Important note: the bad actor was not successful in gaining access to any c/side systems. This blog post serves purely as a warning to other startup founders and employers.
When hiring for a Senior full-stack engineer, we got quite excited when we quickly received a couple of hundred resumes that looked promising.
I spent a few hours selecting relevant profiles and sent them an assessment through Coderbyte. A number of candidates returned the homework task quickly, and the results were decent, so we moved forward to an interview to discuss the code that was written.
When joining the call, a few things caught my attention.
- The candidate in question had a made-up-sounding, stereotypically American name, “Tommy Jackson” style.
- The candidate had background noise similar to a call center.
- The candidate’s English was garbage and they showed clear ethnic characteristics of Korean nationality.
- The candidate gave very scripted sounding answers to questions.
Having learnt about unconscious bias during recruiting, I thought it was nothing. But after having 3-4 near-identical conversations, I got curious, so I sent those candidates through identity verification with a 3rd-party service and was surprised to learn that they passed.
So I checked with a fellow founder about what this was. Quickly after, information was shared about companies like KnowBe4 having hired these people and facing immediate, severe consequences.
You’d expect North Korean attempts to infiltrate companies to be common knowledge, but that was not the case.
What we faced were organised and deeply professional attempts to infiltrate our business.
So I got in touch with a fellow ex-founder, Bobbie Johnson, to dig a lot deeper into this operation and find a way to make this more common knowledge. Today, the full Wired article was released, going into great detail on the local operations of the scam.
During the process of hiring, as a solo founder, I grew increasingly frustrated with the amount of time wasted on screening resumes to filter out North Korean actors, so I tried a couple of things.
First, I asked our friend Feross at Socket if I could borrow his AnnoyingSite project to annoy the North Korean actors and incentivise them to apply elsewhere instead. We did, and it mildly amused me; check the “take home assessment” here. This didn’t help though…
And then it clicked: I run a client-side security company. So naturally, I should use our client-side intelligence to find patterns and filter out this noise at the source.
So today, we are announcing our applicant fraud detection service as an early closed BETA, allowing startup founders and recruiters to dedicate their time to screening the resumes of legitimate candidates. Read more here.