We spend a lot of time talking about how to catch hiring fraud. The signals, the tools, the checks to add at each stage. What we talk about less is the other side of it, the steps fraudsters take to pull it off in the first place. You can't fully understand how hiring fraud works without looking at how it's actually built.

Hiring fraud is a supply chain. Different people in different countries each handle one piece, and the finished candidate lands in your ATS.

Here's how it works, stage by stage.

Stage 1: Stolen data

It all starts with real personal information stolen from data breaches. Names, social security numbers, dates of birth, addresses. This data sells in bulk on underground markets, where a single email account with some history goes for a few dollars and a full identity package with matching documents runs anywhere from $200 to $800.

The market is enormous. In June 2025, the DOJ seized 145 domains tied to one marketplace called BidenCash, a platform that had over 117,000 customers and at one point gave away 3.3 million stolen records for free as a promotional tactic!

How this shows up in your interview process: applications using the same SSN, phone number or email address across multiple candidate profiles

Stage 2: Synthetic identities

Once the data exists, profile builders assemble it into what's called a synthetic identity. Background checks are designed to confirm a candidate's paperwork is real. The SSN matches the name, the name matches the date of birth, everything lines up in the database.

The supply chain gets around this by not making anything up. The SSN is real, the name attached to it is real, the date of birth is real. What changes is the contact information. The address on file becomes one the operation controls, the phone becomes a VOIP line they answer, the email becomes an aged inbox they monitor. When a background check runs, it sees a real person whose data lines up, and clears them.

This is why synthetic identity fraud causes $30 to $35 billion in losses every year in the U.S., and 44% of fraud teams now rank it as their top threat. The identity isn't fake, it's a real person rerouted.

How this shows up in your interview process: candidates whose backgrounds check out on paper but whose digital footprint is too clean, like brand new email accounts, no social presence, and credit histories that don't align with their stated age or work tenure.

Stage 3: Verification bypass

Background checks confirm the paperwork. Identity verification goes a step further and asks whether the person on this video call is actually the person that paperwork describes. The candidate holds up their ID, shows their face, and the system compares the two.

This is where the supply chain has built the most workarounds, because the answer can't come from a database. It has to come from a real human moment, so the operation uses a real human. Underground markets recruit what they call verification mules, real people who get paid around $20 to sit in front of a camera and complete a liveness check for someone else. The mule looks close enough to the ID photo to pass, and the system records a successful verification.

The whole step can also be bought as a package called KYC as a service, which runs $500 to $800 per case. The buyer submits the stolen ID, the vendor passes the check, and they get a verified account ready to use.

How this shows up in your interview process: ID verification passes but the person on the live video looks different, or candidates who pass a liveness check but then resist any unscripted face-to-face meeting afterwards

Stage 4: Resume building

This part has become trivial. AI tools generate convincing employment histories tuned to a specific job posting in minutes. With the right tools anyone with no special skills can build a resume in a few minutes convincing enough to score an interview.

How this shows up in your interview process: resumes that mirror your job description almost verbatim, comprehensive skills sections, and employment claims at companies whose timelines or org structures don't match public records.

Stage 5: The interview itself

Some operations use deepfake software during the video call, but the more common approach is to split the work. One person fluent in English handles the interview, and the actual job after hiring goes to someone else entirely. Underground markets now recruit what they call AI video actors, who are hired specifically to sit on camera for fraudulent interviews.

This is called seat swapping. Each round looks plausible on its own as the fraud signal lives in the interviews themselves, and the only way to catch it is for interviewers to take detailed notes on how the candidate looked, sounded, and acted, and then share those notes with the next round.

How this shows up in your interview process: a candidate who looks, sounds, or behaves differently between interview rounds. Slight delays before answering, different lighting or background, or technical answers in round two that don't match the conversational style from round one.

Stage 6: The laptop receiver

If the fraudulent candidate gets hired, the company ships them a laptop. The address on the offer paperwork is usually a U.S. residence, but it's a laptop farm run by someone the operation pays. The laptop farm operator installs remote access software and hands control to whoever is doing the actual work, usually overseas. To the company, everything looks normal: the laptop is in the U.S., the IP address looks domestic, the worker shows up on Zoom.

Christina Chapman ran a laptop farm out of her home in Arizona, where she handled ninety laptops at peak and helped North Korean operatives land jobs at 309 American companies, generating $17.1 million in fraudulent salaries. She was sentenced to 8.5 years in 2025.

Stage 7: Money movement

Fraudulent salaries get routed through shell companies, prepaid cards, crypto exchanges, and money mules. By the time anyone realizes a hire was fraudulent, the money has moved through three countries. The UN estimates the North Korean IT worker scheme alone has generated between $250 million to $600 million per year on the back of these operations.

The unit economics are absurd

A North Korean operation can get a fraudulent candidate hired at a Fortune 500 company for under $1,000 in upfront costs, and the operative then earns up to $300,000 a year. That's a 300x return on a single hire, before counting the additional revenue from data theft, extortion, or stolen IP.

The full pipeline is cheap because each piece is commoditized. A stolen identity package runs $200 to $800. KYC bypass costs $500 to $800. Resume generation is essentially free now that AI tools exist. A laptop farm operator takes a few hundred dollars a month. None of it requires technical skill, because the specialists handling each stage have already built the infrastructure and sell it as a service.

Let's run the numbers on a single fraudulent hire from a North Korean operation, end to end.

The return

• Upfront cost: $1,455
• Year one net profit: $266,000
• Return on investment: 183x

And that's before the secondary revenue. Many of these operations also exfiltrate source code, sell access to corporate systems, or run extortion campaigns once they're inside.

Why a one-stage fraud tool can't defeat a multi-stage supply chain

Most hiring fraud defenses inspect the candidate and do so at a singular point in time. Check the resume, identity, references,etc,. The problem is that every step in the supply chain is engineered to defeat the exact check it's meant to pass.

Companies that add more inspection tools often don't catch more fraud, because they're adding another layer the supply chain has already adapted to. A multi-stage supply chain can't be defeated by a one-stage fraud tool. The fraud lives in the connections between stages, not within any single stage, and inspecting the candidate alone is inspecting the wrong layer.

This is the gap Tofu was built to close. Resume screening, identity signals, interview-stage detection, and deepfake detection working together as a connected layer across the chain, not as separate point tools.

If you want to see what that looks like inside your ATS, book a demo with Tofu.