TL;DR: Hundreds of fake identities were reportedly used to win remote IT jobs in a North Korean scheme, according to an Incode-cited BBC report from a defector, while UN estimates put secret IT worker revenues at $250m to $600m annually. The case shows that hiring controls now sit on the identity security boundary, where verification failures can become insider risk and breach exposure.
NHIMG editorial — based on content published by Incode: North Korean Defector Reveals Inside Story of State-Sponsored Candidate Fraud
By the numbers:
- Incode says its Workforce Candidate Verification can detect up to 99.6% of fraudulent attempts.
Questions worth separating out
Q: What breaks when candidate verification is weak in remote hiring?
A: Weak candidate verification lets a false identity enter the employee lifecycle, which means the organisation may issue real credentials, collaboration access, and system entitlements to an untrusted person.
Q: Why do fake employees create more security risk than ordinary fraud?
A: Fake employees can receive legitimate internal access, which turns deception into persistent trust.
Q: How can security teams tell whether workforce identity verification is working?
A: Look for proofing decisions that consistently block synthetic identities, force manual review on higher-risk applicants, and prevent any account creation before verification completes.
Practitioner guidance
- Bind hiring verification to access provisioning Require verified identity evidence before any account is created in HR, IAM, collaboration, or payroll systems.
- Correlate document, biometric, and device signals Use multiple independent signals to validate the same applicant, including document authenticity, selfie liveness, network context, and device reputation.
- Restrict early-stage access until trust is established Delay access to sensitive repositories, codebases, finance systems, and internal admin tools until the candidate passes enhanced checks and role-specific approval.
What's in the full article
Incode's full article covers the operational detail this post intentionally leaves for the source:
- Biometric and document-verification workflow specifics for workforce candidate screening.
- How deepfake detection and behavioural risk scoring are combined before interview and onboarding.
- Integration points with ATS, collaboration, and onboarding systems such as Greenhouse, Workday, Slack, Zoom, and Teams.
- The vendor's explanation of its detection claims and candidate-verification workflow design.
👉 Read Incode's analysis of North Korean candidate fraud and workforce identity risk →
Candidate fraud and state-backed hiring infiltration: what should teams do?
Explore further
Candidate fraud is now an identity governance problem, not only a hiring fraud problem. The article shows how a false applicant can cross from recruitment into corporate trust simply by passing proofing and onboarding gates. That shifts the control question from “was the interview convincing?” to “did the organisation bind a verified person to the right access lifecycle?” For IAM and IGA teams, candidate verification is an upstream control on privilege creation, not a downstream HR formality.
A question worth separating out:
Q: Who is accountable when a fraudulent hire receives corporate access?
A: Accountability usually spans HR, security, and the identity team, but the control owner should be the function that approves identity proofing and access issuance. If onboarding, access provisioning, and privileged access are not governed together, no single team can credibly own the risk boundary or the audit trail.
👉 Read our full editorial: Candidate fraud and fake IT workers expose hiring risk models