North Korean hackers exploited OpenAI’s ChatGPT to generate deepfake military ID cards in a phishing campaign against South Korean defense-related institutions, researchers have found. The July 2025 attack was credited to the Kimsuky group, also known as APT43, which has been sanctioned by the US and its allies for supporting Pyongyang’s foreign policy and sanctions-evasion efforts through intelligence-gathering operations.
South Korean cybersecurity firm Genians reports that the hackers used ChatGPT to create sample images of South Korean government and military employee ID cards. The images were embedded in phishing emails crafted to appear as if they came from a legitimate South Korean defense agency handling identification services for military officials. The emails delivered a fake ID card alongside malware that enabled data theft and remote access to victims’ systems.[1]
Researchers said that metadata analysis confirmed the images were produced using ChatGPT, even though the service typically rejects requests to replicate official identification documents. According to the report, the attackers likely worked around this by framing the request as a mock-up or sample design. “This is a real case demonstrating the Kimsuky group’s application of deepfake technology,” Genians said, warning that generative AI can be abused to create realistic forgeries with little technical skill.
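Metadata analysis is the detection step the paragraph above rests on: an image attached to a phishing email carries embedded text fields that can reveal the software that produced it. The following Python is an added illustration and is not Genians' method or code from the article; it walks the chunk structure of a PNG attachment, verifies each chunk CRC, collects the tEXt, zTXt and iTXt metadata fields, and flags any value that matches an analyst-supplied indicator list. The article does not state which fields identified ChatGPT as the source, so the sample image, its keyword/value pairs and the indicator strings are constructed placeholders.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Assemble one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(text_fields: dict, itxt_fields: dict) -> bytes:
    """Constructed 1x1 RGB PNG carrying tEXt and iTXt metadata.

    Sample input only: the keyword/value pairs are placeholders supplied by the
    caller, not metadata observed in the campaign described in the article."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB, no interlace
    scanline = b"\x00" + b"\x00\x00\x00"                # filter byte + one black pixel
    chunks = [build_chunk(b"IHDR", ihdr)]
    for key, val in text_fields.items():
        chunks.append(build_chunk(b"tEXt", key.encode("latin-1") + b"\x00" + val.encode("latin-1")))
    for key, val in itxt_fields.items():
        # keyword \0 compression-flag compression-method language \0 translated-keyword \0 text
        body = key.encode("latin-1") + b"\x00" + b"\x00\x00" + b"\x00" + b"\x00" + val.encode("utf-8")
        chunks.append(build_chunk(b"iTXt", body))
    chunks.append(build_chunk(b"IDAT", zlib.compress(scanline)))
    chunks.append(build_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, checking the file signature and every CRC."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def extract_text_metadata(png: bytes) -> dict:
    """Collect keyword/value pairs from tEXt, zTXt (decompressed) and iTXt chunks."""
    out = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, val = data.partition(b"\x00")
            out[key.decode("latin-1")] = val.decode("latin-1", "replace")
        elif ctype == b"zTXt":
            key, _, rest = data.partition(b"\x00")
            out[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1", "replace")
        elif ctype == b"iTXt":
            key, _, rest = data.partition(b"\x00")
            comp_flag = rest[0]
            _, _, rest = rest[2:].partition(b"\x00")   # drop compression method + language tag
            _, _, text = rest.partition(b"\x00")       # drop translated keyword
            if comp_flag:
                text = zlib.decompress(text)
            out[key.decode("latin-1")] = text.decode("utf-8", "replace")
    return out


def triage_metadata(png: bytes, indicators: tuple) -> dict:
    """Return all text metadata plus the keys whose value matches an indicator.

    `indicators` is a case-insensitive substring list the analyst maintains;
    the value used in the usage example below is a constructed placeholder."""
    meta = extract_text_metadata(png)
    lowered = tuple(i.lower() for i in indicators)
    flagged = sorted(k for k, v in meta.items() if any(i in v.lower() for i in lowered))
    return {"metadata": meta, "flagged": flagged}


if __name__ == "__main__":
    sample = build_sample_png(
        {"Software": "EXAMPLE-GENERATOR (placeholder)", "Comment": "sample ID mock-up"},
        {"Description": "constructed iTXt field"},
    )
    print(triage_metadata(sample, ("example-generator",)))
```

A hit on the indicator list is a triage lead, not proof: metadata is trivially stripped or rewritten by the sender, so its absence says nothing, while its presence on an attachment posing as an official document is worth a closer look alongside the email's other indicators.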
Kimsuky has been active since at least 2012, targeting governments, academics, think tanks, journalists, and activists in South Korea, Japan, the United States, Europe and Russia. Its primary focus has been individuals working on North Korea-related issues, including human rights and sanctions.
Genians and other researchers also have documented cases where North Korean IT workers used AI to generate fake résumés and online personas to secure overseas jobs, and to assist with technical interviews and tasks once employed.
South Korea’s foreign ministry has warned that Pyongyang’s workers “use a variety of techniques to disguise themselves as non-North Korean IT workers with false identities and locations, including by leveraging AI tools as well as cooperating with foreign facilitators.”
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com.
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://therecord.media/north-korea-kimsuky-hackers-phishing-fake-military-ids-chatgpt/