How Is North Korea Infiltrating the Global IT Workforce?

Malik Haidar stands at the intersection of high-stakes corporate security and global geopolitical intelligence. With a career dedicated to shielding multinational corporations from state-sponsored cyber campaigns, he has become a leading voice in identifying the invisible threads connecting fraudulent remote hires to international weapons programs. His work goes beyond traditional perimeter defense, integrating behavioral analytics and business strategy to dismantle the complex networks used by foreign operatives to infiltrate Western markets.

In this discussion, we explore the evolving mechanics of the North Korean IT worker scheme, ranging from the use of AI-powered face-swapping and sophisticated VPN tunneling to the role of Western collaborators and cryptocurrency facilitators. Haidar provides a deep dive into how these operatives maintain long-term persistence within organizations and what businesses must do to safeguard their payroll and proprietary data from being weaponized by hostile regimes.

Operatives often use AI-powered face-swapping technology and stolen identities to bypass video interviews and secure remote positions. How can hiring managers better detect these fabricated personas during the screening process, and what specific technical red flags should interviewers look for when evaluating a remote candidate’s background?

The use of “Faceswap” and other agentic AI tools has made it incredibly easy for operatives to superimpose their likeness onto stolen identity documents or create polished, professional headshots that pass initial scrutiny. To counter this, hiring managers must move beyond a simple visual check and look for “micro-glitches” during live video calls, such as unnatural lighting transitions or blurring around the chin and neck lines when the candidate moves. We’ve seen cases where North Korean workers use these digital personas to land jobs at legitimate U.S. companies, relying on the fact that recruiters are often looking for skills rather than identity anomalies. Beyond the screen, a major red flag is a candidate who refuses to turn on their camera after the initial interview or who shows an unusual delay in responding to technical questions, which often indicates they are using translation tools like Google Translate or AI to bridge the language gap. It is also vital to cross-reference their “westernized” personas against established social footprints, as many of these fabricated identities lack the multi-year, organic history typical of a legitimate professional.

These workers frequently operate from overseas hubs like China or Laos, using VPNs to route their internet traffic through domestic exit nodes. What network monitoring strategies can distinguish a legitimate remote employee from someone using sophisticated tunneling, and how should companies update their geolocation policies to address this?

Detecting these operatives requires looking past the reported IP address, as they heavily utilize services like Astrill VPN to bypass regional restrictions and masquerade as domestic employees. One of the most effective strategies is to monitor for “impossible travel” alerts and consistent logins from known VPN exit nodes that don’t align with a worker’s supposed residential address. For instance, in August 2025, an organization successfully terminated a fraudulent Salesforce data hire just 10 days into the job after detecting persistent login indicators originating from China despite the worker claiming to be in the U.S. Companies should implement strict conditional access policies that block or flag traffic from high-risk regions like Boten, Laos, or specific Chinese provinces known for hosting these IT delegations. Furthermore, network teams should look for the use of decentralized internal communication tools like IP Messenger (IPMsg), which these workers often use to coordinate with their overseas handlers while staying under the radar of corporate monitoring.
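The two login checks described in this answer, impossible travel and logins from known VPN exit nodes that contradict a declared residence, as an added Python example that is not Haidar's code or any product's logic; the GeoIP table, VPN exit-node flags, HR country records and login events are all constructed for the demonstration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed IP-to-location table standing in for a GeoIP feed plus a VPN
# exit-node list. Addresses are RFC 5737 documentation ranges, not real nodes.
GEO = {
    "198.51.100.7": {"lat": 40.71, "lon": -74.01, "country": "US", "vpn_exit": False},
    "203.0.113.9": {"lat": 34.05, "lon": -118.24, "country": "US", "vpn_exit": True},
    "192.0.2.44": {"lat": 39.90, "lon": 116.40, "country": "CN", "vpn_exit": False},
}
# Residential country each hire declared to HR (constructed).
CLAIMED_COUNTRY = {"jdoe": "US", "asmith": "US"}
# Faster than any commercial flight: two logins implying this speed cannot be one person.
MAX_SPEED_KMH = 900

# Constructed login events: (user, UTC timestamp, source IP).
LOGINS = [
    ("jdoe", "2025-08-04T13:00:00", "198.51.100.7"),    # New York, home ISP
    ("jdoe", "2025-08-04T13:20:00", "203.0.113.9"),     # Los Angeles VPN exit, 20 min later
    ("jdoe", "2025-08-04T14:00:00", "192.0.2.44"),      # Beijing, 40 min after that
    ("asmith", "2025-08-04T09:00:00", "198.51.100.7"),  # ordinary login
]

def haversine_km(a, b):
    """Great-circle distance in km between two records carrying lat/lon."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def analyze_logins(logins, geo=GEO, claimed=CLAIMED_COUNTRY, max_speed=MAX_SPEED_KMH):
    """Return (user, kind, detail) findings: vpn_exit, country_mismatch, impossible_travel."""
    findings = []
    last = {}  # user -> (timestamp, geo record) of that user's previous login
    for user, ts, ip in sorted(logins, key=lambda e: (e[0], e[1])):
        rec, when = geo[ip], datetime.fromisoformat(ts)
        if rec["vpn_exit"]:
            findings.append((user, "vpn_exit", ip))
        if rec["country"] != claimed.get(user):
            findings.append((user, "country_mismatch", f"{rec['country']} vs claimed {claimed.get(user)}"))
        if user in last:
            prev_when, prev_rec = last[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(prev_rec, rec)
            if hours > 0 and km / hours > max_speed:
                findings.append((user, "impossible_travel", f"{km:.0f} km in {hours * 60:.0f} min"))
        last[user] = (when, rec)
    return findings
```

Against the constructed log, `jdoe` produces one VPN-exit finding, one country mismatch and two impossible-travel findings, while `asmith` produces none; in production the VPN flag would come from a commercial VPN-intelligence feed rather than a hand-written table.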

Millions of dollars are being funneled through international proxies and converted into cryptocurrency to fund state-sponsored programs. What role do secondary financial facilitators play in obscuring these transactions, and what steps can businesses take to ensure their payroll systems are not inadvertently feeding into illicit laundering networks?

Secondary facilitators are the lifeblood of this scheme, acting as the bridge between corporate payroll and the DPRK’s weapons programs. We have seen entities like Quangvietdnbg International Services Company Limited facilitate the conversion of approximately $2.5 million into cryptocurrency over a two-year period, effectively “washing” the salaries earned by fraudulent workers. Individuals like Do Phi Khanh and Hoang Van Nguyen act as proxies, allowing operatives to open bank accounts using their legitimate identities to bypass Anti-Money Laundering (AML) checks. To prevent this, businesses must conduct deeper due diligence on the banking information provided by remote hires, especially if multiple employees are requesting payments to accounts linked to the same third-party facilitators. It is no longer enough to just pay a worker; companies need to verify that the destination of those funds isn’t a known crypto-gateway or a proxy account associated with sanctioned individuals.

In many cases, fraudulent hires eventually deploy malware or attempt to extort their employers by threatening to leak sensitive company data. Once a suspicious operative is embedded, what behavioral analytics help identify “low-and-slow” data exfiltration, and what are the immediate containment priorities for an affected organization?

Once an operative is inside, they often shift from being a productive “employee” to an insider threat, utilizing their legitimate credentials to move laterally through the network. Behavioral analytics should focus on “low-and-slow” activities, such as an IT worker accessing sensitive directories or databases that are not essential for their assigned Salesforce or development tasks. These actors are known to weaponize proprietary data, deploying malware to steal secrets or engaging in direct extortion by demanding ransoms to keep the data private. The immediate priority for any organization suspecting such an infiltration is the revocation of all active sessions and a comprehensive audit of all code or data the individual touched. Because these workers often stay for the long term to maximize revenue, detecting a sudden shift in their access patterns—such as late-night data transfers or the installation of unauthorized tools—is the most reliable way to trigger a containment response.
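The "low-and-slow" behavioural checks this answer describes, access outside an assigned scope, off-hours transfers, and many small out-of-scope reads that add up, as an added Python example written for this page rather than taken from Haidar or any vendor tool; the scope map, sensitivity list, thresholds and access events are constructed.

```python
from datetime import datetime

# Constructed scope map: resource prefixes a hire's assigned work should touch.
SCOPE = {"jdoe": ("/crm/salesforce/", "/repo/frontend/")}
# Repositories and shares whose access outside scope is treated as high-severity.
SENSITIVE = ("/hr/", "/finance/", "/repo/crypto-core/")
OFF_HOURS = (22, 6)               # local hours considered off-hours: 22:00 to 06:00
OFF_HOURS_MIN_BYTES = 1_000_000   # only transfers this large are flagged for timing alone
SLOW_EXFIL_BYTES = 50_000_000     # cumulative out-of-scope bytes that trigger an alert

# Constructed access events: (user, local timestamp, resource, bytes read out).
EVENTS = [
    ("jdoe", "2025-08-05T10:12:00", "/crm/salesforce/accounts.csv", 120_000),
    ("jdoe", "2025-08-05T23:40:00", "/repo/crypto-core/signer.go", 4_000_000),
    ("jdoe", "2025-08-05T23:55:00", "/finance/payroll_2025.xlsx", 30_000_000),
    ("jdoe", "2025-08-06T01:10:00", "/finance/vendors.db", 25_000_000),
    ("jdoe", "2025-08-06T09:00:00", "/repo/frontend/app.js", 50_000),
]

def in_scope(user, resource):
    return resource.startswith(SCOPE.get(user, ()))

def is_off_hours(when, window=OFF_HOURS):
    start, end = window
    return when.hour >= start or when.hour < end

def analyze_access(events, threshold=SLOW_EXFIL_BYTES):
    """Return (user, kind, detail) findings; kinds: out_of_scope, sensitive_out_of_scope,
    off_hours_transfer, slow_exfil. Out-of-scope bytes accumulate per user across the
    whole window so that many small reads are caught, not just one large one."""
    findings, out_of_scope_total = [], {}
    for user, ts, resource, nbytes in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if not in_scope(user, resource):
            kind = "sensitive_out_of_scope" if resource.startswith(SENSITIVE) else "out_of_scope"
            findings.append((user, kind, resource))
            before = out_of_scope_total.get(user, 0)
            out_of_scope_total[user] = before + nbytes
            if before <= threshold < before + nbytes:  # alert once, on crossing the line
                findings.append((user, "slow_exfil", f"{before + nbytes} bytes outside scope"))
        if is_off_hours(when) and nbytes >= OFF_HOURS_MIN_BYTES:
            findings.append((user, "off_hours_transfer", f"{nbytes} bytes from {resource}"))
    return findings
```

None of the three out-of-scope reads crosses the cumulative threshold on its own; the alert fires only on the third, which is the point of tracking the running total rather than per-event size.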

Western collaborators on professional platforms like LinkedIn and GitHub sometimes provide their real identities to help these operatives pass background checks. Why are these individuals being successfully recruited into such schemes, and what collaborative industry efforts are needed to prevent networking sites from being used as gateways for fraud?

It is a sobering reality that Western collaborators, often recruited through LinkedIn or GitHub, play a critical role by “donating” their identities to help North Korean workers bypass background checks and receive company-issued laptops. Some are lured by the promise of easy money or a share of the IT worker’s salary, while others may be unwittingly manipulated into what they believe is a legitimate subcontracting arrangement. This multi-tiered structure, involving recruiters who record initial interviews to coach the IT workers, makes the deception incredibly deep and reliable. To combat this, professional platforms need to implement more rigorous identity verification for accounts that are frequently used to vouch for others or participate in high-volume freelance hiring. There must be a shared industry “watchlist” of compromised identities and suspicious recruiting patterns so that a fraudster kicked off one platform cannot simply migrate to another to continue their operations.

Threat actors are now leveraging agentic AI tools to build fake company websites and refine malicious code at an accelerated pace. How does this shift toward AI-driven automation change the threat landscape for medium-sized businesses, and what defensive tools are most effective at countering these high-speed, low-cost campaigns?

The shift toward agentic AI is a force multiplier for groups like Jasper Sleet, allowing them to automate the reconnaissance process and create highly convincing digital personas at scale. For medium-sized businesses, this means the volume of sophisticated, targeted attacks will increase because the “cost of entry” for the threat actor has dropped significantly. They are even jailbreaking large language models to rapidly generate and refine malware components, which allows them to adapt their tools to a target’s defenses in real-time. The most effective defense is to adopt an “insider-risk” mindset, treating every remote hire—no matter how qualified they seem—as a potential vector for access misuse. Deploying AI-driven EDR (Endpoint Detection and Response) that can identify anomalous code patterns or unauthorized system calls is essential to keep pace with the speed of AI-generated threats.

What is your forecast for the future of remote hiring security?

I believe we are entering an era of “verification exhaustion,” where the sheer volume of AI-generated deception will force a return to more traditional, physical-first security measures even in a remote world. In the coming years, we will see a widespread adoption of cryptographically signed digital identities and mandatory “hardware-based” verification, such as requiring remote employees to use government-issued biometric keys to access corporate portals. The era of trusting a LinkedIn profile and a Zoom call is effectively over; businesses that do not evolve toward a “zero-trust” employment model will find themselves unintentionally bankrolling the very geopolitical threats that destabilize the global economy. Security will no longer be an IT function—it will be the foundational gatekeeper of the global workforce.
