Imagine hiring a remote engineer who passes interviews, technical tests, and background checks—only to discover they’re a cyber spy. This isn't fiction. It happened in 2024, when cybersecurity firm KnowBe4 discovered one of its new hires manipulating suspicious files and running unauthorized software.
After an internal investigation, they found the employee was a North Korean national, part of a global network of fake professionals deceiving companies to gain access to corporate systems and steal sensitive information.
This is not an isolated case. It’s part of a growing trend exposing a new risk: insider threats disguised as remote hires.
A Global Problem Growing Silently
Since 2017, the FBI and companies like ESET and Microsoft have tracked WageMole, a group linked to North Korea focused on placing fake workers in Western companies.
Microsoft data shows that between 2020 and 2022, over 300 companies—including several Fortune 500 firms—fell victim to this tactic. In June 2022 alone, Microsoft suspended 3,000 Outlook and Hotmail accounts used by fake applicants.
And the issue has gone global:
- ESET has identified similar activity in Europe, especially in France, Poland, and Ukraine.
- Google warns that the UK is also being targeted.
- Thousands of fake developers are believed to be working under stolen or fabricated identities.
A U.S. court case revealed that some infiltrators earned over $860,000 across at least 60 companies.
How They Fool Companies
These attackers craft full digital identities, mixing real and fake data to appear legitimate. They create email accounts, social media profiles, and developer pages on platforms like GitHub or LinkedIn. Some even use deepfakes or voice/face changers during video interviews.
Their goal is to convince recruiters they’re qualified remote professionals.
Once hired, these fake employees can:
- Access internal systems, databases, or code repositories
- Exfiltrate sensitive information, sell it, or use it for blackmail
- Plant malware or open backdoors for others
ESET notes that WageMole also collaborates with DeceptiveDevelopment, a group that tricks real developers into solving “technical challenges” using infected code. The criminals then steal those identities and reuse them in hiring scams.
The Role of Facilitators
Behind each fake candidate is a network of foreign collaborators who help maintain the disguise. These facilitators:
- Create accounts on freelance job platforms
- Open or lend bank accounts to receive payments
- Purchase local SIM cards and phones
- Help pass background verification checks
Once hired, the fake employee receives the company’s laptop—which is sent to a “laptop farm” in the target country. The real worker in North Korea connects via VPN, proxies, or VPS, making it seem like they are based in the company’s country.
Risks and Consequences for Companies
Hiring a cyber infiltrator isn’t just a security breach—it can also lead to legal and reputational damage. Affected organizations may unknowingly pay sanctioned individuals, violating international finance and trade laws.
These individuals often gain privileged access to critical environments, leading to:
- Theft of intellectual property or source code
- Unauthorized access to financial and personal data
- Tampering with IT infrastructure or insider sabotage
- Ransomware attacks and extortion
In short, one poorly managed hire can turn into a catastrophic operational and reputational failure.
How to Detect and Prevent Fake Candidates
At TecnetOne, we believe cybersecurity starts at recruitment. Here are key steps to protect your company:
Review Digital Identity Thoroughly
- Look for consistency between résumé and digital footprint. Sparse or new profiles are suspicious.
- Compare their social and dev platforms with others to spot identity copies.
- Verify references via live video and ensure past companies actually exist.
Use Video Interviews, Not Just Audio
- Conduct multiple video interviews, and require the camera to be on.
- Be cautious if they claim camera issues or use background filters.
- Watch for deepfake signs: stiff expressions, lip-sync mismatches, odd eye reflections.
- Ask cultural or local questions (e.g., food, weather) to test location authenticity.
Monitor Post-Hire Behavior
- Watch for red flags like:
  a. Suspicious downloads or unauthorized software installs
  b. IP logins from high-risk regions (e.g., China, Russia, North Korea)
  c. Remote monitoring and management (RMM) tool use on corporate devices
- Use insider threat detection tools and correlate alerts with behavior patterns.
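The correlation step above can be sketched in a few lines; this is an added example, not TecnetOne tooling. The event schema, the RMM process list, the approved-software list and the per-user allowed country are all assumptions, and the telemetry is constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the article): event schema and every list/map below.
RMM_PROCESSES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
APPROVED_SOFTWARE = {"vscode", "slack", "git"}
ALLOWED_COUNTRY = {"j.doe": "US", "a.smith": "US"}
WINDOW = timedelta(days=7)

# Constructed sample telemetry: (timestamp, user, event type, value)
EVENTS = [
    ("2024-07-15T09:02:00", "j.doe", "login", "US"),
    ("2024-07-15T21:40:00", "j.doe", "process", "anydesk.exe"),
    ("2024-07-16T03:15:00", "j.doe", "install", "unknown-loader"),
    ("2024-07-16T03:20:00", "j.doe", "login", "CN"),
    ("2024-07-15T10:00:00", "a.smith", "login", "US"),
    ("2024-07-17T11:30:00", "a.smith", "install", "slack"),
    ("2024-07-18T14:00:00", "a.smith", "process", "teamviewer.exe"),
]

def classify(user, kind, value):
    """Map one raw event to a red-flag name from the list above, or None."""
    if kind == "process" and value.lower() in RMM_PROCESSES:
        return "rmm_tool"
    if kind == "install" and value.lower() not in APPROVED_SOFTWARE:
        return "unauthorized_install"
    if kind == "login" and value != ALLOWED_COUNTRY.get(user):
        return "unexpected_login_country"
    return None

def correlate(events, min_signals=2, window=WINDOW):
    """Return {user: sorted signals} for users showing at least min_signals
    distinct red flags inside one window anchored at any of their hits."""
    hits = defaultdict(list)
    for ts, user, kind, value in events:
        signal = classify(user, kind, value)
        if signal:
            hits[user].append((datetime.fromisoformat(ts), signal))
    flagged = {}
    for user, seen in hits.items():
        seen.sort()
        for start, _ in seen:
            in_window = {s for t, s in seen if start <= t <= start + window}
            if len(in_window) >= min_signals and len(in_window) > len(flagged.get(user, [])):
                flagged[user] = sorted(in_window)
    return flagged

if __name__ == "__main__":
    print(correlate(EVENTS))
```

A single signal, such as one RMM launch by a.smith, stays below the threshold; only the account that stacks several red flags in the same week is surfaced for review.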
Act Quickly on Infiltration Signs
- If you suspect an insider threat, limit access immediately and review activity logs.
- Preserve digital evidence before acting.
- Involve your legal team and report to authorities (e.g., cybercrime units).
- Update training programs so HR and tech leads can spot red flags early.
Combine Technology and Human Intuition
Prevention isn’t only about tools. Combining tech controls with human insight is key to detecting anomalies.
Reinforce hiring and access processes with:
- Multi-factor authentication for remote workers
- Role-based access reviews
- Continuous endpoint and network monitoring
- Clear policies on device usage and allowed locations
And most importantly, promote a culture of active vigilance. HR and IT must collaborate, sharing information about suspicious candidates or employees.
Final Thought: The Enemy May Come With a Flawless Resume
The KnowBe4 case proves the threat isn’t always outside—it can be inside your team. In a remote-first world with hyper-realistic AI tools, attackers have learned to pose as ideal professionals.
At TecnetOne, we urge you to fortify your hiring process with rigorous interviews, smart monitoring, and technical safeguards. That’s how you’ll protect your data, your team, and your reputation.
