Identity · Hiring Fraud · DPRK

Your Hiring Workflow Is a Security Workflow

Some hackers don't hack, they apply

DPRK hiring fraud came up in more conversations at RSA last week than almost anything else. Not because it’s new — the advisories have been out for years. Because security leaders know they’re exposed and haven’t solved it, and the reason is consistent: the problem sits between teams that don’t share context.

The technology to solve this exists. The gap isn’t awareness and it isn’t tooling. It’s that nobody owns the chain.

The seam is the attack surface

Here’s how these operations typically work. A threat actor submits an application. HR runs a background check through one vendor. The resume looks clean. A video interview happens, possibly with AI-generated content. The candidate passes. They get hired, provisioned, and start pulling access to systems that matter.

At no point does the person who approved the hire talk to the person who provisioned the access. The threat intelligence team doesn’t get asked whether the hiring pattern matches known DPRK tradecraft. No one validates that the controls you think would catch this actually do.

That’s not a Zero Trust failure. Zero Trust assumes you’ve correctly established who the person is. The fraud happens upstream, before the identity is enrolled.

Four capabilities, one chain

Closing this gap requires connecting four things most organizations treat as unrelated.

Pre-hire intelligence. Threat actor patterns have signatures. The way DPRK-linked candidates construct resumes, the job boards they favor, how they handle technical assessments: these are learnable signals. Few security teams ever ask their threat intelligence function to look at hiring data, because hiring isn’t considered a security event.

Identity verification that holds against AI-generated content. A video call with a deepfake is now a realistic attack vector. The tools to handle this exist, but most HR teams don’t know they need them because no one has updated their threat model.

Identity lifecycle management that carries verified trust through onboarding. The background check result and the identity verification result need to travel with the identity record, not sit in separate systems that nobody integrates.
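A sketch of what "travel with the identity record" can look like at the provisioning step, as an added example that is not code from the original post. The field names, the 30-day freshness window and the `owner` attribute are assumptions; the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Assumed policy: both results are required and must be under 30 days old.
REQUIRED = ("background_check", "identity_verification")
MAX_AGE = timedelta(days=30)

@dataclass(frozen=True)
class Evidence:
    kind: str            # which check produced this result
    subject_id: str      # who the check was run on, e.g. an ID document hash
    passed: bool
    issued_at: datetime
    owner: str           # team that owns this handoff; "" means nobody does
@dataclass
class IdentityRecord:
    candidate: str
    evidence: list

def provisioning_findings(rec: IdentityRecord, now: datetime) -> list:
    """Return reasons to block provisioning; an empty list means the chain holds."""
    findings = []
    by_kind = {e.kind: e for e in rec.evidence}
    for kind in REQUIRED:
        ev = by_kind.get(kind)
        if ev is None:
            findings.append(f"missing:{kind}")
            continue
        if not ev.passed:
            findings.append(f"failed:{kind}")
        if now - ev.issued_at > MAX_AGE:
            findings.append(f"stale:{kind}")
        if not ev.owner:
            findings.append(f"unowned:{kind}")
    # Both checks must describe the same person, not two different identities.
    subjects = {by_kind[k].subject_id for k in REQUIRED if k in by_kind}
    if len(subjects) > 1:
        findings.append("subject_mismatch")
    return findings

# Constructed sample records, not real data.
NOW = datetime(2025, 5, 6, tzinfo=timezone.utc)
ok = IdentityRecord("cand-001", [
    Evidence("background_check", "doc-aaa", True, NOW - timedelta(days=3), "hr-ops"),
    Evidence("identity_verification", "doc-aaa", True, NOW - timedelta(days=1), "iam"),
])
split = IdentityRecord("cand-002", [
    Evidence("background_check", "doc-bbb", True, NOW - timedelta(days=40), "hr-ops"),
    Evidence("identity_verification", "doc-ccc", True, NOW - timedelta(days=1), ""),
])
```

The second record passes both checks individually and is still blocked, because the two results describe different subjects and sit in a handoff nobody owns.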

Ongoing validation. You need to know whether your controls would actually catch one of these actors if they’re already inside. That means testing your detection against the specific vectors these groups use, not generic red team scenarios.

The behavioral problem is the real problem

The most useful point from the conversation this post started was that knowing silos are the issue is not the same as unwiring them. That’s a behavioral and structural challenge, not a technical one. The technology to connect these four capabilities exists today. What doesn’t exist in most programs is the accountability structure that forces these teams to share signal. HR doesn’t report to the CISO. Threat intelligence doesn’t have a seat in the hiring process. Security operations gets engaged after onboarding, not before.

The fix has to move upstream. The hiring workflow is a security workflow, and until organizations treat it that way, the gap stays open.

Where to start

The teams making progress take five actions.

First, they map the identity chain in their hiring workflow from first contact to provisioning — every step, every handoff, every team that touches a candidate’s identity and what exactly they’re verifying. Most teams have never drawn this map. The gaps are obvious once you do.

Second, they identify who owns each seam, in particular the handoff between background check clearance and video interview verification. In practice, nobody owns it. Naming an owner is the first structural fix.

Third, they brief their threat intelligence team on hiring. Most TI teams have never been asked to profile DPRK candidate patterns or review recent applicant data for known tradecraft signals. Ask them. Give them access. Their job is to know this threat and they’re not being used.

Fourth, they run a tabletop on the scenario — HR, identity, and security operations in the same room, walking through what happens when a DPRK actor clears the background check and gets provisioned. The accountability gaps surface in the first twenty minutes.

Fifth, they test their detection against the post-hire behavioral patterns these actors exhibit, not generic red team scenarios, and they use the results to close the loop back to the hiring workflow.

None of this requires a budget cycle or a new vendor. It requires someone with enough authority to convene the right people and enough clarity on the problem to keep the work focused on the end-to-end process.

If you’re working through this and want a thought partner on the accountability piece, connect@passarel.com is the right door.
