From Romanian passports sold to sanctioned Russians, to North Korean operatives applying for developer roles in Germany with fabricated Serbian degrees - the cross-border hiring process has become an active threat surface. Here is what the evidence says European employers must do differently.
In December 2025, Le Monde published the findings of an investigation that should have sent a chill through every HR and compliance team across the European Union. A small commune in northern Romania called Varfu Campului, population officially around 3,400, had somehow registered more than 10,000 residents. Those residents - citizens of Russia, Moldova, and Ukraine - had been issued Romanian identity documents using fictitious addresses, sometimes without the knowledge of the property owners whose addresses were used. Civil registry officials had processed the applications in exchange for bribes. A criminal network had, in effect, manufactured European Union identities at industrial scale.
Some of the Russian applicants had used the identities of Ukrainian soldiers killed on the front line to support their citizenship claims. Romanian passports were being sold on social media channels targeting Russian speakers for between 4,000 and 7,500 euros, with prosecutors noting one client paid 75,000 euros to an intermediary for a fraudulently obtained citizenship certificate. By the time Romanian authorities began systematic enforcement, more than 18,700 people from former Soviet republics had registered fictitious residences in the country. Hundreds had already received Romanian passports - and with them, the right to live and work freely anywhere in the European Union.
The direct employment implication is straightforward and serious. An employer in Prague, Warsaw, or Munich who hires a worker presenting a Romanian passport has no reason, from a document authenticity perspective, to treat that document differently from one issued by the Czech or German state. Romanian citizenship is EU citizenship. Yet a subset of Romanian passports now in circulation are fraudulently obtained, issued through a corrupted administrative process, and may belong to individuals - including Russian nationals evading sanctions - whose true identity and background would disqualify them from employment in regulated environments. An employer who accepts the document at face value has completed a right-to-work check. They have not verified who the person actually is.
The systematic targeting of European hiring pipelines
The Romanian passport case illustrates one dimension of the cross-border identity verification challenge: the fraudulent acquisition of apparently legitimate EU documents. A separate and equally well-documented challenge involves the systematic fabrication of entire professional identities for use in European employment applications.
In April 2025, Google's Threat Intelligence Group (GTIG) published findings documenting a significant escalation in North Korean state actors targeting European companies for fraudulent IT employment. Investigators found fabricated personas with resumes listing degrees from Belgrade University in Serbia, claimed residences in Slovakia, and specific operational guidance for navigating European job sites - including instructions to use a Serbian time zone during communications to avoid detection. North Korean operatives were seeking work through Upwork, Telegram, and Freelancer, with facilitators in the UK and US helping to manage company-issued laptops and receive salary payments on their behalf.
Germany and Portugal were specifically identified as primary European targets. The scheme involved not only fabricated qualifications and work histories but also stolen identity documents from real people in Italy, Japan, Malaysia, Singapore, Ukraine, and Vietnam - giving the fraudulent personas a paper trail that appeared to reference genuine individuals who could be found online. Rafe Pilling of Secureworks described the threat plainly: hiring practices are not something most people think about in terms of cybersecurity, but they should be.
ESET Research's findings, published in September 2025, added further granularity. Their analysis of the DeceptiveDevelopment group - a North Korean-aligned operation active since at least 2023 - documented specific targeting of developers in France, Poland, and Ukraine. The group used fake job interview processes and social engineering techniques to deliver malware and steal cryptocurrency, with the fraudulent employment pipeline serving as the access mechanism. CrowdStrike has reported investigating at least one European incident per day involving these operations.
Why CEE employers are structurally exposed
Central and Eastern European employers sit at the intersection of several overlapping vulnerabilities that make them particularly exposed to cross-border credential fraud.
The first is the scale and speed of cross-border labour dependency. Eurostat data for 2022 and 2023 shows the Czech Republic received among the highest levels of net migration relative to population of any EU member state, driven by Ukrainian displacement and sustained economic migration from Central Asian countries. The International Labour Organization has estimated that approximately 1 in 4 workers in certain Czech manufacturing and logistics sub-sectors is of non-EU origin. Poland and Germany have experienced comparable dynamics. At this volume, hiring processes that were designed for a relatively homogeneous domestic labour market are being applied to an internationally diverse candidate pool for which they are structurally inadequate.
The second vulnerability is document trust. The Romanian passport fraud case demonstrates that EU identity documents are not a reliable proxy for verified identity. A document that looks genuine, was issued by a legitimate EU state authority, and passes a visual inspection may nonetheless have been obtained through a fraudulent process. The employer who relies on document presentation as their verification method is operating on a false assumption of security.
