The Professional Trojan Horse: How Foreign Spies Are Infiltrating Tech Companies

Introduction

A few weeks ago, we received a meeting request from one of our global IT clients. The company provides nearshore and offshore IT services to top clients, including some in the Fortune 500. We didn’t have a clue about the topic of the session, but it seemed pretty important and kind of confidential. The meeting started like any other, with everyone saying hello, but then the atmosphere turned cold and hard to digest.

The head of HR mentioned they had some rare cases in Europe related to hiring. Individuals with specific characteristics had been hired for positions in a global American company. Then something happened: they tried to sabotage or perform activities related to espionage. We were not given the details, but we were asked to be careful, as they hadn’t seen any such cases in Mexico… yet. The meeting finished.

A few weeks later, members of our team asked me to join an urgent meeting. What was happening? Why the hurry? I joined, and the manager and customer success managers were waiting for me. The cold atmosphere from the previous meeting returned. A headhunter started to speak. “We have something strange,” they said. We had a candidate who was not from this continent. They had a name from another country and a last name from Latin America. They told us they were born in Guadalajara, which is possible, as we have many migrants, but they were living in the USA and didn’t speak Spanish, only English. We had a one-on-one interview, and they didn’t have a Latin face but rather one from another country. They had the skills, but the case was strange. So we tried to ask for some IDs. They gave us their INE (ID) and CURP. The INE seemed valid, and the CURP was valid, but it said they were born in Puebla, not Guadalajara. “So what should we do? Should we keep them in the process? What are the best steps? What would you have done in this scenario?”

My decision was to reject that candidate. Are we really having these kinds of cases that seem to be straight out of a movie? In the Mexican market? Mexico is one of the top nearshoring markets for the USA, so sooner or later it was bound to happen. But was this the first case? No. Just a few days ago, there were two more. The second case involved a candidate with a full Mexican name but no Latin features. He said he didn’t speak Spanish because he had a brain problem that caused him to lose the memory and fluency of the language, so his wife would translate for him. In addition, he lived in the USA and wanted to return to his origins in Mexico. We asked for an ID, and we got no more responses. The third case was a candidate who said, “Hello, I’m from Mexico, but I live in another country, and I want to come back to my Mexico. There is only one issue: since I was born in Mexico and my parents needed to go to the USA, I don’t speak Spanish.” We asked for an ID, and again, no more responses.

We have a lot of questions. What is happening? Are the cases increasing? What should we do? How can we protect our clients and ourselves?

The New Frontier of Corporate Espionage

The digital landscape has become a new frontier for geopolitical competition. Foreign state-sponsored actors are actively targeting American companies, not through overt military action, but through the insidious infiltration of their IT departments. These operatives, often disguised as legitimate employees, seek to steal intellectual property, sabotage critical infrastructure, and gain strategic advantages for their home nations. The tactics employed often blend traditional human intelligence (HUMINT) with advanced cyber capabilities.

Documented Cases: A Look at the Evidence

While incidents like the ones described above seem like something out of a spy thriller, such cases are well documented and have a significant impact.

In one case, an engineer pleaded guilty to stealing thousands of files containing classified infrared sensor blueprints for missile launch detection. In another case, a foreign consultant working as a software engineer at a major tech company was arrested for secretly founding a foreign AI startup and uploading hundreds of Google’s AI chip designs and infrastructure specifications to his personal accounts. He was accused of stealing trade secrets to benefit foreign companies.

Another scheme involved individuals using stolen or fabricated American identities to pose as legitimate remote employees. These operatives worked from foreign locations while using U.S.-based facilitators to manage “laptop farms” that they accessed remotely. Paradoxically, these individuals often became high performers, working two to three times more productively than typical employees by operating as teams. However, their true objective was to pose a significant security risk, with some attempting to extort employers or steal assets when discovered. Authorities have seized millions in related assets and arrested facilitators who helped generate revenue for the foreign regime through this scheme.

Long-term operations are also a common tactic. One engineer, who worked for two major aerospace firms from 1979 to 2006, systematically stole hundreds of thousands of documents related to the Space Shuttle program and military cargo aircraft. Over 27 years, he collected an immense amount of sensitive technology.

Quantifying the Threat: The Economic Toll

The financial and strategic impact of this type of corporate espionage on American companies is substantial, affecting economic growth, innovation, and national security. The FBI estimates that economic espionage costs the American economy between $200 billion and $1 trillion annually.

One report found that the average annual cost of insider threats reached $17.4 million per organization in 2025, with credential theft incidents averaging $779,797 per event. The financial services sector faced the highest average costs at over $20 million annually to resolve insider incidents.

Individual cases can be particularly devastating. For example, one company lost $800 million in contracts and was forced to lay off two-thirds of its workforce after an insider stole proprietary software. This demonstrates how a single compromised employee can wreak havoc on an entire organization.

Your Defense: What You Should Do

These threats are real, but companies can implement measures to mitigate the risks. While it’s important to be vigilant, it’s also crucial to avoid creating an environment of xenophobia. The focus should be on a robust and comprehensive approach to risk management.

Here are some key indicators and best practices to look out for:

  • Behavioral Red Flags: Pay attention to sudden changes in an individual’s financial situation, such as unexplained wealth or affluence inconsistent with their income. Also, be wary of employees who are reluctant to take vacation time, as they may fear their absence will reveal unauthorized activities.
  • Technical Red Flags: Abnormal system usage is a major sign. Look for employees who access company systems outside of normal business hours or from unusual geographic locations. Other red flags include attempts to access data for which they lack legitimate job-related authorization, downloading unusually large volumes of sensitive data, or trying to circumvent security controls.
  • Recruitment-Related Red Flags: The “too good to be true” job offers you’ve seen are a classic lure. Insistence on communicating through unofficial channels, requests for sensitive information that isn’t required for a legitimate application, or a vague work history can also indicate malicious intent. Some of the most damaging cases involve high-performing individuals, as was seen in the case of foreign IT workers who were described as being “two to three times” more productive than their peers. This shows that a good resume and strong work ethic can sometimes mask a deeper, more malicious purpose.
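The technical red flags above can be turned into simple detection rules. The following is an added example, not part of the original article: the log format, the per-user baseline, the business-hours window and the volume threshold are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: timestamp (UTC), user, source country, resource, bytes out.
# "ZZ" is a placeholder for any country outside the user's baseline.
SAMPLE_LOG = """\
2025-03-03T14:05:00,alice,MX,repo/payments,120000
2025-03-03T15:40:00,alice,MX,wiki/onboarding,8000
2025-03-04T02:17:00,bob,MX,repo/payments,450000
2025-03-04T02:31:00,bob,ZZ,repo/payments,900000000
2025-03-04T02:48:00,bob,ZZ,hr/payroll,700000000
2025-03-04T16:20:00,carol,MX,repo/mobile,30000
"""

# Hypothetical per-user baseline: expected countries and authorized resource prefixes.
BASELINE = {
    "alice": {"countries": {"MX"}, "allowed": ("repo/payments", "wiki/")},
    "bob": {"countries": {"MX"}, "allowed": ("repo/payments", "wiki/")},
    "carol": {"countries": {"MX", "US"}, "allowed": ("repo/mobile", "wiki/")},
}
BUSINESS_HOURS_UTC = range(13, 24)   # assumed 07:00-18:00 in Mexico City (UTC-6)
DAILY_BYTES_LIMIT = 500_000_000      # assumed threshold for an unusually large daily volume


def find_red_flags(log_text, baseline=BASELINE):
    """Return {user: sorted list of flags} for users who trip at least one indicator."""
    flags = defaultdict(set)
    daily_bytes = defaultdict(int)
    for line in log_text.strip().splitlines():
        ts, user, country, resource, size = line.split(",")
        when = datetime.fromisoformat(ts)
        profile = baseline.get(user)
        if profile is None:
            flags[user].add("unknown_account")
            continue
        if when.hour not in BUSINESS_HOURS_UTC:
            flags[user].add("off_hours_access")
        if country not in profile["countries"]:
            flags[user].add("unusual_location")
        if not resource.startswith(profile["allowed"]):
            flags[user].add("unauthorized_resource")
        daily_bytes[(user, when.date())] += int(size)
    for (user, _day), total in daily_bytes.items():
        if total > DAILY_BYTES_LIMIT:
            flags[user].add("large_data_volume")
    return {user: sorted(found) for user, found in flags.items()}
```

Each flag on its own is weak evidence; several firing for the same account on the same day is what warrants a review.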

A Proactive Approach to Protection

The modern IT landscape demands a proactive approach to security that extends far beyond firewalls and antivirus software. It must be an integrated strategy that combines technical vigilance with a deep understanding of human behavior. Given the increasing sophistication of these threats and the sheer volume of cases, can your organization truly afford to leave its talent acquisition to chance?

This is where a robust Background Verification (BGV) program becomes non-negotiable. BGV is the process of verifying an individual’s credentials and history, including their criminal records, employment, and education, to confirm the accuracy of the details on their resume. It’s a crucial step in the hiring process that protects companies from potential risks and fraud while ensuring a safe and secure work environment for all employees.

Every company, regardless of size, should integrate thorough BGV into their recruitment approach. This process helps to mitigate risks, prevent fraud, and safeguard the company’s reputation from the costly consequences of a bad hire. While the specific checks may vary, a comprehensive BGV process typically includes:

  • Identity and Address Verification: To confirm the candidate is who they claim to be and legally resides where they say they do.
  • Educational Verification: To validate the authenticity of degrees and certifications listed on their resume.
  • Employment Verification: To confirm past job titles, dates of employment, and responsibilities with previous employers.
  • Criminal Background Checks: To uncover any criminal history that could pose a risk to the company or its employees.
  • Global Sanctions and Compliance Checks: Especially important for companies with an international presence, to ensure the candidate isn’t on any sanctions lists.

By taking these steps, organizations can make more informed hiring decisions and ensure their workforce is both competent and trustworthy.
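For Mexican candidates, part of the identity check can be automated, because a CURP encodes the holder's date and state of birth. The following added example (not from the original article) flags the kind of mismatch described in the introduction, where the candidate claimed Guadalajara (Jalisco) but the CURP was coded for Puebla; the sample CURP is constructed and the function names are hypothetical.

```python
import re
from datetime import date

# CURP entity-of-birth codes (characters 12-13); NE means born outside Mexico.
STATES = {
    "AS": "Aguascalientes", "BC": "Baja California", "BS": "Baja California Sur",
    "CC": "Campeche", "CL": "Coahuila", "CM": "Colima", "CS": "Chiapas", "CH": "Chihuahua",
    "DF": "Ciudad de México", "DG": "Durango", "GT": "Guanajuato", "GR": "Guerrero",
    "HG": "Hidalgo", "JC": "Jalisco", "MC": "Estado de México", "MN": "Michoacán",
    "MS": "Morelos", "NT": "Nayarit", "NL": "Nuevo León", "OC": "Oaxaca", "PL": "Puebla",
    "QT": "Querétaro", "QR": "Quintana Roo", "SP": "San Luis Potosí", "SL": "Sinaloa",
    "SR": "Sonora", "TC": "Tabasco", "TS": "Tamaulipas", "TL": "Tlaxcala",
    "VZ": "Veracruz", "YN": "Yucatán", "ZS": "Zacatecas", "NE": "born outside Mexico",
}
ALPHABET = "0123456789ABCDEFGHIJKLMNÑOPQRSTUVWXYZ"
PATTERN = re.compile(r"[A-ZÑ]{4}(\d{2})(\d{2})(\d{2})[HMX]([A-Z]{2})[A-ZÑ]{3}([A-Z0-9])\d")


def check_digit(first17):
    """Check digit over the first 17 characters (weights 18 down to 2)."""
    total = sum(ALPHABET.index(c) * (18 - i) for i, c in enumerate(first17))
    return (10 - total % 10) % 10


def check_curp(curp, claimed_state):
    """Return a list of findings; an empty list means no inconsistency was detected."""
    curp = curp.strip().upper()
    m = PATTERN.fullmatch(curp)
    if not m:
        return ["not a structurally valid CURP"]
    findings = []
    yy, mm, dd, state, homoclave = m.groups()
    century = 1900 if homoclave.isdigit() else 2000  # digit here: born before 2000
    try:
        date(century + int(yy), int(mm), int(dd))
    except ValueError:
        findings.append("birth date is not a real calendar date")
    if state not in STATES:
        findings.append(f"unknown state code {state}")
    elif state != claimed_state:
        claimed = STATES.get(claimed_state, claimed_state)
        findings.append(f"CURP says {STATES[state]}, candidate says {claimed}")
    if check_digit(curp[:17]) != int(curp[17]):
        findings.append("check digit does not match")
    return findings

# Constructed sample (not a real person's CURP): Puebla-coded, check digit computed here.
PREFIX = "TEST900215HPLTST0"
SAMPLE_CURP = PREFIX + str(check_digit(PREFIX))
```

A clean result only shows that the string is internally consistent and matches the candidate's story; whether the CURP exists and belongs to the person presenting it still has to be confirmed against the official registry.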

If you need a reliable partner to help navigate the complexities of finding and vetting trustworthy IT talent, our services can help you reinforce your human firewall.

Guiding the Way: Advice & Questions from the Community

Navigating the complex and evolving landscape of work models and talent attraction across the Americas requires strategic foresight. Drawing on shared experiences and collective wisdom can provide invaluable guidance, especially when facing new and sophisticated threats. We’d love to hear your insights and learn from the challenges you’ve faced.

Here are a couple of questions to kick off the conversation:

💬 Adapting to New Threats: Given the rise of “professional Trojan horses” and other insider threats, what unexpected security challenge have you encountered in a hybrid or remote work model? What steps did your team take to effectively address it without creating a culture of distrust?

💬 Navigating Global Talent Pools in Mexico: With Mexico’s growing nearshoring market for IT, what unique challenges or opportunities have you encountered when recruiting specialized tech talent for on-site, hybrid, or remote roles? What strategies have proven most effective in ensuring the integrity of your hiring process, particularly concerning candidate verification and background checks?

Sources:

  • U.S. Department of Justice. Engineer Pleads Guilty to Stealing for Foreign Government’s Benefit Trade Secret Technology Designed for Missile Launch and Detection.
  • U.S. Department of Justice. The Justice Department disrupts foreign remote IT Worker Fraud Schemes Through Charges and the Arrest of a Nashville Facilitator.
  • U.S. Department of Justice. Florida Telecommunications and Information Technology Worker Sentenced for Conspiring to Act as Agent of Foreign Government.
  • DTEX Systems. 2024 DTEX i3 Insider Risk Investigations Report – Foreign Interference: Special Edition.
  • U.S. Department of Justice. Foreign Consultant Residing in California Arrested for Theft of Artificial Intelligence-Related Trade Secrets from Google.
  • FBI. FBI Director Christopher Wray’s testimony regarding Foreign-related counterintelligence cases.
  • Santoni Services. How Investigations Can Protect Your IP from Theft.
