
They used their leet "OSINT" skillz to ask the most basic of questions and background checks that nearly any traditional interview process would immediately uncover, then think it's so novel it's worthy of a blog post.

On the surface it seems the "security" industry is lacking in the most basic of security processes when hiring.

I don't think I've ever worked anywhere that could accidentally hire a North Korean without uncovering it somewhere in the hiring process, and all my jobs have been especially uninteresting.

What bothers me more is there are talented people sitting on unemployment right now that can't find a job, yet fake people are getting hired left and right. Something in the industry as a whole is quite broken.



> On the surface it seems the "security" industry is lacking in the most basic of security processes when hiring.

They found this person at the top of the funnel, before they even started the process, and then chose to go through with it out of curiosity / for advertising. I personally think it's silly (I don't think the advertising or learning about some comically basic TTP like "interview coaching" was worth their team's time) but it's not a lack of basic process in this case.

I will say that hiring for remote jobs has gotten to be a gigantic time waste lately. Even though even moderate background checking can filter these candidates out, it's quite time consuming and with the rise of generative AI, these type of candidates (whether state-sponsored malicious actors or overemployment shops) are appearing in every industry and every role constantly by the hundreds. I disagree completely with other posts claiming only crypto and finance are being targeted; while it's hard to confirm and the North Korean operation specifically may be more tailored, fake candidates are rampant throughout the tech industry now.


> I will say that hiring for remote jobs has gotten to be a gigantic time waste lately.

Not sure why this would be any different for remote jobs. All job interview processes (remote and in-office) I've ever done have had an in-person step, and that should be enough to filter these fake candidates, no? Are companies really doing 100% remote interviews, as in: you sign the offer letter without even meeting a single person in person??

Also, the in-person step is usually at the end, which means yes, you can waste a lot of time phone- and Zoom-chatting with fake candidates, but that is equally true for in-office vs. remote roles. Nobody starts with the in-person, on-site interview.


10 years ago all interviews were in person. With the pandemic they all went 100% remote. We proved that 100% remote positions can work and so there is temptation to continue doing 100% remote interviews for people that will be working remote anyway.

Though we have been burned by someone we believe (but cannot prove) was 100% remote and working two jobs at the same time (they were laid off in a recent downsizing before we could get enough evidence, but they didn't seem as productive as we would expect). So I expect even if you apply for a 100% remote position you will need to do one round of interviews onsite. (though who knows if this will protect us)


Wow, I guess my experiences are way unusual! Very interesting. Companies are really playing with fire by expecting to hire (either for remote or onsite work) 100% over the phone and videoconferencing.


> Are companies really doing 100% remote interviews, as in: you sign the offer letter without even meeting a single person in person??

You're dating yourself with that question. (yes, and they have been for a while)


The funniest interview I had, with a similar sneaky question, was where the HR guy asked "so you wrote city X, I am also living here, whereabouts do you live?" and I turned the laptop and showed through my window a very unique skyscraper and a supermarket right across from my flat, and the guy recognized my building because his gf lived in the same building (it had more than 100 flats), and we both had a laugh about it. (I got the job later, but after having 2-3 more rounds of domain-specific interviews.) In those days the "AI" was not around, so I wouldn't have been able to fake that even if I had wanted to.

EDIT: I also had interviews with Credit Suisse some years back (a decade or so). They wanted me to speak to some people in the US and London, but didn't allow the video conference from home; instead they asked me which major city in Europe I was in, so they could book a meeting room in their own offices or some WeWork facility in case I was somewhere where they didn't have offices.


It's not even a new thing; certain companies were doing it before the pandemic, for a long time. I took my first offer at a remote company in 2012 -- I only met any of those people by chance, years later.


All interview processes I've gone through have indeed been 100% remote. When considering this, you should keep in mind the number of developers who aren't earning top 1% incomes or being offered stock in companies. Things are probably a lot more casual than you may be used to.


