The threat

Hiring is the new attack surface.

Why state actors and financial fraudsters are exploiting employment as a vector, and why no individual point tool can stop them.

The threat at scale

Operatives inside more than a hundred US enterprises.

Foreign IT-worker programs have placed operatives inside more than one hundred US enterprises, including security vendors and Fortune 500 firms. Public prosecution records and FBI advisories describe schemes generating hundreds of millions of dollars per year in fraudulent US salaries. The same operatives, after detection, have escalated to data theft and extortion against the very employers being defrauded.

Financial-fraud actors with no nation-state affiliation are running similar plays at smaller scale (synthetic identities, deepfaked interview personas, laptop farms in low-cost geographies) to draw multiple paychecks at once. The target list is broad and growing.

Why this is a security problem, not an HR problem

The integrity of the hiring pipeline is the integrity of every downstream control.

A single compromised security vendor is a multiplier across every customer it protects. Once an operator is inside such a vendor, they study how the product works, develop countermeasures, and in some cases attempt to modify code shipped to that vendor's customers. Hiring is therefore a supply-chain control: the integrity of the hiring pipeline is the integrity of every downstream control built on top of it.

The hiring-lifecycle kill chain

Project the cyber kill chain onto the hiring lifecycle. The full chain runs longer than any single tool sees.

Phase   Cyber kill chain, projected onto hiring

01  Reconnaissance
    Target selection (which companies, which roles), identity acquisition (synthetic, stolen, or shared).

02  Weaponization
    Resume fabrication; persona assembly across LinkedIn, GitHub, and publication trails; interview rehearsal, sometimes with face-swap drivers tested in advance.

03  Delivery
    Application submission, often intermediated through laptop farms or facilitator networks.

04  Exploitation
    The interview itself: deepfake video, voice clone, scripted Q&A, sometimes a live human stand-in performing the interview while the named candidate handles the actual work post-hire.

05  Installation
    Onboarding and credential issuance: laptop shipment, SSO enrollment, MFA token activation.

06  Command and control
    Normal employment activity, often deliberately competent, with the operative's actual location masked through laptop farms or VPN egress.

07  Actions on objectives
    Salary collection at minimum, escalating where the access permits to data theft, source-code modification, or post-discovery extortion.

Why each point tool returns green

Each verdict is local and accurate. None produces a verdict about the whole candidate.

Today's hiring stack is built from independent point tools, each correct on its own terms. Resume validation says the institutions exist and the dates are plausible. The background check says this name and SSN have no disqualifying record. Liveness detection says there is a real person in front of the camera right now. Each verdict is local and accurate. None produces a verdict about the whole candidate, and none is aware of the others.

A resume that passes claim validation, a face that passes liveness, and a background check that passes against a stolen-but-clean identity will, individually, all return green, even when the joint pattern would be a clear red flag to any human investigator with full visibility.

The connective tissue is human and inconsistent

There is no intelligence layer.

The joint reasoning that point tools cannot perform is, today, performed by humans: recruiters, hiring managers, and security partners stitching verdicts together at high volume and under deadline pressure. The result is what that structure predicts: inconsistent decisions, with the inconsistencies concentrated at precisely the points threat actors probe.

The adversary is reasoning about the system

The defense has to do the same.

The facilitator playbooks reconstructed from prosecution exhibits include coaching on which background-check vendors specific employers use, which OSINT signals to plant in advance, and which interview platforms can be defeated by which face-swap stack. The adversary is reasoning about the joint defense and finding the seam. The defense has to do the same.

What the defense looks like

Three things have to be true at once for the defense to hold.

  1. Joint reasoning across signals, not just better point tools.
     Combine resume, video, behavioral, and historical signals into one judgment.

  2. Full lifecycle scope.
     Score at application, finalist, offer, and continuously after hire. Stop treating the moment of hire as a hand-off out of risk visibility.

  3. Shared defense across organizations.
     The same operatives target many victims; today, when one organization rejects them, the next organization pays to learn the same lesson again. That has to change.
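The gap described earlier (every point tool returning green while the joint pattern is red) and the first and third points above (joint reasoning across signals, shared defense across organizations) can be illustrated with a small Python checker that cross-checks the facts each tool actually bound its verdict to. This is an added example, not code from this page or from any vendor; the tool names, the fact keys, the shared device registry, the candidate data and the green/review/red thresholds are all constructed assumptions.

```python
"""Joint reasoning over independent point-tool verdicts (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Verdict:
    """One point tool's local verdict and the facts it bound that verdict to.

    The tool names and fact keys are a constructed schema for this example,
    not any vendor's API.
    """
    tool: str
    passed: bool
    facts: dict = field(default_factory=dict)


def all_point_tools_green(verdicts):
    """What today's stack does: every tool passed, so the candidate passes."""
    return all(v.passed for v in verdicts)


def joint_findings(verdicts, shared_registry=None):
    """Cross-check the facts each tool verified against the others.

    shared_registry is a constructed stand-in for a cross-organization record
    of device fingerprints already seen, mapped to the names they applied under.
    """
    facts = {v.tool: v.facts for v in verdicts}
    resume = facts.get("resume_validation", {})
    bgc = facts.get("background_check", {})
    live = facts.get("liveness", {})
    findings = []

    # 1. The identity the background check cleared must be the identity on the resume.
    if resume.get("name") and bgc.get("name"):
        if resume["name"].casefold() != bgc["name"].casefold():
            findings.append("identity_mismatch")

    # 2. The location the candidate states must agree with the address the check verified.
    if resume.get("state") and bgc.get("address_state"):
        if resume["state"] != bgc["address_state"]:
            findings.append("location_mismatch")

    # 3. Liveness shows a live person was on camera; it says nothing about where.
    #    Compare the interview session's egress with the stated country.
    if live.get("egress_country") and resume.get("country"):
        if live["egress_country"] != resume["country"]:
            findings.append("egress_mismatch")
    if live.get("egress_is_hosting"):
        findings.append("hosting_egress")

    # 4. Shared defense: has this device already applied elsewhere under another name?
    device = live.get("device_fingerprint")
    if shared_registry and device in shared_registry:
        prior_names = {n.casefold() for n in shared_registry[device]}
        if resume.get("name") and resume["name"].casefold() not in prior_names:
            findings.append("device_reused_under_other_name")
    return findings


def joint_verdict(verdicts, shared_registry=None):
    """Return ('green' | 'review' | 'red', findings). Thresholds are illustrative."""
    if not all_point_tools_green(verdicts):
        return "red", ["point_tool_failed"]
    findings = joint_findings(verdicts, shared_registry)
    if not findings:
        return "green", findings
    return ("red" if len(findings) >= 2 else "review"), findings


# Constructed sample: every point tool returns green, but the facts disagree.
SAMPLE_VERDICTS = [
    Verdict("resume_validation", True,
            {"name": "Jane Doe", "state": "TX", "country": "US"}),
    Verdict("background_check", True,
            {"name": "Jane Doe", "address_state": "TX"}),
    Verdict("liveness", True,
            {"egress_country": "US", "egress_is_hosting": True,
             "device_fingerprint": "dev-7f3a"}),
]

# Constructed shared registry: the same device applied elsewhere as someone else.
SAMPLE_REGISTRY = {"dev-7f3a": ["John Roe"]}

if __name__ == "__main__":
    print("point tools alone:", all_point_tools_green(SAMPLE_VERDICTS))
    print("joint verdict:", joint_verdict(SAMPLE_VERDICTS, SAMPLE_REGISTRY))
```

Run on the constructed sample, every point tool is green, yet the joint checker escalates to red on two findings: the interview egressed from hosting address space, and the same device fingerprint had already applied elsewhere under a different name. Drop the shared registry and the second finding disappears, leaving only a review, which is the concrete cost of organizations not pooling what they learn.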

Become a development partner.

If you take employment-vector intrusion seriously, we want to talk.