I just walked in from a coffee with Kraken Digital Asset Exchange's sanctions lead Crystal Noe and see this! According to an excellent blogpost today, Kraken's security and recruitment teams recently uncovered and thwarted an attempted infiltration by a North Korean state-sponsored hacker—disguised as a job applicant. The incident, which began as a routine interview for an engineering position, quickly escalated into a high-stakes security operation and offers important lessons for the broader crypto and fintech ecosystem. The hacker raised immediate red flags: they joined their interview using a name different from the one listed on their resume and appeared to be coached in real time, switching voices mid-call. Kraken had already received intelligence from industry partners that North Korean actors were actively applying to jobs at crypto firms using networks of false identities. One of the flagged emails matched that of this candidate. Kraken’s red team initiated a deeper investigation, using open-source intelligence (OSINT) tools to identify ties between the applicant and other known aliases across GitHub, breached credential databases, and company systems. The candidate’s technical footprint—use of colocated remote desktops with a VPN and a doctored government-issued ID—added further weight to the suspicion. As the evidence mounted, Kraken advanced the applicant through its hiring funnel—not to recruit, but to study. The final interview, with Kraken’s CSO Nicholas Percoco and others, was a masterclass in subtle operational security. While asking standard technical questions, the team embedded “live” verification challenges—asking the candidate to hold up a government ID, confirm their physical location, and name local landmarks or restaurants. The hacker stumbled on basic geography and could not complete the two-factor authentication steps. 
By the interview’s end, the team had full confidence this was not just a suspicious candidate but a North Korean agent attempting to gain privileged access through the front door.

Key Takeaways?
✔️ Don't Trust, Verify—Every Step of the Way
✔️ Use OSINT to Investigate Anomalies
✔️ Incorporate Real-Time Identity Challenges
✔️ Train Your Entire Organization, Not Just Security
✔️ Leverage Industry Intel
✔️ Recognize State-Sponsored Threats Are a Reality

Kraken’s experience is a reminder that modern cybersecurity is no longer just about perimeter defense. Sometimes, attackers try to walk through the front door—wearing a suit and carrying a resume. Resilience begins with awareness, collaboration, and the creativity to think like a threat actor before they reach your systems.

Congratulations to Nick, CJ Rinaldi, Crystal Noe, Sarah W., and the excellent team at Kraken working to keep the ecosystem safe.

📄 Read the full post here: https://lnkd.in/eM6r_RNN
Cybersecurity in Recruitment Processes
Summary
Cybersecurity in recruitment processes means protecting companies from fraud, data theft, and insider threats by verifying candidate identities and ensuring hiring steps are secure. As remote work and AI make it easier for scammers and even state-sponsored hackers to slip through the cracks, hiring teams must treat recruiting as a critical part of organizational security.
- Verify identity rigorously: Require live or video-based government ID checks, use geolocation tools, and ask hyper-local questions during interviews to confirm candidates are who they claim to be.
- Monitor for anomalies: Review resumes for signs of cloning, watch for unusual interview behavior like real-time coaching, and use fraud detection tools to flag suspicious applications.
- Protect access early: Restrict new hires’ access to sensitive data until background checks and device security steps are completed, and always use two-factor authentication for onboarding.
-
Candidate fraud is becoming its own full-time job to manage. It feels like every recruiter I know has a wild story from the last six months. Fake resumes. People using AI to answer interview questions in real time. Full-blown imposters taking technical interviews or, even worse, showing up on day one after getting hired.

One recent study reported a 92 percent increase in fraudulent candidates since 2022, and projections show that with AI adoption, this could climb another 30 to 50 percent. Fraud in recruiting isn’t new, but the scale and sophistication definitely are.

