The Impostor Got Verified. The Founder Couldn't.
On LinkedIn, a scammer impersonating a company can get verified more easily than the company can verify its own staff. The lock works; Microsoft owns the key.
In short: LinkedIn’s grey verification checkmark can mean two completely different things, and you cannot tell which without clicking.
It can mean “this is a real, documented person,” or “this person actually works where they say.” A scammer in Bogotá impersonating the AI startup 0G has the first kind. The startup’s own founder cannot get the second kind for himself, because on LinkedIn, proving you work somewhere runs through software his company does not use. So the trust mark is easier for the impersonator to earn than for the company being impersonated to secure for its own staff. On top of that, LinkedIn attaches a company’s logo to anyone who types its name, links it to the real company page, counts them in the employee total, and will not let the company remove them without a sworn legal filing or a court order.
The story here is how a verification system came to shield the wrong people, and why the obvious fix runs into an antitrust problem. Somebody pays for all of it, and it is neither the platform nor the scammer.
This piece and its companion publish together today. The companion, North Korea Is Hiring, follows the attack itself: a North Korean malware operation that used exactly this gap to target my business partner. Read the pair as system and specimen. Every social platform with a broken trust signal invites abuses like these; LinkedIn most of all, because the claim being faked there, employment, is the very thing the platform exists to certify.
Two people on LinkedIn carry the same small grey shield beside their name. One of them co-founded the company. The other, according to that company, has never worked there in her life.
Michael Heinrich built 0G Labs, an AI and blockchain infrastructure startup. Click the verification badge on his profile and it resolves to two things: a work email at Garten, the company he founded before this one, and an educational email at Stanford, where he took his master’s and still teaches. His current company, the one he runs and is publicly defending against impersonators, does not appear in his verifications at all.
Click the identical badge on the profile of a woman in Bogotá who lists herself as an HR Business Partner at 0G since October 2024, and it resolves to a Colombian government ID, checked in July 2024. It says nothing about 0G either. A 0G executive, asked about her directly, was unambiguous: the company does not know her, and never has.
The two shields match down to the shade of grey and the spot where they sit beside the name. To see that one badge attests to a former employer and a university, and the other to a passport, and that neither says a word about 0G, you have to stop and click each one. Nobody clicks. That is the point. On the platform where a billion people go to establish who they work for, the man who built the company and the woman it says it has never heard of wear the identical mark of trust, and it certifies, in both cases, something other than the thing a reader assumes.
Everything that follows is an explanation of those two badges. Hold onto them.
Two kinds of checkmark
The confusion starts with the badge itself, because a single icon stands for two entirely different claims, and the whole story flows from the gap between them.
LinkedIn offers a member two verifications that both produce the grey shield. The first is identity verification: a member submits a government ID and a selfie to one of LinkedIn’s partners, and the badge confirms that a real, documented human is behind the account. Anyone with a passport can get it, alone, in about ten minutes. The second is workplace verification: it confirms that the member actually works at the employer listed on their profile. That one is harder, because it requires the employer’s cooperation, and most of what follows explains why.
The two look the same. In a message or in search results, the shield sits beside the name and says nothing about which kind it is. You have to open the profile and click it to find out. If you wear the shield yourself, click it and see which of the two claims you have been making. Some readers will find a former employer in there, still vouching for a job that ended.
The two people from the top land on opposite sides of that split. The woman in Bogotá has an identity verification. Her badge is real and it is doing the job LinkedIn built it to do: it confirms she is a documented person. It says nothing about 0G. Heinrich has workplace and education verifications, but they point at Garten and at Stanford, the places he can prove he belonged to. Neither points at 0G. A reader glancing at either shield would never guess it, but neither badge certifies the one fact a jobseeker cares about, which is whether the person works at 0G. One of these people cannot honestly claim it. The other built the company and cannot conveniently prove it. Both wear the same mark.
That the badge buys real advantage is not in dispute. LinkedIn’s own marketing says verified members see 60% more profile views and 50% more engagement, and its Trust Product VP has put a number on the record: more than 90 million members carry verified information, and the attention follows them. The shield purchases reach and trust; clarity about what was checked is not part of the bargain.
A real person is exactly what the scam needs
The impersonator’s badge first, because the way it misleads is the cruelest part.
