Microsoft has shut down 3,000 Outlook and Hotmail email accounts it believes were created by North Korean IT workers as part of a scheme to infiltrate US companies and generate revenue.
The tech giant disclosed the action in a blog post published alongside two U.S. Justice Department indictments that charge multiple North Koreans — along with at least two U.S. citizens — for their involvement in the long-running operation. Microsoft said it has spent years tracking the campaign, which involves North Koreans posing as remote IT freelancers to secure work with international businesses.
According to Microsoft, the operation has evolved in recent months, with North Korean operatives increasingly using artificial intelligence tools to forge job application materials and manipulate personal data. AI is now commonly used to replace faces in stolen ID documents and enhance photos to appear more professional, the company said. Some actors have also begun experimenting with voice-changing software to bypass interview screenings.
“We’ve observed a clear shift in tactics,” Microsoft said. “They are now using AI tools like Faceswap to transfer their images onto stolen documents and to create professional-looking profiles for job applications.”
The company’s threat intelligence team previously uncovered a public repository containing AI-altered photos, forged resumes, email accounts, and detailed playbooks on identity theft, VPN usage, and freelance job platforms. Payment records tied to facilitators were also found.
Microsoft warned that although it has not yet seen AI-generated voices or video used in job interviews, such technology could allow North Korean workers to conduct interviews themselves rather than rely on third-party intermediaries.
The Justice Department indictments revealed the broad scope of the scheme. The FBI conducted searches in 16 U.S. states, targeting 29 so-called "laptop farms" — setups where Americans lease or provide company-issued laptops to be used remotely by North Korean operatives.
Among the U.S. citizens charged was an active-duty military member with a security clearance, highlighting the potential national security risks of the scheme.
Microsoft's latest action aims to disrupt what it calls a "costly and deceptive" operation that poses risks to corporate security and integrity.