Here are some things that my network and I have incorporated into our processes that actually work at catching bad actors early:
• 𝗦𝘁𝗮𝗿𝘁 𝘄𝗶𝘁𝗵 𝗯𝗲𝘁𝘁𝗲𝗿 𝘁𝗼𝗼𝗹𝘀: Many ATS platforms now offer fraud detection as an add-on feature, and new tools like tofu help flag suspicious profiles upfront. Huge time saver.
• 𝗥𝗲𝗱𝘂𝗰𝗲 𝗮𝘂𝘁𝗼-𝗮𝗽𝗽𝗹𝘆 𝘀𝗽𝗮𝗺: AI auto-apply tools are flooding pipelines. Work with your ATS and IT teams to block domains that are clearly mass-application bots.
• 𝗔𝗱𝗱 𝗮 𝗽𝗿𝗲-𝘀𝗰𝗿𝗲𝗲𝗻 𝘀𝘁𝗲𝗽 𝗯𝗲𝗳𝗼𝗿𝗲 𝗮𝗻𝘆 𝗹𝗶𝘃𝗲 𝗶𝗻𝘁𝗲𝗿𝘃𝗶𝗲𝘄𝘀: A simple video intro request weeds out a shocking number of questionable candidates. Most bad actors never submit anything, and the ones who do tend to be easy to flag.
• 𝗨𝘀𝗲 𝗭𝗼𝗼𝗺 𝗮𝘀 𝘁𝗵𝗲 𝗱𝗲𝗳𝗮𝘂𝗹𝘁 𝗳𝗼𝗿 𝗵𝗶𝗴𝗵-𝗿𝗶𝘀𝗸 𝗿𝗼𝗹𝗲𝘀: This allows IT/security to verify IP addresses and confirm basic location info.
• 𝗔𝘀𝗸 𝗵𝘆𝗽𝗲𝗿-𝗹𝗼𝗰𝗮𝗹, 𝗿𝗲𝗮𝗹-𝗹𝗶𝗳𝗲 𝗾𝘂𝗲𝘀𝘁𝗶𝗼𝗻𝘀: If someone claims they lived in NY for ten years, they’re going to know the code of their preferred airport without hesitation. Same with local sports teams or college mascot. Real candidates answer instantly. Fraudsters need time to stall and panic google the answer.
• 𝗔𝗱𝗱 𝗶𝗻𝘁𝗲𝗿𝘃𝗶𝗲𝘄 𝗿𝗲𝗰𝗼𝗿𝗱𝗶𝗻𝗴: Tools like BrightHire, Metaview, and ATS-native recording features in Ashby or Kula help add another layer of protection as cheating in interviews has become extremely common.
• 𝗦𝘁𝗿𝗲𝗻𝗴𝘁𝗵𝗲𝗻 𝗽𝗿𝗲-𝗯𝗼𝗮𝗿𝗱𝗶𝗻𝗴 𝘃𝗲𝗿𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗽𝗿𝗼𝘁𝗼𝗰𝗼𝗹𝘀: Double down on ID checks, verification steps and flags for anyone who asks to send equipment somewhere that doesn’t match their application details. These inconsistencies are usually early indicators of a bigger problem.

The fraud problem isn’t going away, but neither is the TA community’s ability to adapt. If you have other tactics, tools or red flags you’ve seen, drop them in the comments.
-
This article highlights that a St. Louis federal court indicted 14 North Korean nationals for allegedly using false identities to secure remote IT jobs at U.S. companies and nonprofits. Working through DPRK-controlled firms in China and Russia, the suspects are accused of violating U.S. sanctions and committing crimes such as wire fraud, money laundering, and identity theft. Their actions involved masking their true nationalities and locations to gain unauthorized access and financial benefits.

To prevent similar schemes from affecting your businesses, we recommend a multi-layered approach to security, recruitment, and compliance practices. Below are key measures:

1. Enhanced Recruitment and Background Verification
- Identity Verification: Implement strict verification procedures, including checking legal identification and performing background and reference checks.
- Geolocation Monitoring: Use tools to verify candidates’ actual geographic locations. Require in-person interviews for critical roles.
- Portfolio Validation: Request verifiable references and cross-check submitted credentials or work samples with previous employers.
- Deepfake Detection Tools: Analyze video interviews for signs of deepfake manipulation, such as unnatural facial movements, mismatched audio-visual syncing, or artifacts in the video.
- Vendor Assessments: Conduct due diligence on contractors, especially in IT services, to ensure they comply with sanctions and security requirements.

2. Cybersecurity and Fraud Prevention
- Access Control: Limit access to sensitive data and systems based on job roles and implement zero-trust security principles.
- Network Monitoring: Monitor for suspicious activity, such as access from IPs associated with VPNs or high-risk countries.
- Two-Factor Authentication (2FA): Enforce 2FA for all employee accounts to secure logins and prevent unauthorized access.
- Device Management: Require company-issued devices with endpoint protection for remote work to prevent external control.
- AI and Behavioral Analytics: Monitor employee behavior for anomalies such as unusual working hours, repeated access to restricted data, or large data downloads.

3. Employee Training and Incident Response
- Cybersecurity Awareness: Regularly train employees on recognizing phishing, social engineering, and fraud attempts, using simulations to enhance awareness of emerging threats like deepfakes.
- Incident Management and Reporting: Develop a clear plan to handle cybersecurity or fraud incidents, including internal investigations and containment protocols.
- Cross-Functional Drills and Communication: Conduct company-wide simulations to test response plans and promote a culture of security through leadership-driven initiatives.

#Cybersecurity #HumanResources #Deepfake #Recruiting #InsiderThreats
-
I was recruited by the DPRK to infiltrate corporations. Not through malware. Not through zero days. Through the hiring process.

An individual claiming affiliation with DPRK actors approached me with a proposal. I would pass technical interviews on their behalf. They would then secure roles inside targeted companies. In exchange, I would receive a significant share of the salary. The pitch was structured, calm, and financially attractive. It felt less like a crime and more like a business transaction.