Her verification confirms she is a real, documented human. That sounds like a safeguard. It is the opposite, and to see why you have to know how the fraud works. Identity verification does not defeat identity fraud. In the case the companion investigation documents, it completed it.
The dominant North Korean employment-fraud model does not forge identities. It rents real ones, or steals them outright. When the security-awareness firm KnowBe4 ran a background check on a North Korean operative it had unknowingly hired, the check came back clean, because the stolen identity underneath was a real American’s. A verification that confirms a real human exists is no defense against an adversary whose entire method is to wear a real human’s documents. It is a piece of the disguise. The badge does not fail. It works perfectly, and it certifies the wrong thing.
The founder’s badge, verified for the wrong company
The other badge misleads in a quieter way, and the founder illustrates it without doing anything wrong.
Workplace verifications do not switch off when the job ends. LinkedIn’s own troubleshooting pages say so plainly, in nearly identical language across all three of its workplace-verification methods: if you change jobs and your new company has not enabled workplace verification, your previous workplace verification stays visible on your profile. The same sentence appears for Microsoft Entra, the corporate identity software many companies use to manage employee logins, and for the LinkedIn Learning route.
Heinrich is the clean demonstration. His badge points at Garten, which he left, and at Stanford, which he attended, both verified back in October 2023. He has done nothing improper. He simply carries forward the marks he was entitled to at the time, because LinkedIn’s design keeps them lit long after they have stopped describing his present. A reader glancing at the shield reads “verified,” full stop, and moves on. Nothing tells them the attestation is a two-year-old artifact of a job that ended.
Put the two badges side by side and the failure is complete.
The impersonator’s mark is real but undated, and points nowhere useful. The founder’s is no less real, only stale, and it points at the wrong company. Neither is a lie. Both are true statements, rendered as a general-purpose signal of present trustworthiness, sitting next to whatever the person happened to type into their current-employer field. Which brings us to what a person can type there, and what LinkedIn does with it.
We tried to build the defense first
A quick word on how I came to be staring at these two profiles, because the failed attempt is itself part of the finding.
The idea was modest. A tool that would let a company find every person on LinkedIn claiming to work there, check those claims against its own payroll, and flag the strangers. Nothing touching private messages or data behind a login wall. Just a reconciliation between what people assert in public and what an employer knows to be true.
It cannot be built. The reasons arrive further down; the more useful discovery came before any of the legal or technical walls. LinkedIn does not merely fail to verify the claim that someone works at your company. It actively dresses that claim in your company’s clothing, and that became the real story.
The logo problem
Here is what LinkedIn does with an unverified employment claim, and nothing in the story fails quite so nakedly.
Anyone can add any company to their experience section. Type the name, pick the company from the dropdown, and the platform supplies the rest. The company’s logo appears on the profile. It hyperlinks through to the official company page, the one real employees maintain, with its genuine followers and posts. The claimant is folded into the employee count that page shows every visitor.
None of this requires verification. The logo is not a credential the company issues; it is a graphic LinkedIn attaches to an unverified assertion, and it lands on a reader with all the force of a credential. The whole fake-recruiter economy runs on that gap. The impersonator forges nothing. The platform does the forging, in good faith, as a rendering convenience. The woman in Bogotá did not have to counterfeit 0G’s logo; she selected 0G from a menu, and LinkedIn drew it for her and linked it to 0G’s own page.
And the impersonated company cannot see any of it in a systematic way. There is no admin dashboard listing everyone who claims affiliation. No queue to review, no alert when a stranger in another country suddenly lists your firm as their employer.
The company that has been shouting into the void
If you doubt that this is a live wound rather than a theoretical one, look at what the impersonated company has been reduced to doing about it.
0G is not a passive victim discovering this for the first time. It has been fighting it in public for months, with the only tools the platform leaves it, which is to say tools that do not work.
In March 2026 the 0G Foundation’s verified account posted a formal scam warning: someone was impersonating the company, running fake interviews and steering candidates to fraudulent booking links, and had begun approaching investors to close deals in 0G’s name. The notice tells applicants that every legitimate interview invite comes from an 0g.ai address; that real headhunters working for 0G will never ask a candidate to download files or clone a code repository, and that anyone unsure should verify through a named 0G mailbox first.
