North Korea’s espionage group Kimsuky used artificial intelligence in a recent operation, according to researchers at Genians Security Center (GSC). In a July spear-phishing campaign aimed at a South Korean defense-related institution, the group deployed a deepfaked image of a military employee ID generated with ChatGPT’s image tools. Genians said the file’s metadata indicated it was produced with ChatGPT, despite OpenAI’s ongoing efforts to block counterfeit IDs.
Genians’ threat intelligence team said the attackers likely employed prompt-engineering tricks, framing requests as a mock-up or sample design for legitimate use to prompt the AI to fabricate the ID image. The researchers noted that producing copies of military IDs is illegal, and that while ChatGPT may refuse direct requests for such IDs, its responses can vary depending on how the prompt is framed.
After the image was crafted, the deepfake was distributed via emails that masqueraded as ID issuance notices for military-affiliated officials, the researchers said. The targets included an unnamed defense-related institution in South Korea; Genians did not disclose the number of affected organizations or identify the victims.
The finding underscores a broader shift toward AI-assisted espionage by North Korean actors, who have increasingly turned to tools and techniques that lower the bar for deception. In related findings, Anthropic said Pyongyang’s keyboard warriors have been using its Claude Code tool to spin up fake personas, ace job interviews, and even ship code for Fortune 500 firms.
The incident comes as AI providers reiterate efforts to curb misuse. OpenAI in February said it had booted dozens of accounts tied to North Korea’s overseas IT worker schemes as part of a broader crackdown to disrupt state-backed misuse of its models; the company also published threat-intelligence material detailing the measures. A related OpenAI threat report is available as a PDF.