A growing pattern of tradecraft should be on the radar of every security manager who works with or hires former federal staff. Foreign intelligence services have long used recruitment and consulting covers to identify and cultivate insiders. That playbook can look innocuous: a polished company page, a LinkedIn outreach, or a short consulting gig pitched as harmless. But the case history shows how quickly a benign-sounding opportunity can become a vector for compromise.

How adversaries operate in the open

There are three reproducible techniques to watch for. First, adversaries set up either fake or opaque consulting firms that harvest resumes and professional histories. Those resumes, even when unclassified, map organizational roles, program timelines, subcontractor relationships, and individuals with privileged access. The Jun Wei Yeo prosecution is a clear example. He created a fake consulting cover, collected hundreds of resumes from cleared and otherwise sensitive employees, and passed selected information to his handlers.

Second, professional networking platforms are being used as collection funnels. The most prominent example in recent years involved a former intelligence officer who was approached through LinkedIn and later convicted for providing classified information to Chinese handlers. Open social platforms make it trivial for an operator to find candidates with the exact skills or clearances they need, and to start a recruitment conversation that appears legitimate.

Third, nation-state services sometimes hide behind bona fide-looking corporate or technical infrastructure such as shell firms, third-party hosting, or regional front companies. U.S. indictments have documented front companies established to mask state-directed collection and intrusion operations. These fronts complicate due diligence because they blend real services, copied branding, and intentionally thin public footprints.

Why former and transitioning federal employees are high value

People leaving government service often have up-to-date institutional knowledge, contacts, and program histories. They may also be financially stressed or uncertain, which increases their vulnerability to flattering approaches, offers for quick paid reports, and short-term overseas trips that are framed as benign. Adversaries exploit that combination of access, recency, and vulnerability to convert resumes and conversations into actionable intelligence. The intelligence community has repeatedly warned that platforms and job boards are attractive collection surfaces because individuals disclose their clearance histories, program names, and contractor relationships in public profiles.

Practical mitigation steps for organizations and individuals

1) Treat outreach as intelligence. Any unsolicited recruiting approach that asks for detailed job histories or nonpublic program descriptions, or that encourages off-platform communications, should be triaged by a security or counterintelligence point of contact. If the outreach is aimed at a former clearance holder, escalate to your agency security office or designated insider threat team.

2) Harden public profiles and resumes. Limit the publication of project-level details, exact program names, and explicit clearance statements on LinkedIn and other public job sites. Use role descriptions that highlight capabilities without disclosing sensitive program identifiers. This is a basic but effective way to reduce the attack surface.

3) Verify the recruiter and the company. Do a records check. Legitimate firms have verifiable corporate filings, office addresses, references, and a consistent digital footprint. Use open records, corporate registries, and direct phone verification with known corporate numbers rather than relying on contact details supplied by the outreach. If something is unusually opaque, treat it as suspicious.

4) Use formal reporting channels early. If anyone suspects that outreach might be foreign intelligence tradecraft, report it to your insider threat office, the FBI, or DCSA depending on your organization and existing protocols. Federal authorities and the DOJ have specifically encouraged reporting suspicious recruitment approaches. Prompt reporting both protects the individual and helps build threat intelligence that can warn others.

5) Operationalize continuous vetting and insider threat telemetry. Insider threat programs should combine behavioral monitoring, access controls, and personnel security processes so that elevated risk indicators trigger a nonpunitive yet direct response. The National Insider Threat Task Force and other government bodies outline how programs should detect and respond to insider indicators across personnel, physical, and cyber domains. Those programs must be resourced and integrated with HR, legal, and counterintelligence functions.

6) Apply technical controls around data handling. Enforce least privilege, segment sensitive repositories, require robust just-in-time access approvals, and use data loss prevention rules that flag bulk exports of project metadata or program rosters. Combine technical controls with mandatory secure-communication training for those handling sensitive program data. Regularly exercise insider-threat detection use cases in tabletop and red team exercises.

7) Prepare transition counseling for departing staff. Security teams should coordinate with HR to provide departing employees with briefings about targeted recruitment tactics, guidance on preserving obligations tied to prior clearances, and direct reporting contacts. Many recruitment lures are time sensitive; giving departing staff a short checklist and an authoritative reporting path materially reduces risk.
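The bulk-export rule from step 6 can be sketched as a sliding-window check over export audit events, with a lower threshold for staff who have a separation date on file. This is an added example, not part of the original article; the repository names, user names, thresholds, and the HR "departing" feed are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, repository, records exported).
EVENTS = [
    ("2024-03-04T08:00:00", "dlee", "public-wiki", 5000),
    ("2024-03-04T08:00:00", "efox", "program-roster", 300),
    ("2024-03-04T09:12:00", "asmith", "program-roster", 40),
    ("2024-03-04T09:40:00", "asmith", "project-metadata", 60),
    ("2024-03-04T10:00:00", "bjones", "program-roster", 60),
    ("2024-03-04T10:20:00", "bjones", "project-metadata", 70),
    ("2024-03-04T10:30:00", "efox", "program-roster", 300),
    ("2024-03-04T11:00:00", "cdoe", "project-metadata", 300),
    ("2024-03-04T11:30:00", "cdoe", "program-roster", 250),
]

SENSITIVE_REPOS = {"program-roster", "project-metadata"}  # assumed repository labels
DEPARTING = {"bjones"}           # assumption: HR feed of users with a separation date
WINDOW = timedelta(hours=1)      # assumed look-back window
THRESHOLD = 500                  # assumed records-per-window limit for regular staff
DEPARTING_THRESHOLD = 100        # assumed tighter limit for departing staff


def flag_bulk_exports(events, departing=DEPARTING):
    """Return {user: (records_in_window, trigger_timestamp)} for the first
    moment each user's sensitive exports exceed their limit within WINDOW."""
    recent = defaultdict(deque)   # user -> (timestamp, count) pairs inside the window
    totals = defaultdict(int)     # user -> running sum of counts inside the window
    alerts = {}
    for ts_raw, user, repo, count in sorted(events):
        if repo not in SENSITIVE_REPOS:
            continue              # exports from non-sensitive sources are out of scope
        ts = datetime.fromisoformat(ts_raw)
        window = recent[user]
        window.append((ts, count))
        totals[user] += count
        # Evict events that have aged out of the look-back window.
        while ts - window[0][0] > WINDOW:
            totals[user] -= window.popleft()[1]
        limit = DEPARTING_THRESHOLD if user in departing else THRESHOLD
        if totals[user] > limit and user not in alerts:
            alerts[user] = (totals[user], ts_raw)
    return alerts


if __name__ == "__main__":
    for user, (total, when) in flag_bulk_exports(EVENTS).items():
        print(f"ALERT {user}: {total} sensitive records within 1h (at {when})")
```

In the sample, efox's two 300-record exports are more than an hour apart and stay below the limit, while bjones trips the lower departing-staff limit with only 130 records.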

A few red flags to treat seriously

  • Vague or unverifiable company contact information combined with urgent high-pay offers for “advisory” or “research” reports.
  • Recruiters who insist on alternative communication channels early in the process or who pressure for travel to a specific overseas meeting.
  • Requests for nonpublic schedules, contractor points of contact, or unclassified-but-sensitive program descriptions that reveal internal workflows.

Closing thoughts

Adversaries will keep adapting their tradecraft to exploit open job markets and social platforms. That means defenders must treat recruitment as a counterintelligence problem as much as an HR one. Small procedural changes yield outsized returns: verify companies, limit public disclosure of program details, empower departing employees with reporting steps, and keep insider threat programs active and well resourced. The cases we have seen are not theoretical. They are proof that a resume or a networking message can be the starting point of a breach. Stay skeptical, verify, and report.