A suspected North Korean threat group has used ChatGPT to create forged military IDs. According to a report by the cybersecurity firm Genians, fake identification was used in phishing attacks to deceive targets into opening links that delivered malware designed to extract data from their devices.
The cyber-espionage group Kimsuky is believed to be state-sponsored and has been linked to numerous espionage missions aimed at South Korean interests. The US Department of Homeland Security has previously estimated that this group operates under the direction of the North Korean government.
In their probe of fake identification documents, Genians’ researchers tested ChatGPT. The system initially denied requests to create government-issued IDs, which are prohibited from being replicated under South Korean law. It was found that hackers can manipulate prompts to side-step the tool’s protection filters.
Mun Chong-hyun, a director at Genians, explained that the case is an example of a larger trend. Malicious groups seem to be leveraging AI not just to make forged documents but also to organize cyberattacks, plan malware attacks, construct hacking tools, and pose as professionals like recruiters.
This is not the first time that North Korean hackers have used AI platforms for a cyberattack. In July, Genians revealed evidence of Pyongyang-aligned actors exploiting AI for espionage activities. A month later, Anthropic discovered that North Korean hackers had used the Claude Code tool to land remote work at US Fortune 500 technology firms.
The company claimed that AI tools allowed them to create identities, take coding tests, and even finish technical projects after they were hired. Anthropic stated that it had suspended accounts from North Korea for creating fake resumes, cover letters, and social media posts in aid of hiring scams on its service.
The phishing attacks reported by Genians most recently targeted South Korean journalists, human rights campaigners, and researchers specializing in North Korea. The emails were spoofed to appear as if from addresses ending in .mli.kr, a domain designed to seem like an official South Korean military email address. The extent of compromised data is unknown.
Also Read: Spyware in the Play Store: North Korean Hackers Target Android Users
US officials have long blamed North Korea for running cyber campaigns, cryptocurrency robberies, and other illegal IT contracting schemes in an effort to raise money.
They state that profits from these enterprises fund Pyongyang’s sanctioned nuclear weapons program while facilitating clandestine foreign intelligence collection.
The report highlights increasingly valid concerns that generative AI, although intended for productivity and innovation, is being increasingly exploited by state-sponsored cyber groups as a weapon.