By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: IncodePublished August 14, 2025

TL;DR: Hundreds of fake identities were reportedly used to win remote IT jobs in a North Korean scheme, according to an Incode-cited BBC report from a defector, while UN estimates put secret IT worker revenues at $250m to $600m annually. The case shows that hiring controls now sit on the identity security boundary, where verification failures can become insider risk and breach exposure.


At a glance

What this is: This is an identity verification and fraud analysis showing how state-backed candidate fraud can bypass remote hiring controls using fake identities, stolen credentials, and synthetic media.

Why it matters: It matters because hiring pipelines now intersect with IAM, access governance, and insider-risk management, so weak verification can create trusted access paths into corporate systems.

By the numbers:

👉 Read Incode's analysis of North Korean candidate fraud and workforce identity risk


Context

Candidate fraud is the practice of using stolen, fabricated, or synthetic identity evidence to pass hiring checks and gain trusted access. In remote-first environments, that deception can move from an HR problem into an identity security problem, because a successful hire may inherit access to systems, data, and internal collaboration tools.

The article’s core issue is not simply fake resumes. It is the boundary failure between identity verification, workforce onboarding, and access provisioning, where poor proofing can let an external actor become a trusted insider. That intersection is especially relevant for IAM, IGA, and privileged access teams responsible for onboarding controls and access lifecycle governance.


Key questions

Q: What breaks when candidate verification is weak in remote hiring?

A: Weak candidate verification lets a false identity enter the employee lifecycle, which means the organisation may issue real credentials, collaboration access, and system entitlements to an untrusted person. Once that happens, the problem is no longer just hiring fraud. It becomes an identity governance failure with insider-risk, data-access, and audit consequences.

Q: Why do fake employees create more security risk than ordinary fraud?

A: Fake employees can receive legitimate internal access, which turns deception into persistent trust. That access can expose code, customer data, finance systems, or privileged workflows. Unlike one-off payment fraud, this type of attack can persist across onboarding, normal work, and offboarding unless identity proofing and access governance are tightly linked.

Q: How can security teams tell whether workforce identity verification is working?

A: Look for proofing decisions that consistently block synthetic identities, force manual review on higher-risk applicants, and prevent any account creation before verification completes. Effective programmes also show low exception rates, fast revocation of failed candidates, and clear linkage between proofing results and IAM provisioning controls.

Q: Who is accountable when a fraudulent hire receives corporate access?

A: Accountability usually spans HR, security, and the identity team, but the control owner should be the function that approves identity proofing and access issuance. If onboarding, access provisioning, and privileged access are not governed together, no single team can credibly own the risk boundary or the audit trail.


Technical breakdown

How candidate fraud bypasses remote hiring controls

Remote hiring reduces the friction between application, interview, and onboarding, which makes identity proofing the main control boundary. Fraudulent applicants can combine stolen identities, forged documents, and AI-generated personas to satisfy separate checks that were never designed to be used together as a chain of trust. Once the organisation treats the applicant as verified, downstream systems often inherit that trust automatically through HR and IAM integrations. The result is not only a false hire, but a false identity entering the access lifecycle with legitimate credentials and internal visibility.

Practical implication: verify identity before account creation, not after the onboarding workflow has already propagated access.

Why deepfakes and synthetic identities change identity verification

Deepfakes and synthetic identities raise the quality of fraud without changing the attacker’s goal. A deepfake can defeat biometric liveness assumptions, while a synthetic identity can survive document checks by combining real and fake attributes across multiple systems. This matters because many workforce verification processes still assume that each control is independently meaningful, when in practice fraud succeeds by stitching together weak signals into a convincing identity. In identity governance terms, the attacker is not just bypassing KYC style checks, but entering the access chain with a profile that appears internally consistent.

Practical implication: require cross-signal verification that combines document, biometric, device, and behavioural evidence.

Candidate verification as an identity lifecycle control

Candidate verification is not just a fraud screen. It is a lifecycle control that determines whether a person should ever receive corporate identity, credentials, or collaborative access. That makes it adjacent to IAM and IGA, because the control objective is to stop untrusted identities before they are provisioned and to ensure offboarding reverses that trust cleanly. When verification is weak, later controls such as access reviews or anomaly detection are operating on a compromised assumption. Once a fraudulent worker is onboarded, the problem becomes access governance, not just recruitment fraud.

Practical implication: align HR onboarding, identity proofing, and access provisioning under one control owner.


Threat narrative

Attacker objective: The objective is to convert a fake hire into trusted internal access that can be monetised through salary fraud, espionage, data theft, or extortion.

  1. Entry begins with fraudulent applicants using stolen identities, fabricated credentials, or AI-generated personas to pass remote hiring checks.
  2. Escalation occurs when the false worker receives legitimate corporate access through normal onboarding and identity provisioning workflows.
  3. Impact follows when the insider uses trusted access to exfiltrate data, abuse systems, or support state-sponsored espionage and extortion activity.

NHI Mgmt Group analysis

Candidate fraud is now an identity governance problem, not only a hiring fraud problem. The article shows how a false applicant can cross from recruitment into corporate trust simply by passing proofing and onboarding gates. That shifts the control question from “was the interview convincing?” to “did the organisation bind a verified person to the right access lifecycle?” For IAM and IGA teams, candidate verification is an upstream control on privilege creation, not a downstream HR formality.

