Photographic Identification Comparison

A subject carries out covert actions, such as the collection of confidential or classified information, for the strategic advantage of a nation-state.

The subject deliberately adopts or fabricates an identity—visually, digitally, or procedurally—to gain access, mislead stakeholders, or enable a planned insider event. Impersonation may occur in physical environments (e.g., unauthorized use of uniforms or cloned ID cards), digital platforms (e.g., email aliases or collaboration tools), or human interactions (e.g., job interviews). These behaviors typically precede unauthorized access, credential misuse, sabotage, or data exfiltration, and may allow subjects to operate without attribution or delay detection.

Impersonation is a high-risk preparatory behavior that often precedes direct misuse of trust. By assuming a false identity or misrepresenting role, authority, or affiliation, the subject gains unauthorized access or influence—without triggering traditional insider threat controls.

The subject enters the organization with a pre-formed intent to exploit their position, gain access to sensitive data, or otherwise contravene internal policies. Unlike most new hires (who align with organizational values and security expectations) joiner-motivated subjects present a latent threat from day one, often embedding their intent within the onboarding process, role selection, or early-stage access decisions.

Joiner motivation may stem from pre-existing agendas including espionage, competitive intelligence, ideology, or personal financial gain. The subject may deliberately target roles that offer visibility into proprietary systems, customer data, intellectual property, or internal governance. Their background may be curated to pass pre-employment screening, and they may arrive with pre-established exfiltration methods or operational security tactics designed to avoid detection.

Risk is highest during the early tenure period, when access is granted but behavioral baselines are not yet established. These subjects often exploit onboarding leniency, trust-building phases, and provisioning delays, taking advantage of initial low scrutiny to stage preparatory actions or initiate incremental infringement.

Investigators should treat joiner cases with heightened sensitivity. Detection may implicate upstream controls such as hiring processes, third-party screening providers, or internal referral pathways. Missteps in attribution may also generate legal or reputational risk, particularly if the subject was placed in a position of elevated trust.

The subject leverages synthetic identity elements, AI-generated visuals, deepfake video, or falsified credentials to obtain employment or contractor status under a false identity. This tactic is commonly used to gain insider access to an organization while avoiding standard background checks, attribution mechanisms, or compliance controls.

Common methods include:

• Using AI-generated (GAN-based) profile photos that cannot be reverse-image searched.
• Employing real-time deepfake tools during video interviews to alter facial appearance or impersonate another individual.
• Substituting a more technically skilled individual to complete a remote hiring assessment or interview under a fabricated identity.
• Presenting credentials or documentation (e.g., CVs, diplomas, certifications) created using forgery tools or generative AI.

This tactic is particularly dangerous when used to embed individuals in sensitive roles such as DevOps, system administration, SOC analyst, or software engineering, where access to production systems and intellectual property is granted shortly after onboarding.

Example Scenarios:

• A subject uses a synthetic LinkedIn profile with AI-generated imagery and falsified work history to apply for a remote DevOps role. During the live video interview, they use a deepfake overlay to match their fabricated profile photo.
• A technically skilled individual conducts a coding interview using a deepfake of another person, allowing a less qualified "puppet" to be hired under false credentials. The qualified subject later assists or directs actions remotely.
• A malicious actor obtains employment under an assumed identity to infiltrate a target organization on behalf of a third party, using synthetic documents and deepfake liveness checks to pass onboarding.

The subject deliberately alters their physical appearance to resemble an authorized individual or category of personnel—such as employees, contractors, vendors, maintenance staff, or delivery personnel—in order to bypass physical security measures and gain access to restricted areas. This tactic relies on exploiting visual trust cues (e.g., uniforms, badges, company branding) and is often used during reconnaissance or access staging phases prior to an insider event.

Common methods include:

• Wearing uniforms or branded clothing associated with the target organization or a trusted third party.
• Mimicking attire patterns of specific departments (e.g., IT, facilities, catering).
• Carrying props such as tools, ID lanyards, or delivery equipment to reinforce the impersonated role.

Example Scenarios:

• A subject dresses in a facilities maintenance uniform to gain access to server rooms under the pretense of conducting HVAC repairs, with no scheduled work order.
• An insider recruits an accomplice who dresses as a delivery driver to stage equipment drops and tailgate into a secure loading dock.
• During an internal staff shift, the subject wears a borrowed lanyard and IT polo shirt to move through restricted floors without being challenged.
• A former contractor retains high-visibility branded clothing and uses it months later to re-enter a secure building undetected.

The subject obtains, clones, fabricates, or otherwise manipulates physical access credentials—such as RFID cards, NFC badges, magnetic stripes, or printed ID cards—to gain unauthorized access to secure areas. This behavior typically occurs during early-stage preparation for insider activity and enables covert physical entry without triggering standard identity-based access controls.

Badge cloning can be performed using low-cost, widely available tools that can read and emulate access credentials. Forged ID cards are often visually convincing and used to bypass casual visual verification by staff or security personnel.

Example Scenarios:

• A subject uses a Flipper Zero device to clone the 125kHz RFID signal of a coworker's legacy access badge and uses it after hours to enter the data center undetected.
• A forged ID badge created with a common card printer and online templates is worn by a co-conspirator to impersonate an IT contractor and access a locked communications room.
• The subject photographs a single-use QR visitor code from a printed pass and shares it with an external party, who uses it to enter the premises before expiration.
• A magnetic stripe card is skimmed using a USB swipe reader and rewritten onto a blank hotel-style access card.