The graphic attached reads: If It’s Not From @0g.ai, It’s Not From Us. Heinrich himself posted a near-identical warning a couple of months later.
The line that matters is the one where he spells out the limits of his own power: anyone on LinkedIn can list 0g as their employer, we do not control this, and only LinkedIn can remove fraudulent profiles. The co-founder of the impersonated company, verified, telling his own audience that the only party who can act is the platform, and that the platform has not.
Read what these notices actually are.
On the professional network whose entire proposition is verified professional identity, a company’s remedy against impersonation is to leave the platform and publish, somewhere else, a plea that people check an email domain instead. That is how an organization behaves when it has run out of options inside the system meant to provide them. The scam recurs anyway, because a public warning removes no profiles, and the profiles are where the deception lives.
There was, in this case, even a fake product to complete the illusion. The North Korean operation the companion piece traces built its lure around a Web3 poker game it called “0G RollPlay,” a name chosen to borrow 0G’s brand. It is not a 0G product. The real company’s code repositories contain no such thing and it ships no such game. The attackers took a generic open-source project, painted 0G’s name on it, and used it as the pretext to get an engineer to clone and run a poisoned repository. Even the product was invented, and the platform still rendered the affiliation.
Can an organization fight back?
So the company knows about a specific fake profile. What can it do to get that one profile taken down? Almost nothing, and the process is stranger than that summary suggests.
LinkedIn’s help center is direct about the limits. It is not possible for a page administrator to remove someone who claims to work there, because the member supplied the data. The company must instead file a report of inaccurate employment, and LinkedIn’s own page notes that any assertion made in that form is made under penalty of perjury.
A stranger can assert an employment relationship with your company, and LinkedIn will render it in your branding with no evidence required. To contest the assertion, the company that actually holds the payroll must swear a legal oath.
It gets worse in practice. By the account of impersonated companies who have described the process publicly, there is a counter-notice step: a formal objection from the reported profile that, under LinkedIn’s process, stops the removal cold. LinkedIn contacts the profile owner. If the owner disputes the takedown, LinkedIn declines to act and tells the company it can revisit the matter with formal judicial process. Reported timelines run to a fortnight at minimum, and success is not guaranteed. A company can find itself needing a court order to remove a fabricated employee from its own page.
The structure is borrowed from copyright takedowns, where notice-and-counter-notice makes sense because two parties may hold genuinely competing claims to a piece of creative work. Employment is not like that. There is exactly one authoritative source for whether a person is on a payroll, and it is not the person. Apply a symmetric dispute process to a question with only one right answer, and the outcome writes itself: the party holding the evidence carries the burden, and the party with the incentive to lie enjoys the presumption.
The loophole that swallows the remedy
Even that grim process turns out to be a footnote, because most impersonators never trigger it in the first place.
The 0G executive spelled it out. Most of the impersonators, he said, do not claim to work at 0G at all. They claim to work at a recruiting agency, recruiting for 0G. And that, he said, makes it impossible to get them removed.
Follow the logic. The inaccurate-employment process exists to correct a false claim of employment at your company. A person who claims to work at Acme Recruiting, sourcing candidates for 0G, has made no false claim about employment at 0G. They have made a claim about Acme. 0G has no standing to report it, because the tool addresses a claim that was never made. The brand is being used, the jobseeker is being deceived, and there is no mechanism at all.
The woman in Bogotá ran both patterns at once, a doubling that makes her the clean illustration. Her profile lists 0G as a current employer, the removable kind of claim, the kind 0G could at least file a perjury declaration against. But when she actually approached my business partner, she presented herself as an ecosystem partner to a different company entirely, and 0G was never mentioned. That second form, the agency claim, is the one no company can touch. One operator, running the removable con and the unremovable con in parallel, on the same verified account.
