North Korean APT Utilizes AI Deepfakes in Remote Job Interview Infiltrations

North Korean state-sponsored threat actors, identified as the Famous Chollima APT group, are reportedly employing real-time AI-powered facial filters during video job interviews to conceal their identities. These sophisticated tactics aim to infiltrate Western cryptocurrency and Web3 companies for corporate espionage and illicit fund acquisition. This development marks an evolving method within the group’s established pattern of targeting sensitive industries through social engineering.

The campaign involves operatives using stolen legitimate identities and résumés of engineers to apply for software engineering roles. During video interviews, AI-powered facial filters are deployed to disguise their appearance while impersonating their victims. Threat intelligence analysts from the Quetzal Team documented two such infiltration attempts targeting a cryptocurrency company, highlighting a persistent effort by these actors to breach secure organizations through human-element vulnerabilities.

Famous Chollima, a recognized division of the Lazarus Group, primarily targets software engineering positions in the Crypto, Web3, and Fintech sectors, with recent reports indicating an expansion into civil engineering and architecture. In the documented instances, the threat actors impersonated Mexican engineers named Mateo and Alfredo. Both claimed to have studied at Mexican universities and resided in specific Mexican states but were unable to speak Spanish when questioned, according to the Quetzal Team’s investigation.

During the interviews, the deepfake technology exhibited noticeable failures. One candidate's face appeared heavily filtered: the mouth stayed shut while the candidate was speaking, and the teeth did not follow the lip movements. Another operative displayed nervous behavior, including constant rocking and exaggerated facial gestures. Both individuals' LinkedIn profiles vanished immediately after their interviews were terminated, a pattern consistent with previous Chollima infiltration attempts documented by the Quetzal Team.

Further investigation revealed that the operatives connected through Astrill VPN, a service frequently used by Chinese users to bypass internet restrictions and increasingly favored by DPRK IT workers for fraudulent activities. Their connections were routed through European IP addresses before terminating on US-based residential IPs. These residential IPs were likely sourced from laptop farms accessed via remote desktop tools, a method designed to mask their North Korean origin and appear as US-based candidates.

This advanced social engineering technique underscores the ongoing challenges for organizations engaged in remote hiring. Previous incidents illustrate the financial and legal ramifications of such schemes; in July, an Arizona woman received an 8.5-year prison sentence for assisting North Korean hackers in a $17 million IT job fraud involving over 300 US companies. A May 2025 report also indicated that North Korean hackers had previously stolen over $88 million by impersonating US IT professionals using fake identities. Stringent background checks, national ID verification and, where permissible, recorded interviews are measures organizations can take to confirm candidate authenticity and mitigate risks.
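As an added example (not code from the article or from the Quetzal Team's own tooling), the following Python routine folds the indicators described above into one escalation decision a hiring or security team could apply to an interview session: a language the candidate claims but cannot demonstrate, a hop through a commercial VPN, a residential exit IP reached via foreign hops while a remote-desktop session is active on that host (the laptop-farm pattern), the filter artefacts seen on video, and a profile that disappears after the interview. The record fields, the ASN labels, the weights and the threshold are constructed placeholders, not values reported in the article; a real deployment would draw VPN ranges from a maintained feed and tune the weights to its own false-positive tolerance.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed placeholder labels for commercial VPN providers. Real detection
# would use a maintained ASN / IP-range feed; "AS-ASTRILL-PLACEHOLDER" is only
# a label for the provider named in the article, not a real ASN.
VPN_ASN_LABELS = {"AS-ASTRILL-PLACEHOLDER", "AS-GENERIC-VPN-PLACEHOLDER"}

# Interviewer-recorded video artefacts (drawn from the article) with
# illustrative weights; heavier weights for mouth/teeth tracking failures,
# which are hard to explain by a poor camera alone.
VIDEO_ARTIFACT_WEIGHTS = {
    "mouth_closed_while_speaking": 3,
    "teeth_not_tracking_lips": 3,
    "heavy_filter_smoothing": 2,
    "exaggerated_gestures": 1,
}

ESCALATE_THRESHOLD = 6  # constructed: score at or above this => manual ID verification


@dataclass
class CandidateSession:
    name: str
    claimed_country: str                 # from the application / résumé
    claimed_languages: Set[str]          # languages the résumé claims
    demonstrated_languages: Set[str]     # languages actually used when asked
    hops: List[Tuple[str, str]]          # (country, asn_label), first seen -> exit to us
    exit_is_residential: bool            # exit IP is a residential ISP allocation
    remote_desktop_on_exit_host: bool    # constructed signal from the interview client
    video_artifacts: List[str] = field(default_factory=list)
    profile_removed_after_interview: bool = False


def score_session(s: CandidateSession) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one interview session."""
    score, reasons = 0, []

    # Claimed language not demonstrated when questioned (the Spanish test).
    missing = s.claimed_languages - s.demonstrated_languages
    if missing:
        score += 3
        reasons.append(f"claimed languages not demonstrated: {sorted(missing)}")

    # Any hop through a known commercial VPN exit.
    vpn_countries = [country for country, asn in s.hops if asn in VPN_ASN_LABELS]
    if vpn_countries:
        score += 2
        reasons.append(f"commercial VPN hop observed in: {vpn_countries}")

    # Laptop-farm pattern: residential exit reached through foreign hops while a
    # remote-desktop session is active on the exit host.
    exit_country = s.hops[-1][0] if s.hops else None
    foreign_hops = any(country != exit_country for country, _ in s.hops[:-1])
    if s.exit_is_residential and foreign_hops and s.remote_desktop_on_exit_host:
        score += 4
        reasons.append("residential exit reached via foreign hops with remote desktop active")

    # Claimed residence disagrees with where the session terminates.
    if exit_country and exit_country != s.claimed_country:
        score += 1
        reasons.append(f"claimed {s.claimed_country} but exit geolocates to {exit_country}")

    # Deepfake / filter artefacts noted by the interviewer.
    for artifact in s.video_artifacts:
        weight = VIDEO_ARTIFACT_WEIGHTS.get(artifact, 0)
        if weight:
            score += weight
            reasons.append(f"video artefact: {artifact}")

    # Profile deleted right after the interview ended.
    if s.profile_removed_after_interview:
        score += 2
        reasons.append("candidate profile removed after interview")

    return score, reasons


def should_escalate(s: CandidateSession) -> bool:
    return score_session(s)[0] >= ESCALATE_THRESHOLD


# Constructed sample sessions modelled on the article's description and on a
# benign remote hire; none of these values come from real telemetry.
SUSPECT = CandidateSession(
    name="constructed-candidate-A", claimed_country="MX",
    claimed_languages={"es", "en"}, demonstrated_languages={"en"},
    hops=[("DE", "AS-ASTRILL-PLACEHOLDER"), ("US", "AS-RESIDENTIAL-ISP-PLACEHOLDER")],
    exit_is_residential=True, remote_desktop_on_exit_host=True,
    video_artifacts=["mouth_closed_while_speaking", "teeth_not_tracking_lips"],
    profile_removed_after_interview=True,
)
BENIGN = CandidateSession(
    name="constructed-candidate-B", claimed_country="US",
    claimed_languages={"en"}, demonstrated_languages={"en"},
    hops=[("US", "AS-RESIDENTIAL-ISP-PLACEHOLDER")],
    exit_is_residential=True, remote_desktop_on_exit_host=False,
)
PRIVACY_VPN_USER = CandidateSession(
    name="constructed-candidate-C", claimed_country="US",
    claimed_languages={"en"}, demonstrated_languages={"en"},
    hops=[("US", "AS-GENERIC-VPN-PLACEHOLDER")],
    exit_is_residential=False, remote_desktop_on_exit_host=False,
)

if __name__ == "__main__":
    for session in (SUSPECT, BENIGN, PRIVACY_VPN_USER):
        total, why = score_session(session)
        print(session.name, total, "ESCALATE" if should_escalate(session) else "ok", why)
```

The third constructed case shows why the signals are combined rather than treated individually: an ordinary applicant behind a consumer VPN scores only on the VPN hop and stays under the threshold, whereas the laptop-farm pattern (foreign hop, residential exit, remote desktop on that host) is what carries the weight, matching the chain the article describes.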