Yes, my fully remote company has been hiring for the past 3 months, I've conducted at least 70 first-round interviews, and we hire without in-person meetings.


The last company that hired me did everything remotely. This was a company that only hired people living in countries where it had offices, and there was no B2B contract, so a number of things needed to be local:

- local ID or work permit
- physical address in the country
- bank account in the same country
- social security number

Stuff can be forged but that needs local spy level of skills to make it work.

They were also using a company specialized in background checks. I literally had to fill out a form with the 14 places I had lived in all my life, with dates of entry and exit, which was super annoying given the UI was slow as hell and I had low recollection of the addresses and dates from my early years; I had to ask my parents. I may have been able to cheat, probably, but I didn't try.

I am also seeking a new position, and I have realized that most B2B / work-from-anywhere jobs you could apply for were for cryptocurrency / blockchain related companies, so they surely make it easier for malicious remote applicants. I think it means they are kind of desperate / have difficulty finding talent. In other areas most companies only hire people who live in the same jurisdiction where they have an office and an HR department.


If your position is remote, and the cost of every in-person interview includes two-way flights, per diem and a hotel room, it's very tempting to skip the in-person step, especially if you expect to fail a lot of in-person candidates. Imagine paying that much when your interview-to-offer rate is 25%, and offer-to-hire is 50%. That's $8k-$10k extra per hire, on top of the normal cost of the funnel.


> the co[s]t of every in person interview includes two way flights, per diem and a hotel room

So… you mean the way it's been done for the last hundred years?

If your company is so small that you can't afford to bring someone in, then you hire locally.

Also, $8-10k per hire is too much for an interview. We do ours for under $1,000 with round-trip airfare, hotel, and meals. It's always the last step before signing.

Personally, I wouldn't feel comfortable working for a company that didn't bring me in for an in-person interview, even for a remote job. It's just as important for me to evaluate the company as it is for them to evaluate me.


You could do the expensive bit as a last step before making an offer.


Yes, I am in a hybrid role, went through 5 interviews and several more check-ins, and the first time anyone saw me in person was on the first day when I picked up my laptop at the local office (which wasn't even required, I had the option of having it shipped at my home address)


> Are companies really doing 100% remote interviews, as in: you sign the offer letter without even meeting a single person in person?

Yes, I got multiple job offers like that back in 2022 at FAANG and similar places, and a lot of my friends who interviewed recently had plenty of processes that were fully remote as well. The first time I’ve actually met someone irl from the company I signed my offer with was at least a month after I already started working, and it was just an optional lunch meetup.

However, afaik, these days most serious companies like big tech or tech-centric finance (JS/Citadel/Jump/etc.) or top AI places (OpenAI/Anthropic/etc.) would have the final rounds in-person.


> Are companies really doing 100% remote interviews, as in: you sign the offer letter without even meeting a single person in person??

Yeah, absolutely. The company I work for is in a different country, seeing anyone else would require flying over there, I interviewed and got the job without meeting anyone in person.


I went through fully remote projects a couple of times. No in-person interviews, no team gathering during the project work.

However, there was a background check done by third party agency. Basic check: criminal record, education and employment history (is it fake or real).


My company didn't do any in-person interviews, it was all over Zoom. I've never been to the office (which is over 1,000 miles away) and likely never will.


I did not get hired without in-person interview, but a number of my team members (certainly people I interviewed and recommended for hire) did.


> I disagree completely with other posts claiming only crypto and finance are being targeted; while it's hard to confirm

I can definitely confirm it’s not just finance and crypto being targeted.

I can also confirm it’s not just state sponsored North Korean agents too. Sometimes it’s just individuals trying to fake it until they make it.

However, I don't agree with your conclusion that remote interviews are dead because of this. Yes, it's annoying and time consuming filtering out these culprits, but the interview process already was an annoying and time-consuming process to begin with. So I wouldn't be so quick to throw the baby out with the bath water.


