For years, companies focused on keeping attackers out by investing in firewalls, endpoint protection, and email security.
That model is no longer sufficient.
Attackers are finding ways to enter organizations through legitimate channels. One of the most concerning developments is the use of AI-generated identities to pass hiring processes.
Deepfake personas and synthetic profiles are turning recruitment into a potential entry point for cyber attacks. Evidence from multiple security reports shows that this is no longer theoretical.
The actors behind this activity include state-backed groups, organized cybercrime networks, and fraud operations using AI to scale their efforts.
According to Microsoft Threat Intelligence, there has been a rise in candidates using fake or stolen identities to infiltrate organizations through hiring processes.
Some of the most documented cases involve North Korean-linked operations, including groups such as Jasper Sleet, which have used deepfakes, voice manipulation, and fabricated identities to secure employment.
Their objective is not to bypass systems from the outside, but to gain legitimate access from within.
Once hired, they operate with valid credentials, reducing the need for traditional intrusion techniques.
This approach relies on exploiting trust in hiring processes rather than technical vulnerabilities.
Attackers use deepfake video techniques to pass interviews, sometimes combining generated faces with controlled movements to reduce detection. Voice manipulation tools allow them to mask accents or modify speech in real time.
They also build synthetic identities using fabricated resumes, stolen personal data, and professional profiles that appear consistent across platforms.
AI is often used during interviews to generate answers in real time and support technical discussions. In some cases, it continues to assist after hiring, helping maintain credibility in day-to-day work.
According to Microsoft, AI acts as a force multiplier, allowing these operations to scale while making detection more difficult.
This activity has already led to real-world impact.
Investigations and reports indicate that hundreds of companies have unknowingly hired individuals operating under false identities, particularly in the context of North Korean remote worker schemes.
Security firms such as Huntress have documented cases where attackers impersonated IT professionals, gained employment, and used that access for data theft or extortion.
These incidents are most commonly observed in remote roles, especially in technical positions where access to systems and data is required.
This is not limited to hiring fraud. It represents a shift in how attackers gain entry into organizations.
Once inside, an attacker can access internal systems, escalate privileges, and move across the environment. This creates the conditions for more serious attacks, including data exfiltration and malware deployment.
This makes deepfake hiring comparable to other initial access vectors such as phishing or credential theft, with one key difference. The access appears legitimate from the start.
Traditional hiring checks are not designed to detect AI-driven deception at scale.
Organizations need to treat hiring as part of their security model. Identity verification should be strengthened, with consistency checks across multiple sources and platforms.
Access should be limited by default, especially for new employees, following Zero Trust principles. Monitoring should continue after hiring, with a focus on detecting behavioral anomalies rather than relying solely on credentials.
Incorporating threat intelligence can also help identify risk signals earlier in the process.
Deepfake-driven hiring attacks highlight a broader shift in cybersecurity.
The boundary of the organization is no longer defined only by networks or systems. It increasingly depends on identity and trust.
This changes how risk should be evaluated.
At Defendis, the focus is on identifying threats beyond traditional perimeters, monitoring identity exposure, and strengthening proactive defense strategies.
