FAMOUS CHOLLIMA: 320+ Companies Hit with AI Résumés, Deepfake Interviews

CrowdStrike: DPRK’s FAMOUS CHOLLIMA infiltrated 320+ firms using AI résumés and real‑time deepfakes in remote interviews. How to detect and stop it
[Image: A split-screen video interview where the candidate's face is subtly glitching, revealing deepfake artifacts. An HR dashboard shows a flashing "Identity Anomalies" alert, with a headline about the DPRK's CHOLLIMA group.]

CrowdStrike reports a DPRK‑nexus cluster, FAMOUS CHOLLIMA, infiltrated 320+ organizations in the past 12 months (a 220% YoY surge) by using GenAI to fabricate résumés, run real‑time deepfake video interviews, and even assist on‑the‑job coding—turning insider threats into a scalable, state‑sponsored revenue and access pipeline. [ciso.economictimes.indiatimes +1]

What changed

  • AI at every step: The group automates identity fabrication (résumés, profiles), interview deception (live deepfake personas), and task execution (AI code tools) to obtain and retain remote roles under false identities. [privacymatters.dlapiper +1]

  • Scale and victims: Hundreds of intrusions span technology, finance, and critical sectors; reporting highlights Fortune 500 exposure and a broad geographic footprint through remote‑only roles. [crn +1]

How the operation works

  • Synthetic identities: GenAI crafts multilingual résumés and portfolios; forged documents and deepfake photos/videos bolster background checks and video screens. [sonatype +1]

  • Access persistence: “Laptop farms” and VPNs/proxies mask location; U.S. “mules” host devices and networks, letting operatives appear domestic while operating from abroad. [iddataweb +1]

  • Objectives: Generate revenue for DPRK programs and establish insider footholds for data theft and later extortion/espionage—CrowdStrike frames this as a structural shift in insider risk. [techcrunch +1]

Evidence and case signals

  • CrowdStrike metrics: 320+ infiltrations; 220% YoY growth in this tactic; vishing and identity abuse accelerating across 2024–2025. [crowdstrike +1]

  • Independent corroboration: Legal/security briefs and media summarize the same TTPs—AI résumés, deepfake interviews, device mules, and remote access obfuscation—impacting Western firms. [techbeat +1]

  • Known incident example: A well‑publicized deepfake hire incident described by HR/security sources shows the pattern can bypass standard interviews and background checks until post‑onboarding controls catch malware or anomalous behavior. [hrexecutive +1]

Why this matters now

  • Hiring season risk: Remote hiring cycles amplify exposure, and HR stacks were not designed to detect synthetic identities and real‑time deepfakes. [privacymatters.dlapiper]

  • Identity is the fastest‑moving vector: CrowdStrike emphasizes identity abuse (fake personas, social engineering, vishing) as the top enabler of cross‑domain compromise. [beyondidentity +1]

Defensive playbook (HR + Security)

  • Strengthen identity verification

    • Add live liveness/facial‑movement challenges, ask for spontaneous gestures, and use challenge‑response color prompts; compare across multiple calls. [iproov +1]

    • Corroborate identity with authoritative sources; verify tax and payroll identities against trusted databases; flag “impossible travel” and geolocation mismatches. [techbeat +1]

  • Secure devices and access

    • Ship devices to verified addresses; require phishing‑resistant MFA/passkeys; restrict admin rights; monitor for remote tools, VPN chaining, and off‑hours data pulls. [crowdstrike]

    • Enforce conditional access (managed, compliant devices only) and geo‑fencing; require attestations for OS integrity and hardware security. [beyondidentity]

  • Interview and onboarding controls

    • Demand live coding/screenshares with on‑the‑spot tasks; use surprise follow‑ups to disrupt pre‑scripted deepfake routines; record artifact inconsistencies (voice desync, eye‑blink anomalies). [hrexecutive +1]

  • Continuous monitoring and response

    • Watch for “shadow worker” patterns: identical work artifacts across accounts, network access from atypical ASNs, device farms, or shipped‑then‑remoted laptops. [iddataweb +1]

Red flags for hiring teams

  • Avoidance of spontaneous live tasks or “camera/mic issues” recurring across interviews; requests to redirect device shipment or payroll details last‑minute; IPs and working hours inconsistent with claimed location. [privacymatters.dlapiper +1]
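The impossible‑travel, working‑hours and atypical‑ASN checks named in the playbook and in the red flags above, as an added example that is not code from CrowdStrike or this article. The declared time zone, the expected onboarding ASN and every login record are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
# Added example (not CrowdStrike's or the article's code) over constructed login telemetry
# for one remote hire who declared New York (UTC-5) as their work location.
@dataclass
class Login:
    ts: datetime   # event time, UTC
    ip: str        # constructed documentation-range addresses
    lat: float     # geolocation of the source IP
    lon: float
    asn: int       # ASN the IP resolved to (constructed, reserved documentation ASNs)

CLAIMED_UTC_OFFSET_H = -5   # hypothetical: time zone declared at hiring
EXPECTED_ASNS = {64500}     # hypothetical: network seen when the shipped laptop first enrolled
MAX_KMH = 1000              # above airline speed => relay/VPN/laptop-farm suspect

def km_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login geolocations."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(logins):
    """Consecutive logins whose implied ground speed exceeds MAX_KMH."""
    hits = []
    for a, b in zip(logins, logins[1:]):
        hours = max((b.ts - a.ts).total_seconds() / 3600, 1 / 60)  # floor at one minute
        kmh = km_between(a, b) / hours
        if kmh > MAX_KMH:
            hits.append((a.ip, b.ip, round(kmh)))
    return hits

def off_hours(logins, start_h=7, end_h=21):
    """Logins outside business hours in the time zone the employee claimed."""
    tz = timezone(timedelta(hours=CLAIMED_UTC_OFFSET_H))
    return [l.ip for l in logins if not start_h <= l.ts.astimezone(tz).hour < end_h]

def atypical_asn(logins):
    """Logins from networks never seen during verified onboarding."""
    return [(l.ip, l.asn) for l in logins if l.asn not in EXPECTED_ASNS]

# Constructed sample: two home-ISP logins, one 30 min later ~11,000 km away on another ASN,
# then one at 02:00 in the claimed time zone.
SAMPLE = [
    Login(datetime(2025, 8, 5, 14, 0, tzinfo=timezone.utc), "192.0.2.10", 40.71, -74.01, 64500),
    Login(datetime(2025, 8, 5, 15, 0, tzinfo=timezone.utc), "192.0.2.10", 40.71, -74.01, 64500),
    Login(datetime(2025, 8, 5, 15, 30, tzinfo=timezone.utc), "198.51.100.7", 37.57, 126.98, 64496),
    Login(datetime(2025, 8, 6, 7, 0, tzinfo=timezone.utc), "192.0.2.10", 40.71, -74.01, 64500),
]
```

Running the three functions over SAMPLE flags the second‑to‑third hop as impossible travel (roughly 22,000 km/h), the last login as off‑hours, and the third as coming from an ASN never seen at onboarding; each signal alone is weak, so the playbook's point is to correlate them before escalating.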

FAQs

  • What is FAMOUS CHOLLIMA?
    A DPRK‑linked adversary cluster named by CrowdStrike, specializing in remote‑work infiltration using GenAI for identity creation, deepfake interviews, and on‑the‑job task support. [crowdstrike]

  • How many companies were impacted?
    Over 320 in the last 12 months, a 220% increase year‑over‑year, per CrowdStrike’s 2025 Threat Hunting Report. [ciso.economictimes.indiatimes +1]

  • Are deepfakes really happening in interviews?
    Yes—reports cite real‑time deepfake personas, with cases where new hires later attempted to install malware, revealing synthetic identity fraud post‑onboarding. [iproov +1]

  • What roles are targeted?
    Remote IT, software engineering, DevOps, and other technical roles where remote device access and repo/credential access deliver monetization and espionage value. [sonatype +1]

  • Can background checks stop this?
    Traditional checks often miss synthetic identities augmented by stolen PII and deepfake assets; advanced liveness tests, multi‑signal verification, and device/account telemetry are needed. [techbeat +1]

Sources

  • CrowdStrike 2025 Threat Hunting Report—AI weaponization, 320+ infiltrations, 220% YoY surge. [ciso.economictimes.indiatimes +1]

  • Legal/industry summaries of the report and controls recommended for HR and security. [privacymatters.dlapiper +1]

  • Media confirmations and explainer features on DPRK deepfake résumés, interview deception, and remote worker mules. [techcrunch +1]

  • Case illustrations of deepfake hires and post‑onboarding detection lessons for HR/security teams. [iproov +1]

Hey there! I’m Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I’m passionate about SEO, digital marketing, and coding (mastered four languages!). When I’m not diving into Data Science or AI, you’ll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadget comparisons and the latest information about gadgets. Let’s explore tech together!