> I will say that hiring for remote jobs has gotten to be a gigantic time waste lately. Even though even moderate background checking can filter these candidates out, it's quite time consuming and with the rise of generative AI...

Good. I hope the whole hiring process gets blown up. The root cause of this is transactional hiring. Companies treat applicants like commodities, and now bad actors have found out how to game it.


Do you want the industry to go back to only hiring from the top ~20 schools and by word-of-mouth networking? Coz that's the only viable alternative to the current interview process.


> Do you want the industry to go back to hiring from the top ~20 schools and by word-of-mouth networking?

This never stopped and is still the case for "good" jobs btw.


Depends on what your definition of "good jobs" is but I know plenty of people from no name unis in third world countries who landed well paying jobs in FAANG thanks to the current process.


He means their bosses are from top 20 schools and didn't get hired because of their skills but because of their status.


If you think this is going to lead to better treatment of candidates in the industry, then I've got really bad news for you.


Hate to say it but jobs are commodities for the employee too. Why would it be any different the other way around?

So many roles are basically interchangeable and I’ll choose whichever one looks best on my resume or gives me some other tangible benefit. And I am prepared to bounce as soon as my vesting schedule drops. We all game this system too.

The days of us loyally working at any firm for 20 years, singing the corporate cheer songs and retiring with a pension are stuff of a different age.


> I hope the whole hiring process gets blown up.

I can't see how the fake-candidate epidemic blows the hiring process up in anything but a candidate-hostile direction.

With the open hiring market becoming more inefficient, companies will move more towards hiring through networking and vetted sources (select college job boards etc.) rather than the open market. In situations where they evaluate candidates from open market listings, companies will now have invasive proof-of-identity red tape earlier and earlier in the funnel (for example, background checks prior to application rather than offer in places where that's legal). Plus, look forward to overly clever hiring panels introducing annoying "trap" questions and weird hoops like this article alluded to - I hope you're ready to review local restaurants and pick up random stuff in the room during your interview!


I think it's useful to test which questions they are and aren't prepared for. In the future you won't necessarily know they were an imposter, so it's good to devise and test certain captcha-like questions to tease out the fake from the real candidates.


Today’s bad startup idea:

Firm that looks like it is hiring for remote jobs, but is actually a honeypot that harvests credentials and identifiers that will enable our clients to detect scam applicants.


> yet fake people are getting hired left and right.

Hate to be that person, but what are you reading that makes you think this is true?

Agree that the article is pretty dumb though, especially the OSINT and Crypto “don’t trust, verify” comments. Feels like content marketing that didn’t really hit.


They're getting interviews left and right

https://www.theregister.com/2025/04/29/north_korea_worker_in...

According to Crowdstrike (the company that wiped out most of global technology last year) at least

> My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly


> My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly

I'm sure there were a lot of false positives with that question.

If I was not reading HN and a few other sources I would likely hang up the phone too.

Thinking that it couldn't be a real job,... some phishing scam or hoax, asking ridiculous questions like that.

Depending on the job, it is quite likely the real talent would not be able to take the interview seriously after hearing such a question.

Seriously weird times...


That's actually hilarious. Edit: Oops, accidentally responded to you instead of original quote.


> How fat is Kim Jong Un

Ha if I got asked that during an interview, I'd think either I went to the wrong interview or the interview is a red flag.


In crypto it has become a known joke to ask that before hiring, bc NK state actors really are focused on it, hacking companies etc.


Hired left and right != interviewed left and right != interviewed quite a few at Crowdstrike.

Maybe you’re contributing to the narrative with the posts like above. It’ll certainly drive engagement.


80% of our recruiter's time is spent trying to figure out which candidates are real and which are fake.

It's really, really bad. We post a role, get 500 applicants, and nearly all of them are not legitimate. They all look amazing: really great resume, impressive LinkedIn, etc... but when you dig a little deeper, it's not that hard to find a bunch of red flags (LinkedIn profile created < 3 months ago, VOIP number, using a VPN to submit the job application, etc). You really have to know what signs to look for. They're very convincing fakes.

