Anatomy of an AI Imposter: Inside a Hiring Scam

10 minute read

Date

7/15/2026

Share

“Am I being targeted by a North Korean hacker?” 

It’s not a question most hiring managers expect to ask after a routine job interview. But that’s exactly what crossed Ilya Kroogman’s mind after interviewing a candidate for a senior software engineering role. 

As the founder of The Digital Panda, a remote-first creative agency with designers, engineers, and product people spread from Vancouver to Eastern Europe to South America, Kroogman has been hiring remotely for more than a decade. 

Conducting video interviews isn’t new to him. It’s how his company has always operated. So when a senior software engineer applied through LinkedIn for an open role, nothing about the hiring process seemed unusual.

How the call unfolded

Kroogman told GetReal Security’s Emmanuelle Saliba that he typically conducts the first round of interviews for new roles himself, especially for senior roles to make sure the candidate is the right cultural fit. 

The candidate started by telling Kroogman that he was from Poland, born and raised, but was now living in Holland. Kroogman introduced himself, mentioned he'd recently traveled to the region, and gave the applicant the floor.

For the first few exchanges, the candidate barely spoke. But asked to walk through his background, he talked for 30 to 40 seconds straight: studied at Atos, built front-end applications, moved between companies, mentored a few junior developers. And as Kroogman listened, something stopped making sense.

"Oh my God," he told Saliba during a video interview recalling the moment, "this is a Korean accent." 

Kroogman grew up in Vancouver, speaks several Asian languages, and knows the difference between an Eastern European cadence and a Korean one. By chance, his stepfather is also from Poland — where the candidate claimed to be from.

Kroogman waited a moment longer to be sure. Then he stopped the candidate mid-sentence: “Why do you have a Korean accent?”

The call ended immediately. No explanation, no follow-up, no attempt to reconnect.

Only afterward, when reviewing the recording, did the visual clues come into focus for Kroogman. The candidate's face had barely moved throughout the conversation. It held a fixed, faintly morose expression, almost no change in the underlying musculature, and a slight lag between the audio and the picture. The hair was untouched. And in retrospect, there was no photo with the candidate’s résumé or LinkedIn profile that could help Groogman match the face on the video call with the credentials submitted with the application.

The candidate was likely using a real-time face swap: software that overlays a synthetic face onto the operator’s own face in real time, while preserving their natural head movements and expressions.

The face was convincing enough that a seasoned interviewer didn't catch it, at least not initially. The accent finally gave it away, and only because Kroogman happens to have a well-trained ear.

The shadow of North Korean remote-hiring fraud

Kroogman’s encounter fits a pattern that U.S. and international authorities have been tracking and warning about for years: North Korean operatives posing as remote IT workers to secure jobs at Western companies, funnel salaries back to the regime, and increasingly, steal sensitive data and extort employers from the inside. It’s a campaign GetReal has been tracking closely.

The FBI has explicitly warned that North Korean actors hired as IT workers have been using synthetic identities and face-swapping technology during video interviews to conceal who they really are. Sometimes the identities belong to a real person whose information has been stolen and other times they are entirely fabricated.

The objective isn’t to simply land a job, but to earn a salary that can then be funneled to the North Korean regime.

The United Nations has estimated these schemes generate between $250 million and $600 million annually, with operatives active in more than 40 countries.

CrowdStrike, which tracks one of the groups behind much of this activity known as "Famous Chollima," has reported a sharp increase in infiltrations over a single 12-month period. Investigators now field roughly one related incident per day. 

The U.S. Justice Department has brought case after case. In December 2024, it indicted 14 North Korean nationals accused of generating $88 million over roughly six years. And the regime leans heavily on U.S.-based "laptop farms" — homes where a domestic accomplice hosts company-issued machines so an overseas operator appears to be logging in locally. In May 2026, two U.S. nationals were sentenced to prison for running exactly that kind of operation.

"The North Korean remote-hiring scheme isn’t a fringe scam. It's an industrialized operation,” says Tom Cross, head of threat research at GetReal Security. He’s been tracking how the North Korean threat has moved into hiring pipelines.

“These groups run synthetic personas at scale, and a real-time face swap enables a team of different operators to interview for and work on a role under a single assumed identity. The tell Kroogman noticed — an accent the mask couldn't cover — will not work forever as a method of detecting these attacks. We have already seen the use of real time tools that can change a person’s accent. As time goes on, it is becoming harder and harder for interviewers to detect these threats based on their own intuitions.”

