Famous Chollima’s core tradecraft is both sophisticated and disturbingly simple: get a job. Active since at least 2018, the group specializes in obtaining fraudulent freelance or full-time employment, typically as remote software developers.
What has changed recently is the industrialization of the hiring fraud. CrowdStrike’s 2025 Threat Hunting Report describes a "clear picture of an adversary deeply interweaving GenAI-powered tools that automate and optimize workflows at every stage of the hiring and employment process".
The specific tactics documented in CrowdStrike’s reports include:
CrowdStrike’s OverWatch threat hunting team investigated over 320 distinct cases of Famous Chollima operatives obtaining fraudulent employment in a 12-month period, a 220% increase over the prior year. Adam Meyers, CrowdStrike’s head of counter adversary operations, noted that his team is now responding to roughly one such incident every day.
The motivation is a dual-revenue pipeline for the sanctioned regime.
The first stream is straightforward salary theft: Famous Chollima operatives collect paychecks from the companies they infiltrate and funnel the wages to North Korea. The second, and more damaging for victims, is intellectual property theft. Once inside a network with legitimate credentials, the operatives steal proprietary source code, trade secrets, and other sensitive IP.
Parallel to the IT worker scheme, the wider North Korean cyber ecosystem runs a massive cryptocurrency theft operation. CrowdStrike’s 2026 Financial Services Threat Landscape Report found that DPRK-nexus groups stole a combined $2.02 billion in digital assets during 2025, a 51% increase over the previous year. The largest single heist, $1.46 billion in cryptocurrency, was attributed to the related group PRESSURE CHOLLIMA, which deployed trojanized software through a supply-chain compromise.
The ultimate destination of these funds is explicit. The stolen billions are “almost certainly laundered and will be used to fund the regime’s military and nuclear weapons programs,” the 2026 Financial Services Threat Landscape Report states.
While public reporting on Famous Chollima emphasizes infiltration and theft, data exfiltration carries a second potential payoff. Broader North Korean cyber operations have adopted data-theft extortion tactics, threatening to leak stolen information unless a ransom is paid.
CrowdStrike’s earlier Global Threat Report tracked a 76% increase in victims named on dedicated leak sites as data-theft extortion became a preferred monetization route for many adversaries. The firm notes that DPRK-nexus actors have been observed conducting data theft and extortion campaigns without deploying ransomware at all, applying pressure solely through the threat of exposing sensitive data.
CrowdStrike has also reported that in its service engagements involving Famous Chollima, data theft was confirmed in 50% of cases. That exfiltrated information could be leveraged for extortion, though the public report summaries focus more directly on the group’s insider infiltration and salary and cryptocurrency theft pipeline. Whether Famous Chollima follows a defined post-detection ransom playbook is not established by the public summaries available to date; any such detail would have to come from the full threat reports.
The scale and sophistication of the operation represent a new paradigm in nation-state cyber intrusion, shifting the threat from perimeter attacks to trusted insiders who get hired, get paid, and steal from within.