We're extremely vigilant about this issue as a company, yet we've had people get through 2 or 3 rounds before someone realized something was off (some people are really, really good at faking it).

I feel bad for small companies trying to hire. For us, it got to the point where we literally couldn't open a role unless we had a full time recruiter to sift through all the international candidates pretending to live in the US.

Edit: We've been dealing with this for a couple years now, and there still isn't a great solution. Unfortunately the only surefire "solutions" we can think of are also things that would make the interview process less enjoyable for real candidates, which sucks. (One idea was to ask candidates to show us photo ID during the video interview, but something about making a candidate do that just doesn't feel good - although we have tried it, and it has effectively stopped a few fake people from getting through)


> We post a role, get 500 applicants, and nearly all of them are not legitimate. They all look amazing, really great resume, impressive LinkedIn, etc... but when you dig a little deeper, it's not that hard to find a bunch of red flags (LinkedIn profile create < 3 months ago, VOIP number, using VPN to submit job application, etc). You really have to know what signs to look for. They're very convincing fakes.

To me, what you call "red flags" rather looks like a description of often outstanding programmers who are quite privacy-conscious (think into the direction of "somewhat cypherpunky").


It can be both. Due to how much time the fake applications take throwing out privacy conscious candidates seems like a worthy sacrifice to make.


On the other hand, consider that in this particular case, if you throw out a false positive, it is very often a really good programmer (though not necessarily the kind of programmer that big tech companies are looking for). :-)


Don't you have to ask for ID at the end anyway? So the only question is avoiding behavior that makes it look like you're a fake job listing harvesting PII or something.

Is the issue skilled candidates that are misrepresenting where they live, unqualified candidates with fake resumes trying to land the position anyway, or something else?

What have you tried?

If they trip enough red flags and it's an international issue, you could just be up front that you're suspicious (including why) and ask them to go outside and take a video of themselves in front of wherever they live. Then you check it against street view, scrutinize the vegetation, that sort of thing. Require the rest of the interview process to be via video call with a wide view of the room to ensure it's the same person. That solution is respectful of their time since it's quick and easy for them. They also presumably already shared their address with you so it's not particularly invasive.


Thank you for posting this. It definitely gives a lot of perspective about what is going on right now.


Maybe leaving the photo ID ask for only when there's suspicion is fine.


Why has asking for photo ID become politicized? ID for voting and job interviews seems like some of the most reasonable usage for an official ID.


The reason it is political for voting is that the rules needed to get a qualified ID are often impossible (or hard enough to suppress voting) for many legit voters.

These rules have become weaponized in a culture war, such as the requirement that an ID match the name on the birth record, meaning women whose last names changed during marriage require additional paperwork, often crossing state lines and in person visits. Bingo, disenfranchised a large population of women.

Personally I think voting should be mandatory as some countries have done, and verification should be easy.

Obviously you need documentation to work, and it’s fair to gather that documentation as early in the process as is reasonable (as in when an application is submitted)


> Obviously you need documentation to work

Elephant in the room, someone who can't produce photo ID to vote also can't produce it to work. So obviously you don't always need it to work (even if that's technically illegal). So long as the systemic issues remain I don't see an issue with that.

Actually come to think of it the low skill jobs I had when I was younger never asked for ID. Just my social, full legal name, and date of birth for their tax paperwork. Whereas the higher skill ones I had later demanded multiple forms of ID - I generally furnished them with both my passport and driver's license, which they took copies of and independently verified.

None of that is relevant for a high skill 100% remote job though. Not only does that demographic generally have easy access to ID, those rules really should be strictly enforced for remote positions since the internet is global.


Actually, that isn't the case with the SAVE act.

If I produce a social security card and any government ID, that is typically enough to work (in the US).