Remote hiring has created a verification trust gap that fraud actors can industrialise. The combination of video interviews, digital documents, and AI-generated personas makes individual checks weaker when they are not correlated. This is where identity verification governance matters: controls must prove continuity between the claimed person, the device, the document, and the session. The practitioner conclusion is simple: treat workforce proofing as a multi-signal trust decision, not a single-point authentication event.

Workforce identity and non-human identity programmes now share a common failure mode: trusted access can be granted to the wrong subject. In human fraud cases, the compromised subject is a fake employee; in NHI cases, it is a fake service account or over-trusted token. The governance lesson is the same, which is why identity teams should stop treating onboarding controls, privilege assignment, and offboarding as separate silos. Practitioners should build one trust boundary across human and non-human entry points.

Candidate verification should be measured as an access-risk control, not a fraud KPI. The meaningful question is whether a hiring workflow can prevent untrusted identities from becoming authenticated users with internal reach. If onboarding, HR systems, and IAM are not aligned, the organisation may detect fraud too late, after account creation, device enrollment, or collaborative access has already occurred. The practitioner conclusion is that verification must be tied to access provisioning policy.

What this signals

Candidate fraud is becoming an identity boundary issue for the whole programme. When proofing, onboarding, and provisioning are disconnected, the organisation can validate a person socially while failing to validate them cryptographically. That creates a trust gap that IAM and IGA teams will increasingly need to close with stronger proofing policy, tighter provisioning rules, and clearer exception handling.

Verification trust gap: the organisation’s exposure now depends on whether identity proofing can carry all the way through to access issuance without being diluted by manual process handoffs. Practitioners should design controls so that failed proofing blocks identity creation, not just interview progression. For identity-related governance patterns, the OWASP Non-Human Identity Top 10 remains relevant wherever trust is being extended to digital subjects.

As remote hiring and AI-generated personas keep improving, verification teams will need to think less like recruiters and more like access-risk managers. A candidate who can convincingly present multiple identities is not just a fraud case; they are a potential entry point into privileged systems, and that should change how onboarding exceptions are reviewed.


For practitioners

  • Bind hiring verification to access provisioning Require verified identity evidence before any account is created in HR, IAM, collaboration, or payroll systems. Make account issuance conditional on proofing outcomes rather than on recruiter approval alone.
  • Correlate document, biometric, and device signals Use multiple independent signals to validate the same applicant, including document authenticity, selfie liveness, network context, and device reputation. Single-signal approval is too easy to game with synthetic identities.
  • Restrict early-stage access until trust is established Delay access to sensitive repositories, codebases, finance systems, and internal admin tools until the candidate passes enhanced checks and role-specific approval. Early onboarding access should be minimal and time-bounded.
  • Treat identity proofing as part of IGA Map candidate verification outputs into lifecycle controls so that a failed or downgraded proofing decision blocks privilege assignment and forces manual review. Offboarding procedures should also revoke any pre-hire access artifacts immediately.

Key takeaways

  • Candidate fraud becomes a security problem the moment a false identity is allowed into the access lifecycle.
  • The scale of the threat is material, with UN estimates placing secret IT worker revenue at $250m to $600m annually for North Korea.
  • The control that matters most is binding identity proofing to account creation, privilege assignment, and immediate revocation when verification fails.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing governs applicant verification before account creation.
GDPRArt.32Biometric and document checks process personal data and need security safeguards.
NIST CSF 2.0PR.AC-4Candidate verification affects how access permissions are granted and reviewed.
NIST SP 800-53 Rev 5IA-2Identity assurance is required before granting system access to workforce users.
ISO/IEC 27001:2022A.5.16Identity management controls support secure onboarding and account assignment.

Document lawful processing, minimize retention, and protect verification data under Art.32 controls.


Key terms

  • Candidate Fraud: Candidate fraud is the use of false, stolen, or synthetic identity evidence to pass hiring controls and obtain trusted access. In security terms, it is an upstream identity compromise that can lead directly to insider risk, account misuse, and access governance failure.
  • Synthetic Identity: A synthetic identity is a blended or fabricated identity built from real and false attributes. It can survive superficial checks because its components look plausible across different systems, which makes it especially dangerous in remote hiring and other distributed identity proofing flows.
  • Identity Proofing: Identity proofing is the process of establishing that a claimed identity is real and belongs to the person presenting it. It sits before authentication and access provisioning, and in workforce settings it is the first control that decides whether a subject should enter the identity lifecycle at all.
  • Verification Trust Gap: A verification trust gap is the space between successfully checking an applicant and safely granting them access. It appears when proofing, onboarding, HR, and IAM controls do not operate as one chain, allowing an apparently legitimate identity to become an internal user too easily.

What's in the full article

Incode's full article covers the operational detail this post intentionally leaves for the source:

  • Biometric and document-verification workflow specifics for workforce candidate screening.
  • How deepfake detection and behavioural risk scoring are combined before interview and onboarding.
  • Integration points with ATS, collaboration, and onboarding systems such as Greenhouse, Workday, Slack, Zoom, and Teams.
  • The vendor's explanation of its detection claims and candidate-verification workflow design.

👉 Incode's full post covers the fake identity tactics, hiring pipeline controls, and candidate-verification details.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management. It helps practitioners connect upstream identity trust decisions to access control, offboarding, and risk reduction.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org