The Insider Threat That Passed the Background Check
When attackers hold valid credentials and a signed offer letter, the identity layer has already cleared them
June 5, 2026

A federal court recently sentenced the ringleader of a North Korean IT worker scheme to nine years. Investigators put the network at 100,000+ operatives across 40 countries, with American facilitators handling logistics — laptops, I-9s, drug tests — while roughly $500 million a year routed back to Pyongyang. Nearly every Fortune 500 company, they estimated, has unknowingly hired at least one.
The instinctive read is nation-state espionage: targeted, rare, a policy problem. The indictment tells a harder story: industrialized labor fraud running through standard enterprise hiring pipelines.
When the Credential Is Real
This scheme works because it clears every layer identity security is designed to protect. Fabricated identities, coached interviews, forged documents.
By the time an operative starts, they hold a valid offer letter, Active Directory access, and legitimate system permissions. The identity provider issued a token. It cannot tell you whether the person behind it is who they claim to be.
What persists is behavioral deviation. Legitimate employees build communication patterns over time: who they work with, what systems they touch, how their email activity looks across a normal week. A fraudulent hire doesn't inherit those patterns. Outbound communications route differently. Access activity doesn't fit the role.
What the Inbox Already Knows
SaaS apps broadcast activity through notification emails. Workday flags payroll changes. Salesforce flags export permission shifts. A fraudulent hire accumulating access generates a trail of these.
Against a behavioral baseline for the role and the person, those signals add up.
Abnormal builds that baseline from PeopleBase context and communication signals. An employee who cleared every pre-boarding check still stands out when their activity doesn't match the role.
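The idea of scoring SaaS notification emails against a role baseline, as an added sketch that is not Abnormal's implementation or code from this post. The sender domains, subject patterns, role names, baseline counts and weights are all constructed assumptions, and the mail is assumed to have passed sender authentication already.

```python
import re
from collections import Counter

# Constructed subject patterns; real Workday/Salesforce wording differs.
RULES = [
    ("workday", "payroll_change", re.compile(r"direct deposit|payment election", re.I)),
    ("salesforce", "export_permission", re.compile(r"permission set", re.I)),
    ("salesforce", "report_export", re.compile(r"report export", re.I)),
]

# Hypothetical baselines: weekly event counts considered normal for each role.
ROLE_BASELINE = {
    "backend-engineer": {("workday", "payroll_change"): 1},
    "sales-ops": {("workday", "payroll_change"): 1,
                  ("salesforce", "export_permission"): 1,
                  ("salesforce", "report_export"): 5},
}

def classify(sender, subject):
    """Map one notification email to an (app, event) pair, or None."""
    domain = sender.rsplit("@", 1)[-1].lower()
    for app, event, pattern in RULES:
        if app in domain and pattern.search(subject):
            return (app, event)
    return None

def score_user(role, emails):
    """Score one user's week of notification emails against the role baseline."""
    counts = Counter(filter(None, (classify(s, subj) for s, subj in emails)))
    baseline = ROLE_BASELINE.get(role, {})
    findings, score = [], 0
    for key, seen in sorted(counts.items()):
        allowed = baseline.get(key, 0)
        if seen > allowed:
            # An event type the role never produces weighs more than extra volume.
            weight = 3 if allowed == 0 else 1
            score += weight * (seen - allowed)
            findings.append((key[0], key[1], seen, allowed))
    return score, findings

SAMPLE_WEEK = [  # constructed sample data, one user's inbox for one week
    ("notify@workday.example", "Your direct deposit was updated"),
    ("notify@workday.example", "Payment election changed"),
    ("alerts@salesforce.example", "Permission set assigned: Export Reports"),
    ("alerts@salesforce.example", "Report export completed"),
    ("news@vendor.example", "Weekly digest"),
]
```

The same week of mail scores 7 for the constructed `backend-engineer` role and 1 for `sales-ops`, which is the point of baselining by role rather than alerting on each notification in isolation.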