And underneath both sits a deeper fact: trademark law, not platform policy, is the only thing that even describes the wrong when someone borrows your brand while claiming to work somewhere else. That matters because of a specific gap in the American law that shields platforms. Section 230 makes a platform immune for what its users post, but the statute carves the immunity back at 47 U.S.C. § 230(e)(2), which provides that nothing in the section limits “any law pertaining to intellectual property,” and a federally registered trademark is intellectual property. The carve-out is the statute’s own text, not a litigant’s theory. So LinkedIn is immune for the sentence the user typed. Whether it is immune for the registered trademark it chose to render beside that sentence is the open question Congress deliberately left unanswered. It is open twice over, in fact. Courts have also divided on when a platform’s automatic display of a mark its user selected counts as the platform’s own use of the mark in commerce rather than the user’s, and a claim against LinkedIn would have to win that question too. The argument is live, not settled.
The one time the question was put to LinkedIn directly, LinkedIn declined to answer it. In 2020 the poultry company Wayne Farms sued LinkedIn in federal court in Illinois after an impostor used its logo and a real sales manager’s identity to solicit fraudulent orders, inducing buyers in the United States and Italy to wire deposits. The fake profile had been reported, briefly taken down, then relisted and left running despite further reports, the same report-and-relist cycle a company faces today. Wayne Farms brought claims under the Lanham Act, the federal trademark statute, for infringement, counterfeiting, and dilution, all of which sit inside the § 230(e)(2) carve-out. LinkedIn did not litigate a Section 230 defense to judgment. It settled, on confidential terms, and was dismissed. A settlement sets no precedent and proves no liability, and I am not claiming it does. It shows something narrower and still useful: faced with a trademark claim that the statute’s own text places outside its immunity, the platform paid to exit rather than move to dismiss on the immunity it invokes everywhere else.
The trademark route, for all that, reaches only half the injury. It describes the company’s harm, a brand rendered beside a stranger’s claim. The jobseeker’s harm, a logo and a badge that read as checks the platform never ran, belongs to a different and older body of law: consumer protection, the Federal Trade Commission’s ban on deceptive practices and its state-law cousins, which ask one question only, whether a design misleads a reasonable person. That route needs no trademark registration and no European regulator. The rest of this story dwells on the competition frame because it is the frame that explains why the fix has not shipped; a regulator hunting the fastest path to the person being deceived would reach for the duller statute.
The case against a delete button
Before demanding the obvious fix, sit with the strongest reason LinkedIn has for not shipping it, because the reason is genuinely good and the argument fails without it.
Give company administrators unilateral power to remove anyone who claims to work there, and you have handed every employer a tool to erase employment history. Consider who gets removed first. The whistleblower whose tenure the company would rather deny. An employee in the middle of a discrimination claim. Any contractor whose status the company disputes for reasons of its own. The person fired in circumstances the employer would prefer undocumented. An employment record is one of the few assets a worker carries between jobs, and a platform that lets employers delete it on demand has built an instrument of retaliation.
The messy cases are real too: subsidiaries and parent companies, acquisitions whose pages linger for years after the deal, agency staff and loaned employees and contractors whose tie to the brand is genuine but appears on no payroll. A blunt delete button breaks all of them. None of that makes the counter-notice process stupid. It exists for reasons that deserve respect, and a writer demanding its abolition would be arguing for something worse than what exists.
But watch what that justification actually covers. Caution about removal, yes. Attribution, not a word. The reason a company cannot be trusted to delete a claim has no bearing on whether LinkedIn should attach that company’s logo to the claim, hyperlink it to the company’s own page, and count the claimant among its staff before anyone has checked a thing. Those are two separable decisions, and the second is not protected by any argument that defends the first. You can decline to erase a person’s stated history while also declining to lend them a corporation’s visual identity.
Why can’t the founder get verified, either?
This returns us to the two badges, and to the question everything else has been circling. If workplace verification is the answer, why does the founder of the impersonated company not have it?
Start with LinkedIn’s own definition. A workplace verification means a member confirmed their association with a company through one of four routes: a work email, Microsoft Entra Verified ID, a LinkedIn Learning license provided by their company, or an active LinkedIn Recruiter license provided by their company.
Read that menu again.
Entra is Microsoft’s identity product. LinkedIn Learning and LinkedIn Recruiter are paid LinkedIn subscriptions, the latter running to five figures a seat. Three of the four routes to being a verified employee run through a Microsoft or LinkedIn commercial relationship. The fourth, work email, is the only vendor-neutral option, and LinkedIn’s help page describes it as currently eligible to a limited set of companies. It is a pilot, and admission is at LinkedIn’s discretion.
