He Passed Three Interviews. He Had Never Existed.
A remote-first London tech company hired for a senior backend role. The candidate from Kazakhstan sailed through a coding test and three technical interviews. Days before the contract was issued, HR requested a pre-employment check. The university had no record of him. The employer had no record of him. The identity itself had no record of existing before the year of the application.
£85,000 annual salary — plus access to production codebase, internal repositories, client data, and third-party API credentials from day one of onboarding.
4 days. The company cancelled the offer before the contract was issued. They subsequently updated their hiring policy to require verification for all remote international candidates.
What "Daniyar Aliyev" claimed on his CV.
The CV listed a Computer Science degree from Nazarbayev University in Nur-Sultan (now Astana), Kazakhstan — one of the country's most respected institutions, established with substantial international funding and genuinely selective admissions. Five years of backend development experience followed at a Russian software firm in Novosibirsk. The firm was real and well-known in the regional tech sector. The final section listed contributions to three open-source repositories on GitHub.
The profile photo was a clean headshot: professional, neutral background, good lighting. The coding test results were genuinely strong — the technical interviewers noted that the candidate clearly understood distributed systems architecture.
There was one recurring observation from the three interviewers: the video quality was consistently poor. Not unusably so, but persistently degraded — compression artefacts, occasional pixellation around the face, slight lag between audio and lip movement. Each interviewer noted it and each attributed it to connection quality from Central Asia.
Nazarbayev University: no match.
Nazarbayev University maintains a verifiable graduate registry. We submitted the name, claimed graduation year, and degree programme through the institution's official verification channel. No graduate matching the name and year appeared in their records.
We also checked the claimed student ID number format against the university's published format guide. The number on the candidate's scanned ID card used a prefix format discontinued in 2018 — three years before the claimed graduation date.
The Novosibirsk firm: no record of employment.
The software company in Novosibirsk exists and has a public profile. Its employee directory on LinkedIn lists 340+ people. We searched for any employee named Daniyar Aliyev or phonetic variants. No match. We contacted the company's HR department through their public contact form. They confirmed no employee by that name had ever worked there.
This is a deliberate tactic: attach a fabricated employment history to a real, verifiable company. A casual check confirms the company is real and stops there. A thorough check confirms the person was not employed there.
GAN artefacts confirmed.
The headshot showed several characteristics consistent with GAN (generative adversarial network) image synthesis: ear asymmetry beyond normal human variation, hairline pixellation at the boundary of hair and background, and left-right facial feature imbalance in the ear cartilage region. These are well-documented artefacts of current generative image models.
Reverse image search returned zero results — confirming the image was not stolen from a real person, but generated specifically for this identity.
Repositories created, not contributed to.
The three GitHub repositories listed in the CV were all created within a six-week window in the months before the application. Each had zero external contributors and zero stars. The commit history on each showed large initial pushes of well-structured code followed by no subsequent activity — a pattern consistent with seeding a portfolio rather than building one.
A real senior developer working in distributed systems for five years would typically have a visible history across multiple platforms, conference talks, Stack Overflow activity, or at minimum pull requests on established projects. The digital footprint was a constructed stage set.
Why synthetic candidates target tech companies specifically.
Access to a software company's internal systems on day one of employment is extraordinarily high. A developer hired into a backend role typically receives credentials for version control, production deployment pipelines, database access, internal APIs, and communications platforms within the first week. In a remote-first environment where this access is granted before any in-person verification, a synthetic candidate with genuine technical skills — or with a real person doing the actual technical work while the synthetic identity handles the hiring process — can extract proprietary code, client data, and third-party credentials before anyone notices.
This pattern has been documented by the FBI and by several cybersecurity firms operating in the DPRK attribution space. North Korean IT worker schemes specifically have used synthetic and composite identities to gain employment at technology firms, with the goal of intellectual property theft and long-term access rather than immediate financial extraction. We cannot attribute this specific case to any nation-state actor, but the methodology is consistent with documented patterns.
The practical response is straightforward: require identity verification as a condition of offer for remote international hires, with the same rigour applied to the degree and employment history claimed on the CV.
What to verify before you issue a contract.
A candidate check for an international remote hire covers identity document authenticity, university degree verification via the institution, employment history verification via the named employer, and profile photo analysis. We also flag inconsistencies in the digital footprint — GitHub history, LinkedIn account age, and cross-platform consistency.
For senior or security-sensitive roles, we can extend the check to include criminal record databases where publicly accessible in the candidate's home country, and court records for civil disputes.
The cost is a fraction of one month's salary — and the alternative is granting production access to someone whose identity may not exist.
See more real investigations.
We regularly post anonymised case results and scam‑awareness tips on Instagram. Follow @allrussian.verify to stay informed.
Other document and identity fraud
The offer is contingent. Make verification part of it.
We verify international candidates before they get keys to your systems. Four days. Written report. Clear findings on identity, education, and employment — all from public sources in the candidate's home country.