A network of North Korean fake IT workers has been creating personas on GitHub to obtain remote engineering and full-stack blockchain developer positions in the US and Japan, threat monitoring firm Nisos warns.
The GitHub personas, which are reusing matured GitHub accounts and portfolio content, claim to be in Asia, and some of them appear to be employed at small companies.
The network employs the same tactics, techniques, and procedures (TTPs) previously associated with North Korean fake IT workers, including their claims of experience, accounts on multiple employment platforms, digitally manipulated photos, and the use of the same email addresses across personas.
Analysis of the shared GitHub and contact information led to the discovery of six personas that are part of the network, including two that seem to be employed and four looking for remote employment in Japan and the US, Nisos notes in a fresh report (PDF).
Red flags associated with these personas include claims of experience in application development and blockchain technology, as well as in multiple programming languages, and the existence of accounts on employment, software, messaging and freelance platforms, but not on social media.
Among the identified personas, Nisos mentions Huy Diep (HuiGia Diep), apparently employed as a software engineer at Japanese consulting company Tenpct Inc since September 2023, and Naoyuki Tanaka, supposedly employed as a full stack and blockchain engineer at video game developer Enver Studio since November 2021.
The two are linked by the Telegram username ‘superbluestar’, which was mentioned in both resumes. The same username and the GitHub account ‘superbluestar’ were found in the resume of a third persona, Shaorun Zhang.
This persona shared a GitHub repository with another persona, Kamaal Sultan, which used an email address also linked to the GitHub account ‘superbluestar’, and which at one point was edited by a third GitHub account, ‘superredstar’.
Nisos also linked Huy Diep to a username associated with another persona, Alvaro Morales, and Naoyuki Tanaka to the Karl Chong persona, as they both listed Enver Studio work in their portfolios. Multiple GitHub users that worked on the Karl Chong persona also worked on another persona, Yoshiro Morino.
“Nisos assesses that DPRK-affiliated IT workers likely use GitHub to create new personas and to backstop them with matured content. GitHub commits revealed multiple GitHub accounts importing, editing, and creating new persona resumes,” the threat monitoring firm notes.
North Korea is believed to have dispatched thousands of IT workers in various countries worldwide. These workers likely funneled tens of millions of dollars to the Pyongyang regime.
Related: Freelance Software Developers in North Korean Malware Crosshairs
Related: North Korean Fake IT Workers More Aggressively Extorting Enterprises
Related: US Charges Five People Over North Korean IT Worker Scheme
Related: US Announces Sanctions Against North Korean Fake IT Worker Network