
Battlefield Cyber: Employment Scams

Doug Howard
April 1, 2026

Organizations across multiple industries are continuing to encounter fraudulent job applicants. This has been a problem for the past couple of years, but has increased in frequency.


These efforts fall into two primary groups:

  • Linked to North Korean IT worker operations. These actors pose as legitimate software developers, engineers, or technical contractors—often presenting themselves as recent college graduates or early-career professionals to justify limited work history while appearing credible. Their goal is to gain remote employment with Western companies in order to generate revenue for the North Korean regime and, in some cases, obtain access to corporate systems and intellectual property. These campaigns are sophisticated, persistent, and increasingly common in fully remote hiring environments.


  • Linked to applicants trying to join the workforce with fraudulent representation of experience. We can all sympathize with college graduates trying to get their first job, but in no way should they do so through fraudulent means. We are currently seeing applicants who claim to have prior work experience when, in reality, they or a group of students have opened an LLC and represent that they performed certain work and gained experience there. In this scenario, they claim to have a year or more of experience performing certain work, which can be validated with a legitimate company (the standup LLC) and through a reference (another member of the standup LLC).


North Korean Threat Overview

North Korea has developed a global network of fraudulent IT workers who seek employment with companies in the United States, Europe, and Asia. The activity is part of a broader effort to circumvent international sanctions and generate foreign currency.


Typical characteristics of these operations include:

  • Applicants claiming to be recent graduates or junior developers to explain short employment histories. This sometimes varies, and we have seen resumes representing more experienced applicants.

  • Use of stolen or synthetic identities.

    • Conducting interviews through video filters or stand-ins. In some cases, the person hired is not the same person who performed the interview.

    • Routing internet traffic through U.S. residential VPN services.

  • Heavy reliance on remote contract work, freelancing platforms, or distributed engineering teams.

  • Applicants requesting remote-only roles where identity verification is weaker.


Once hired, these individuals may:

  • Route salary payments through international intermediaries.

  • Access internal systems and source code repositories through PC farms that don’t create immediate alerts that they are working from an offshore location.

  • Perform work in one of two very different ways: 1) producing acceptable work to prolong employment, or 2) performing minimal amounts of work, such as logging in daily and staying online, without producing any meaningful output.


Fraudulent Representation of Experience Overview

Fraudulent representation is not a new approach to getting a job. That said, in this approach applicants with limited to no experience claim prior work experience through a company that did not actually have them perform any work. The way it works is that someone, or a group of people, opens an LLC and represents that they, as employees of this shell company, performed certain work and gained experience. In this scenario, they claim to have a year or more of experience performing certain work, which can be validated with a legitimate company (the standup LLC) and through a reference (another member of the standup LLC).


1. Fabricated Companies and Work Histories

  • Register shell companies or fake startups

  • Create websites and LinkedIn profiles

  • List these entities as previous employers

  • Validate reference checks for each other


This allows applicants to present a believable resume while claiming experience as:

  • Junior software engineers

  • DevOps engineers

  • QA testers

  • Data engineers


The “recent graduate” narrative helps reduce scrutiny of the fabricated employment history. Note that the list above focuses on technical roles, but it is suspected this is happening more broadly across different disciplines.


2. Identity Masking and Proxy Interviews

Many applicants:

  • Use borrowed identities from U.S. citizens

  • Conduct interviews through video filters or stand-ins.  In some cases, the person hired is not the same person who performed the interview.

  • Route internet traffic through U.S. residential VPN services.  


Potential Impact

Organizations that unknowingly hire these individuals may face:

  • Unauthorized access to source code repositories

  • Exposure of customer data

  • Intellectual property theft

  • Compliance or sanctions risk

  • Financial loss from fraudulent salary payments

  • Potential insider threat activity


These risks are amplified in environments with broad developer access privileges.


Indicators of Suspicious Applicants (under both Schemes)

Organizations should be alert for candidates who exhibit:

General Resume Indicators

  • Multiple short roles at unknown startups

  • Companies that have no operational footprint

  • GitHub portfolios with copied or minimal activity

  • An employee base made up of recent graduates from, or members of, a similar affinity group or geography, with similar employment periods.


Indicators of Suspicious Applicants (North Korea)

Interview Indicators

  • Refusal to enable video

  • Poor English communication inconsistent with claimed background

  • Delays or excuses when asked for real-time coding demonstrations

Operational Indicators

  • Requests to use their own hardware

  • Requests for hardware to be shipped to a location inconsistent with their employment application

  • Logins from multiple geographic locations or known fraudulent laptop farms


Defensive Recommendations

Strengthen Hiring Verification

  • Perform identity verification checks

  • Require live coding interviews

  • Validate previous employers and references

  • Verify university graduation records


Enforce Secure Onboarding

  • Require use of company-issued devices

  • Enforce VPN and endpoint monitoring

  • Implement least-privilege access for new employees


Monitor Access Behavior

Security teams should watch for:

  • Logins from multiple IP geographies

  • Use of remote access tools

  • Large downloads from code repositories

  • Abnormal working hours inconsistent with stated location
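
The four signals above can be checked together once identity-provider, endpoint and Git server logs are normalised into one event stream. The following is an added example, not code from the original post: the event layout, user names, tool watchlist and thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlist and thresholds (not from the article); tune per environment.
RAT_NAMES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
CLONE_BYTES_PER_DAY = 2_000_000_000   # repository bytes pulled per user per UTC day
WORKDAY = range(7, 20)                # 07:00-19:59 local time at the stated location
MIN_LOGINS, OFF_HOURS_RATIO = 3, 0.5  # need 3+ logins, more than half off-hours
# Constructed HR data: UTC offset of each new hire's stated location.
PROFILES = {"jdoe": -5, "asmith": -8}
# Constructed events (user, UTC time, kind, value) from IdP, EDR and Git logs.
EVENTS = [
    ("jdoe", "2026-03-02T01:10:00", "login", "US"),
    ("jdoe", "2026-03-03T02:05:00", "login", "DE"),
    ("jdoe", "2026-03-03T15:00:00", "login", "US"),
    ("jdoe", "2026-03-03T02:20:00", "process", "AnyDesk.exe"),
    ("jdoe", "2026-03-03T02:30:00", "clone", 1_600_000_000),
    ("jdoe", "2026-03-03T04:10:00", "clone", 1_100_000_000),
    ("asmith", "2026-03-02T17:00:00", "login", "US"),
    ("asmith", "2026-03-02T18:30:00", "login", "US"),
    ("asmith", "2026-03-03T23:00:00", "login", "US"),
    ("asmith", "2026-03-03T18:00:00", "clone", 200_000_000),
]

def review(events, profiles):
    countries, logins, off_hours = defaultdict(set), defaultdict(int), defaultdict(int)
    cloned, flags = defaultdict(int), defaultdict(set)
    for user, ts, kind, value in events:
        when = datetime.fromisoformat(ts)            # log timestamps are UTC
        if kind == "login":
            countries[user].add(value)               # value = login country
            logins[user] += 1
            # Shift to the hire's stated time zone before judging the hour.
            off_hours[user] += (when + timedelta(hours=profiles[user])).hour not in WORKDAY
        elif kind == "process" and value.lower() in RAT_NAMES:
            flags[user].add("remote_access_tool")    # value = process name
        elif kind == "clone":
            cloned[user, when.date()] += value       # value = bytes transferred
    for user, seen in countries.items():
        if len(seen) > 1:
            flags[user].add("multi_geo_login")
        if logins[user] >= MIN_LOGINS and off_hours[user] / logins[user] > OFF_HOURS_RATIO:
            flags[user].add("off_hours_for_stated_location")
    for (user, _day), total in cloned.items():
        if total > CLONE_BYTES_PER_DAY:
            flags[user].add("bulk_repo_download")
    return {user: sorted(found) for user, found in flags.items()}

if __name__ == "__main__":
    print(review(EVENTS, PROFILES))
```

Each flag on its own is weak evidence; the value is in correlating several for the same recently onboarded account and routing the result to a human reviewer.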


Key Takeaway

North Korean employment fraud campaigns exploit the growth of remote technical hiring. By posing as recent graduates with fabricated company experience, these actors are able to bypass traditional employment screening and gain access to sensitive corporate systems.


Organizations should treat hiring pipelines, especially for technical roles, as a potential attack surface and apply the same security rigor used for other access vectors.
