Extending GitLab’s Findings: What Hiring Telemetry from Pulse for Meetings Reveals

Sarosh Shahbuddin

Senior Director, Product Management • February 25, 2026 (UPDATED ON February 25, 2026)

CONTRIBUTORS

Katelyn Halbert, Senior Talent Partner

Last Friday, GitLab’s Threat Intelligence Team published a report on North Korean tradecraft, or how DPRK-aligned threat actors use “Contagious Interview” and fake IT worker scams to spread malware and generate revenue for the sanctioned nation. The report offers one of the clearest public views into North Korean IT worker operations: structured revenue tracking, synthetic identity pipelines, VPN infrastructure, and facilitator-based laptop hosting.

Their case study findings show:

  • Financial records from an IT worker cell: Fake personas generated $1M+ in revenue from 2022 to 2025
  • Mass creation of synthetic identities: 100+ fake personas with professional connections and networks that seem real
  • One worker with 21 unique personas: A web of fake identities going back to one nation-state actor
  • Operating from Russia: One North Korean IT worker worked for U.S. organizations while located in Moscow, Russia

These are elaborate and strategic attacks designed to exploit a new entry point for enterprises.

After reviewing their findings, we examined confirmed fraudulent applicants across a number of engineering roles and compared those cases against broader suspicious activity observed in our hiring telemetry.

The goal here is to document measurable, repeatable patterns, demonstrating that it is no longer sufficient to rely solely on deepfake detection.

Pindrop Research: Fraud runs rampant in job applicant pools

GitLab’s research mirrors what Pindrop found in our own hiring pipeline, which included DPRK-affiliated applicants. Our analysis showed:

  • 1 in 6 applicants exhibited clear signs of fraud
  • 1 in 343 applicants were linked to North Korea
  • 1 in 4 North Korean applicants used a deepfake during a live interview

Device telemetry

Across all confirmed fraudulent applicants who booked an interview, operating system distribution differed materially from baseline applicant traffic. In legitimate applicant traffic, modern operating systems dominate. Here, not a single confirmed case originated from a current-generation OS.

| Operating System | Confirmed Fraud Cases (%) |
| --- | --- |
| Windows 10 (2015) | 59% |
| macOS 10.15 Catalina (2019) | 31% |
| Linux | 9% |
| Windows 11 (2021) | 0% |
| macOS 13+ | 0% |

The complete absence of modern systems across confirmed cases is consistent with centralized device pools, reused hardware, or virtualized environments rather than independently maintained personal machines.

Geography & network characteristics

Network signals tell a similar story. Most confirmed fraudulent sessions appeared to be domestic by IP address.

| IP Characteristic | Percentage |
| --- | --- |
| VPN usage detected | 29.6% |
| Non-U.S. IP origin | 41% |
| U.S. IP origin | 59% |

GitLab documented facilitator-based laptop hosting and in-country device access. This model may help explain why 59% of confirmed fraudulent sessions in our dataset originated from U.S. IP addresses. If a device is physically located in the U.S. but remotely operated, however, IP geolocation reflects the device’s location, not necessarily the operator’s.

At the same time, 41% of confirmed fraudulent applicants connected from non-U.S. IP addresses. We predominantly hire within the United States, and interviews that originate outside the U.S. are flagged within Pindrop Pulse for Meetings for additional review.

VPN usage presents a different question. Approximately 29.6% of confirmed fraudulent applicants were using VPNs. In a subsequent review, we will compare VPN usage rates against non-fraudulent interview cohorts to determine whether the delta is statistically meaningful. We do not automatically escalate risk based solely on VPN presence since many legitimate candidates use commercial VPN services.

However, certain VPN services do trigger elevated scrutiny, particularly when the associated IP address or ASN matches known indicators of compromise (e.g., public IOC lists such as those maintained by Mandiant).
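One way to run the planned VPN comparison, shown as an added example rather than Pindrop's own analysis: a one-sided Fisher's exact test, which suits a small confirmed-fraud cohort. The function name and all counts are assumptions; the counts are constructed so the fraud-cohort rate matches the 29.6% reported above, and the baseline counts are invented for illustration.

```python
from math import comb

def fisher_one_sided(vpn_fraud, n_fraud, vpn_base, n_base):
    """Probability of seeing at least `vpn_fraud` VPN users in the fraud
    cohort if VPN use were unrelated to fraud (hypergeometric upper tail,
    with cohort sizes and the total VPN count held fixed)."""
    total = n_fraud + n_base
    vpn_total = vpn_fraud + vpn_base
    upper = min(n_fraud, vpn_total)
    tail = sum(
        comb(vpn_total, k) * comb(total - vpn_total, n_fraud - k)
        for k in range(vpn_fraud, upper + 1)
    )
    return tail / comb(total, n_fraud)

def vpn_delta(vpn_fraud, n_fraud, vpn_base, n_base):
    """Return both VPN rates, their difference, and the one-sided p-value."""
    fraud_rate = vpn_fraud / n_fraud
    base_rate = vpn_base / n_base
    return {
        "fraud_rate": fraud_rate,
        "base_rate": base_rate,
        "delta": fraud_rate - base_rate,
        "p_value": fisher_one_sided(vpn_fraud, n_fraud, vpn_base, n_base),
    }

if __name__ == "__main__":
    # Constructed counts: 8 of 27 fraud sessions on VPN (29.6%),
    # 30 of 300 baseline sessions on VPN (10%). Not real data.
    result = vpn_delta(8, 27, 30, 300)
    for name, value in result.items():
        print(f"{name}: {value:.4f}")
```

A small p-value only says the rates differ between cohorts; it does not make VPN presence a sufficient signal on its own, which is consistent with the escalation policy described above.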

If we group confirmed fraud cases by geography, we see:

| Country / Region | Percentage |
| --- | --- |
| United States | 59% |
| South / Central Asia | 33% |
| Sub-Saharan Africa | 4% |
| Russia | 4% |

GitLab’s report includes geography in a different form than our dataset. Their write-up ties specific clusters to assessed operating locations (for example, activities they associated with Moscow and Beijing) and separately documents facilitator recruitment in the U.S. and U.K. to host laptops for remote access. There is directional overlap: we see a non-trivial share of confirmed cases originating from U.S. IP space alongside a smaller cluster from Russia.

Ultimately, geography remains a valid control when candidates drift from expected hiring regions, regardless of whether they’re tied to DPRK activity.

Email patterns

GitLab also revealed, “Threat actors created accounts using Gmail email addresses in almost 90% of cases. We observed custom email domains in only five cases, all relating to organizations we assess are likely front companies controlled by North Korean threat actors.”

In the appendix of GitLab’s report, we noticed developer-themed email address patterns appearing repeatedly in the account list associated with their observed activity. Within that dataset:

| Email Pattern | Count (GitLab) |
| --- | --- |
| Contains “dev” | 26 |
| Contains “work” | 10 |
| Contains “code” | 1 |

After reviewing that breakdown, we applied the same lens to our own suspicious cohort (1,433 flagged resumes).

Within that group:

| Username Pattern | Count (Our Data) |
| --- | --- |
| Contains “dev” | 137 |
| Contains “work” | 40 |
| Contains “code” | 13 |
| Contains “tech” | 27 |

GitLab’s appendix shows repeated keyword patterns across attributed accounts. In our dataset, those same keywords appear at materially higher frequency within a suspicious cohort. GitLab also noted that roughly 90% of accounts tied to their observed activity used Gmail email addresses. This is exactly the same distribution we saw in our suspicious cohort.

Synthetic identity construction

One of my favorite callouts from the GitLab research is the identity fabrication workflow they discovered (summarized below).

| Stage | Technique |
| --- | --- |
| Image Collection | Scraping photos from social media and AI image generators |
| Face Manipulation | Using faceswapper.ai to generate identity-document-style headshots |
| Document Creation | Generating passports via VerifTools |
| Watermark Removal | Automated Photoshop (.atn) routine to remove VerifTools watermarks |
| Account Creation | Creating email and professional networking accounts |

The primary detail that stood out was that the fabricated passports were used operationally. GitLab documented that fake passports were used to obtain enhanced identity verification on professional networking platforms. We’ve noticed this in at least two cases where the candidate matched at least one other indicator for a North Korean IT worker (e.g., IP address, email address, or phone number).

This was the first time we’ve seen deepfakes pass the document verification process.

From one suspicious node to a cluster

Once an applicant is confirmed fraudulent, we extract the available attributes (emails, phone numbers, resume templates, GitHub repositories, project descriptions, and profile images) and build a relational graph across historical applicants.

Image: Pindrop research exposes an interconnected web of suspected shell companies and fraudulent job applicants.

In one instance, pivoting from a single confirmed case surfaced 23 additional suspicious applicants dating back to 2023. The overlaps were structural:

| Attribute Type | Observed Pattern |
| --- | --- |
| Resumes | Identical resumes with different names |
| Employers | Obscure companies appearing repeatedly |
| GitHub | Reused or swapped repositories |
| Contact Data | Overlapping phone numbers or email structures |

The connections were not obvious during resume review. They emerged only after graph expansion. A confirmed identity becomes a pivot node. Shared artifacts define the cluster boundary.
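The pivot-and-expand step described above, as an added sketch that is not Pindrop's implementation: applicants are linked through shared artifacts, and a breadth-first walk from the confirmed case records which artifact pulled each applicant into the cluster. The record fields, applicant IDs, values and the `max_degree` cutoff are assumptions; the cutoff skips artifacts shared by many applicants (a large, common employer, for example) so they do not merge unrelated people into the cluster.

```python
from collections import defaultdict, deque

# Constructed applicant records, not real data. IDs, field names and values
# are assumptions made for this example.
APPLICANTS = {
    "A1": {"phone": "555-0100", "resume": "tmpl-7f", "github": "octo/shop-api", "employer": "Nimbus Labs"},
    "A2": {"phone": "555-0100", "resume": "tmpl-22", "github": "kit/todo", "employer": "Acme Corp"},
    "A3": {"phone": "555-0133", "resume": "tmpl-7f", "github": "dev9/chat", "employer": "Acme Corp"},
    "A4": {"phone": "555-0177", "resume": "tmpl-90", "github": "dev9/chat", "employer": "Acme Corp"},
    "A5": {"phone": "555-0199", "resume": "tmpl-41", "github": "zed/blog", "employer": "Acme Corp"},
    "A6": {"phone": "555-0142", "resume": "tmpl-58", "github": "amy/cli", "employer": "Acme Corp"},
}

def build_index(records):
    """Map each (attribute, normalized value) artifact to its applicants."""
    index = defaultdict(set)
    for applicant, attrs in records.items():
        for key, value in attrs.items():
            if value:
                index[(key, value.strip().lower())].add(applicant)
    return index

def expand_cluster(records, seed, max_degree=3):
    """Breadth-first expansion from a confirmed case (the pivot node).

    Returns {applicant: (hops_from_seed, linking_artifact)}. Artifacts held
    by more than `max_degree` applicants are treated as too common to link on.
    """
    index = build_index(records)
    found = {seed: (0, None)}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        hop = found[current][0]
        for key, value in sorted(records[current].items()):
            if not value:
                continue
            artifact = (key, value.strip().lower())
            holders = index[artifact]
            if len(holders) > max_degree:
                continue  # too widely shared to define a cluster boundary
            for other in sorted(holders):
                if other not in found:
                    found[other] = (hop + 1, artifact)
                    queue.append(other)
    return found

if __name__ == "__main__":
    for applicant, (hop, via) in expand_cluster(APPLICANTS, "A1").items():
        print(applicant, hop, via)
```

In this constructed data, A4 shares nothing directly with the confirmed case A1 and is reached only at the second hop through A3, which is the kind of link that resume review alone would not surface.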

Beyond deepfakes: What hiring telemetry actually shows

GitLab documented the structured backend of persona cultivation. Hiring telemetry exposes the operational artifacts that support that structure.

Individually, the signals are subtle. Correlated across device, network, resume artifacts, and cluster expansion, they are not.

When we originally built Pulse for Meetings, the focus was on detecting emerging deepfake fraud in audio and video. What we have learned mirrors what we see in contact centers: AI-generated media is only a small percentage of overall impersonation activity.

Most confirmed cases surface through other patterns and correlated signals, not synthetic video manipulation alone. Detection systems, therefore, need to capture broad operational telemetry, not just deepfake artifacts.

For organizations evaluating their own remote hiring processes, understanding what signals are available during interviews is a practical starting point.

Request a demo to learn more about how Pulse for Meetings surfaces AI-use and other risk signals in real time.