Research from Gartner® highlights employee onboarding as part of the attack surface
KnowBe4 hired a North Korean threat actor.
The cybersecurity training company conducted four video interviews, ran background checks, verified references, and sent the new hire a company laptop. Within 25 minutes of receiving it, the device started loading malware.
The latest Gartner CISO Edge research opens with this assessment:
"Businesses have inadvertently hired people from OFAC-sanctioned countries such as North Korea. CISOs must collaborate with CHROs to put appropriate safeguards in place to prevent bad actors walking through the front door and stealing intellectual property or carrying out cybersecurity attacks."
This is a coordinated, state-sponsored operation happening at scale, not an isolated incident.
The common denominator is a lack of identity verification early on in the hiring process, long before onboarding happens.
The scale of the problem
Gartner's Strategic Planning Assumption in the report states:
"By 2028, one in four candidate profiles worldwide will be fake."
That planning assumption reflects what security teams are already seeing.
The FBI has issued formal warnings about North Korean IT workers who use stolen identities and deepfakes to infiltrate U.S. businesses. Amazon blocked more than 1,800 suspected North Korean job applications between April 2024 and December 2025, and KnowBe4 admitted publicly that it hired one.
What are nation-state actors?
Nation-state actors are highly sophisticated, government-backed cyber threat groups. Unlike independent hackers driven by personal profit, these operatives are funded by hostile nations to steal intellectual property, disrupt critical infrastructure, or generate illicit revenue to bypass international sanctions and fund state programs.
How the attacks work
These operatives use stolen identities, fabricated documents, and AI-enhanced photos to pass background checks. During video interviews, they deploy deepfake technology to obscure their true identities.
Once hired, their goals are straightforward:
Steal intellectual property and proprietary source code
Plant ransomware or establish persistent backdoors
Funnel salaries back to sanctioned regimes to fund weapons programs
The infrastructure supporting these schemes is sophisticated. Operatives work with U.S.-based facilitators who run "laptop farms," physical locations where company-issued devices are hosted and accessed remotely. The workers VPN in from North Korea or China, working night shifts to appear as though they are logging in during U.S. business hours.
Why this landed on the CISO's desk
For years, hiring fraud was an HR compliance problem. Candidates inflated their credentials, resumes contained exaggerations, and background checks caught most of it. That model no longer works.
The moment a fraudulent hire receives credentials and access, they are inside the perimeter. Traditional security controls are designed to detect external threats, not credentialed insiders who were hired through normal processes.
Gartner outlines four required CISO actions:
"Collaborate with CHRO counterparts to understand how the recruitment process is structured today and where there is scope for improved risk mitigation…Encourage the HR team to deter attackers by explicitly communicating verification requirements and integrity expectations throughout the recruitment process…Deploy detection and prevention capabilities, such as automated identity verification and assessment of contextual risk signals, at different stages in the recruitment process such as at the interview or offer stage…Extend your insider risk monitoring program to monitor all new employees specifically to detect possible suspicious activity such as installation of unauthorized remote access tools or abrupt changes of location."
What bad actors can do once inside is significant. They can move laterally across networks, exfiltrate sensitive data, and establish footholds for future attacks. In some cases, they have remained undetected for months or even years.
The CISO-CHRO collaboration gap is real; HR teams aren’t trained to detect nation-state tradecraft, and security teams aren’t embedded in the hiring process.
The result is a structural blind spot that sophisticated actors are exploiting at scale.
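Gartner's fourth action above (monitor new employees for unauthorized remote access tools and abrupt changes of location) and the laptop-farm pattern described earlier (a company laptop that stays in the U.S. while the worker connects from abroad) can both be prototyped as a small triage pass over endpoint and sign-in logs. The following is an added example, not code from 1Kosmos, Gartner or the article; the log schema, the 30-day monitoring window, the 12-hour travel threshold and the remote-access tool watchlist are assumptions, and the events are constructed.

```python
"""Flag suspicious new-hire activity: remote-access tool installs and abrupt
country changes between sign-ins (assumed log schema, constructed data)."""
from datetime import datetime, timedelta

# Assumed watchlist of remote-access tool process names; tune to your environment.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
NEW_HIRE_WINDOW = timedelta(days=30)   # heightened monitoring for the first 30 days
MIN_TRAVEL_GAP = timedelta(hours=12)   # country change faster than this is suspicious


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_new_hire(start_date, events):
    """events: list of (iso_utc_timestamp, event_type, detail) where event_type is
    'login' (detail = sign-in country code) or 'install' (detail = process name).
    Returns a list of (timestamp, reason) alerts in event order."""
    start = parse_ts(start_date)
    alerts = []
    last_login = None  # (timestamp, country) of the previous sign-in
    for ts_str, kind, detail in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_str)
        if ts - start > NEW_HIRE_WINDOW:
            break  # past the new-hire window; hand off to normal insider-risk monitoring
        if kind == "install" and detail.lower() in REMOTE_ACCESS_TOOLS:
            alerts.append((ts_str, f"remote access tool installed: {detail}"))
        elif kind == "login":
            if last_login and last_login[1] != detail and ts - last_login[0] < MIN_TRAVEL_GAP:
                gap = ts - last_login[0]
                alerts.append((ts_str, f"location changed {last_login[1]}->{detail} within {gap}"))
            last_login = (ts, detail)
    return alerts


# Constructed sample for a hypothetical hire starting 2025-06-02 (not from the article).
SAMPLE_EVENTS = [
    ("2025-06-02T13:05:00Z", "login", "US"),
    ("2025-06-02T13:30:00Z", "install", "AnyDesk.exe"),
    ("2025-06-02T21:40:00Z", "login", "CN"),
    ("2025-06-03T13:00:00Z", "login", "US"),
    ("2025-07-15T13:00:00Z", "install", "TeamViewer.exe"),  # after the window: ignored
]

if __name__ == "__main__":
    for ts, reason in flag_new_hire("2025-06-02T00:00:00Z", SAMPLE_EVENTS):
        print(ts, reason)
```

In practice the country field would come from the VPN or identity provider's sign-in log and the install events from EDR telemetry, and alerts would be routed to the insider-risk queue rather than printed.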
What we’re seeing
At 1Kosmos, we work with organizations deploying identity verification during the hiring process. The sophistication of fraud attempts has escalated sharply over the past 18 months.
We're seeing AI-generated profile images that pass visual inspection and fabricated government-issued IDs that mimic authentic documents down to the hologram placement, alongside candidates who can answer soft interview questions fluently but whose biometric data does not match the identity they claim.
These attackers are clearly not amateurs. They’re trained, well-resourced, and operating with state backing. The tools they use are commercially available, the identities they steal are real, and the threat is not theoretical.
Closing the gap
On the role of early-stage deterrence, Gartner writes:
"The goal here is to have attackers self-select out, go elsewhere, and not waste their time in applying for a role with you."
On where to place the minimum bar for verification, the report states:
"At an absolute minimum, from a cybersecurity perspective, identity verification should be carried out in the Hire phases at the point of bestowing credentials and access, to ensure that the person now receiving credentials to access systems is the correct person. However, it could also be carried out at the point of offer acceptance in the Select phase, and also further upstream during hiring manager interviews in the Assess phase, subject to local regulatory constraints."
Get the full Gartner CISO Edge report to see their framework for addressing employee onboarding as an attack surface.
Sources
Aliieva, E. (2025, December 23). Amazon blocks 1,800 job applications from suspected North Korean agents. BBC News. https://www.bbc.com/news/articles/c3e0kw80wwzo
FBI. (2025, January 23). North Korean IT Workers Conducting Data Extortion. Federal Bureau of Investigation. https://www.fbi.gov/investigate/cyber/alerts/2025/north-korean-it-workers-conducting-data-extortion
Khan, A., & Chiba, E. (2026, February 2). CISO Edge: Employee Onboarding Is Now Part of the Attack Surface. Gartner.
Gartner, CISO Edge: Employee Onboarding Is Now Part of the Attack Surface, By Akif Khan, Emi Chiba, 3 February 2026. Gartner is a trademark of Gartner, Inc. and/or its affiliates. Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.
KnowBe4. (2024, July 23). How a North Korean Fake IT Worker Tried to Infiltrate Us. https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us
FAQs
How are groups like DPRK infiltrating the employee onboarding process?
North Korean operatives are using stolen identities, fabricated documents, and deepfake technology to bypass standard background checks and ace video interviews. They frequently collaborate with domestic facilitators who manage "laptop farms," allowing remote workers to VPN into corporate networks while appearing to work locally.
How does identity verification address employee onboarding fraud?
Identity verification stops fraud by requiring candidates to prove they are who they claim to be before receiving corporate credentials. By combining government document authentication with live biometric matching, organizations can definitively catch deepfakes and stolen identities that easily slip past traditional background checks.
About the author
Rohan Pinto
Co-founder of 1Kosmos
Rohan is the co-founder of 1Kosmos. He is a go-to security and identity management expert and the founder of several businesses that have made considerable advancements in blockchain and identity management.