LinkedIn will point, fairly, to a change it made in September 2025: it now requires workplace verification when a member adds or updates a recruiter or executive title, precisely to fight recruiter impersonation. Take the improvement seriously, then look at where it bites. It triggers only when someone edits their title to something like “Recruiter.” It does nothing about the logo, the hyperlink, or the headcount rendering on an ordinary profile, and nothing about the agency-claim loophole either, since a person recruiting for 0G from an outside agency is not listing a 0G role. And it still runs through the same four-route menu, so the requirement can only be met by someone who already has a qualifying commercial relationship to meet it with.
The profile at the center of this story shows how little the mandate reaches. Her 0G entry is not titled “Recruiter” or any executive role. It reads “HR Business Partner,” part-time, October 2024 to present, nearly two years, carrying 0G’s logo linked through to 0G’s own company page. That title trips no requirement. The check built to stop recruiter impersonation never fires, because the impersonation did not use the word the check looks for.
The obvious accusation, that Microsoft charges companies for the privilege, is false, and better shot down at once. Entra Verified ID’s core issuance and verification is free with any Entra subscription, and the free tier of Entra ships with any Microsoft cloud subscription. Nobody pays a per-badge toll.
The cost is not money. It is ecosystem membership. A company that runs Okta for identity and Google Workspace for email has no Entra account, and therefore no route to Entra-based verification. Its remaining options are to buy a LinkedIn Learning or Recruiter subscription, or to wait at the door of the pilot. Whether an organization’s staff can prove where they work, on the platform where that claim matters most, comes down substantially to whose software the company happens to buy. Small wonder 0G appears on none of its own people’s badges, Heinrich’s included.
Which produces the sentence the two badges were pointing at all along. LinkedIn’s verification is easier for the impersonator to obtain than for the company being impersonated. An individual with a passport gets an identity check in ten minutes, alone, for free. A company cannot get workplace verifications for its own people without a qualifying commercial relationship. The trust signal is more available to the person doing the lying than to the party being lied about. None of that accuses anyone of bad faith. It describes a menu, drawn from LinkedIn’s own help pages, and the menu explains everything upstream.
Open standard, closed gate
An obvious objection comes straight from Microsoft’s own marketing, and it needs answering head-on.
Microsoft describes Verified ID as built on open standards, noting it works with existing HR systems and a range of identity systems, including ones companies run on their own servers. That is true, and it does more rhetorical work than it appears to. Verified ID does rest on the W3C verifiable-credentials standard, an open, non-proprietary format, and it genuinely can ingest from whatever identity infrastructure a customer already runs. But that describes what Microsoft’s product accepts as input, not what LinkedIn will honor from outside issuers.
And nothing LinkedIn has published points that way. Every route it documents runs through Entra, a LinkedIn subscription, or the limited email pilot. There is no path by which Okta, or Ping, or a university, or a government issuing credentials to its own civil servants, can vouch for a person’s employment in a form LinkedIn will display.
The credential format is an open standard. The list of issuers LinkedIn honors is not. One honest difficulty remains, and it is not a pretext: an open issuer list cannot be an unguarded one. Honor any conformant credential from anyone, and an attacker stands up a conformant issuer of his own and mints fake workplace attestations by the thousand, leaving the badge worse than useless. Opening the gate means building the layer that decides which issuers to trust, an accreditation registry of the kind that already governs website security certificates and academic credentials. Real work, and a fair reason for care. Not one for paralysis; adjudicating trust among independent issuers is the very problem the standard was designed to carry.
The trap
The safety failure and the competition problem meet at this point, and turn out to have been one problem wearing two coats.
The obvious safety fix, the one anyone proposes after five minutes with this problem, is to make verification consequential. Show a jobseeker at first contact whether a sender’s employment claim is verified or merely typed, and withhold the borrowed wardrobe, logo and hyperlink and headcount, from unverified claims. Then ask whether an unverified account presenting itself as a recruiter should really have unrestricted reach into a billion inboxes. LinkedIn has done a narrow version of that last one and none of the rest. Part of the reason is ordinary commerce: friction on messaging reduces messaging, and messaging is the product. If that were the whole story, this would be a short essay about incentives. The longer story is that even a LinkedIn that wanted to go further would find the most direct road legally hazardous, and the hazard is one of its own construction.
