Most stories about fake remote IT workers start with the resume.
That is probably the wrong place to stop.
The uncomfortable part begins after the hire: the laptop ships, the account gets created, the repo invite lands, the cloud role gets assigned, and suddenly the fake identity has real access.
That shift matters because it changes the defender question. This is not only about catching suspicious applicants. It is about asking what happens when one gets through and starts touching systems the business already trusts.
The useful intelligence move is not panic. It is forecasting: define the claim, set the deadline, watch the signals, and decide what evidence would change your mind.
AlphaHunt breaks down the access model and the forecast here.