Ghost Workers: Detecting Remote IT Worker Fraud via Cross-Tenant Correlation

Remote-first hiring has introduced a new insider-threat class: the fully onboarded contractor who never physically exists. This vector is currently being aggressively exploited by state-sponsored actors (specifically DPRK groups) targeting technology and AI sectors across APAC and the US.

Across multiple enterprise tenants, we observed coordinated patterns of fraudulent remote IT workers who maintained access through persistent refresh tokens, shared MFA devices, and VPN-assisted country hopping. The same device fingerprints, browser signatures, and usernames resurfaced under different identities across organizations.

This presentation introduces InsiderWatch, a privacy-preserving, open-source tool designed to help analysts validate suspicious device reuse. We will demonstrate how client-side hashing and incremental confidence scoring can safely surface repeated patterns that a single tenant cannot see on its own.

Attendees will learn:
The Forensic Patterns: How to detect shared MFA devices and "impossible travel" anomalies specific to ghost worker clusters.
The Tool: A deep-dive into the InsiderWatch architecture and how to deploy it.
The Defense: Deployable detection logic (KQL) to evict these actors before they establish persistence.
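To make the cross-tenant idea in the abstract concrete, here is an added illustration (written for this page, not InsiderWatch's own code, and in Python rather than the KQL the talk promises). Each tenant keys a hash of its device fingerprint with a shared correlation secret so that only the digest leaves the tenant, and a correlator scores each digest by how many tenants and distinct identities it appears under and by country changes inside a short window. The field names, weights, time window, and sign-in events are constructed assumptions for the example.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Correlation key shared among participating tenants (constructed placeholder).
# Keyed hashing matters: device fingerprints are low-entropy, so an unkeyed
# SHA-256 could be brute-forced back to the raw fingerprint by anyone who sees it.
CORRELATION_KEY = b"replace-with-shared-correlation-key"


def fingerprint_hash(fingerprint: dict) -> str:
    """Client-side hash of a device fingerprint. Only this digest leaves the tenant.
    Fields are canonicalised (sorted, joined) so identical devices hash identically
    regardless of which tenant computed the digest."""
    canonical = "|".join(f"{k}={fingerprint[k]}" for k in sorted(fingerprint))
    return hmac.new(CORRELATION_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class Correlator:
    """Aggregates hashed sightings from many tenants and assigns each device hash
    an incremental confidence score in [0, 1]. Weights are constructed for the example."""

    W_TENANT = 0.35     # each additional tenant that saw the same device
    W_IDENTITY = 0.25   # each additional distinct identity using the device
    W_TRAVEL = 0.30     # each country change within TRAVEL_WINDOW (impossible travel)
    TRAVEL_WINDOW = timedelta(hours=2)

    def __init__(self) -> None:
        # device hash -> list of (timestamp, tenant, identity, country)
        self.sightings = defaultdict(list)

    def ingest(self, tenant: str, identity: str, country: str,
               ts: datetime, fingerprint: dict) -> str:
        """Record one sign-in sighting; returns the device hash it was filed under."""
        h = fingerprint_hash(fingerprint)
        self.sightings[h].append((ts, tenant, identity, country))
        return h

    def score(self, h: str) -> float:
        events = sorted(self.sightings.get(h, []))
        if not events:
            return 0.0
        tenants = {e[1] for e in events}
        identities = {e[2] for e in events}
        hops = sum(
            1 for prev, cur in zip(events, events[1:])
            if prev[3] != cur[3] and cur[0] - prev[0] <= self.TRAVEL_WINDOW
        )
        raw = ((len(tenants) - 1) * self.W_TENANT
               + (len(identities) - 1) * self.W_IDENTITY
               + hops * self.W_TRAVEL)
        return min(raw, 1.0)

    def suspicious(self, threshold: float = 0.6) -> dict:
        """Device hashes whose score meets the threshold, for analyst review."""
        return {h: self.score(h) for h in self.sightings if self.score(h) >= threshold}


# Constructed sample sightings: the same browser/MFA device resurfacing under
# different usernames and countries at three tenants, plus two ordinary devices.
SUSPECT_FP = {"ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "screen": "1920x1080",
              "tz": "Asia/Shanghai", "mfa_device": "authenticator-7f3a"}
SHARED_FP = {"ua": "Mozilla/5.0 (X11; Linux) Firefox/121", "screen": "1366x768",
             "tz": "Europe/Berlin", "mfa_device": "authenticator-a9e2"}
BENIGN_FP = {"ua": "Mozilla/5.0 (Macintosh) Safari/17", "screen": "2560x1600",
             "tz": "America/New_York", "mfa_device": "authenticator-0c11"}


def build_sample_correlator() -> Correlator:
    c = Correlator()
    t0 = datetime(2024, 3, 4, 9, 0)
    # Same device: tenant A as "jsmith" from the US, tenant B as "a.lee" from
    # Singapore one hour later, then tenant C as "jsmith" from the US again.
    c.ingest("tenant-a", "jsmith", "US", t0, SUSPECT_FP)
    c.ingest("tenant-b", "a.lee", "SG", t0 + timedelta(hours=1), SUSPECT_FP)
    c.ingest("tenant-c", "jsmith", "US", t0 + timedelta(hours=6), SUSPECT_FP)
    # Legitimate contractor: one identity at two tenants, no travel anomaly.
    c.ingest("tenant-a", "m.garcia", "ES", t0, SHARED_FP)
    c.ingest("tenant-b", "m.garcia", "ES", t0 + timedelta(days=1), SHARED_FP)
    # Benign device seen once.
    c.ingest("tenant-a", "r.patel", "IN", t0, BENIGN_FP)
    return c


if __name__ == "__main__":
    corr = build_sample_correlator()
    for h, s in corr.suspicious().items():
        print(f"{h[:16]}... score={s:.2f} sightings={corr.sightings[h]}")
```

With the sample data, only the device reused across three tenants under two usernames with a US-to-Singapore hop inside an hour crosses the 0.6 threshold; the contractor seen at two tenants under a single name scores 0.35 and stays below it. The scoring is deliberately additive so that a single tenant's sightings produce a low score on their own and confidence rises only as more tenants contribute digests, which is the property the abstract describes.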

Parth Jamodkar

Microsoft, Threat Hunter - Exposing What Attackers Leave Behind

Delhi, India
