OpenAI claims to have blocked several North Korean hacking group from using its ChatGPT Platform to research future targets and to find ways to hack their networks.
“We banned accounts demonstrating activity potentially associated with publicly reported Democratic People’s Republic of Korea (DPRK)-affiliated threat actors,” The company In its February 2025 Threat Intelligence Report, said.
“Some of these accounts engaged in activity involving TTPs consistent with a threat group known as VELVET CHOLLIMA (AKA Kimsuky, Emerald Sleet), while other accounts were potentially related to an actor that was assessed by a credible source to be linked to STARDUST CHOLLIMA (AKA APT38, Sapphire Sleet).”
The now banned accounts were detected by using information from a partner industry. In addition to researching what tools to use during cyberattacks, the threat actors used ChatGPT to find information on cryptocurrency-related topics, which are common interests linked to North Korean state-sponsored threat groups.
The malicious actor also used ChatGPT to provide coding assistance. This included help with open-source Remote Administration Tools, as well as research, debugging and development assistance on open-source security tools and code which could be used for Remote Desktop Protocol (RDP brute force) attacks. OpenAI threat analysts found that North Korean actors also revealed staging URLs of malicious binaries, which were unknown to security vendors when they were debugging autostart extensibility points (ASEP) and macOS attack methods.
These URLs, along with the executable files they were associated with, were submitted to a scanning service online to facilitate sharing among the security community. Some vendors can now detect these binaries reliably, protecting potential victims against future attacks.
OpenAI discovered other malicious activities by North Korean threat actors while researching how they used the banned accounts. These include but are not limited to the following:
- Requesting information about vulnerabilities in different applications,
- Building and troubleshooting an RDP client based on C#,
- Requesting codes to bypass security warnings regarding unauthorized RDPs,
- Requesting numerous PowerShellscripts for RDP connection, file upload/download and execution,
- [196590][196590][196590][196590][196590][196590][1965][196590][196590][196590][196590][196590][19659008[19659008[196590][196590][196590][196590]
In addition, the company banned accounts that were linked to a possible North Korean IT worker scheme. The company described the scheme as having all of the characteristics needed to trick Western companies into hiring North Koreans. OpenAI explained. OpenAI also discovered and disrupted, since October 2024 when it published its last report, two campaigns that originated from China. “Peer Review” “Sponsored Discontent.” Both campaigns used ChatGPT models for research and development tools linked to a spying operation, and to generate anti-American Spanish-language articles. OpenAI reported in its October reportthat it had disrupted more than twenty campaigns since the start of 2024. These were linked to cyber operations, covert influence operations, and Iranian and Chinese state sponsored hackers.
