North Korean state-backed hackers are now using deepfake technology to create synthetic identities for remote job interviews, according to cybersecurity researchers at Palo Alto Networks’ Unit 42. These deceptive tactics are part of a wider campaign aimed at gaining employment in U.S. and global tech firms — and using that access for cyberespionage or other malicious operations. The scheme involves North Korean IT workers crafting fake personas using real-time deepfakes.
These identities are deployed in job interviews, often at cybersecurity and tech companies, to bypass standard screening processes. The attackers hope to blend into remote teams and exploit internal systems once hired.
Unit 42’s findings follow a report by the Pragmatic Engineer newsletter, which revealed how a Polish AI firm almost hired two fake candidates. Both were likely deepfakes generated by the same individual. This raised alarms and prompted further investigation.
“We view these deepfakes as a natural next step in an already established infiltration scheme,” said Evan Gordenker, an incident response consultant at Unit 42. “North Korean IT workers have steadily advanced their tactics — now they’re using real-time AI-based identity masking.”
Deepfakes Give Threat Actors a Dangerous Edge
The adoption of deepfakes gives threat actors two significant advantages. First, it enables one operator to apply multiple times for the same job under different identities. Second, it helps them evade detection by law enforcement and cybersecurity watchlists.
With consumer-grade tools and minimal expertise, Unit 42 proved how easy it is to create deepfake identities. A researcher with no prior image manipulation experience used a five-year-old PC and a public AI generator to create several convincing fake personas in just over an hour. The team used images from thispersondoesnotexist[.]org and free deepfake tools to generate both still images and video identities.
“A simple change in clothing and background can turn one persona into a completely new candidate,” Gordenker explained. The hardest part wasn’t creating the deepfake — it was setting up a virtual camera for use in common video conferencing platforms.
This method allows North Korean operators to cycle through multiple interviews, applying for jobs in sensitive sectors like cybersecurity, IT administration, and software engineering. Once inside, these individuals could steal proprietary data, install malware, or open backdoors into corporate networks.
The danger is real — in one reported case, KnowBe4, a security firm, unknowingly hired a North Korean worker who later deployed malware on their systems. Other businesses, including Fortune 500 companies and small startups, have also fallen victim.
How Employers Can Spot Deepfake Candidates
Spotting deepfakes in a remote interview isn’t easy — but it’s possible. Unit 42 suggests several ways for companies to detect suspicious behavior during the hiring process.
First, hiring teams should watch for technical inconsistencies common in real-time deepfakes. These include:
- Glitches in lighting and shadows
- Poor lip-sync or mismatched audio-visual cues
- Awkward head movements
- Frame lag or distortion during fast motion
Interviewers should also record video calls for later forensic analysis. Additionally, companies should use identity verification protocols before interviews begin. This includes validating ID documents, matching them with live facial recognition, and checking for inconsistencies.
On the technical side, security teams should analyze job application data. They can monitor IP addresses to flag access from anonymizing services or suspicious countries. Phone numbers tied to VoIP services should also be reviewed, as these are commonly used to mask identities.
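The application-data checks described above can be sketched as a small triage script. This is an added example, not code from Unit 42 or the original article; the network list, the applicant records and the `line_type` field (assumed to come from a phone-number lookup the hiring team already uses) are constructed for illustration. It also flags an IP address or phone number reused across differently named applicants, which goes beyond the checks listed and targets the single-operator, multiple-persona pattern described earlier.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation-only IP ranges (RFC 5737) stand in
# for an anonymizer/VPN exit list that a real team would load from a feed.
ANONYMIZER_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed applicant records; "line_type" is an assumed field filled in
# by a phone-number lookup service.
APPLICATIONS = [
    {"id": "A1", "name": "Candidate One", "ip": "198.51.100.23", "phone": "+15550100001", "line_type": "voip"},
    {"id": "A2", "name": "Candidate Two", "ip": "198.51.100.23", "phone": "+15550100002", "line_type": "voip"},
    {"id": "A3", "name": "Candidate Three", "ip": "192.0.2.10", "phone": "+15550100003", "line_type": "mobile"},
    {"id": "A4", "name": "Candidate Four", "ip": "not-an-ip", "phone": "+15550100003", "line_type": "mobile"},
]

def triage(applications, anonymizer_nets=ANONYMIZER_NETS):
    """Return {application id: sorted list of review flags}."""
    by_ip, by_phone = defaultdict(set), defaultdict(set)
    parsed = {}
    for app in applications:
        try:
            parsed[app["id"]] = ipaddress.ip_address(app["ip"])
            by_ip[parsed[app["id"]]].add(app["name"])
        except ValueError:
            parsed[app["id"]] = None  # malformed address: flag it, do not crash
        by_phone[app["phone"]].add(app["name"])

    results = {}
    for app in applications:
        flags = set()
        addr = parsed[app["id"]]
        if addr is None:
            flags.add("unparseable_ip")
        else:
            if any(addr in net for net in anonymizer_nets):
                flags.add("anonymizer_ip")
            if len(by_ip[addr]) > 1:  # same source address, different names
                flags.add("ip_shared_across_identities")
        if app["line_type"] == "voip":
            flags.add("voip_phone")
        if len(by_phone[app["phone"]]) > 1:  # same number, different names
            flags.add("phone_shared_across_identities")
        results[app["id"]] = sorted(flags)
    return results

if __name__ == "__main__":
    for app_id, flags in triage(APPLICATIONS).items():
        print(app_id, flags or "no flags")
```

A flag here is a prompt for manual review, not proof of fraud: legitimate candidates also use VPNs and VoIP numbers.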
Finally, companies are urged to collaborate with other firms and ISACs to stay informed about the latest synthetic identity tactics. Sharing intel can help identify repeat offenders and prevent future breaches.
North Korea’s growing use of deepfakes shows just how far nation-state actors will go to exploit the remote work landscape. Organizations must tighten their hiring practices and cybersecurity protocols if they hope to stay one step ahead.