Unmasking Hidden Threats: Spotting a DPRK IT-Worker Campaign

2025-09-23 Trellix

https://www.trellix.com/blogs/research/unmasking-hidden-threats-spotting-a-dprk-it-worker-campaign/


Trellix uncovered a North Korean IT-worker employment fraud attempt after correlating applicant email addresses from OSINT reporting with telemetry from a major U.S. healthcare provider’s hiring process. The suspected operative used the persona “Kyle Lankford” and Gmail accounts to apply for a Principal Software Engineer role, complete a CodeSignal assessment, and send a routine follow-up email. The activity did not rely on malware, phishing links, spoofing, or suspicious attachments, so detection depended on proactive threat hunting and identity-focused intelligence rather than email-security alerts. The case shows how DPRK IT-worker schemes can create insider-access, sanctions, intellectual-property, and supply-chain risks even when the observed communications look like normal recruiting traffic.
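The hunt described above is an identity correlation: a list of applicant e-mail addresses from OSINT reporting is matched against the employer's own hiring telemetry (applications, assessment completions, follow-up mail). The script below is an added example of that correlation and is not Trellix's code or tooling. Both the OSINT list and the applicant records are constructed placeholders, not real indicators, and the field names (`ts`, `email`, `name`, `role`, `event`) are assumptions about what an ATS or mail-gateway export would carry. It goes one step beyond the summary by canonicalising Gmail addresses first (dots ignored, `+tag` suffixes stripped, `googlemail.com` folded into `gmail.com`), because a persona can reuse one mailbox under several spellings and a naive string match would miss them.

```python
"""
Correlate OSINT-reported persona e-mail addresses with hiring telemetry.

Added example, not Trellix code. All addresses and events below are
constructed placeholders for illustration, not real indicators.
"""
from collections import defaultdict


def canonical_email(addr: str) -> str:
    """Normalise an address so trivial variants still match.

    Gmail ignores dots in the local part, strips '+tag' suffixes and treats
    googlemail.com as an alias of gmail.com, so one mailbox can appear under
    many spellings. Other domains only get case-folding and trimming; the
    '+tag' strip is applied everywhere as a common sub-addressing convention.
    """
    addr = addr.strip().lower()
    if "@" not in addr:
        return addr
    local, domain = addr.rsplit("@", 1)
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        domain = "gmail.com"
        local = local.replace(".", "")
    return f"{local}@{domain}"


# Constructed OSINT feed: addresses reported as IT-worker personas (placeholders).
OSINT_PERSONA_EMAILS = {
    "persona.one@gmail.com",
    "recruit-bait@example.net",
}

# Constructed hiring telemetry: one record per applicant event (assumed schema).
APPLICANT_EVENTS = [
    {"ts": "2025-08-19T14:02:11Z", "email": "Persona.One+jobs@googlemail.com",
     "name": "A. Person", "role": "Principal Software Engineer", "event": "application"},
    {"ts": "2025-08-27T09:15:40Z", "email": "personaone@gmail.com",
     "name": "A. Person", "role": "Principal Software Engineer", "event": "assessment_complete"},
    {"ts": "2025-09-23T16:48:03Z", "email": "p.e.r.s.o.n.a.one@gmail.com",
     "name": "A. Person", "role": "Principal Software Engineer", "event": "follow_up_email"},
    {"ts": "2025-09-01T11:00:00Z", "email": "jane.doe@example.org",
     "name": "Jane Doe", "role": "Staff Engineer", "event": "application"},
    {"ts": "2025-09-02T11:00:00Z", "email": "Recruit-Bait@example.net",
     "name": "Alex Roe", "role": "SRE", "event": "application"},
]


def hunt(events, osint):
    """Return {canonical_address: [matching events]} for every OSINT hit."""
    osint_canon = {canonical_email(a) for a in osint}
    hits = defaultdict(list)
    for ev in events:
        canon = canonical_email(ev["email"])
        if canon in osint_canon:
            hits[canon].append(ev)
    return dict(hits)


def summarise(hits):
    """Collapse hits into IOC-style rows: first/last seen, count, spellings seen."""
    rows = []
    for canon, evs in sorted(hits.items()):
        # ISO-8601 UTC timestamps with a fixed layout sort correctly as strings.
        ts = sorted(e["ts"] for e in evs)
        rows.append({
            "indicator": canon,
            "first_seen": ts[0],
            "last_seen": ts[-1],
            "events": len(evs),
            "observed_as": sorted({e["email"] for e in evs}),
            "roles": sorted({e["role"] for e in evs}),
        })
    return rows


if __name__ == "__main__":
    for row in summarise(hunt(APPLICANT_EVENTS, OSINT_PERSONA_EMAILS)):
        print(f"{row['indicator']}  first={row['first_seen']}  last={row['last_seen']}  "
              f"events={row['events']}  seen_as={row['observed_as']}")
```

In practice the OSINT list comes from published reporting and the event list from the applicant-tracking system and mail gateway; the point of canonicalising before matching is that the three spellings of the placeholder Gmail mailbox above collapse to a single indicator with a first-seen and last-seen date, which is the shape of the IOC table that follows.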

Indicators of Compromise

Type    Value                First Seen    Last Seen
EMAIL   [email protected]    2025-09-23    2025-09-23
IPv4    209.85.128.196       2025-09-23    2025-09-23
EMAIL   [email protected]    2025-08-19    2025-09-23

The e-mail values are shown as they appear on the source page, where they are obfuscated; the original post carries the actual addresses. Note that 209.85.128.196 lies inside 209.85.128.0/17, one of the mail-sending netblocks Google publishes in its SPF records, which is consistent with the Gmail accounts the persona used: it identifies Google's outbound relay, not the operator's own infrastructure, and is not a useful block-list entry on its own.
