North Korean IT Workers Using GitHub To Attack Organizations Globally


Cybersecurity research firm NISOS has uncovered a network of suspected North Korean IT workers who are leveraging GitHub to create elaborate fake personas aimed at securing employment with companies in Japan and the United States.

These individuals pose as Vietnamese, Japanese, and Singaporean nationals while seeking positions in remote engineering and full-stack blockchain development.

The ultimate goal appears to be generating foreign currency to fund North Korea’s weapons programs, including ballistic missile and nuclear development.

The operation demonstrates sophisticated identity creation techniques, with the actors reusing and building upon established GitHub accounts to create believable backstories for their personas.

These workers maintain a presence on employment websites, freelance platforms, and software development tools, but notably lack authentic social media footprints.

NISOS researchers identified that at least two of the fake personas have successfully obtained employment at small companies with fewer than 50 employees.

Network map of likely DPRK-affiliated personas (Source – NISOS)

Several technical indicators help identify these North Korean IT workers. They typically claim expertise in three areas: web and mobile application development, multiple programming languages, and blockchain technology.

Their email addresses often follow recognizable patterns, most notably the frequent use of the number “116” and the word “dev.” These consistent patterns across multiple accounts enabled researchers to link the various personas to a single coordinated network.

The personas demonstrate elaborate technical deception techniques to establish credibility.

Their GitHub repositories often show manufactured contribution histories, with researchers finding instances where accounts co-authored commits with previously identified DPRK-affiliated accounts.

For example, a GitHub account “nickdev0118” was found to have co-authored code commits with another suspected North Korean account “AnacondaDev0120.”

An example of a commit AnacondaDev0120 and nickdev0118 co-authored (Source – NISOS)
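The co-authorship and address-naming indicators above can be checked mechanically against a repository's commit metadata. The following is an added example, not tooling from NISOS or the report; it assumes commits are supplied as (author email, commit message body) pairs, and its watchlist holds the two account names mentioned in the article.

```python
import re

# Accounts named in the report, kept lower-case as a co-authorship watchlist.
WATCHLIST = {"nickdev0118", "anacondadev0120"}
# Substrings the report says recur in the personas' e-mail addresses.
LOCAL_PART_HINTS = ("116", "dev")
# Git trailer that GitHub renders as an additional author on the commit.
COAUTHOR_RE = re.compile(r"^Co-authored-by:[^<]*<(?P<email>[^>]+)>", re.M | re.I)
# GitHub noreply addresses: "12345678+login@users.noreply.github.com".
NOREPLY_RE = re.compile(r"^(?:\d+\+)?(?P<login>[^@+]+)@users\.noreply\.github\.com$", re.I)


def login_from_email(email):
    """Return the GitHub login encoded in a noreply address, else None."""
    m = NOREPLY_RE.match(email.strip())
    return m.group("login").lower() if m else None


def matches_naming_pattern(email):
    """True when every hint ("116" and "dev") appears in the local part."""
    local = email.split("@", 1)[0].lower()
    return all(h in local for h in LOCAL_PART_HINTS)


def coauthor_emails(message):
    """Extract e-mail addresses from Co-authored-by trailers in a commit body."""
    return [m.group("email").strip() for m in COAUTHOR_RE.finditer(message)]


def triage_commit(author_email, message):
    """Return the reasons a commit deserves review; an empty list means none."""
    reasons = []
    if matches_naming_pattern(author_email):
        reasons.append(f"author address {author_email} matches naming pattern")
    for email in coauthor_emails(message):
        login = login_from_email(email)
        if login in WATCHLIST:
            reasons.append(f"co-authored with watchlisted account {login}")
        elif matches_naming_pattern(email):
            reasons.append(f"co-author address {email} matches naming pattern")
    return reasons


# Constructed sample commits; illustrative only, not data from the report.
SAMPLE_COMMITS = [
    ("alice@example.org", "Fix typo\n\nCo-authored-by: Bob <bob@example.org>\n"),
    ("dev116.user@example.net",
     "Add wallet module\n\nCo-authored-by: nd <11111111+nickdev0118@users.noreply.github.com>\n"),
]

if __name__ == "__main__":
    for author, message in SAMPLE_COMMITS:
        print(author, triage_commit(author, message) or ["no indicator"])
```

A hit is a prompt for human review of the account's history, not a verdict; real repositories can be fed in with `git log --format='%ae%x00%B%x1e'` and split on the separators.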

A Case in Focus: Huy Diep/HuiGia Diep

One primary example detailed in the report is the persona “Huy Diep” (also using the name “HuiGia Diep”), who has reportedly been employed as a software engineer at the Japanese consulting company Tenpct Inc since September 2023.

This persona maintained an elaborate personal website linking to his supposed employer and showcasing his technical credentials.

Investigators found the persona claimed eight years of software engineering experience and proficiency in numerous programming languages.

A technical review of his GitHub contribution history revealed suspicious patterns consistent with other identified DPRK actors.

The report provides evidence of digital manipulation used by the persona, with multiple instances where the individual’s face was digitally superimposed onto stock photographs to create the appearance of the person working in professional environments.

Digital Photo Manipulation (Source – NISOS)

The same stock photographs were found reused with different heads inserted. This technique appears common across the network of fake personas, providing a technical indicator for identifying potential DPRK-affiliated accounts.

The research suggests this activity represents not just isolated fraud but a systematic effort by North Korea to place IT workers in legitimate companies, potentially creating security risks beyond the financial implications.

Companies are advised to enhance their hiring verification processes, particularly when considering remote technical workers with profiles matching these patterns.