It won't be enough to vote under the proposed act. In many cases, what will be required is a birth certificate that exactly matches other ID. If your name has changed, unspecified documentation will be required beyond a marriage license or court approved name change. A government issued ID such as military or REAL ID will not suffice.


Well that is even more ridiculous. I have a passport but I think I've lost track of my birth certificate. My state ID isn't even REAL ID compliant (and I am very happy about that fact - it's blatant federal overreach that badly needs to be snubbed).

But the point remains - you often (in practice) don't need ID for low skill jobs whereas high skill ones generally carefully vet you. Thus hand wringing about requiring applicants for a high end fully remote tech job to fork over ID is a bit silly.


Well, that last part doesn't bother me at all. If a person is doing something valuable, diligence is due.

The blatant voter suppression efforts aiming at stopping a problem that results in less than a basis point of error in voting counts bothers me a lot, though.


There's always that guy on X who posts about having n remote jobs at the same time, waiting to be fired from each so that he can replace its slot with another.

Then next year it's a different guy, same schtick.


I've also seen some claim that they will do that and simply sub-contract the work out to cheaper labor.

If the employer is satisfied with the employees output, who is being harmed?


A company that is indemnifying their customers for security lapses perhaps?

Or a company that is handling HIPAA, GDPR or other sensitive data and is certifying that they are following policies around employee training, data sovereignty and document handling?


I did see two fakes hired at my old company, a 20 something "senior eng" who couldn't use git or python, and shockingly a VP who managed to fake it for nearly a year. He was unceremoniously fired on a Friday, but he was still paid lol.

I worked at an adtech company, he would give talks with powerpoints talking about internet of things which was absolutely wild. (We never sold or touched a single piece of hardware.)


People tend to only interact with the process when they're looking for work, so rarely. The North Koreans do it every day and optimize the process. It's like captchas, where the bots have surpassed human skill.


As the last interviewer in a loop, I have caught fake candidates. This means they are getting through earlier rounds in my own employer, and makes me think I don't have a 100% success rate.


I mean, the article did point out that there were some official emails for other companies mixed in with the info for this user, suggesting they or others have gotten hired and have official emails at other companies.


The fake people are sometimes backed by entire teams (the article alludes to this). It’s easier to do well in your job when you’re supported by a team of people, maintaining the fiction that you’re one person.

This isn’t happening left and right. It’s an attack against specific industries, like crypto and finance. It’s one part of a broader pattern of attacks.


At last year's Falcon (the CrowdStrike-specific conference) they for the first time ever showed, live, the interviews of 3 North Koreans trying to get jobs in software engineering positions at some Fortune 500 companies. I was baffled at how every 'security' question to validate that the person is actually in the US got glossed over, like: "my ID is at my home right now, and I'm in my office so I don't have that with me".


As long as the speech pattern matches, the defenses are down. Just look at the formulaic responses of Russian bots/trolls.

"As a [role,gender,national ] posting from [country, city]..

[I agree with parent] *2 sentences .

[Actual opinion\story to push]

[Reminder on connoting nationality/location] "That's my two Eurocents on that, take it or leave it."

It's hyper fake, formulaic responses, topic tugboats, but people go and engage in good faith all the time.


I mean you see that here on HN right? People claiming that any arbitrary question is something they have no idea about, like the color of their front door.


I’m not sure I know what you mean—I’m not sure I’d want to discuss the specifics of my living environment here though. Would you have any examples handy?


If your resume says you live in NYC for example, and I do something like "Man, I went to NYC once and got stuck in traffic on that stupid highway that goes up and down the coast of Brooklyn, what was the name of that thing?" and they respond with I-278, that would raise red flags. I have never heard of anyone calling the I-278 anything but the BQE.

It's just like the bar scene in Inglorious Bastards, with the fingers. There are so many obvious tells you can have people divulge if they aren't actually telling the truth.


