Identifying and Preventing Fraudulent Engineering Candidates: An Investigation into 80 Confirmed Cases

Companies are seeing a surge of sophisticated fraudulent engineering applicants—over 80 suspicious resumes in two months—likely part of coordinated campaigns that include suspected North Korean operators using synthetic identities, AI-generated resumes, resume-builder fingerprints, and impersonation tactics. Organizations must treat hiring as a security function, implementing multi-layered verification (portfolio checks, metadata scans, identity verification, sandboxed evaluations, and cross-team collaboration) to stop fraudulent candidates from gaining access to code, credentials, and build systems. #NorthKoreanITWorkers #Enhancv

Keypoints

  • Socket’s threat research identified 80+ fraudulent engineering candidates in two months, with signals pointing to organized campaigns and suspected North Korean involvement.
  • Fraudulent applications share recurring tells: missing or nonfunctional LinkedIn/GitHub links, mismatched name/email pairs, marquee-employer stacking, and resume-builder PDF metadata (e.g., Enhancv).
  • Attackers use synthetic identities, impersonation-style emails, scraped vacancy phrasing, and AI-assisted resume generation to bypass screening and appear credible.
  • Insider risk is high: a fraudulent hire can access source code, credentials, build systems, and introduce malware or malicious dependency changes.
  • Effective defenses include multi-layered verification: inspectable portfolios, ATS metadata enrichment, behavioral analysis in video interviews, sandboxed code evaluations, and identity verification protocols.
  • Talent, HR, and security teams must collaborate, share signals across the interview loop, and automate enrichment and risk flags in applicant tracking systems.
  • Supply chain protections (real-time PR scanning, CLI/CI checks, egress restrictions, and package risk tooling) should be enforced to block risky code introduced by applicants or new contributors.

MITRE Techniques

  • [T1585.001] Establish Accounts: Social Media Accounts – Fake or newly created LinkedIn profiles and social footprints were used to support synthetic personas; “newly created LinkedIn accounts” and “LinkedIn profile resolves to ‘This page doesn’t exist’”
  • [T1585.002] Establish Accounts: Email Accounts – Impersonation-style email handles and name-to-email mismatches were used to submit applications and impersonate real engineers; “email address did not match or correctly spell the candidate’s name” and “email handles that append terms such as dev, work, tech, or soft”

Indicators of Compromise

  • [PDF metadata] resume-builder fingerprint – Enhancv listed as the PDF producer in the document metadata (observed across multiple fraudulent resumes)
  • [LinkedIn URLs] nonfunctional or malformed profile links – LinkedIn URLs that resolve to a 404, or newly created profiles that do not corroborate the claimed employment history
  • [GitHub profiles] insubstantial or sock-puppet repositories – profiles with a couple of trivial repositories and README claims but no real commit history, and outbound links that return 404
  • [Email addresses] impersonation-style handles – examples include local parts that append “dev” or “work”, and name-to-email mismatches (the name on the resume differs from the email local part)
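As an added example (not code from the Socket post), a small Python enrichment check that turns three of the tells above into ATS-style risk flags; the sample PDF bytes, the candidate record and the pre-fetched LinkedIn HTTP status are constructed for the demo, and the suffix list is the one quoted from the post.

```python
import re

# Constructed sample: a minimal, uncompressed PDF whose Info dictionary names Enhancv as producer.
SAMPLE_RESUME_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Producer (Enhancv) /Creator (Enhancv) >>\nendobj\n"
                     b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")

BUILDER_PRODUCERS = ("enhancv",)                  # producer strings called out on the page (assumption: extend locally)
SUSPICIOUS_SUFFIXES = ("dev", "work", "tech", "soft")  # handle suffixes quoted from the post


def pdf_producer(pdf_bytes: bytes) -> str:
    """Return the /Producer literal string from a plain-text PDF Info dictionary ('' if absent)."""
    m = re.search(rb"/Producer\s*\((.*?)\)", pdf_bytes, re.S)
    return m.group(1).decode("latin-1") if m else ""


def email_flags(full_name: str, email: str) -> list:
    """Name/email mismatch and 'name + dev/work/tech/soft' handles, as described in the post."""
    local = email.split("@", 1)[0].lower()
    letters = re.sub(r"[^a-z]", "", local)               # drop digits and punctuation
    tokens = [t for t in re.split(r"[^a-z]+", full_name.lower()) if t]
    flags = []
    if not any(t in letters for t in tokens):            # no part of the name appears in the handle
        flags.append("email-name-mismatch")
    for suffix in SUSPICIOUS_SUFFIXES:                   # e.g. janedoedev -> janedoe + dev
        if letters.endswith(suffix) and any(t in letters[:-len(suffix)] for t in tokens):
            flags.append("impersonation-style-handle")
            break
    return flags


def score_candidate(record: dict) -> list:
    """Combine the tells into risk flags an ATS could store. 'linkedin_status' is an HTTP status
    the caller fetched beforehand (assumption: this example does no network access)."""
    flags = email_flags(record["name"], record["email"])
    producer = pdf_producer(record["resume_pdf"])
    if producer.lower() in BUILDER_PRODUCERS:
        flags.append("resume-builder:" + producer)
    if record.get("linkedin_status") == 404:
        flags.append("linkedin-404")
    return flags


# Constructed candidate record exhibiting all three tells.
SAMPLE_CANDIDATE = {"name": "Jane Doe", "email": "janedoedev@example.com",
                    "resume_pdf": SAMPLE_RESUME_PDF, "linkedin_status": 404}

if __name__ == "__main__":
    print(score_candidate(SAMPLE_CANDIDATE))
```

For real resumes, read the Info dictionary with a PDF library such as pypdf rather than this regex, since the producer string may sit in a compressed object stream or be written as a hex string.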


Read more: https://socket.dev/blog/fraudulent-engineering-candidates-investigation