The Invisible Workforce
How North Korean state actors, deepfake technology, and organized interview farms are embedding operatives inside European and global companies right now.
"The threat of unintentionally hiring North Korean IT workers is larger than most people realize. It is covert, it is global, and it is active right now."
The Numbers Don't Lie
What began as isolated incidents has become an industrial-scale global operation. These are the documented numbers — and they represent only what was caught.
Candidate profiles will be fake by 2028.
Your current hiring process was not designed for this. Nearly every Fortune 500 CISO has already encountered this threat inside their organization.
European Infiltration Map
CrowdStrike reports investigating European incidents daily. Sources: FBI, ENISA, CrowdStrike, Mandiant, Palo Alto Unit 42.
How the Attack Works
From a synthetic LinkedIn profile to an operative with admin access to your production systems — this is the five-stage playbook.
AI generates a complete synthetic persona: name, photo (ThisPersonDoesNotExist.com), LinkedIn profile, fabricated work history, AI-generated references, and identity documents using Midjourney. The persona is optimized for the target region — Western names, European addresses, convincing digital footprints.
Your intrusion detection system won't trigger — because there's no intrusion.
The operative has valid credentials, approved system access, and a legitimate employment contract. Traditional security doesn't catch this. The human firewall does.
Case File Dossiers
Seven confirmed incidents. Across seven sectors. On three continents. All within 24 months.
Czech Cloud Services Company
A software developer named 'Denys Emil L.' claimed Danish citizenship and applied via LinkedIn. Documents looked professional — but Scaut's analysts found they were AI-generated fakes. He had borrowed a real Danish citizen's identity and trade license. Investigation revealed a Chinese national systematically targeting multiple Western tech companies simultaneously, later linked to a North Korean-affiliated group.
KnowBe4 — A Cybersecurity Company
KnowBe4 — a company that trains organizations on cybersecurity — inadvertently hired a North Korean IT worker. He passed background checks, conducted professional interviews, and received a company laptop. Within minutes of receiving it, he attempted to load malware onto the corporate workstation. Security systems detected the suspicious activity before damage occurred. The incident became a landmark case study in the threat.
Chapman Laptop Farm Operation
Christina Chapman, 50, operated 90 company-issued laptops at her Arizona home — all received on behalf of North Korean workers. She installed remote access software so operatives overseas could work as if in the US. Result: 309 fraudulent hires across major US companies, $17.1M in illicit revenue. Nearly 70 Americans had their identities stolen. Nike confirmed it was among the victims. Chapman received an 8.5-year prison sentence.
European Interview Farm Operations
Czech IT recruiters documented a consistent pattern: perfect resumes, flawless written communication, then on video calls — cameras 'malfunctioning', multiple voices in background, IP addresses showing Asian locations despite EU residence claims. When confronted, candidates immediately disconnected and never responded again. In 9 of 10 such cases, the candidate vanished. CrowdStrike has since confirmed laptop farms in Romania and Poland.
German Energy Infrastructure Operator
A major German energy operator (classified under EU CER Directive and KRITIS) discovered an IT contractor had gained privileged access to operational technology systems. The contractor, claiming credentials from Eastern European firms, was later identified as a fraudulent operative. The breach triggered mandatory incident reporting under NIS2 and German KRITIS regulations, and exposed vulnerabilities in third-party contractor screening policies.
NHS Synnovis Data Breach
A database administrator hired by NHS pathology contractor Synnovis — serving major London hospitals — spent six months systematically exfiltrating 4.2 million patient records: medical histories, mental health assessments, genetic test results. The breach directly contributed to a ransomware attack that disrupted services across multiple NHS facilities. The operative claimed British citizenship with flawless documentation.
Warsaw Financial Institution
A senior developer at a Warsaw financial firm worked for 8 months before his scheme was uncovered: he had embedded code that rounded down wire transfers by fractions of a cent, diverting the difference to cryptocurrency wallets. Over 8 months, €840,000 was siphoned. His Polish citizenship documents and claimed employment history at Estonian and Lithuanian banks were entirely AI-fabricated. Polish regulators used the case to push for enhanced personnel security in finance.
Spot the Fake
Below is a real candidate profile that came through a European tech company's hiring pipeline. Click on every element you think is a red flag. Can you catch what their HR team missed?
Is Your Organization at Risk?
8 questions. No login required. Designed for HR leaders, CISOs, and security teams. Find out where your hiring process is most vulnerable.
When you hire someone, do you verify their identity documents independently (not just accept copies)?
How do you verify a candidate's previous employment?
For remote hires, how do you conduct video interviews?
Do you screen contractors and third-party service providers to the same standard as employees?
For candidates claiming non-local residence (EU but from abroad), do you verify foreign criminal records?
Is there clear ownership between HR and cybersecurity teams for employment fraud prevention?
Are your recruiters trained to detect deepfakes and interview-farm red flags?
After hiring, do you continuously monitor privileged employees for behavioral anomalies?
◼ INTELLIGENCE BRIEFING
Listen & Watch
Explore the threat in depth — through an AI-generated podcast and an upcoming video briefing.
Deepfake Workers Fund North Korean Nukes
An AI-generated deep-dive into how North Korean IT workers are systematically funding weapons programs through employment fraud — and what organizations can do right now.
The Invisible Workforce — Video Briefing
A visual walkthrough of the full threat report — covering the infiltration tactics, real-world cases, and what your organisation can do right now.
The Human Firewall
Background screening is your first and most critical line of defense. Here's what to look for — and what to do.
Strategic Recommendations
Assign clear ownership
Create a cross-functional team (HR + IT Security + Legal). Employment fraud prevention must have an owner — not fall between departments.
Mandate video with verification
Require video for all remote interviews. Ask candidates to describe their surroundings. Request environmental checks. Record interviews for review.
Deploy document authentication
Use Regula Forensics, Trustmatic, or Scaut to verify identity documents. AI-generated IDs are indistinguishable to the human eye.
Extend screening to contractors
Fraudulent candidates are found 3–4× more often in contractor pipelines. Make background verification a contractual obligation for all third parties with system access.
Train recruiters on deepfakes
Teach specific deepfake detection techniques: the hand wave test, window description, and audio desync. FBI guidance is publicly available — distribute it.
Implement continuous monitoring
Pre-employment screening is not enough. Monitor privileged users for behavioral anomalies post-hire. The NHS breach ran 6 months before detection.
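One way to act on the continuous-monitoring recommendation, using indicators named in the case files above: remote access software on company laptops, many laptops at one location, and sign-in locations that contradict the claimed residence. This is an added example, not Scaut's tooling or code from any cited source; the record fields, the sample data, the `known_egress` allowlist and the threshold of three devices are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real telemetry); field names are assumptions.
HR_CLAIMED_COUNTRY = {"alice": "DE", "bob": "DK",
                      "carol": "PL", "dave": "PL", "erin": "PL"}

# (user, device_id, egress_ip, geo_country, remote_access_tool_seen)
SIGNINS = [
    ("alice", "LT-001", "198.51.100.7", "DE", False),
    ("bob",   "LT-002", "203.0.113.20", "CN", False),
    ("carol", "LT-003", "192.0.2.44",   "PL", True),
    ("dave",  "LT-004", "192.0.2.44",   "PL", True),
    ("erin",  "LT-005", "192.0.2.44",   "PL", True),
]


def review_queue(signins, claimed, known_egress=frozenset(), min_devices=3):
    """Return {user: [reasons]} for accounts that need a human review.

    geo_mismatch: sign-in country differs from the residence given to HR.
    shared_egress: at least min_devices company laptops behind one public IP
        that is not a known office or VPN address.
    remote_tool_on_shared_egress: remote access software seen on such a laptop.
    """
    devices_by_ip = defaultdict(set)
    for _user, device, ip, _country, _tool in signins:
        if ip not in known_egress:
            devices_by_ip[ip].add(device)

    findings = defaultdict(set)
    for user, _device, ip, country, tool in signins:
        if country != claimed.get(user):
            findings[user].add("geo_mismatch")
        if len(devices_by_ip.get(ip, ())) >= min_devices:
            findings[user].add("shared_egress")
            if tool:
                findings[user].add("remote_tool_on_shared_egress")
    return {user: sorted(reasons) for user, reasons in findings.items()}


if __name__ == "__main__":
    for user, reasons in sorted(review_queue(SIGNINS, HR_CLAIMED_COUNTRY).items()):
        print(user, reasons)
```

In the sample, the three-laptop cluster signs in from the country its users claimed, so a location check alone would miss it; the shared address and the remote access tool are what surface it. Each finding is a lead for HR and security to review together, since travel, VPNs and shared offices produce the same signals.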
The threat doesn't break in.
It gets invited.
Scaut is Europe's first provider of automated background screening purpose-built for the modern threat landscape. Founded in Prague in 2020, we've been tracking DPRK employment fraud since its earliest days — and building the tools to stop it.
Sources: FBI, ENISA, CrowdStrike, Mandiant / Google Threat Intelligence Group, Palo Alto Unit 42, DTEX Systems, Okta, Gartner. Report compiled January 2026.
© 2026 Scaut.com — Advanced Background Screening, Prague, Czech Republic