> If your resume says you live in NYC for example, and I do something like "Man, I went to NYC once and got stuck in traffic on that stupid highway that goes up and down the coast of Brooklyn, what was the name of that thing?" and they respond with I-278, that would raise red flags. I have never heard of anyone calling the I-278 anything but the BQE.

A counterstory: When my former boss started at the company, for the first years [!] he only "knew" very specific places (office, apartment, and one or two places associated with intensely practiced hobbies of his) in the city where the company is located, and basically lived inside the bubbles associated with these places and their surroundings.

Thus, to me it is very plausible that even if you lived in a city for many years, it is very easy to live in very isolated bubbles, and have barely any contact to people and their habits outside these bubbles.


I had a candidate who said he lived in San Francisco, so I asked him what neighborhood, and he responded "Uh, by the Golden Gate Bridge." Cool.

Later I looked more closely at the resume and saw some more red flags, like, he had a degree from "CA State University" -- like, which of the 23 CSUs bro?

We did have a couple fake people make it to the final round, the last one was cheating and still bombing -- I sent a picture to the guy who did the second-round interview like "is this the Jason Smith you interviewed?" and he said "Lol, no"


> "Man, I went to NYC once and got stuck in traffic on that stupid highway that goes up and down the coast of Brooklyn, what was the name of that thing?"

I lived in NYC for a year and I have no clue. My answer would be probably something along the line of "Haha! Yeah. Traffic is terrible in the city... or so do my friends with cars say. I for one take the subway everywhere, so no clue what you are talking about. But sounds like a pain! Hope you were not delayed too long."

> It's just like the bar scene in Inglorious Bastards, with the fingers.

The problem is that's a work of fiction. These shibboleth tests work great in fiction where the author has full control over the whole universe. Work less well in reality where "universal" signals turn out to be a lot less universal. You will have a ton of false positives and a ton of false negatives.


You would presumably be able to answer questions about the subway then.


I could answer questions about the lines I used, yes. Doesn’t mean that I studied the subway maps.

But my point is that the "everyone in X calls Y Z" kind of trivia is not a reliable way to say if someone is in X. For example, because not everyone in X is native to X. Also because many would use the proper and official name of the landmark in an interview setting.


If this harms the crypto industry even a little I'm not sure I'd feel even a twinge of sympathy. Is there anything I can do to assist NK in these affairs?


“These people (crypto industry) are bad people so it is justified to ignore the rule of law when hurting them” is a classic bad take. What you can do is regulate crypto into oblivion and make people feel bad about working in crypto.

If you assist NK, then you’re hurting crypto but you’re funding NK operations (e.g. NK soldiers assisting Russia against Ukraine).


If I don't assist NK then I'm tacitly assisting the crypto industry. We're in trolley problem territory now.


False dichotomy territory. You can assist neither of them and be happy.


Is multi-track drifting an option?


Is that so that you can take out all of the people in the problem at once?


You’re on a roll.


Cryptocurrency is just a technology to give people the means to generate assets, and transfer them, themselves. Advocating that the state's monopoly on violence be employed to prohibit people from using this technology is incredibly illiberal.

Regulation is just repression, rebranded.


I was with you until that final sentence. Regulation can be used for repression but it's also an essential part of any large scale real world system.


Why?


> Advocating that the state's monopoly on violence be employed to prohibit people from using this technology is incredibly illiberal.

I simply don't care anymore. Cryptocurrency's value is as a cultural shibboleth to identify individuals who deserve social interaction.


This is really not a constructive comment to make. This is going to ignite a flame war.


They're in control and responsible for their responses. Blaming someone else for one's anger or overreaction is indicative of abuse. "You made me lash out," is simply not a mature way to live one's life.


The moderators of hacker news expressly ask that people don't post like you just did.


It used to be only against specific industries, but now it's evolving. Now they have groups just going after remote IT jobs regardless of industry.


Beyond just the salary, once they have access to the corporate network they can execute other attacks to steal from company accounts and infiltrate connected business partners. Most organizations still have very weak protection against insider threats.


