Ok, so a little bit of context — my vanilla day job is ‘Head of Ops & Compliance’ for a specialist IT recruitment firm operating out of the UK, I have been doing this job for YEARS and the same job at another IT recruitment company before this one, also for years. The Offensive Security stuff I dabble in is more a deep personal interest but, one that also has a bit of crossover into my vanilla job, with aspects of security for the business falling under my remit.
We work with a large and diverse range of Public and Private sector clients throughout the UK, Europe and a bit in the US. We’re honest, we know our sh*t, and we work hard, which over the last twenty years of the business trading has afforded us a level of respect as a small but successful consultancy in the tech space, resulting in the earning of places on various Crown Commercial Frameworks, Public Sector Resourcing Frameworks, and an untold amount of PSLs etc. I guess I’m trying briefly to demonstrate that we’re not some backstreet set up of rogues. We’re passionate and we give a fxck.
An unusual set of findings uncovered during a very recent (as in yesterday) vetting process of a contractor that was destined for a public sector organisation with a significant amount of data and information assets under their control, I feel are worthy of sharing for awareness purposes given the ongoing wider conversations happening both in and out of the tech community relating to the rise in fake candidates and whispers of such activities being North Korea related.
Here is the low down; Apologies for the terrible formatting.
On Wednesday 30th July we were approached by a candidate with his CV who suggested that a [named] person at our client’s organisation had referred him to us for this role specifically (not unusual in itself, we get a lot of referrals, but I did not know this detail about this case till this morning, instant red flag on learning this, the named person did not in fact refer him (I checked), he socially engineered that aspect to get a foot in our door).
A Senior Managing Consultant with more than 15 years IT recruitment experience undertook the initial screening, candidate passed this — was able to answer all questions accurately and with confidence etc. The consultant submitted CV to client. Client reviewed the CV, offered an interview, for the following day/PM.
Important note here that I feel is of relevance, with hindsight anyway: the client had struggled to fill this role for some months — they initially tried to hire for it as a perm role themselves and were not successful, then eventually allocated it to us as a contract role, to source a candidate for. They needed it filled to attain their deliverables, hence the much quicker than normal turnaround, interviews are not usually next day, even in our relatively fast paced world.
Client interviewed candidate on Thursday 31st July, a 1 hour video call via Microsoft Teams with (I believe) two client organisation employees conducting the interview. We as the consultancy had scheduled/sent invites for the video call interview. The interview according to both the client and the candidate went well.
On Friday 1st August the client made an employment offer, the candidate accepted.
It is at that stage we then begin our vetting processes, which involves collecting information from the candidate such as; Driving Licence, Passport, 3x proof of address documents, NI Number, address history for the last five years, employment references for last five years etc, then basically scrutinising the hell out of it, contacting all references for confirmation of employment, running security checks etc.
I do not let a contractor go on site until I am satisfied all is above board, even if this upsets my commission hungry colleagues.
We contacted the contractor to request the above info to commence vetting. He sent some but not all of the requested information, maybe half the requested documents, and offered his employment references as personal email addresses — a big no no for employment referencing, especially public sector. I want to speak to your prior employer, not your mate.
So, we push back on that as per the above email chain extract, the candidate replies. The above response is a little unusual, and we gave no well wishes? My ears prick up at this point, spidey senses start tingling and I start reviewing all the stuff to do with this contractor.
We push back again.
This response above, also a little unusual, just tell us the company or agency name we’ll do the rest buddy, but no. A resistance to provide the requested info, as requested, when a person wants a job is frankly very weird and unusual. A couple of hours later they get back to us with the below.
On receipt of the above, I look up the domains immediately bc I’m very nosy by nature; who are these people, what do they do, how do they do it. The former has no website, the latter is clearly not a company called 6Degrees. What business that’s employing contractors in this day and age doesn’t have a website?! Nor a LinkedIn page, no public facing marketing materials, nothing, just a Companies House record where the company has been effectively dormant since its registration in 2022, which doesn’t support the concept of it being an active employer.
Idk why exactly, but it occurred to me to look up the DNS record immediately.
The domain had been created and registered 30 minutes earlier, only moments following our insistence of requiring the employer to confirm the employment.
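The two referee checks described so far (personal mailboxes offered as employment references, and an employer domain registered after the reference was requested) can be automated during vetting. The sketch below is an added example, not something from the original post: it assumes registration data is fetched as an RDAP domain object, and the sample response, timestamps, domain names, mailbox list and one-year age threshold are all constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed list of consumer mailbox providers; extend to suit local policy.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
MIN_DOMAIN_AGE = timedelta(days=365)  # assumed threshold, not from the post

# Constructed RDAP domain response (RFC 9083 layout); not real lookup output.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "referee-employer.example",
    "events": [
        {"eventAction": "registration", "eventDate": "2025-08-01T15:32:10Z"},
        {"eventAction": "expiration", "eventDate": "2026-08-01T15:32:10Z"},
    ],
})

def registration_time(rdap_json):
    """Return the 'registration' event time from an RDAP domain object, or None."""
    for event in json.loads(rdap_json).get("events", []):
        if event.get("eventAction") == "registration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def triage_referee(email, rdap_json, requested_at):
    """Return vetting flags for a referee address.

    requested_at is when the employer reference was requested from the candidate.
    """
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in PERSONAL_MAIL_DOMAINS:
        return ["personal mailbox: cannot confirm an employer"]
    flags = []
    created = registration_time(rdap_json) if rdap_json else None
    if created is None:
        flags.append("no registration date: confirm via an independently sourced contact")
    else:
        if created >= requested_at:
            flags.append("domain registered after the reference was requested")
        if requested_at - created < MIN_DOMAIN_AGE:
            flags.append("domain younger than minimum age")
    return flags

if __name__ == "__main__":
    asked = datetime(2025, 8, 1, 15, 0, tzinfo=timezone.utc)  # constructed timestamp
    print(triage_referee("hr@referee-employer.example", SAMPLE_RDAP, asked))
    print(triage_referee("mate@gmail.com", None, asked))
```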
Ok, well now I know something definitely isn’t as it should be. My Director was in the office, I walked over, show him the above and explain the sitrep, his face winced, we agree something is up. This time, I go back to the contractor (below). I can be a bit more blunt than some of my colleagues due to my role and responsibilities.
I, mostly for lols and bc I’m curious as to what the response could be, reach out to the reference for most recent employment (below) whilst awaiting confirmation of the other (which never arrived btw, shock)
The reference for this most recent employment replied very swiftly for an out of hours email (response below).
But it also read like, well, like chatGPT? (which multiple AI detectors strongly suggested to be the case).
I am not satisfied with this response, nowhere near close, so go back to the reference to request additional clarity (below)
Even more red flags and inconsistencies. He was an employee for a year 20 minutes ago, but now he is a contractor? Nah, not buying it.
(Internally it is decided at this stage that this contractor is not going on site, collectively these things are a major fail of vetting, raising more concerns the more we see/don’t get to see).
Still, I opt to continue the charade, for research purposes and some giggles, so go back to the contractor to request his consent to share this info with us to confirm the employment.
And reply to the reference confirming our position
We (unsurprisingly) didn’t hear back from either of them ever again.
Was it something I said? LOL.
The candidate has ignored the above emails and our attempts to communicate today to ‘continue the onboarding process’ have been tragically unsuccessful, dude hasn’t even read the WhatsApp messages despite being very swift and reliable on comms up to the point we showed our hand, he has ghosted us. Coward.
We held a meeting internally this morning to establish how this happened, during which the info about him being a referral/approaching us in the way he did for this specific role came out etc.
The client has this afternoon been informed with full transparency on the matter of our findings and concerns, and accepted our decision to remove this candidate from process, they expressed a lot of gratitude and thanks for our evidently awesome checks.
All just in a days work I guess.
If any researchers want the metadata from emails, just hit me up. Sharing is caring on this stuff, it’s not that interesting but servers are overseas.
I have redacted on emails etc here, but have not redacted company names since they are in the public domain through Companies House records.
Couple of other things that made me go hmm whilst we were actively investigating this; the address on ID didn’t match the proof of address documents. The energy bill for a month at his ‘home’ where he was reportedly a full time remote worker had the following usage, I mean come on man, that is not the energy usage of a home based remote IT worker.
I of course also contacted BNY Mellon seeking to confirm his employment there, they had no record of this person being employed by them as a permanent employee nor as a contractor whatsoever let alone for three years, it was a very interesting phone call.
My hot take: entire employment history was fabricated, I don’t believe based on the information we have that he legitimately worked at any of the places doing the jobs as stated on the CV. I also question the authenticity of the documents and ID we were provided (which I have opted not to share as it’s clearly someone’s ID but I am not sure it’s the person we have actually been communicating with).
In retrospect looking at the CV now with what we know now it doesn’t read right at all. What do you mean you did ‘higher education in Computer Science’ but don’t mention the place of study or grade? I’ve never seen education presented on a CV like that. Small details.
Welcome to ping me questions via Twitter: https://x.com/Alph4betSoup