Dear Decision Maker,

Right now, someone on your payroll might be funding a ballistic missile.

You interviewed them. You liked them. You checked the references and shipped them a laptop.

They have written clean code for you ever since.

They join the stand-ups. They say good morning in Slack.

They are also sitting in Pyongyang, working under a stolen identity, wiring a slice of that salary home to a weapons programme.

This is not a hypothetical. Roughly 3,000 to 10,000 North Korean IT workers are deployed abroad, part of a wider operative network estimated north of 100,000, and a growing share of them are now sitting inside Western companies.

Not trying to get in. In.

Nearly every Fortune 500 has hired at least one, and they pull 300,000 dollars a year, often across three or four jobs at once.

And your HR department has no idea how to catch them.

I want to talk about this today because it is the cleanest example I have seen in years of a national security problem wearing an HR costume. And almost nobody is treating it as what it actually is.

What they are not telling you

The story gets told as a cybersecurity issue.

1. Firewalls
2. Endpoint detection
3. Zero trust architecture

That framing is comforting and it is wrong.

This is not a breach. Nobody picked a lock. You opened the door, signed an offer letter, and shipped them a laptop.

The DPRK did not need a single operative to cross a border. They used the exact same hiring pipeline you built to reach global talent.

Think about how elegant that is.

The remote work revolution was sold to all of us as access:

Founders loved it. I loved it.

But the same pipeline that lets you hire a brilliant developer in Lagos or Lahore lets a North Korean operative in Pyongyang apply through a stolen American identity, interview over a deepfaked video feed, and pass your technical screen with room to spare.

Because here is the uncomfortable truth. They can code. That was never the question.

The tradecraft is now AI-enhanced and frankly impressive.

Stolen identities cleaned up with generative tools. LinkedIn profiles with years of fabricated history and a respectable network. Interview footage that has been deepfaked in real time.

And on the American side, a network of facilitators running "laptop farms," racks of company-issued machines in someone's spare bedroom, so the worker in Pyongyang looks like they are logging in from Phoenix.

That is not a hacker. That is a cover identity. A legend.

The intelligence world has a word for all of this, and it is not "candidate."

The gap nobody is vetting

For decades, the background check answered a simple question:

It was built for a world where employees walked through a door, showed a face, and stayed in one time zone.

It checks the resume. It does not check reality.

In a remote-first world, that leaves a gap. The gap sits between two very different questions.

Can this person code?

And: is this person real?

Your engineering interview is brilliant at the first question. It is completely blind to the second.

We have spent fifteen years building hiring funnels that optimise for skill and assume identity. The adversary read the manual and walked straight through the assumption.

So let me say the thing plainly.

It is the same discipline an intelligence service uses to decide whether the asset across the table is who they claim to be, or a fabrication built to get inside. We just refuse to call it that, because calling it HR keeps it cheap and keeps it junior.

Why this lands on the founder

If you hire remote developers internationally, you are exposed.

Not in theory. In law.

Those salaries are sanctions territory. Under OFAC, unknowingly paying a DPRK worker can still trigger federal enforcement against your company. "We did not know" is not the shield people assume it is. The vetting was your job.

But strip the compliance risk away and something larger remains. Who is actually inside your systems right now. And if one of them were not who they claimed to be, how would you know.

Most founders cannot answer that. They can tell me their cloud spend to the dollar and their test coverage to the percentage point. Ask them to prove the human behind a key commit is a real person living where their tax forms say, and the room goes quiet.

We have all internalised that due diligence on the code matters.

Due diligence on the people writing it now matters just as much. Possibly more. Code does not wire its paycheck to a weapons programme.

How you actually catch it

Here is where it stops being abstract, because the skills that catch a fabricated legend are the same skills that catch a fabricated LinkedIn profile.

This is HUMINT. Old discipline, new battlefield.

A few things our HUMINT Fundamentals work teaches that map directly onto this problem:

• Identity verification as tradecraft. Intelligence officers spend careers learning how cover identities are built, and therefore where they crack. A legend is always thinner than a real life. You learn to pull the thread: the inconsistency in the timeline, the reference who only exists online, the "hometown" they cannot describe like someone who grew up there.
• Elicitation in the interview. Stop interrogating. Start eliciting. Open questions, the life-story approach, the small unscripted detour that a coached operative cannot rehearse. A real engineer lights up about the messy project that nearly broke them. A legend gives you a clean answer and changes the subject.
• Reading the tells. The reluctance to turn the camera on. The audio lag that does not match the city they claim. The request to ship the laptop somewhere other than the address on the ID. None of this is exotic. It is pattern recognition, and it can be taught.

The professionals who keep adversaries out of nation states already know how to do this. The question is whether your hiring process borrows even a fraction of that discipline, or whether it is still asking "can they code" and calling it a day.

Information costs money. Intelligence makes money. And in this case, intelligence is the difference between a great hire and a federal subpoena.

So this week, one question for your leadership team: of the people with access to your most important systems, how many have you actually verified are real. Not screened. Verified.

If you cannot answer that quickly, you already have your project for Monday.

Ahmed Hassan​
CEO Grey Dynamics
​Where headlines end, ground truth begins

PS: Catching this is a trainable skill. We teach it.

Everything I described above, spotting a thin legend, eliciting the truth in an interview, reading the tells most hiring managers miss, comes from one discipline: HUMINT.

Our HUMINT Fundamentals course is built and taught by Raymond White, a 27-year CIA Senior Operations Officer who designed the Agency's largest training programme for new case officers. He spent a career deciding whether the person across the table was real. The same instinct that flags a fabricated cover identity flags a fabricated LinkedIn profile.

If your team hires remote, this is not a nice-to-have. It is the cheapest insurance you will buy this year.

→ Learn the tradecraft: HUMINT Fundamentals​

Articles and Guides Read More

Read More

Read More

Read More

Intelligence Analysis Read More

Read More