> there are talented people sitting on unemployment right now that can't find a job, yet fake people are getting hired left and right. Something in the industry as a whole is quite broken.

An entire country has dedicated significant resources to getting some of their hackers hired. Those talented people you mention are likely trying to get hired by themselves. It’s not an industry problem so much as a coordinated attack.


The whole situation makes me as a job seeker even more paranoid. I had an initial interview scheduled over video but I had a power outage and had no choice but to use my phone. It's the dumbest coincidence ever and hasn't happened again, and if it makes me look suspicious, so be it. For some reason none of my phone cameras worked with Google Meet because Google engineering sucks and the interviewer kept asking me questions why my camera was off. I answered honestly that I had a power outage and this was my only device I had available on such short notice, that Google Meet wasn't working, etc. I even talked to the hiring manager half an hour over schedule since we clicked so well, submitted my code exam but was rejected without any explanation.

Because I got no explanation the potential reasons for my rejection rolled over in my head. I finished the exam to the best of my ability - was my ability just not good enough? If I went to e.g. the library or something to hunt for a station with webcams in time would I have not come off so suspect?

Since then I've gotten no other interview offers elsewhere and feel like a moron for blowing my one chance last month over such a stupid coincidence, if it really was the case they rejected me for thinking I was some kind of corporate spy. It really was the definition of "too good to be true." I will now pay way more attention to how I appear to the interviewer from now on, and carry extra devices/webcams in case the worst happens.


I know some good folks who work in the security industry.

It seems like there's a very WIDE range of quality people / companies, and an awful lot of complete FRAUDS.

For whatever reason "security" seems to have attracted a lot of carpetbaggers.

The good folks are very sensitive about it.


Absolutely! It's probably 90/10.

Nothing gives someone away as a poser as much as bragging about OSINT as if it's some sort of tradecraft meanwhile they're executing the same skills your average wine aunt does stalking her ex-boyfriend on Facebook.


You really have to just ask dumb interview questions. Testing them on answering questions while putting their hand over their face or their hands covering their eyes now. It's really dumbified our interview processes (see https://datastream.substack.com/p/my-foolproof-interview-que...)


This sounds unnecessarily dismissive. It was a quick and interesting read, and there are some useful data points for every company that is hiring to improve their processes.


Given the stakes, it was an inexpensive way to remain calibrated against this kind of attack. Sharing the information is also great. People seem to be expecting cyber-thriller level heist antics here, when it's often much simpler.


> What bothers me more is there are talented people sitting on unemployment right now that can't find a job, yet fake people are getting hired left and right. Something in the industry as a whole is quite broken.

It IS "broken" by design as employers just don't want to go through the effort into finding great candidates (even if they are truly exceptional) and now it is even easier for candidates to cheat it thanks to AI.

The ones claiming to "fix" it aren't fixing anything and are making it worse for both the interviewer and the candidate and are just extracting money from the process.

The reality is, there is no fix.


I wouldn't necessarily say that employers don't want to put in the effort. They put in a lot of effort, but employers direct the effort towards the process rather than the results.

I've been through multiple rounds of interviews with some companies with no end in sight, as many people have. I refer to the endless number of interview rounds as an obsession with process because employers tend to think that the more they evaluate people, the better result they get, regardless of how useful the processes they subject applicants to are. I've generally found people to be going through motions more than anything else, and the additional process is just more work that is not particularly useful to evaluate the candidates. It's still a lot of effort for both the employer and applicants.

That said, I do agree wholeheartedly that they should direct their efforts more towards the result of hiring a good candidate rather than just falling back to blind devotion to some series of processes to weed people out. They should focus on getting the most meaningful bit of information at each round to eliminate the most candidates possible, kinda like a form of optimal experimental design [1] if you are familiar with that term.

