By Allan D - Editor, AI Security Wire
FAMOUS CHOLLIMA: Inside North Korea's AI Lab Infiltration
They don’t break in. They get hired.
FAMOUS CHOLLIMA is North Korea’s most operationally mature threat cluster, and its defining capability is not malware or zero-day exploitation — it’s the ability to place operatives inside target organisations as legitimate employees. Tracked by CrowdStrike under the FAMOUS CHOLLIMA designation and by Microsoft as Jade Sleet, the operation has evolved from opportunistic revenue generation into a systematic campaign targeting AI companies for both financial extraction and intellectual property theft.
The FBI, DOJ, and Department of Treasury have all issued guidance on this. Multiple indictments have named individuals running the supporting infrastructure. The scheme has been running since at least 2022 and is getting larger, not smaller.
| Attribute | Detail |
|---|---|
| Motivation | Financial (DPRK weapons programme revenue) + strategic (AI IP collection) |
| Assessed nexus | DPRK / Reconnaissance General Bureau (RGB) |
| Aliases | Jade Sleet (Microsoft), Nickel Tapestry (Secureworks), UNC5267 (Mandiant) |
| Active since | IT workers scheme from 2022; AI-specific targeting escalated from 2024 |
| Primary targets | Foundation model developers, ML engineering teams, AI safety orgs, GPU cloud providers |
| Distinguishing capability | Industrialised fake employment — fabricated identities, manufactured work histories, real insider access |
The Operation in Numbers
The DOJ’s 2024 indictment described a scheme in which thousands of North Korean IT workers were employed across hundreds of US companies simultaneously, generating over $300 million in revenue for the regime over several years. That number is almost certainly understated: it reflects only what investigators could trace to known operatives. The FBI estimated in 2024 that DPRK IT workers had obtained employment at companies across 50 countries.
That’s not a targeted attack. That’s an industry.
The operation works because it exploits a structural feature of modern tech hiring: remote-first roles, fast interview cycles, and a talent market that rewards moving quickly. AI companies are particularly exposed. They hire engineers globally, often through GitHub profiles and portfolio work, and they operate on timelines where a great ML engineer is hired in days, not weeks.
Why AI Companies Specifically
The IT workers scheme began as revenue generation. Workers were paid market-rate salaries that were partially or wholly remitted back to the DPRK, typically routed through cryptocurrency to evade sanctions. That motivation persists.
What changed around 2024 is that AI IP became a strategic priority alongside the financial extraction. Model weights for a frontier AI system represent years of compute investment, proprietary datasets, and research insight. A single exfiltration of a major lab’s model weights delivers intelligence value that no traditional espionage operation could match for equivalent cost. For a nation that has identified AI development as a core strategic priority, access to those weights is worth more than the salary recovery.
The AI targeting is also tactically rational. AI companies often have:
- Remote-first engineering cultures with limited physical verification requirements
- Fast hiring pipelines that prioritise technical demonstration over comprehensive background checks
- Distributed infrastructure in cloud environments that can be accessed from anywhere
- Valuable IP concentrated in relatively small repositories: model weights, training pipelines, proprietary datasets
An operative placed as a senior ML engineer at a mid-tier AI lab has, from day one, access to more strategically valuable data than most traditional espionage operations could acquire in years.
How the Scheme Works
Identity Manufacturing
Fake engineer identities are built over months before any application is submitted. The persona accumulates a GitHub contribution history — not just forks, but genuine commits to open-source ML projects, issue responses, and pull requests that read as authentic participation in the AI community. LinkedIn profiles are populated with plausible career progressions at companies that either don’t exist or are difficult to verify. Portfolio projects demonstrate real ML competence: the operatives are trained engineers, not pretenders.
Photographs are AI-generated and pass casual reverse image search. References come from other operatives running supporting personas in the same network. The fabrication is comprehensive because it has to be: AI companies hire people who look credible on GitHub and LinkedIn, and the operation has learned that.
The Interview
Technical skills are genuine. FAMOUS CHOLLIMA operatives can complete ML coding assessments and demonstrate working knowledge of PyTorch, transformer architectures, and distributed training infrastructure. That’s deliberate: a fake engineer who can’t pass a technical screen is useless.
Where interviewers have caught operatives is video-based verification. The FBI has documented specific patterns: webcam obstruction or technical problems conveniently preventing clear video, a slight lag between audio and video suggesting the candidate is being coached in real time by a more technically capable colleague, and — in confirmed cases — voice switching mid-interview when the person who passes the technical screen is not the person who speaks during the verbal portions.
Requiring government-issued identity verification with a live video check that matches the candidate’s face to a submitted document has blocked infiltration attempts in documented cases. Most AI companies don’t do this.
Once Hired
Access provisioning for new hires determines what damage can be done. FAMOUS CHOLLIMA operatives who gain employment at AI labs move quickly to extend their access beyond their initial job scope: requesting access to model weight repositories under legitimate work pretexts, joining internal Slack channels related to training infrastructure, and offering to help with MLOps tasks that require broader permissions.
The data they prioritise, based on recovered cases: model weights and checkpoints, training scripts and dataset configurations, API keys and cloud credentials, internal safety evaluation results and red-team findings. Internal communications about upcoming model capabilities are also collected — for a state actor planning its own AI development roadmap, knowing what frontier labs are building months before public release has obvious value.
Some documented cases have included a secondary extortion component: operatives who gain access to sensitive internal information and then threaten to release it unless paid. This is consistent with FAMOUS CHOLLIMA’s financially motivated history but is relatively rare in the AI-targeting subset of the operation.
Known Activity
CrowdStrike’s reporting documents FAMOUS CHOLLIMA infrastructure overlaps with intrusion activity at technology companies including AI developers across the US, UK, and Europe. Microsoft’s Jade Sleet reporting specifically identifies targeting of cryptocurrency firms and AI companies using fake LinkedIn profiles and GitHub engagement to approach potential victims.
The DOJ’s 2024 indictment, US v. Chapman et al., named individuals running the logistics infrastructure in the US — facilitators who received laptops from companies, forwarded them to overseas operatives, and managed the technical setup that allowed remote workers to appear to be operating from within the US.
Several AI companies have disclosed or confirmed insider threat incidents consistent with FAMOUS CHOLLIMA’s operational profile but have not attributed them publicly. The classification problem is real: a company that discovers it unknowingly employed a North Korean operative faces significant reputational exposure and may calculate that non-disclosure is preferable to attribution.
Detection Opportunities
| Signal | What to Look For |
|---|---|
| Hiring | No verifiable prior employer contact; references unreachable or using non-corporate email; insistence on avoiding video or identity verification |
| Interview | Webcam obstruction; audio/video desync; response delays inconsistent with claimed experience; personality shift between technical and verbal portions |
| Onboarding | Unusual access requests in first 30 days; VPN or VDI traffic routing through unexpected geographies; device management resistance |
| In tenure | Access to systems outside job scope; bulk downloads from model weight storage or training data repositories; unusual transfer of files to personal cloud storage |
| Financial | Payment routing requests to cryptocurrency wallets or unusual jurisdictions; salary forwarding patterns |
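
The Onboarding and In tenure rows above can be turned into alert logic over storage and repository audit logs. The sketch below is an added example, not code from the article or from any vendor it cites; the roster, the JSON log schema, the resource prefixes and the 50 GiB daily threshold are all assumptions, and the log lines are constructed sample data.

```python
import json
from collections import defaultdict
from datetime import date, datetime

# Constructed sample data: hypothetical HR roster with start date and job scope.
ROSTER = {
    "a.lee": {"start": date(2025, 3, 3), "scope": ("git/inference-api/",)},
    "m.ortiz": {"start": date(2023, 6, 1), "scope": ("s3://weights/", "git/")},
}
SENSITIVE = ("s3://weights/", "s3://train-data/")  # assumed IP-bearing stores
PROBATION_DAYS = 30                                # the table's "first 30 days"
BULK_BYTES = 50 * 2**30                            # assumed threshold: 50 GiB per user per day

# Constructed audit log, one JSON event per line (hypothetical schema).
AUDIT_LOG = """\
{"ts":"2025-03-05T09:12:00","user":"a.lee","action":"read","resource":"git/inference-api/server.py","bytes":20480}
{"ts":"2025-03-10T23:40:00","user":"a.lee","action":"read","resource":"s3://weights/base-v3/ckpt-0001.pt","bytes":32212254720}
{"ts":"2025-03-10T23:55:00","user":"a.lee","action":"read","resource":"s3://weights/base-v3/ckpt-0002.pt","bytes":32212254720}
{"ts":"2025-03-11T10:00:00","user":"m.ortiz","action":"read","resource":"s3://weights/base-v3/ckpt-0001.pt","bytes":32212254720}
{"ts":"2025-03-11T10:30:00","user":"m.ortiz","action":"read","resource":"s3://train-data/shard-17.parquet","bytes":1073741824}
"""

def detect(log_text, roster=ROSTER):
    """Return sorted (user, day, signal) tuples for the onboarding and in-tenure signals."""
    alerts, daily = set(), defaultdict(int)
    for line in log_text.splitlines():
        ev = json.loads(line)
        hire = roster.get(ev["user"])
        if hire is None:
            continue  # principals missing from the roster need their own alert path
        day = datetime.fromisoformat(ev["ts"]).date()
        res = ev["resource"]
        sensitive = res.startswith(SENSITIVE)
        if not res.startswith(hire["scope"]):
            alerts.add((ev["user"], str(day), "out_of_scope"))
        if sensitive and (day - hire["start"]).days < PROBATION_DAYS:
            alerts.add((ev["user"], str(day), "sensitive_in_first_30_days"))
        if sensitive and ev["action"] == "read":
            daily[(ev["user"], day)] += ev["bytes"]  # accumulate per user per day
    for (user, day), total in daily.items():
        if total > BULK_BYTES:
            alerts.add((user, str(day), "bulk_download"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert)
```

Joining the audit stream to HR start dates and a per-role scope list is what makes the first two signals possible; without that join, only the volume threshold can fire.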
What Actually Helps
- Enforce identity verification at the point of hire. Document scanning is not sufficient. Use a provider that performs a live video check matching the candidate’s face to a government-issued document, with liveness detection. This is the single highest-leverage control against FAMOUS CHOLLIMA infiltration.
- Stage access provisioning. Model weight repositories, training infrastructure, and proprietary dataset stores should not be accessible on day one. New hires — including senior engineers — should operate on minimum necessary access for an initial period, with expansion gated on manager approval and a reasonable rationale.
- Require managed devices from the start. Personal laptop policies eliminate your ability to enforce DLP controls, monitor file transfers, or detect anomalous access patterns. Managed devices with endpoint monitoring should be mandatory for any role with access to IP-bearing systems, from day one.
- Run OFAC and sanctions screening on all contractors. Fabricated identities won’t match known DPRK names, but sanctions screening catches supporting infrastructure — entities, accounts, and patterns associated with the scheme. It’s not a complete control but it raises the cost of the operation.
- Treat ML infrastructure like production security infrastructure. Model weight storage, training pipelines, and experiment tracking systems should have the same access controls, audit logging, and anomalous-access alerting as your core production environment. Most AI companies don’t do this because ML infrastructure grew up as a research tool, not a security boundary. FAMOUS CHOLLIMA has identified that gap.
References
- DOJ: North Korean Information Technology Workers — Threat Overview
- FBI Flash: North Korean Actors Targeting AI Companies and Cryptocurrency Firms
- CrowdStrike 2026 Global Threat Report: FAMOUS CHOLLIMA Operational Expansion
- Microsoft Threat Intelligence: Jade Sleet Targets AI and Crypto Sector
- MITRE ATT&CK: T1586 — Compromise Accounts; T1534 — Internal Spearphishing
- OFAC: DPRK Sanctions and Designation List
Frequently Asked Questions
- How does FAMOUS CHOLLIMA produce fake engineer identities convincing enough to pass AI company hiring?
- The operation runs an industrialised identity fabrication pipeline. Operators build GitHub profiles over months with genuine commit histories, contribute to open-source AI projects under the fake persona, populate LinkedIn accounts with plausible career progressions, and use AI-generated photographs that pass reverse image search. References are provided by other operatives running supporting personas. For video interviews, some documented cases involve laptop camera obstruction, delayed video feeds, or impersonation by a more technically capable colleague speaking for the hired persona -- a practice the FBI has specifically documented. The process is not improvised: it reflects years of iteration against Western hiring practices.
- Which roles at AI companies carry the highest FAMOUS CHOLLIMA infiltration risk?
- Remote ML engineering and AI research positions are the primary target. Specifically: model training engineers with access to weight storage and experiment infrastructure, AI safety researchers with access to internal model evaluations and red-team findings, MLOps and infrastructure engineers with broad access to cloud compute and data pipelines, and AI product engineers with access to proprietary datasets and fine-tuning workflows. The common factor is remote-first roles that grant broad system access without requiring physical presence. Roles requiring on-site work, hardware access, or classified clearances are naturally excluded from the scheme.
- What are the most reliable controls for detecting or preventing FAMOUS CHOLLIMA infiltration?
- No single control is sufficient. The most reliable combination is: government-issued identity verification through a service that checks against national databases (not just document scanning), video interview conducted with camera requirements enforced and identity verified against the submitted document in real time, device management that prevents personal laptop use for sensitive work from day one, and access provisioning that limits new hires to minimum necessary permissions during an onboarding period -- model weight storage, training infrastructure, and IP repositories should not be accessible on day one. Background check providers with OFAC screening should flag names and aliases associated with sanctioned entities, though FAMOUS CHOLLIMA operatives use fabricated identities that won't match known lists. The practical floor is identity verification robust enough to confirm a real person exists behind the application.