OpenAI has blocked multiple North Korean hacking groups from using its ChatGPT platform to research targets and develop hacking techniques.
In its February 2025 threat intelligence report, OpenAI confirmed it banned accounts linked to these state-sponsored cybercriminals.
The company identified activities associated with well-known North Korean hacking groups, including VELVET CHOLLIMA (also known as Kimsuky, Emerald Sleet) and STARDUST CHOLLIMA (also known as APT38, Sapphire Sleet). These accounts were detected with the help of an industry partner and were found to be using ChatGPT to explore cybersecurity vulnerabilities, develop attack strategies, and research cryptocurrency-related topics—a common focus of North Korean cybercriminals.
The threat actors reportedly used ChatGPT to seek coding assistance for remote administration tools (RATs), to get help with debugging, and to research methods for conducting brute-force attacks on Remote Desktop Protocol (RDP). OpenAI analysts also uncovered that these groups attempted to develop obfuscated payloads and social engineering tactics to target cryptocurrency investors and traders. Additionally, some accounts sought methods to bypass security warnings and create phishing content aimed at stealing sensitive user data.
OpenAI also identified and banned accounts connected to a suspected North Korean IT worker scheme. These individuals appeared to use AI models to assist in job-related tasks such as coding, troubleshooting, and professional communication. OpenAI noted that they even generated cover stories to explain suspicious behavior like avoiding video calls and accessing corporate systems from unauthorized locations.
In addition to North Korean activities, OpenAI disrupted two cyber campaigns originating from China. These campaigns, named “Peer Review” and “Sponsored Discontent,” reportedly used ChatGPT to develop tools for surveillance and generate propaganda, including anti-American content in Spanish. Since October 2024, OpenAI has taken action against over twenty cyber operations linked to state-sponsored groups from Iran and China.
Bijay Pokharel