[1] https://en.wikipedia.org/wiki/Optimal_experimental_design


Even at small startups, posting engineering jobs will get you hundreds of applications a day. There's simply no way for employers to fairly go through them.

LinkedIn et al make everything worse by making the application process so easy.

If you're a small company, the fix is to outsource the top of your funnel to a recruiting company you trust.

If you're a medium or large company, the fix is to require on-site work.


This isn't really a new problem. I remember back during a previous tech downturn, the small-ish (~200 people) no-name company I worked for also got hundreds of applications a day. Yes, today, fake candidates and AI make it worse, but fundamentally the "huge number of people in the top of the funnel" problem has been a thing for a long time.


I was mostly replying to this bit:

> employers just don't want to go through the effort into finding great candidate

The notion that employers can put in the effort to give every candidate a totally fair shot so they can find the best ones is, I think, wrong, let alone the notion that they could but choose not to.

At my last company, we would have needed more people doing application reviews and interviews than we actually had employees if we wanted to do that.

Hell, I remember in college applying for a stock job at the local liquor store. When I went to hand in the application, I was told to put it on the pile: a stack of filled out applications thicker than several of my textbooks put together, suspiciously placed at the edge of a desk right next to a trash can.


> There's simply no way for employers to fairly go through them.

Sure there is. Randomly sample N, filter down to M, go through preliminary interview stages. Depending on how many that leaves you with rinse and repeat.

The important thing here isn't fairness from the perspective of the applicant. It's a process that works reliably for the company and doesn't unfairly waste applicants' time.

If the very first stage (application plus resume) is no longer a reliable signal then accept that fact and rework the process to match.


Couldn't agree more. While I might not be as harsh against the blog post author, they made it seem like they were doing some high-level reconnaissance work, and at the end of the day the thing that made the NK candidate "unravel" was questions like "tell me about some restaurants in your town".

All this goes to show is that, for many companies, their hiring process for offshore employees is so sad that basic human interactions that would easily uncover blatant attempts like this are skipped.


It's a marketing blog post. I guess they feel like this gives them "street cred" for being a security firm "targeted" by a north korean and how they "strategically interacted with" that person. It's not about the employment pipeline or basic vetting.


> Something in the industry as a whole is quite broken.

The problem is that it's very difficult to assess how good someone is in their job. The solution is to promote the best engineers into management so they can vet the candidates.


The best engineers don't necessarily make good resource managers. Often it's the opposite. But good managers and recruiters will involve engineers early in the hiring process.


Dude you ain't kidding. Security is all SaaS sales now and chasing corporate buzzwords, it's not security they're selling, it's insurance and the ability to outsource blame when you get popped.

Get a new CISO? You'll probably be buying the software from the last company he worked with and spending the next 3 years installing it all over, just in time for them to declare mission accomplished, you are secure, and move on to the next square in the C-suite game of Life these dudes play. Then there's the people beneath them who want to be them, mucking up the system playing get to the C-suite and not 'secure the company' or 'build good things'.

Oh and if you've gone public your core business is probably on auto pilot with some gremlins keeping it running while your execs placate shareholders with layoffs and introducing AI.

People who actually want to do things, help people, and understand why the work needs done and is worth doing (the work that is anyway) are burnt the fuck out.


It took me worryingly long in my career (like 20 years) to realise that the CTO doesn't care if the technology solutions work, or if they're cost effective. What he cares about is not being interrupted on the golf course.

If you have a system that is down for 12 hours 3 times a year, it's fine - as long as a lot of other companies are also down. If you have one that's down for 2 hours once every 3 years, but you're the only one affected, that's terrible. Not because you're "losing sales", but because you can't bemoan a common supplier, point to "it's a global problem", and then get taken for a nice apology lunch by the account manager when your bill goes up 10% next year.


You need to keep in mind that only the dumbest people on Earth remain in the crypto space in 2025.


>Something in the industry as a whole is quite broken.

More like the whole system...


Why the condescending negativity? What would you rather they have done instead?