This is what it reveals:
• Hiring processes have become active attack surfaces
• Professional identities are being weaponized
• Recruitment pipelines are strategic entry points
• Corporate trust models are being exploited at scale

This is happening right now. It is organized, scalable, and adapted to remote hiring, overemployment and globalized talent markets.

For organizations, recruitment must operate like a secure corridor, with identity verification, background checks, live assessments, and continuous monitoring established as baseline safeguards.

For workers, resist the lure of offers that promise easy money at the expense of integrity. Turning a blind eye is not a defense. Deliberate involvement in such schemes constitutes a serious offense. It may rise to the level of national security violations and carry severe criminal penalties, including lengthy prison sentences.

The perimeter has extended. It now starts before day one.
-
Cybersecurity is not just a technical issue, it’s also an economics and people issue. On the latter, the latest research from our Counter Threat Unit (CTU), now part of Sophos from our Secureworks acquisition, further reinforces that position.

CTU has been tracking the North Korean IT workers scheme - which has been in operation since at least 2018 - as NICKEL TAPESTRY. Recent findings show this campaign has expanded beyond U.S. tech firms into Europe, Asia, and industries including finance, healthcare, and cybersecurity. These actors are applying for remote roles using AI-generated resumes, falsified identities, and cloned online profiles. Their goals range from salary diversion to data theft and extortion.

In 2025, CTU observed a shift toward targeting cybersecurity roles and using more diverse personas. Given the level of trust and access that cybersecurity companies generally have, this becomes a large-scale keys-to-the-kingdom problem. This is not just a cybersecurity concern, it’s a general hiring hygiene concern. HR and recruitment teams are now enlisted in the front lines of organizational risk controls.

Our nutshell recommendations:
- Enhanced identity verification during interviews
- Live or video validation of candidates
- Monitoring for cloned resumes and VoIP-linked contact info
- Control of remote access tools and BYOD usage post-hire

This is a persistent, evolving threat. Organizations must adapt hiring and onboarding practices accordingly.

Our full report: https://lnkd.in/gcruvt67
-
Scammers are now running recruitment plays. And I don't mean sloppy DMs from accounts with 12 connections. I mean nation-state hackers impersonating real recruiters at real companies. Running full interview loops. On Google Meet.

Fireblocks just exposed a North Korean operation that cloned their entire hiring process on LinkedIn. Fake recruiter profiles. Real-looking job posts. Coding assessments on GitHub. The "take-home test" installed malware the moment candidates ran it.

Their target? Crypto developers' wallets and production systems. The attackers? North Korea's Lazarus Group. The same crew behind the $1.5 billion Bybit heist. And their LinkedIn profiles were nearly flawless.

Meanwhile the numbers are getting worse:
→ LinkedIn removed 80.6 million fake accounts in the second half of 2024 alone. Up from 70.1 million the prior six months
→ FTC reports job scam losses hit $501 million in 2024. Up from $90 million in 2020
→ Job scam reports have tripled in that same period
→ Amazon blocked 1,800+ fake North Korean job applications in 18 months

This isn't just phishing anymore. This is organized crime and foreign intelligence services weaponizing the hiring process.

As a recruiter, here's what I tell every candidate:
→ Verify the recruiter's profile against the company's actual LinkedIn page
→ Never run code from a "take-home test" without researching the company first
→ If they contact you from a personal email instead of a company domain... walk away
→ If they rush you past normal hiring steps, that's not urgency. That's a red flag

And if you're a recruiter reading this? Build trust before you ask for anything. Verified profiles. Company email. Transparent process. Because scammers are copying our playbook. And candidates can't tell the difference.

What's your #1 scam red flag on LinkedIn?
-
25 minutes after onboarding, the “perfect hire” tried to install malware. He didn’t break in. He got hired.

This is the DPRK remote IT worker playbook (per FBI/DOJ/Treasury reporting):
• Strong interviews + “real” portfolios (sometimes a stand-in on camera)
• Hardware shipped to a laptop farm/proxy location
• Months of normal work… then repo access, IP exposure, and sometimes crypto theft

🚩 If your remote hiring process still allows any of this, you’re exposed:
- camera-off or low-scrutiny interviews
- identity checks that aren’t tied to the live interview
- untethered laptop shipping (no verified delivery, no geo controls)
- references nobody actually calls

What’s helping (when teams take it seriously):
1) verify identity live + match it to the person interviewing
2) ship hardware only to verified locations (or enroll + geo-lock)
3) treat hiring like an access-control event, not paperwork

Has your org updated remote technical hiring in the last 12 months? What changed, and what’s still falling through the cracks?

Until next time, think bad. Do good!