Here the relevant fact is regulatory, and the Act names it rather than leaving it to atmosphere. Under the European Union’s Digital Markets Act, LinkedIn is a designated “gatekeeper,” the term the EU uses for the handful of dominant platforms that face special rules meant to keep markets open, and Microsoft is the gatekeeper on the hook for it. One of the Act’s black-list prohibitions, Article 5(7), forbids a gatekeeper from requiring users to use its own identification service in the course of using its platform. Entra Verified ID is an identification service.
Suppose LinkedIn gated all recruiter messaging on workplace verification, not just the title label. It would be conditioning full use of the world’s professional network on membership of Microsoft’s identity ecosystem, or on the purchase of a LinkedIn subscription. Every firm on a rival identity stack would find its recruiters quietly degraded against firms on Entra. Whether Article 5(7) would ultimately bite is for the Commission, not for me, to decide, and the provision’s scope, framed around services that business users offer through the platform, has not been tested against a case shaped like this one. But the fix a safety engineer would reach for first is one a designated gatekeeper cannot ship without walking straight at a named prohibition, not a vague regulatory mood. Microsoft’s competition lawyers will have mapped that long before its product managers did.
Therein lies the trap. LinkedIn cannot safely make verification fully consequential while verification remains proprietary. From where I stand that leaves one solution: open the gate to accredited outside issuers, and the safety lever comes unstuck. Until then, the impersonators keep their reach.
It wouldn’t be the first time the same leverage has drawn a regulator’s eye. When the European Commission cleared Microsoft’s acquisition of LinkedIn in December 2016, it did so subject to conditions, worried about this very species of leverage: that Microsoft would use its strength in one product to entrench LinkedIn against rivals. The remedies obliged it to let PC makers decline to preinstall LinkedIn, to preserve competitors’ ability to plug into Office, and to grant them access to a Microsoft developer gateway. Those conditions ran five years and lapsed at the end of 2021. The Commission was watching leverage flow one way, from Windows and Office into LinkedIn. The current runs the other way, through a channel that did not exist in 2016: LinkedIn’s trust layer now flows back into Microsoft’s identity product.
Only the Commission can say whether that amounts to self-preferencing, a gatekeeper favoring its own service, in the DMA’s sense. I note that the arrangement sits squarely inside the category of conduct the DMA exists to scrutinize.
The statute cuts both ways, and pretending otherwise would be convenient rather than honest. The same law that makes the lever dangerous to pull while the gate stays closed is also the likeliest instrument for forcing the gate open. The DMA’s whole design pushes gatekeepers toward interoperability and away from favoring their own services. A regulation with teeth enough to stop LinkedIn from requiring Entra can also, in principle, require LinkedIn to honor a credential Entra did not issue. The trap has a key, and the key sits in Brussels. Someone still has to turn it, and that is politics, not law. That it exists at all reclassifies the problem, from structural inevitability to unforced choice. Until someone makes it, the two badges from the top stay as they are: hers minted in ten minutes and attesting to nothing that matters, his pointing faithfully at a job he left.
Why the data cannot simply be opened either
One last fix will occur to readers, and it deserves a burial with honors rather than a wave of the hand.
Let LinkedIn expose a feed of everyone who claims to work at a given company, the argument goes, and let employers reconcile it against payroll. But that feed has a second reader. A defender would run it as an impersonation detector. To an attacker it is a spear-phisher’s census: the whole org chart, machine-readable, down to which junior employee books the executive’s travel and what name to drop with the helpdesk. It is the reconnaissance artifact the fraud depends on, and there is no technical way to hand it only to the good actors, because the adversaries here are intelligence services patient enough to found front companies and rich enough to buy legitimate access.
LinkedIn’s refusal to open the data is defensible, then, and probably correct. In fairness, it also protects a revenue line, since Recruiter is the only place this search legitimately exists. Both are true, and the first would hold even without the second.
