How Fake Operatives are Landing Remote Tech Jobs

Artificial Intelligence | Security Awareness | Threat Intelligence

Posted: Friday, Feb 06

KBI.Media
$
How Fake Operatives are Landing Remote Tech Jobs

Karissa Breen, crowned a LinkedIn ‘Top Voice in Technology’, is more commonly known as KB, and widely known across the cybersecurity industry. A serial Entrepreneur and co-founder of the TMFE Group, a holding company and consortium of several businesses all relating to cybersecurity. These include an industry-leading media platform, a marketing agency, a content production studio, and the executive headhunting firm, MercSec. She is also the former Producer and Host of the streaming show, 2Fa.tv. Our flagship arm, KBI.Media, is an independent and agnostic global cyber security media company led by KB at the helm of the journalism division. As a Cybersecurity Investigative Journalist, KB hosts her renowned podcast, KBKast, interviewing cybersecurity practitioners around the globe on security and the problems business executives face. It has been downloaded in 65 countries with more than 300K downloads globally, influencing billions of dollars in cyber budgets. KB is known for asking the hard questions and getting real answers from her guests, providing a unique, uncoloured position on the always evolving landscape of cybersecurity. She sits down with the top experts to demystify the world of cybersecurity, and provide genuine insight to executives on the downstream impacts cybersecurity advancement and events have on our wider world.

i 3 Table of Contents

How Fake Operatives are Landing Remote Tech Jobs

From Karissa Breen

Remote workforce has changed how companies hire. It has also changed who can get in to these sought-out businesses.

Across global hiring pipelines, recruiters are encountering candidates who look legit on paper, interview well remotely and arrive with precisely the right skills organisations need. The problem isn’t poor vetting or rudimentary HR. It’s that some of these applicants aren’t who they claim to be and in some cases, they’re part of a coordinated effort tied to North Korea.

Alex Tilley, Global Threat Research Coordinator at Okta, talked about how North Korean IT workers are systematically exploiting remote hiring models not just in Silicon Valley, but across industries and geographies right around the globe.

This is no longer just a tech problem. It’s a global access problem and its not going to slow down.

The earlier narrative suggested North Korean operators were targeting US technology firms. That assumption no longer holds.

“This is not a US tech problem,” Tilley said. “This is a global problem across multiple verticals.”

Financial services, automotive, agriculture, healthcare or any organisation building software or running remote access environments is a potential target, which is pretty much every company nowadays. According to Okta’s research, once the US is removed from the data, nearly every major Western nation and many across Asia show signs of exposure.

Healthcare was a front runner for exposure. Organisations that never considered themselves targets for cyber espionage are now finding themselves amongst it.

The recruitment process is pretty straight forward, for those familiar with applying for a remote job.

Applicants submit highly-manicured CVs supported by full-blown LinkedIn profiles. Some identities are entirely fabricated. Others are borrowed or stolen. Online services exist specifically to help applicants craft a legend, which is a believable professional backstory that survives initial screening.

“You can find yourself a really good full stack developer’s LinkedIn profile and you can copy it and copy their CV,” Tilley explained. “And just change the email address and the phone number and maybe the photograph on it.”

Getting to interview stage isn’t difficult. Problems tend to surface only when deeper interaction begins or, conversely, when candidates are asked contextual questions, or to demonstrate familiarity with local environments, like not being able to show they’re in a particular city.

Still, many unfortunately make it through and actually land a job.

“If the bad guys can craft your applications to be one of that top 10%, they’re going to get through that first hurdle,” Tilley said. “And that’s enough to make it lucrative. Definitely.”

The main mission isn’t long-term employment and to hang around for the remote beers on a Friday.

Typically, the operator stays long enough to collect pay checks, extract accessible data and then move on sometimes even before detection, but sometimes after. Even brief access can expose sensitive systems, code repositories, internal documentation, or sensitive customer data.

When organisations do discover what’s happened, the reaction is mortification.

“People are shocked,” Tilley said. “And here’s the evidence that we [Okta] have or the intelligence that we have, people are genuinely shocked and they really want to work with us and help us to understand this threat.”

The aftermath usually triggers urgent coordination between security, HR, and legal teams often under pressure and often too late.

Companies want new hires to feel trusted and productive from day one. But that instinct now conflicts directly with security and potentially hiring not the right candidate. Tilley argues for staged access as the default, not full permissions on arrival from day one.

“Investigate why you would need to give every new starter full access to your internal network or your code repository,” he said.

Verification can no longer be a one-time event. Identity, access, and behaviour need to be reassessed continuously especially in fully remote environments.

The tension is real. Some roles require rare expertise. Limiting access can feel impractical. But open access is exactly what makes these operations viable.

Despite advances in detection, simple human checks still play an important role.

Local context questions. Regional references. Small, unscripted prompts that are difficult to fake consistently. None are foolproof but they will weed out obvious offenders.

“It’s pretty basic,” Tilley noted, “If it’s dumb, but works, it ain’t dumb.”

Remote work isn’t reversing. Global hiring isn’t slowing. That means organisations must adapt by balancing talent acquisition with layered verification, incremental trust, and tighter collaboration between security, HR, recruitment, and leadership.