The Deepfake Threat: Chollima APT Group Uses AI Filters to Infiltrate Crypto and Web3 Companies
The rapid expansion of remote work and hiring has exposed companies, particularly in high-value sectors like Crypto and Web3, to sophisticated new forms of social engineering. The Chollima Synthetic Interview Operation reveals how advanced persistent threat (APT) groups are exploiting remote hiring processes using real-time deepfakes and stolen identities to conduct espionage and steal funds.
This campaign, linked to North Korean state-sponsored actors, highlights a crucial shift in cyberattack methodology: utilizing AI-powered facial filters during live video interviews to masquerade as legitimate job candidates.
According to the full campaign report, Chollima operatives used fake résumés and real-time AI facial filters to impersonate qualified job candidates during interviews. They connected via VPNs and remote desktop tools that masked their true location, creating the illusion of being U.S.-based professionals. Once an interview ended, online profiles such as LinkedIn pages were deleted immediately, leaving minimal traces. This method showcases a deeply orchestrated infiltration tactic designed to bypass digital HR screening.

10 Critical Questions on the Chollima Deepfake Campaign
- Who is responsible for the Chollima Synthetic Interview Operation?
This campaign is attributed to the Famous Chollima APT group, a known subdivision of the Lazarus Group, one of the most active and persistent threat actors linked to North Korea. Lazarus has a long record of conducting espionage, cyber-theft, and disruptive attacks against global targets.
For a detailed breakdown of Lazarus Group’s history, structure, and tactics, readers can explore SOCRadar’s Lazarus Group profile, which provides deeper intelligence and recent updates on their operations.
- What was the core goal of the operation?
The primary goal was to secure roles inside Western firms—specifically as software engineers—in order to conduct espionage and steal funds. An insider position gives the operators access to internal information for spying and a foothold for financial theft.
- Which sectors were primarily targeted by Chollima?
The group primarily focused on sectors including Crypto, Web3, Finance, Human Resource Consulting Services, and Software Publishers. Recent reports also indicate they have begun targeting civil engineering and architecture positions.
- What sophisticated technology did the operatives use?
The Chollima operators utilized AI face filters and AI-driven deepfakes that worked in real time during video calls to disguise their faces and mimic the professionals whose identities they had stolen.
- How did the threat actors acquire the identities they used?
Attackers stole the real résumés and identities of professionals. In documented cases, they used the stolen identities of two Mexican engineers, Mateo and Alfredo, to participate in interviews.
- How did the attackers attempt to conceal their true location?
To achieve geographical camouflage and appear as legitimate, US-based remote candidates, the operatives used a complex infrastructure. This involved connecting through the Astrill VPN (often used by DPRK IT workers) and tunneling through multiple European IPs before landing on residential US IP addresses via remote desktop tools.
- What signs exposed the deepfake attempt?
Despite the use of real-time filters, the executions were described as clumsy and a poor impersonation. Inconsistencies included an unnaturally smoothed face, a mouth that barely moved while speaking, teeth that failed to match lip motion, and an inability to answer a simple question posed in Spanish, even though the candidates claimed to be Mexican engineers.
- What immediate action did the threat actors take after the interviews?
As soon as the interviews ended, the operators deleted their online profiles, such as their LinkedIn pages, which is a classic pattern of a Chollima infiltration attempt.
- What are the substantial risks companies face due to this type of remote hiring fraud?
Companies face substantial financial and legal risks. For context, North Korean hackers have been reported to steal more than $88 million through similar impersonation tactics.
- What should CISOs and SOC analysts do next?
  - Monitor VPN traffic from residential IPs.
  - Detect sudden new account creations tied to hiring pipelines.
  - Correlate anomalies in identity providers and remote access logs.

Organizations must apply rigorous background checks, verify official national IDs, and document interviews to establish candidate authenticity. Efforts should also focus on minimizing the amount and sensitivity of data available to external parties. Training users to be aware of impersonation tricks, such as confirming requests through independent platforms, is also vital.
Tactical Overview (TTPs)
The Chollima Synthetic Interview Operation relies on a chain of sophisticated behaviors aligned with established MITRE ATT&CK tactics.
| TTP Group | Description & Mitigation Focus |
|---|---|
| T1589: Gather Victim Identity Information | This tactic involves gathering identity information to facilitate impersonation. Mitigation efforts (M1056) are challenging because these behaviors occur outside enterprise controls; focus on minimizing sensitive data exposure. |
| T1656: Impersonation | The core tactic involves pretending to be job candidates using deepfakes and stolen identities. Detection focuses on monitoring anomalous email activity, especially mismatches between sending account names and underlying SMTP addresses, or detecting abnormal login locations (AN0792, AN0793). |
| T1078: Valid Accounts | The campaign aims to gain access via valid accounts acquired through the infiltration process. Mitigation involves using conditional access policies (M1036), disabling legacy authentication (M1015), and implementing Multi-factor Authentication (MFA) across all account types (M1032). Detection relies on monitoring anomalous logon patterns, impossible travel, and risky sign-ins (AN1543, AN1546). |
| T1090.001: Internal Proxy | Adversaries used complex tunneling infrastructure (VPNs and multiple European/US IPs) to achieve geographical camouflage. Detection strategies (DET0075) monitor for anomalous processes initiating connections to internal peer hosts to proxy traffic internally (AN0204). |
| T1036: Masquerading | This involves renaming files or deploying binaries with spoofed metadata to appear legitimate. Mitigation involves using Antivirus/Antimalware (M1049) and requiring signed binaries (M1045). |
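As an added illustration of the three "what should CISOs and SOC analysts do next" items and of the detection notes in the T1656 and T1078 rows above, the Python below is example code written for this page (not SOCRadar's tooling or the MITRE analytics themselves). It runs three checks over constructed records: impossible travel between consecutive sign-ins, brand-new accounts whose first logon arrives through a residential proxy or VPN exit, and From headers whose display name carries an address at a different domain than the real SMTP address. The users, IP addresses, coordinates, timestamps and the `residential_proxy` enrichment flag are all constructed assumptions; in a real deployment they would come from the identity provider's sign-in log, the HR or IdP provisioning log and an IP-reputation feed.

```python
"""Hiring-fraud detection checks over constructed identity-provider data."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    residential_proxy: bool  # assumed enrichment flag from an IP-reputation feed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds an airliner."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.ts - a.ts).total_seconds() / 3600.0
            # Same-timestamp logons far apart are still impossible; guard the division.
            if km > 50 and (hours <= 0 or km / hours > max_speed_kmh):
                findings.append((user, a.ip, b.ip, round(km)))
    return findings


def residential_proxy_logons(events):
    """Sign-ins that arrive through IPs flagged as residential proxy/VPN exits."""
    return [(e.user, e.ip) for e in events if e.residential_proxy]


def new_hire_first_logon_anomalies(events, created, window=timedelta(days=7)):
    """Correlate account creation with the first sign-in: a brand-new account
    whose first logon comes through a residential proxy deserves analyst review."""
    first = {}
    for e in sorted(events, key=lambda e: e.ts):
        first.setdefault(e.user, e)
    return [
        user for user, created_at in created.items()
        if user in first and first[user].residential_proxy
        and first[user].ts - created_at <= window
    ]


# Matches an optionally quoted display name followed by an angle-bracketed address.
_FROM_RE = re.compile(r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<(?P<addr>[^<>\s]+)>\s*$')


def sender_mismatch(from_header):
    """True when the display name contains an address whose domain differs
    from the real SMTP address, e.g. '"a@firm.example" <x@freemail.example>'."""
    m = _FROM_RE.match(from_header)
    if not m:
        return False
    name = (m.group("name") or "").strip().lower()
    addr = m.group("addr").lower()
    if "@" not in name:
        return False
    return name.rsplit("@", 1)[1] != addr.rsplit("@", 1)[1]


def run_detections():
    """Run every check over constructed sample data and return the findings."""
    t0 = datetime(2025, 1, 10, 9, 0)
    signins = [  # constructed: documentation IP ranges, rough city coordinates
        SignIn("mateo.g", t0, "198.51.100.7", 32.78, -96.80, True),            # Dallas, residential proxy
        SignIn("mateo.g", t0 + timedelta(minutes=20), "203.0.113.45", 50.11, 8.68, False),  # Frankfurt
        SignIn("ana.k", t0 - timedelta(hours=1), "192.0.2.10", 30.27, -97.74, False),       # Austin
        SignIn("ana.k", t0 + timedelta(hours=8), "192.0.2.10", 30.27, -97.74, False),       # Austin again
    ]
    created = {"mateo.g": datetime(2025, 1, 9, 15, 0), "ana.k": datetime(2023, 6, 1)}
    headers = [
        '"alfredo.r@engineering-firm.example" <contact4421@freemail.example>',
        "Ana K <ana.k@corp.example>",
    ]
    return {
        "impossible_travel": impossible_travel(signins),
        "residential_proxy": residential_proxy_logons(signins),
        "new_hire_anomalies": new_hire_first_logon_anomalies(signins, created),
        "sender_mismatch": [h for h in headers if sender_mismatch(h)],
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

The speed threshold and the seven-day correlation window are tuning knobs, not constants from the report; the point is that each of the three advice items becomes a concrete query once sign-in, provisioning and mail-header data are joined on the account name.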