#Cybersecurity #InsiderThreat #RemoteWork #Hiring #ThreatIntelligence
-
Resume fraud ≠ interview fraud ≠ what Amazon is dealing with. We need to stop pretending these are the same problem.

Padding a résumé with keywords? Annoying. Predictable. A symptom of broken job descriptions and ATS theater.

Interview fraud? More serious. Someone misrepresenting who is actually doing the work. Still an assessment and verification failure.

What Amazon faced is something else entirely. According to Amazon’s Chief Security Officer, the company has blocked 1,800+ suspected North Korean applicants since April 2024, with attempts rising 27% quarter over quarter.

This wasn’t résumé inflation. This was coordinated state-level infiltration. Fake identities. Stolen LinkedIn profiles. U.S.-based laptop farms. Remote access from sanctioned states. Detection via keystroke latency, geo-anomalies, network patterns, and human verification. That’s not “hiring noise.” That’s counter-intelligence.

And yet… we still see teams respond to all hiring risk with:
- more résumé screening
- more keyword filters
- more personality tests
- more “hiring velocity” dashboards

None of that stops this. Amazon didn’t solve this with vibes. They used AI + identity verification + background checks + structured interviews + human review—in that order.

The takeaway isn’t “candidates are bad.” The takeaway is: trusting proxies instead of proof is reckless.

The uncomfortable truth: If your process can’t tell who is actually doing the work + where they are + how they perform on real tasks, you don’t have a hiring process…you have a belief system. And belief systems don’t stop adversaries.

#TrustTheWork #Recruiting #TalentAcquisition #HiringFraud #Cybersecurity #TrustInfrastructure #SkillsVerification
-
In August, a Nashville man was indicted for running a "laptop farm." He allegedly convinced companies to hire him as a remote worker but instead of doing the work, downloaded and installed software on company computers that granted access to foreign bad actors posing as workers, breaching company security and funneling money abroad.

This may sound like an outlandish story, but easy access to AI-generated audio and video heightens the risk of employee impersonation.

Ways for companies to protect against employee impersonation:

Before hiring:
• Running background checks (and following state/local notice and disclosure requirements)
• Vetting educational and employment background
• Using secure methods for checking identity and work authorization. Especially for sensitive roles that are fully remote, consider flying the candidate out to meet in person or hiring a vendor who can vet their identity in person.
• Requiring employees to sign robust confidentiality agreements

During employment:
• Working with IT/InfoSec to develop best practices for securing company data
• Monitoring employee login patterns and downloads
• Developing protocols for exchanging money and sensitive information (for example, requiring multiple points of verification)
• Even if you don’t regularly work on video, doing this occasionally.
• Training managers to keep an eye out for suspicious activity

After employment:
• Reminding employees of their confidentiality obligations
• Securing company data immediately upon separation and monitoring use when employees give notice of resignation
• Reviewing hardware that is returned and properly wiping equipment

What else?
-
The Cybersecurity Hiring Paradox: Why So Many Candidates, Yet So Many Open Roles?

If you talk to most executives today, they’ll tell you the same thing: security roles take months to fill. At the same time, if you talk to security professionals, many will say they’ve been actively applying and interviewing for weeks, sometimes months, without landing the right role. How can both be true? Let’s unpack the paradox.

1. The Supply–Demand Mismatch
There’s no shortage of professionals with “security” in their background. But when employers need very specific expertise—cloud IAM, Oracle ERP security, OT/ICS security, or regulatory compliance—the talent pool narrows dramatically. Result: Hundreds of resumes may hit the inbox, but only a handful truly match.

2. Credentials & Clearance Bottlenecks
High-value roles often demand CISSP, CISM, or active security clearances. These can’t be obtained overnight, and they limit who can be considered—even when there are talented professionals available without them.

3. Employer Selectivity & Longer Hiring Cycles
Organizations are more cautious than ever after data breaches and compliance fines. More interviews. More technical assessments. More background checks. This stretches out the hiring process—even when good candidates are available.

4. Remote vs. On-Site Misalignment
Many candidates today want remote-first work. Many employers still expect hybrid or on-site presence for security teams. That misalignment means great people and great roles often never connect.

5. Compensation Gaps
Cybersecurity talent knows its value. Employers sometimes benchmark pay against general IT averages instead of security market rates. When offers fall short, roles stay open while candidates keep looking.

The Bottom Line
Yes, there are plenty of security professionals looking for new opportunities. Yes, companies are struggling to fill roles. The truth is that the overlap between what employers want and what candidates offer is far smaller than it appears on the surface.

To solve the paradox, companies need to:
- Define must-have vs. nice-to-have skills.
- Move quickly on qualified candidates.
- Align compensation with market reality.
- Stay flexible on work arrangements when possible.

The organizations that treat cybersecurity hiring as a strategic initiative—not just an HR function—will close the gap faster and build stronger teams.