We Caught a North Korean Operative in a Hiring Pipeline. Here's What We Learned.

The Case

A U.S. Department of Defense contractor was hiring for a remote technical role. Two candidates made the shortlist. Strong resumes, solid qualifications, great interviews. By every traditional measure, both were excellent hires.

There was one problem: they were the same person.

Same face, same background on the video call. Different shirt, different name, different company. Had the applications gone to different recruiters, or been reviewed even a few days apart, no one would have noticed.

When Alex's Fraud Detection Agent analyzed both candidates, one triggered 34 fraudulent signals. The other triggered 92. New email accounts, thin digital footprints, location data that didn't match. Synthetic identity patterns specifically designed to game the traditional interview process.

Invisible to a human reviewer. Unmistakable to a system built to find it.

The Threat Is Wider Than You Think

Unfortunately this wasn't a one-off. This candidate was part of a network. 

In March, NBC News reported that threat intelligence firm Nisos had uncovered at least 20 North Korean operatives who had collectively applied to more than 160,000 jobs across the United States. Their motives range from intelligence gathering to earning U.S. salaries and routing money back to North Korea through intermediary bank accounts.

But North Korean operatives represent the far end of a much wider spectrum.

The more common version of this is happening in hiring pipelines every day:

• Candidates hiring proxy interviewers. 
• Fabricating credentials. 
• Building synthetic identities. 
• Creating LinkedIn profiles last week to support resumes that claim ten years of experience. 

Where Traditional Hiring Breaks Down

Remote hiring has made all of it even easier. 

When a candidate never walks into an office, the only thing standing between a fraudulent applicant and a job offer is whatever verification your process includes.

Most processes don't include enough.

Traditional background checks happen late, after recruiters have already spent hours screening and interviewing. They confirm that a Social Security number matches a name. They don't confirm that the person on your video call is the person behind that number.

Catching Fraud Before the First Interview

Alex's Fraud Detection works at the front of the pipeline. 

The moment a candidate is invited to interview, the system evaluates signals across email verification, phone analysis, LinkedIn validation, and indicators like disposable accounts, VOIP numbers, newly created profiles, fraud history. 

These are all flagged before a recruiter spends a single minute on the candidate. After the interview, a second layer cross-references IP addresses and identity signals against the candidate's claimed information.

It's not a background check. It's the question that comes before a background check: is this person real?

For the Department of Defense contractor, the answer was no. 92 times over.

If your process can't catch the same person applying twice with a different shirt, it's worth asking what else it's missing.

‍

Learn more about Fraud Detection →