We all picture the future in different ways, some more optimistic, others not so much. Many people wrote about it, some foretelling great inventions or warning about social problems, whilst others chose more unrealistic fiction (at least for that time), like Philip K. Dick. He wrote about “andys”, androids whose synthetic existence mimicked that of natural humans, trying to deceive observers into accepting them as such.
I know for sure that many would have giggled at the idea at the time, but that future eventually caught up with us in a certain way. Today, it’s become commonplace to see AI being abused to generate deepfakes of influential people and to use them as puppets to promote scams or to video call their employees asking for gift cards or wire transfers.
This is a story about a couple of synthetics. Two North Korean agents who tried to land jobs with us by faking entire artificial existences, with stolen résumés and synthetic AI-powered faces.
A Famous Chollima
We spoke about Famous Chollima in the past (and even met them a couple of times). They are a division of Lazarus, a state-sponsored Advanced Persistent Threat (APT) linked to the DPRK (Democratic People’s Republic of Korea) or, simply put, North Korea.
This division specialises in corporate espionage and fund acquisition, and they do so in a creative way: by landing jobs at western companies. This grants them access to both corporate secrets and clean money, which ultimately is sent to the sanctioned regime’s coffers.
Originally, their primary targets were Software Engineering positions in the Crypto/Web3 and Financial sectors (especially Fintech), but recent reports place them in other markets like civil engineering and architecture, so it’s safe to say… nobody is entirely safe.
And this is how everything started: with a Senior Software Engineer position posted on our website. That’s when we first met our synthetics, Mateo and Alfredo.
Do Chollimas Dream of Western Jobs?
Sofía is our Talent Acquisition Specialist, and she came to us about a strange interview she’d just had with a candidate:
“He applied for the position, saying he was from Jalisco, México.
He joined the call without his camera on, so I asked him to turn it on and then he looked really weird, literally like a robot, and his mouth moved in a strange way.
I asked him if he spoke Spanish and he told me ‘no’.
I just recorded him and hung up.
Now his LinkedIn profile is gone...”
Our team investigated her recordings and, to nobody’s surprise, there it was. A North Korean agent with his face undergoing real-time AI-powered surgery to stylise his cheeks, mouth, and chin to a point where every minimal facial gesture would threaten to snap the fragile digital sutures holding the magic together.
If that wasn’t a dead giveaway, we also recorded him speaking, and as Sofía said, his mouth was shut tight, and when it moved (if it ever did), his teeth didn’t accompany the movement and his lips never modulated any of the words he was saying (like in “authentication”).
He claimed to be from Jalisco, México, having studied engineering at a Mexican university, but didn’t speak a single word of Spanish (does this ring a bell from a previous article?). In the end, we found out he’d stolen a résumé from a real engineer (along with his name) and stitched it all together, just like his fake face, to try his luck.
Armed with that information, we started writing our threat report, but just two days later, Sofía came back with more bad news:
“I think it just happened again.
This time, he didn’t look quite as robotic, but it’s the same story: an Asian man claiming to be from Chihuahua who doesn’t speak Spanish. Yet his LinkedIn says he studied engineering at the University of Chihuahua.
Very suspicious! Obviously, I hung up on him too…”
She recorded this interview as well, and we were able to see a nervous young man with subtle filtering instead of a cheap, clandestine AI facial reconstruction.
He was anxiously shaking whilst she spoke (00:00 - 00:06), as though preparing to answer her questions. When doing so, he constantly rocked his head and torso back and forth, over-gesticulating with his brows occasionally. 
His nervousness is puzzling: I’m certain he’s done harder things, like, according to his résumé, pursuing a highly technical engineering degree in a Spanish-speaking country… without speaking a single word of the language. Remarkable, honestly.
Sofía knew the LinkedIn profile would vanish the moment she hung up (as happened before), so she recorded that too.
With this, we pulled some strings and found out, once again, the real person this synthetic had cloned: a real engineer with a real degree, a real face, and, well, basically a real life.
That makes two North Korean infiltration attempts dodged in the same week. But to say we were lucky twice would be an understatement, as luck played no part in this tale. Sofía recognised the warning signs immediately because we’d discussed these threats before (lots of times). That’s all it took: being aware that this kind of infiltration attempt actually happens, and that we’re a constant target for them. When the impostor appeared on her call, she did what we always do: recorded everything and got the team involved immediately.
We continued our investigation and found interesting details about these runaway synthetics (as if having their faces on tape was something minor): Mateo and Alfredo were loyal customers of Astrill VPN, a popular VPN service used by Chinese users to bypass the Great Firewall, and also by DPRK IT workers to defraud companies.
Their assigned IP addresses placed them in Europe, but they were actually tunnelling through to a US-based host.
Using a residential US IP address.
Which is part of a laptop farm.
Which they jump into using a popular remote desktop tool.
You may wonder how we discovered this… but that’s a story for Interview with the Chollima IV.
Lessons learned
If you asked us a year ago about this threat, we would have said that people in the [crypto] space were in danger. Today, the financial, crypto, and even the architecture and civil engineering fields are being targeted, and soon more will be.
Ask your Compliance Team about recording interviews, and don’t hesitate to involve your security team if a candidate acts suspiciously. Always double-check your candidate’s background (these guys usurp other people’s lives and even SSNs, so triple-check if possible). And check IDs at the door: ask your candidates to show an ID when they come (again, checking with your Compliance Team). All exam providers do this, and their relationship with customers is a one-time one. You are here to hire someone for a little longer than that.
Outro
Returning to Philip K. Dick’s work, he described the “andys” as synthetic life-forms that mimicked real humans and were nearly impossible to distinguish from them.
But he also wrote in that same book about the “chickenheads”, humans who were simply not bright enough, struggling daily to cling to a world that constantly advances and refuses to wait for them to adapt.
I think I mislabelled our subjects in this article.
IOCs
URL:https://www.linkedin.com/in/alfredo-solares-garcia/
URL:https://www.linkedin.com/in/mateo-jimenez-aaa304379/






