A suspected North Korean spy tried to get a remote job at a cybersecurity company by using a stolen identity, a fake AI-generated resume, and a VoIP phone number. The case shows that North Korea's state-sponsored IT worker program has become more advanced and harder to find without proper screening. Since the beginning of 2023, North Korean (DPRK) IT workers have been quietly getting into companies in the US and other countries by posing as qualified remote workers.
The North Korean government gets money from these operatives' paychecks, which helps pay for its weapons programs. If a company hires someone who is connected to this scheme, it could lose data and intellectual property, face regulatory fines, and suffer damage to its reputation.
This type of fraud has far-reaching effects that extend well beyond a single fraudulent job application. It targets businesses of all sizes, including those in the cybersecurity, intelligence, and technology industries.

[Figure: List of competencies for the position of Lead AI Architect (Source: Nisos)]

This demonstrates how much the two documents overlapped. The job description's language was also used in the resume's summary section.

The applicant abruptly closed browser tabs and ended the call when asked to share his screen and walk interviewers through previous work. He stated that all of his earlier work was kept in private repositories that he was unable to share and that he lacked a GitHub portfolio. Across several platforms, three distinct resume accounts with the same name but different employers, universities, and locations were found.
The fact that one account was made as recently as May 2025 indicates that the persona was created especially for this particular job application campaign. Additionally, the employee gave a different mailing address for the laptop than what was on the resume. This verified that the device ended up in a closet with several other laptops provided by the company, all of which were connected via Tailscale mesh VPN service and remotely controlled via PiKVM devices.
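
The reuse of job-description language in the resume summary, described above, can be checked during screening. The following is an added example, not code from Nisos or the original article; the sample texts, the 4-word shingle size and all function names are constructed for illustration.

```python
import re

# Constructed sample texts (not taken from the real posting or resume).
POSTING = ("We are hiring a Lead AI Architect to design and deploy scalable "
           "machine learning pipelines, lead cross-functional teams, and "
           "define the AI strategy for our security products.")
COPIED = ("Lead AI Architect with experience to design and deploy scalable "
          "machine learning pipelines, lead cross-functional teams, and "
          "define the AI strategy.")
INDEPENDENT = ("Built fraud detection models at a payments firm and ran a "
               "team of six engineers shipping Python services.")

def tokens(text):
    """Lowercase word tokens, so case and punctuation changes do not hide reuse."""
    return re.findall(r"[a-z0-9+#]+", text.lower())

def shingles(words, n):
    """Set of all consecutive n-word sequences in a token list."""
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}

def overlap_ratio(resume_text, posting_text, n=4):
    """Fraction of the resume's n-word shingles that also occur in the posting."""
    r = shingles(tokens(resume_text), n)
    p = shingles(tokens(posting_text), n)
    return len(r & p) / len(r) if r else 0.0

def longest_shared_run(resume_text, posting_text):
    """Longest run of consecutive words present in both texts (row-wise DP)."""
    a, b = tokens(resume_text), tokens(posting_text)
    best, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1   # extend the run ending at (i-1, j-1)
                if cur[j] > best:
                    best, best_end = cur[j], i
        prev = cur
    return " ".join(a[best_end - best:best_end])

if __name__ == "__main__":
    for label, resume in (("copied", COPIED), ("independent", INDEPENDENT)):
        print(label, round(overlap_ratio(resume, POSTING), 2),
              repr(longest_shared_run(resume, POSTING)))
```

A high ratio together with a long shared run is a reason for a recruiter to look closer, not proof of fraud, since honest applicants also mirror posting keywords.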










