Group IV has announced that it has detected signs that an organization linked to North Korean IT personnel infiltrated the remote recruitment processes of global companies using synthetic identities and artificial intelligence. Investigations revealed that they gained access to corporate environments by assuming legitimate employment forms using fake identities.

Group IV disclosed the details of its investigation on the 13th and explained that it confirmed such activities through its latest report, "Following the Footsteps of North Korean IT Workers." According to the investigation, they were found to have bypassed existing security controls by utilizing synthetic identities, AI-based job applications, and digital platforms.

This case exhibited characteristics different from typical cyber attacks. Group IV explained that instead of directly attacking the system from the outside, a "human resource-based access model" was identified, in which attackers bypassed the hiring process using fake identities to gain entry into the organization.

The Group Ivy threat intelligence team discovered an organized ecosystem of fake developer personas active on GitHub, freelance marketplaces, and portfolio sites. The investigation found that related activities began at least in 2021 and continued until March 2026.

The investigation revealed a broader network spanning repositories, emails, and portfolio sites, in addition to previously exposed accounts. It was found that threat actors repeatedly reused or repurposed developer personas while maintaining their technical profiles and modifying only the details of their personal histories.

Along with this, archives containing identity creation kits, job application templates, AI-generated responses, and account login information were discovered, and evidence was found of using generative AI tools to write job applications and communicate with employers. The investigation also included attempts to enhance credibility by securing verified accounts on freelance platforms such as Upwork.