A new report from threat monitoring firm Nisos has detailed a network of North Korean IT workers posing as various Asian nationals on GitHub to secure remote engineering and blockchain development positions in the United States and Japan.
Many of the fake personas are crafted with reused GitHub accounts and portfolio content, some even claiming to be employed at small companies.
According to Nisos, the tactics, techniques, and procedures (TTPs) used in this operation closely resemble previous North Korean employment fraud campaigns. The fraudulent accounts typically claim extensive experience across multiple programming languages, blockchain development, and application development. The personas also exhibit other red flags such as an absence of social media presence, digitally manipulated profile photos, and identical email addresses reused across multiple accounts. These characteristics suggest that the personas were created specifically to obtain remote employment, rather than for social interaction or networking.
The researchers have identified six key personas that appear to be part of this network. Two of the individuals seem to be employed, while the remaining four are actively seeking remote work opportunities in Japan and the US.
The network heavily uses digital manipulation. For example, profile photos are frequently altered to show the individuals “working” with colleagues in a professional setting. Furthermore, the email addresses used by these personas contain the same numbers, such as ‘116’, and the word “dev,” which Nisos notes is commonly seen in other North Korean IT worker operations.
The report points to two personas, Huy Diep and Naoyuki Tanaka, as key examples of the fake workers. Diep is allegedly employed as a software engineer at a Japanese consulting company, while Tanaka claims to be a full-stack blockchain engineer at a video game developer. Both individuals appear to be connected via the Telegram username ‘superbluestar,’ which was also found in the resumes of other personas linked to the network.
The research shows that the fake personas share a significant amount of content across multiple GitHub accounts, with various users editing and importing files between each other's resumes. For instance, a GitHub account associated with Shaorun Zhang was found to share content with one associated with Kamaal Sultan, including the same manipulated email address. The same usernames and email addresses were linked to several personas, further indicating how interconnected the operation is.
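The pivots described above (an identical email address reused across accounts, a shared Telegram handle such as 'superbluestar', and the '116' plus "dev" pattern in email local parts) are exactly the kind of indicators an analyst would turn into a persona-linking script. The following is an added example, not code from Nisos or from the report; the persona names and the Telegram handle are taken from the reporting above, but every email address, GitHub login and the unrelated control record are constructed for illustration and are not real identifiers from the investigation.

```python
import re
from collections import defaultdict

# Constructed sample profile records. Names and the 'superbluestar' handle come from
# the Nisos findings summarised in the article; the emails and GitHub logins are invented.
PROFILES = [
    {"github": "huydiep-dev", "name": "Huy Diep",
     "email": "huydev116@example.com", "telegram": "superbluestar"},
    {"github": "ntanaka-blockchain", "name": "Naoyuki Tanaka",
     "email": "tanaka.dev116@example.com", "telegram": "superbluestar"},
    {"github": "szhang-fullstack", "name": "Shaorun Zhang",
     "email": "shared.dev@example.com", "telegram": None},
    {"github": "kamaalsultan", "name": "Kamaal Sultan",
     "email": "shared.dev@example.com", "telegram": None},
    # Control record: no shared identifiers, should not be linked to anything.
    {"github": "unrelated-dev", "name": "Jane Roe",
     "email": "jane.roe@example.com", "telegram": "janeroe"},
]

# Soft indicator from the report: local part carries both "dev" and the number 116.
_DEV_TOKEN = re.compile(r"dev", re.IGNORECASE)
_NUM_TOKEN = re.compile(r"116")


def suspicious_email(email: str) -> bool:
    """True when the email local part matches the '116' + 'dev' pattern."""
    local = email.split("@", 1)[0]
    return bool(_DEV_TOKEN.search(local) and _NUM_TOKEN.search(local))


class DisjointSet:
    """Minimal union-find so that transitive links (A~B, B~C) end up in one cluster."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_personas(profiles):
    """Cluster GitHub logins that share a hard identifier (exact email or Telegram handle).

    Returns a sorted list of sorted clusters, keeping only clusters of two or more accounts.
    """
    ds = DisjointSet([p["github"] for p in profiles])
    by_identifier = defaultdict(list)
    for p in profiles:
        for field in ("email", "telegram"):
            value = p.get(field)
            if value:
                by_identifier[(field, value.lower())].append(p["github"])
    for logins in by_identifier.values():
        for a, b in zip(logins, logins[1:]):
            ds.union(a, b)
    clusters = defaultdict(set)
    for p in profiles:
        clusters[ds.find(p["github"])].add(p["github"])
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)


def flagged_accounts(profiles):
    """GitHub logins whose email matches the soft '116'/'dev' indicator, sorted."""
    return sorted(p["github"] for p in profiles if suspicious_email(p["email"]))


if __name__ == "__main__":
    print("linked clusters:", link_personas(PROFILES))
    print("email-pattern hits:", flagged_accounts(PROFILES))
```

The two functions deliberately stay separate: a shared email or Telegram handle is a hard link that justifies clustering accounts, whereas the '116'/"dev" pattern is only a soft indicator that should raise a flag for review, not by itself merge unrelated accounts. In practice the profile records would be pulled from the GitHub API and from resume files rather than typed in by hand.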
Nisos suggests that this network is likely tied to the Democratic People’s Republic of Korea (DPRK). North Korea has deployed thousands of IT workers across the globe in recent years, potentially generating tens of millions of dollars in revenue for the regime. The workers typically funnel the earnings from their remote positions back to Pyongyang.