The unofficial back door is closed too. In January 2025 LinkedIn and Microsoft sued Proxycurl, a service that resold scraped profile data, alleging it ran hundreds of thousands of fake accounts to harvest member information. Proxycurl shut down rather than fight, and the settlement required it to delete the data, with the order reaching downstream to its customers. Those fake-account farms were real. It is hard to build a principled objection to shutting them down.
Front door and back door, closed for equally good reasons. That leaves the design of the front room, and the ownership of the only key that could lock it.
What to do in the meantime
None of the structural fixes are yours to make, so here is what helps while the structure stays as it is.
For companies, the practical measures are duller than a product, and they work. Obtain workplace verification if any route exists for you, a thing to check rather than assume. Manage your verified email domains through page administration, the one real lever LinkedIn hands you, since withdrawing a domain also withdraws the verifications resting on it. Publish an unambiguous statement of your official recruiting channels, naming the domains your recruiters write from and the applicant-tracking system you use, as 0G has done, so a candidate has something concrete to check against. And audit your page’s claimed employees by hand, unsatisfying as that is.
For jobseekers, the advice is uncomfortable but honest. The badge does not tell you what you think it tells you. The logo is not an endorsement. Neither is proof that the person messaging you works where they say. Verify out of band: find the company’s careers page yourself instead of following the link you were sent. And be deeply skeptical of any interview that asks you to run unfamiliar code on your own machine, which is where the companion investigation picks up, and the exact moment all of this stops being about trust signals and becomes a compromised laptop.
The room, not the door
There is a version of this story about villainy, and it is not the interesting one. LinkedIn’s data is closed on grounds that hold up. The lawsuits went after genuine fake-account farms, and the caution about handing employers a delete key shields workers who need the shield.
The room those reasonable decisions have furnished holds up less well. A company’s logo is attached to claims it never made and cannot withdraw. A verification badge earned at one employer follows a person to the next, generic and undated, buying measurable extra trust. An identity check that confirms a real human becomes, in the hands of someone wearing a rented identity, the final polish on the disguise. The employee count on a company’s own page includes strangers it cannot remove. The one requirement built to stop recruiter impersonation checks the job title, so an impersonator simply writes a different job title. The burden of correcting any of it falls on the party holding the evidence, under oath, on a fortnight’s timeline, against an objection that can halt the process outright. And most impersonators skip the entire apparatus by claiming to recruit for the company rather than to work at it, which the apparatus does not cover.
The mechanism that would fix most of this has been built, and built in a form that cannot be deployed. The verification works; the cryptography is sound. The distribution is what broke: three routes out of four sit behind a commercial relationship with the platform’s owner, which is why the badge can never be made to matter without foreclosing everyone outside that relationship. The lock was built; then the key was made proprietary; now the door cannot be locked at all, and a founder posts to his own followers that the only party who can help him is the one that hasn’t.
Most of this, not all of it. Open verification defeats the direct impersonation, the stranger wearing a company’s logo as a claimed employer, and it finally lets a company light up its real staff. It does not reach the agency claim, the dominant pattern, because a recruiter who borrows the brand without claiming the payroll makes no employment assertion for any issuer to check. That con will need different tools, disclosure requirements for third-party recruiting or friction on outreach from accounts with no verified employer. The most common attack survives the elegant fix, diminished but not dead.
None of this requires opening a single new data feed. It requires a platform to accept a credential it did not issue.
The companion investigation, North Korea Is Hiring, is the case study to this essay’s map: one attack walked end to end, from a verified recruiter’s first LinkedIn message to live command servers on sanctioned infrastructure. The operators broke nothing to get there. They moved into the room this essay describes and let its trust signals do the work.
A note on sources: The description of how LinkedIn’s verification, workplace-affiliation, and takedown systems work is drawn from LinkedIn’s own published help documentation, its product marketing, and Microsoft’s published pricing and product pages. Anne Plazas Parras’ profile details are taken from her public LinkedIn profile and its “About this member” panel, captured 12 July 2026.
The account of the impersonation targeting 0G comes from a 0G executive who spoke to me directly, from 0G’s own public warnings, and from the companion investigation published alongside this piece. Where a claim rests on the account of an impersonated company rather than on LinkedIn’s own documentation, I have said so in the text. I did not seek comment from LinkedIn; nothing here depends on it, because the design choices described are ones LinkedIn has documented itself.










