAI services used in these schemes, suggesting a very deliberate attempt by facilitators to keep pace with AI innovation. Facilitators are now using GenAI-based tools to optimize every step in the process of applying and interviewing for roles and to aid DPRK nationals attempting to maintain this employment.

Facilitators were observed using GenAI-based services specializing in:

  • Unified messaging

  • Recruitment platforms

  • Resume/CV screening

  • Candidate management

  • Automated job screening

  • AI-based chatbots

  • AI code training

  • Online shipping

While Okta Threat Intelligence is not able to observe the facilitators’ activities beyond the login page, the narrow range of functionality offered by many of these tools allows us to hypothesize on some likely use cases:

1. Unified messaging

One of the most demanding challenges for facilitators is how to manage multi-channel communications on behalf of dozens of candidates from sanctioned countries and their multiple personas.

Okta Threat Intelligence observed the use of unified messaging services to manage many simultaneous mobile phone accounts, instant messaging accounts, email accounts and other related chat services behind a “single pane of glass”. These GenAI-enhanced services are required to manage the scheduling of job interviews with multiple DPRK candidate personas by a small cadre of facilitators.

These services use GenAI in everything from tools that transcribe or summarize conversations, to real-time translation of voice and text.

2. Recruitment platforms

Facilitators and candidates both make extensive use of jobseeking platforms to apply for roles.

More surprising was the use of AI-enhanced recruitment platforms typically used by recruiters (not candidates) to amplify the reach and accuracy of job postings.

Access to these tools provides facilitators opportunities to advertise roles at front companies that are similar, if not identical, to those advertised by targeted organizations, in order to study the cover letters and resumes of legitimate candidates.  The CVs and cover letters from legitimate jobseekers may even form part of a training set for optimizing future applications made on behalf of DPRK nationals. 

These same recruitment platforms provide access to the same applicant vetting systems (ATS) real employers use to narrow down the number of job applications a recruiter or hiring manager needs to manually review. Posting fake job advertisements would allow facilitators to examine what features presented in a job application are most likely to result in these AI-enhanced algorithms selecting a particular candidate over others. 

At scale, these techniques dramatically improve the potential success of job applications, effectively using the recruiters own tools against them at scale.

3. Resume/CV screening

Okta Threat Intelligence assesses that facilitators are highly motivated to generate successful cover letters, CVs and interviews and address any specific criteria in a given application.  Facilitators were observed making use of services that provide “AI Superpowers” to job applicants to help them “outsmart employers’ robots”, in order to improve the chances of a job application successfully progressing past the automated CV/resume scans used in recruiting platforms.

These services use GenAI agents to test uploaded CVs against ATS (applicant tracking software), iterating until they achieve a better result and learning which personas will be more successful in any given role.

4. Candidate management

Okta Threat Intelligence observed services that use GenAI agents to automate the process of filling in application forms on behalf of candidates and to track the progress of candidates through the application process. 

Again, these capabilities address the challenge of facilitating job applications and employment on behalf of multiple individuals and their multiple personas over multiple timezones.

5. Mock interviews

Once an application is successful, the next task for facilitators is to prepare their candidates (or the facilitator themselves, in some cases) for job interviews.

Facilitators were observed using AI-enhanced services that deploy GenAI agents to host and record first-round interviews on behalf of employers, then critique and offer improvement tips for the interviewee. 

These automated “AI-based webcam interview review” services claim to assist with the appropriate use of lighting, video filters, lighting and the candidate’s approach to conversation. 

Okta Threat Intelligence assesses that mock interviews staged by AI agents can be used to evaluate the efficacy of deepfake overlays and of highly scripted answers to common questions, to decrease the chance of their ruse being discovered.

6. LLM-based chatbots

While most of the GenAI applications used by facilitators relate directly to training and recruitment, Okta Threat Intelligence also observed them constantly signing into generic chatbots powered by large language models (LLMs).

Analyzing patterns of activity, these GenAI tools appear to be relied on heavily throughout the recruitment process, as well as by successful candidates once they gain employment.

7. Code training services

Candidates were also observed signing into free services that offer training in specific development languages and AI tools. These training platforms deliver a cursory awareness of unfamiliar development skills required by a hiring organization at interview, and the bare essentials required to maintain employment for as long as possible.

In short, DPRK facilitators are AI’s “power users”

By extensively employing AI-enhanced tools, facilitators enable minimally skilled, non-native English-speaking workers to maintain software engineering positions long enough to channel earnings towards the sanctioned DPRK regime.  

The scale of observed operations suggests that even short-term employment for a few weeks or months at a time can, when scaled with automation and GenAI , present a viable economic opportunity for the DPRK.

Mitigating Controls

To mitigate the threat posed by these campaigns, Okta Threat Intelligence recommends:

Okta customers can access a detailed set of recommendations and detection methods by selecting Okta Threat Intelligence at security.okta.com.

Liam Dermody, Tim Peel, Alex Tilley and David Zielezna contributed to this research.