When Gunter Ollman, chief technology officer of cybersecurity firm Cobalt, advertises for a senior engineer, the response can be overwhelming.

“Within the first couple of days, I’ll get anywhere from 200 to 1,000 CVs,” says Ollman. “A third of them look, at least to me, like they’ve been generated by someone taking their background, running it through an AI, and tailoring it almost perfectly to the role.”

For Ollman, the flood of suspicious applications has upended the normal mechanics of recruitment. “The old system of keyword filtering – matching resumes against the job description – basically doesn’t work anymore. The whole first-pass filter has broken down,” he says.

The problem worsens when those convincing CVs turn out not even to belong to the people presenting them. “We’ve had at least three cases where, by the second round, we realised the candidate wasn’t genuine,” Ollman says. “We caught them through video interviews, IP cross-checks, and help from our pen testers.”

What Cobalt is grappling with reflects a broader trend: the infiltration of corporate networks by fraudulent remote IT workers, many of them linked to North Korea.

Real-world consequences

The threat is not limited to speculative risk. This summer, an Arizona woman was sentenced to more than eight years in prison for helping North Koreans steal Americans’ identities to secure remote IT jobs at hundreds of US companies. The Department of Justice described it as “one of the largest North Korean IT worker fraud schemes” ever charged, involving $17m over three years.

North Korea, under heavy international sanctions for its weapons programme, has turned such scams into a lucrative funding stream.

Fraudulent workers use false identities, résumés and work histories to gain employment and funnel earnings back to Pyongyang, while also providing opportunities to access corporate data and extort their employers.

By the end of last year, US authorities estimated that such schemes had generated at least $88mn for North Korea’s regime. CrowdStrike, the US-based security group, reported a 220% year-on-year rise in these cases, logging more than 320 incidents in the past 12 months.

The aim, its researchers warned, is not only to generate hard currency but also to create back doors into Western companies for theft and disruption.

Personas for hire

At Palo Alto Networks, Andy Piazza, senior director of threat intelligence, leads a team that tracks what they call “worker personas” – the fabricated identities designed to slip past HR and compliance checks.

“Every time a customer shares a persona, we usually find it in two or three other networks,” Piazza explains. “It becomes a real intelligence exchange.”

Unlike conventional threat indicators such as IP addresses or file hashes, personas involve names and biographies. That has forced legal and compliance teams into closer collaboration with security departments.

Attackers often reuse personas across multiple organisations. Some go further, deploying deepfakes during video interviews. In the past, refusing to turn on a webcam was a giveaway.

Now, with widely available software, a reasonably convincing deepfake can be produced on a home computer. “It doesn’t take a Hollywood budget to fool someone in a video call,” Piazza says.

The discovery of such activity can be disconcerting. “When you realise you’re not just dealing with malware but an actual human being inside your network, it feels like someone broke into your house and went through your drawers,” Piazza says.

Canada joins the warnings

The trend has triggered fresh concern from governments, which fear that unwitting employers may be breaking international sanctions. In July, Canadian authorities issued a public advisory warning businesses that hiring North Korean IT workers could result in criminal liability.

The notice, published jointly by the Royal Canadian Mounted Police, Public Safety Canada, Global Affairs Canada, the Financial Transactions and Reports Analysis Centre (FINTRAC) and the Canadian Centre for Cyber Security, made the risks clear.

Employing such individuals, it said, could “indirectly contribute to North Korea’s weapons of mass destruction and ballistic missile programs, which are prohibited by the United Nations Security Council.”

The advisory warned that state-affiliated North Korean IT workers often pose as freelancers based abroad, offering services in app development, gaming, database management and IT support. To disguise themselves, they rely on VPNs, encrypted communications, proxy accounts, and increasingly, AI-powered deepfake technology.

Canadian officials also outlined a set of “red flags”: frequent money transfers, requests for payment in cryptocurrency, inconsistencies in personal information, reluctance to appear on camera, unusually low bids for work, and suspicious logins from multiple countries.

The UK government added in its advisory last year that requesting prepayment but then failing to attend check-in meetings, and initially offering free services to earn trust, are also red flags to look out for.

Small businesses and start-ups, in particular, were highlighted as attractive targets, both for their need for affordable talent and for their limited resources to screen applicants.