The third vulnerability is the gap between IT hiring and security awareness. The specific targeting of European IT roles - developers, cloud engineers, DevOps professionals - by North Korean and other state-linked actors exploits a structural gap between HR hiring processes and the security sensitivity of the roles being filled. A developer with privileged access to production systems is a high-value target. The hiring manager filling that role is typically focused on technical skills, not counterintelligence.
What makes cross-border verification genuinely difficult
The verification challenges are specific and layered, and it is worth being precise about each rather than treating them as a single undifferentiated problem.
Identity document authentication goes well beyond visual inspection. The Romanian passport fraud demonstrates that even government-issued EU documents can be fraudulently obtained through corrupted administrative processes. Effective authentication requires technical verification against known document standards, biometric matching between the document and the individual presenting it, and - for candidates from higher-risk originating countries - awareness of the specific fraud typologies documented in that jurisdiction.
Criminal record verification is operationally complex for non-EU nationals. Czech criminal record checks through ISKN operate efficiently for Czech nationals. For a Ukrainian or Kazakh national, obtaining a formal criminal record certificate requires engagement with the relevant national authorities, apostille certification, and translation - a process that most employers simply skip, defaulting to a self-declared statement that carries no evidential value.
Employment history verification must involve independent contact with prior employers through channels that are not provided by the candidate. In the Warsaw case documented in the Scaut Threat Intelligence Report, the developer's claimed employment at Estonian and Lithuanian banks was never independently verified. The employers were never contacted. The fraud that followed cost the firm 840,000 euros and eight months of undetected data exfiltration. A verification process that calls numbers the candidate themselves supplied is not verification - it is confirmation of the narrative they want you to accept.
Sanctions and watchlist screening must be applied consistently across nationalities and conducted in the worker's native language. An adverse media search conducted only in English will not reliably surface entries in Ukrainian, Russian, Kazakh, or other relevant language sources. For employers in regulated sectors with NIS2 obligations, the inconsistent application of sanctions screening across the workforce is both a security gap and a compliance failure.
The regulatory environment is tightening from multiple directions
European employers face a converging set of regulatory obligations that are raising the standard for what constitutes adequate cross-border workforce verification.
NIS2 and the Czech ZKI impose personnel security requirements on regulated entities that do not distinguish by nationality or employment type. A Ukrainian IT contractor with access to critical systems carries the same screening obligation as a Czech national in an equivalent role. The legal standard does not have a carve-out for workers whose background is harder to check.
The EU Corporate Sustainability Due Diligence Directive (CSDDD), entering progressive force from 2026, will require companies to conduct due diligence on labour conditions and practices across their supply chains. For employers using staffing agencies to source foreign workers, this creates obligations that extend to the credibility of the vetting applied by those agencies.
The Employment of Foreigners Act in the Czech Republic requires employers to retain copies of identity documents and work permits for third-country nationals. This is a documentation requirement that many employers fulfil without any meaningful verification of the documents being retained - filing a potentially fraudulent document with administrative efficiency while creating a false sense of compliance.
What proportionate verification looks like in practice
The cases reviewed here - the Warsaw financial services fraud, the Romanian passport network, the North Korean IT worker campaigns targeting Germany, Poland, and France - share a common characteristic. The fraud succeeded not because it was undetectable, but because the detection was not attempted, or was applied at an inadequate standard.
Effective cross-border verification requires document authentication that goes beyond visual inspection: technical verification of security features against known standards for the issuing country, biometric matching between document and individual, and awareness of the specific fraud typologies relevant to each originating jurisdiction. The Romanian passport case in particular means that EU citizenship documents from certain issuing contexts should no longer be treated as inherently reliable.
Employment history verification must involve independent contact with prior employers through channels researched independently, not provided by the candidate. For employers in Estonia, Lithuania, Ukraine, or Central Asia, this requires language capability and in-country partner access. This is a specialist resource, but it is the difference between confirmation and verification.
Criminal record verification for non-EU nationals requires structured engagement with the relevant authorities in the originating country - either through direct request processes or through specialist partners with established access. The shortcut of accepting a self-declaration is not a proportionate response to the documented risk.
Sanctions and adverse media screening must be applied consistently across the full workforce, regardless of nationality, and conducted in the candidate's native language.
The convergence of state-sponsored employment fraud, sanctions evasion through document manipulation, and the industrial-scale falsification of professional credentials means that the cross-border hiring process is now an active threat surface. The employers who recognise this and build their verification processes accordingly will be better protected. Those who continue to rely on a document check and a reference call to a number the candidate provided are leaving a door open that motivated bad actors already know how to walk through.




