A network of fraudulent North Korean IT workers has been generating fictitious personas on GitHub to secure remote engineering and full-stack blockchain developer roles in the United States and Japan, according to a report by threat monitoring firm Nisos. These GitHub personas utilize established accounts and portfolio content, claiming to be located in Asia, with some appearing to hold positions at small companies. The network adopts the same tactics, techniques, and procedures (TTPs) historically associated with North Korean fake IT operatives, which include fabricating experience claims, creating accounts on various job platforms, digitally altered photographs, and using identical email addresses across multiple personas. Investigations into the shared GitHub and contact information uncovered six personas affiliated with this network, comprising two who seem to be currently employed and four seeking remote positions in Japan and the US, as detailed in Nisos's recent report (PDF). Indicators of suspicious activity linked to these personas include exaggerated experience in application development and blockchain technology, proficiency in numerous programming languages, and the presence of accounts on job, software, messaging, and freelance platforms, but none on social media. Among the identified personas, Nisos highlights Huy Diep (HuiGia Diep), seemingly a software engineer at the Japanese consulting firm Tenpct Inc since September 2023, and Naoyuki Tanaka, reportedly a full-stack and blockchain engineer at the video game developer Enver Studio since November 2021. These two individuals are connected by the Telegram username 'superbluestar', which appears on both their resumes. This same username, along with the GitHub account 'superbluestar', was also found in the resume of a third persona, Shaorun Zhang. Shaorun Zhang's GitHub repository was shared with another persona, Kamaal Sultan, which used an email address also linked to the 'superbluestar' account, and which was at one time modified by a third GitHub account, 'superredstar'. Nisos also associates Huy Diep with a username tied to another persona, Alvaro Morales, and Naoyuki Tanaka with the Karl Chong persona, as both listed work with Enver Studio in their portfolios. Additionally, multiple GitHub users involved with the Karl Chong persona also contributed to another persona, Yoshiro Morino. "Nisos assesses that DPRK-affiliated IT workers likely utilize GitHub to create new identities and support them with established content.

GitHub activity has shown various accounts importing, altering, and generating new persona resumes, " the threat monitoring firm states. It is believed that North Korea has dispatched thousands of IT workers across various nations globally, potentially generating tens of millions of dollars for the Pyongyang regime. Related: Freelance Software Developers in North Korean Malware Crosshairs Related: North Korean Fake IT Workers More Aggressively Extorting Enterprises Related: US Charges Five Individuals Over North Korean IT Worker Scheme