North Korean Fake IT Workers Leverage GitHub to Build Jobseeker Personas
Summary:
Nisos has uncovered a network of likely North Korean (DPRK)-affiliated IT workers posing as Vietnamese, Japanese, and Singaporean nationals to obtain remote engineering and blockchain developer positions in Japan and the United States. The primary objective of this network is to generate revenue to fund North Korea’s ballistic missile and nuclear weapons programs. These individuals create fraudulent personas using GitHub, where they either establish new identities or repurpose older accounts and portfolio content to enhance their credibility.
The network exhibits several indicators consistent with previously reported DPRK employment fraud tactics. These personas claim expertise in web and mobile application development, multiple programming languages, and blockchain technology. They often maintain accounts on job and freelance platforms but lack social media presence, suggesting their profiles exist solely for employment fraud. Additionally, their profile photos are digitally manipulated, with faces pasted onto stock images to create the illusion of legitimate professional activity. Many of these personas also share similar email patterns, frequently incorporating numbers like “116” and the word “dev.”
One notable example is the persona “Huy Diep,” linked to the GitHub account nickdev0118. This account is associated with another DPRK-affiliated persona, AnacondaDev0120, through co-authored commits. Huy Diep appears to be employed as a software engineer at the Japanese consulting firm Tenpct Inc., but several red flags indicate fraudulent activity, including digitally altered profile photos, a fabricated employment history, and misleading experience claims.
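Co-authored commits like the ones described above can be surfaced during applicant vetting by reading `Co-authored-by:` trailers out of a candidate's public commit history. The following is an added example, not Nisos's tooling; the commit data, account names and function names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: (author identity, raw commit message) pairs, e.g. from
# `git log --format='%an <%ae>%n%B'`. Every name and address is a placeholder.
SAMPLE_COMMITS = [
    ("candidate-a <candidate-a@example.invalid>",
     "Add wallet view\n\nCo-authored-by: persona-b <12345+persona-b@users.noreply.github.com>"),
    ("persona-b <12345+persona-b@users.noreply.github.com>",
     "Fix build\n\nco-authored-by: Persona-C <persona-c@example.invalid>"),
    ("unrelated-dev <unrelated@example.invalid>", "Update README"),
]

IDENT = re.compile(r"^\s*(.+?)\s*<([^<>\s]+)>\s*$")
TRAILER = re.compile(r"^co-authored-by:\s*(.+?)\s*<([^<>\s]+)>\s*$", re.I | re.M)
NOREPLY = re.compile(r"^(?:\d+\+)?([^@]+)@users\.noreply\.github\.com$", re.I)

def identity(email):
    """One key per identity: GitHub login from a noreply address, else the email."""
    m = NOREPLY.match(email)
    return (m.group(1) if m else email).lower()

def coauthor_graph(commits):
    """Undirected graph linking each commit author to its trailer co-authors."""
    graph = defaultdict(set)
    for author, message in commits:
        m = IDENT.match(author)
        if not m:
            continue  # malformed author line: skip rather than guess
        a = identity(m.group(2))
        for _name, email in TRAILER.findall(message):
            b = identity(email)
            if a != b:
                graph[a].add(b)
                graph[b].add(a)
    return graph

def linked_identities(graph, start):
    """Identities reachable from `start` through co-authorship, direct or indirect."""
    start = start.lower()
    seen, queue = {start}, [start]
    while queue:
        for nxt in graph.get(queue.pop(0), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - {start})

if __name__ == "__main__":
    g = coauthor_graph(SAMPLE_COMMITS)
    print(linked_identities(g, "candidate-a@example.invalid"))
```

Trailers are free text in the commit message, so a link found this way is a lead for manual review of the connected accounts, not proof of a relationship.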
Security Officer Comments:
The discovery of this network aligns with recent reports of North Korean hackers leveraging stolen GitHub profiles to create fake IT worker personas. In some cases, these threat actors engage in malware campaigns, using deceptive job offers and fake websites to compromise systems and steal sensitive information. This latest scheme demonstrates DPRK’s continued evolution in employment fraud and cyber-enabled financial operations to support its regime.
Suggested Corrections:
The firm provided a list of recommendations for companies to avoid falling for this type of scheme.
These include:
- Ensuring applicants provide identification documentation in person to enable human resource teams to better identify falsified documentation
- Conducting a detailed review of the applicant’s online presence for consistency in name, appearance, work history and education before offering employment
https://nisos.com/research/dprk-github-employment-fraud/