There's another detail in Kroogman’s story that reflects the newest phase of the operation: the candidate claimed to be Polish. That's likely not random. 

As U.S. enforcement has intensified, the operation has pushed into countries across Europe. In the same CrowdStrike report referenced above, the company says they’ve found laptop farms now running in Poland and Romania, with operators taking developer jobs under stolen or fabricated European identities and having equipment shipped to those farms. 

The interview is now the intrusion vector

For decades, recruiters and hiring managers sat outside the security perimeter. Their job was to evaluate talent, not be investigators who need to verify identities. 

That's no longer true. 

Today, the job interview has become a live, high-value entry point, and the people staffing it were never trained, equipped, or asked to treat it as one.

"The job interview has quietly become one of the most exposed surfaces in the enterprise,” says Matt Moynahan, GetReal Security CEO and cybersecurity veteran of over 30 years. 

“Recruiters and hiring managers were never asked to be the security perimeter, but that's exactly where they now sit. Organizations have to start treating the identity of the person in a live interaction as something you verify, not something you assume. The days of implicit trust are over."

What organizations can do

Kroogman was candid that he got a little lucky. His ear for accents caught something the technology couldn’t hide. Most interviewers might not have that advantage — and even if they did, tools will eventually be in place that mask accents and voices as well.

But there are some concrete, low-cost habits that recruiters and those working in talent acquisition can keep in mind, several of them straight from the FBI's guidance:

  • Ask specific, verifiable personal questions. Where did you go to school? Who was your manager? What's their name? Can I call them? Fabricated histories tend to fall apart under deeper inspection and follow-up.
  • Use the in-person test. Mention that final-round interviews are conducted in person and that you'll fly the candidate out. Genuine applicants engage; operatives who can never meet in person tend to lose interest fast.
  • Cross-check the paper trail. Reused phone numbers and email addresses across "different" applicants, missing photos, résumé typos, and timelines that don't add up (a 22-year-old with a decade of senior experience, for example) are all documented red flags.

But the deeper lesson is the one Kroogman’s interview illustrates almost perfectly: the face fooled a professional, and the only thing that prevented the hire was an inconsistency that had nothing to do with the video itself — the kind of clue that may not exist next time.  

Another supposed tell that goes viral every so often on social media is a faceswap check where the operator is asked to move their hand in front of their face. In the past, this would break the filter, meaning imposters either sign off or their mask is exposed. But, as we’ve discussed before at GetReal, this isn’t reliable anymore as faceswap technology continues to improve rapidly.

The bottom line is that no single check is enough. This is why both the FBI and independent researchers recommend the same thing: a layered defense, where a failure at one step gets caught at another. 

That means detection technology, results wrapped in context and intelligence, and historical evidence that can be referenced when an incident occurs.

That’s why we focus on forensic-grade evidence and explainable results at GetReal.

The shift toward a new trust infrastructure 

"For most of my career, a trained eye could catch a manipulated face. That era is ending,” says Dr. Hany Farid, co-founder of GetReal Security and a pioneer in digital forensics and synthetic media detection. 

“What's telling about this case is that a sharp interviewer nearly missed it, and the giveaway wasn't the face at all. You cannot ask people to be the last line of defense against synthetic media. That job has to be done with technology built specifically for it."

That's the shift we think matters most at GetReal. Perceiving whether the person on a video call is real, or is who they say they are, is no longer a reliable human skill. The durable answer is to verify identity continuously and in real time with purpose-built detection layered into the live interaction itself, not bolted on afterward. 

Recruiters shouldn't have to be forensic analysts. They should be able to have trust in the voices and faces on the other side of the screen. And they deserve the infrastructure and tech stack to do so.

Kroogman put it plainly at the end of his conversation with Emmanuelle: there are a lot of leaky holes in non-sophisticated hiring processes. The more people at the hiring and executive level who know that, he said, the better off everyone will be.

He's right. Restoring trust in what's real and who’s on the other side of the screen starts with recognizing where it's already broken.

Written byJames Kerley, Head of Digital Communication & Emmanuelle Saliba, Head of Investigations

This was originally published on the GetReal Security Newsroom. Subscribe to receive insights, investigations, and deep dive into the world of AI deception.

See what "no compromise" looks like on a live call.

Schedule a demo of GetReal Protect