Expel AI CEO interviews deepfake candidate despite security expertise - third such case this month

Chris Rebholz, who researches deepfakes professionally, still nearly hired one for a security researcher role. The incident highlights how recruitment has become an attack surface - even experts miss red flags when hiring speed trumps verification.

Chris Rebholz has researched deepfakes for years. He's presented on them at conferences. He runs Expel AI, a threat modeling startup. None of that stopped him from interviewing a deepfake candidate for a security researcher position.

"I did not think it was going to happen to me, but here we are," Rebholz told The Register.

The setup was textbook: LinkedIn introduction, anime profile picture, AI-generated resume hosted on Vercel. Each red flag got rationalized. Security people use aliases. Developers deploy portfolios with Claude. The urgency? Maybe just enthusiasm.

"I've never had that level of urgency for an introduction before," Rebholz said. Five minutes after sharing his email, the LinkedIn contact was checking if he'd replied.

Rebholz isn't alone. Vidoc Security Lab CTO Dawid Moczadlo caught a deepfake candidate this month by asking them to cover their face during the interview - the video glitched. The Justice Department reported over 300 US companies hired North Korea-linked deepfake workers last year.

The real problem isn't technology

Seventeen percent of hiring managers have spotted deepfakes in interviews, per recent surveys. Industry projections suggest one in four applicants will use some form of fakery next year.

The NSA, FBI, and CISA recommend layered verification - unpredictable tasks like whistling or in-person checks - because detection technology can't keep pace with generation quality. Attackers need one image and three seconds of audio.

But hiring pipelines optimize for speed, not security. Remote-first companies post roles, collect resumes, and schedule Zoom calls within hours. That's where the trade-off bites.

What this means in practice

Enterprise security leaders need to treat recruitment as an attack surface. Zero-trust principles apply: verify identity through multiple channels, especially for IT and security roles with system access.

The fine print matters here: liveness detection APIs and face verification tools help, but determined attackers bypass them. Process design beats technology - require camera-on interactions with unpredictable requests, verify previous employment through back channels, and flag overseas candidates who list recent US-based roles.

Rebholz's experience is instructive precisely because he knew better. When experts justify red flags to maintain hiring velocity, what chance do understaffed HR teams have?

Worth noting: some security forum members questioned why Rebholz proceeded despite his expertise. Fair criticism. The answer matters less than the pattern: recruitment fraud scales faster than defenses, and no one's immune.