I still don’t fully know how to write this out so I’m just going to type it and see what happens.
So we’re a small product team of 6 people, fully remote, and the backstory starts earlier this year when we were looking for a senior backend engineer.
Someone applied through our jobs page with an impressive portfolio, open source contributions, a detailed GitHub history going back 4 years, a LinkedIn with 500+ connections and 2 mutual contacts we recognized, and a face that looked back at us from a professional headshot that felt completely unremarkable in the best possible way.
Interviews went well, really well actually. The guy gave sharp answers, good questions, talked through architectural decisions with the kind of nuance that’s hard to fake if you don’t actually know what you’re talking about.
So we made an offer, he signed, we onboarded him, gave him repo access, and he started shipping code within the first week.
I won’t say the code was exceptional, but it was solid enough that nobody raised a flag. Also, his camera was always off on calls, but half our team does that so nobody pushed back. He was responsive on Slack, hit his deadlines…
It was all good until it broke open, and what broke it open was completely accidental. Our designer was putting together a team page for the website and asked everyone to send a recent photo. He sent one. I happened to run it through a reverse image search out of pure habit, because I do that for stock photos sometimes, and it came back clean: no matches anywhere on the internet, not even the LinkedIn profile photo we’d seen during hiring.
That’s not how real photos work…
I sat with that for a day before I did anything because I didn’t want to believe where it was pointing.
Then I looked closer at the GitHub history and noticed something I’d missed completely during hiring: the commit timestamps clustered in 2 very distinct windows, never overlapping, always either early morning European time or late afternoon, like two different people working in shifts.
The open source contributions had a similar pattern, different writing style in the issues versus the PRs, subtle enough that you’d never catch it unless you were looking.
We requested a live video call, camera mandatory, identity document on screen, but he didn’t show up. Sent a message saying he was dealing with a family emergency, then another, then crickets.
We pulled his access and started untangling what had actually happened. Best we can figure from what our security consultant found afterward, the entire identity was constructed: the headshot was AI-generated, the GitHub history was seeded over years, probably across multiple fake personas they rotate, and the LinkedIn was built slowly enough to accumulate real connections through second-degree requests that people accept without thinking.
We never met a real person, not even once.
The legal situation was its own nightmare because we had a signed contract with a name attached to payroll and no idea whose name it was or what jurisdiction any of this fell under.
3 months of salary had gone somewhere and we had no clean way to terminate something we couldn’t prove existed.
I’ll spare the full details of how we got out of it, but it took a lawyer, an amended termination agreement sent to an email address we’re not sure anyone reads, and a very uncomfortable conversation with our bank.
I’ve heard some pretty unhinged hiring stories over the years and always assumed I was too careful to end up in one. Apparently not…
