Unit 42 Built a Deepfake Hire in 70 Minutes. Gartner Says 1 in 4 by 2028.
Unit 42 built a working deepfake candidate in 70 minutes. Why cross-platform footprint verification is now the floor for remote technical hires.
If your remote technical verification stack is still a LinkedIn profile, a Zoom interview, and a referenced resume, you are defending a perimeter that fell in 2025. Unit 42 just demonstrated that the cost to fake all three at once is about 70 minutes on a five-year-old laptop. The only signals that still take years to fabricate are the ones spread across multiple platforms over time.
This is not a "be careful out there" piece. It is an argument that single-source verification is dead for senior engineering hires, and that the floor has moved to cross-platform footprint matching: GitHub commit history, conference talks, paper authorship, and open-web mentions, checked against each other and against the person on the call.
The 70-minute demo that should reset your verification policy
In a recent writeup, Unit 42 (Palo Alto Networks) had a researcher with no prior image-manipulation experience and only limited deepfake knowledge build a working real-time synthetic identity from scratch. The toolchain: a thispersonnotexist-style face generator, off-the-shelf face-swap software, and a roughly five-year-old GTX 3070. Total elapsed time from "nothing" to "ready to sit a live interview" was 70 minutes.
The trigger for that research was a Pragmatic Engineer case study from a Polish AI company that hit two separate deepfake candidates in the same pipeline. The interviewers suspected the same operator behind both personas because the second candidate did suspiciously better on the same technical questions. The economics now favor the attacker: one operator, many faces, infinite attempts.
If you are still relying on a "turn your head, wave a hand" liveness check, Unit 42 is explicit that today's deepfake artifacts (temporal inconsistency, occlusion errors, lighting adaptation) are "rapidly diminishing." Treat liveness as a 12-month patch, not a strategy.
The volume is not theoretical
Three numbers anchor the scale problem.
First, Gartner now projects that by 2028, one in four candidate profiles globally will be fake. In Gartner's 2Q25 survey of 3,000 job candidates, 6% already admitted to participating in interview fraud, either posing as someone else or having someone else pose as them.
Second, Okta Threat Intelligence tied roughly 130 DPRK-linked personas to more than 6,500 job interviews across about 5,000 companies between 2021 and mid-2025. Of those targets, 27% were outside the US and 50% were outside the tech sector entirely (finance, healthcare, public administration, professional services). North Korean IT worker hiring is no longer a Silicon Valley problem.
Third, CrowdStrike recorded a 220% year-over-year increase in North Korean IT worker activity, with 320 incident-response cases in the year ending August 2025. Mandiant's Charles Carmakal told reporters that "almost every CISO of a Fortune 500 company" he has spoken to has a North Korean IT worker problem.
And the named cases are not edge cases. DOJ confirmed that Christina Marie Chapman's Arizona "laptop farm" alone placed DPRK workers at 309 US companies, including Fortune 500 banks, a top-five TV network, an aerospace manufacturer, an auto OEM, and Nike, which paid roughly $70K to an unwitting DPRK hire. Chapman was sentenced to 102 months in July 2025. KnowBe4, a security-awareness company, has publicly admitted hiring a North Korean IT worker. Hypr's CEO Bojan Simic accidentally hired a fake engineer himself and then built a product against it. g8keep founder Harrison Leggio estimates 95% of the resumes he receives are from DPRK engineers pretending to be American.
number: 457%
label: Growth in reported job-related fraud losses, 2020 to 2024
note: FTC data shows losses rising from $90M to over $501M annually.