A network of North Korean IT workers has reportedly been creating fake personas on GitHub in an effort to secure remote engineering and blockchain development positions in the United States and Japan, according to findings from the threat intelligence firm Nisos. These individuals have been reusing established GitHub accounts and portfolio content, presenting themselves as professionals based in Asia. Some of these personas appear to be linked to small companies, giving them an added layer of legitimacy.
Investigations suggest that the network has been employing known tactics, techniques, and procedures (TTPs) previously associated with fraudulent North Korean IT operatives. These include fabricated professional experience, the use of multiple employment platforms, manipulated profile pictures, and the repetition of email addresses across different identities.
Discovery of Fake Identities and Shared Connections
An analysis of the GitHub activity and contact information led to the identification of six personas believed to be part of this fraudulent network. Among them, two appear to be currently employed, while four are still seeking remote job opportunities in Japan and the US. The report from Nisos highlights certain red flags associated with these profiles, including claims of expertise in application development, blockchain technology, and multiple programming languages. Additionally, the personas have accounts on various job search, software development, and messaging platforms but lack social media presence, which raises further suspicion.
Two of the identified personas, Huy Diep and Naoyuki Tanaka, appear to have secured employment as software engineers. Huy Diep is allegedly working at a Japanese consulting firm, Tenpct Inc, since September 2023, while Naoyuki Tanaka is listed as a full-stack and blockchain engineer at video game development company Enver Studio since November 2021. Both profiles were linked through the Telegram username ‘superbluestar,’ which was included in their resumes. This username was also associated with another persona, Shaorun Zhang, who shared a GitHub repository with a separate identity, Kamaal Sultan. The latter used an email address connected to the ‘superbluestar’ GitHub account, which had also been edited by another account named ‘superredstar.’
Further connections were established when Huy Diep’s profile was linked to another persona, Alvaro Morales, while Naoyuki Tanaka’s profile had ties to Karl Chong. Both Tanaka and Chong listed work experience at Enver Studio, strengthening the likelihood that their profiles were artificially created. Additionally, multiple GitHub users contributing to the Karl Chong persona had also been involved in developing the profile of Yoshiro Morino.
Exploiting GitHub for Persona Development
According to Nisos, North Korean-affiliated IT workers are suspected of using GitHub not only to create new fake personas but also to reinforce them with authentic-looking content. Analysis of GitHub activity revealed multiple accounts importing, editing, and developing fabricated resumes. These activities suggest a coordinated effort to establish credibility and secure high-paying positions in foreign tech firms.
Reports indicate that North Korea has deployed thousands of IT workers across various countries, generating substantial revenue for the regime in Pyongyang. The earnings from these activities are believed to contribute tens of millions of dollars to North Korea’s government, further fueling concerns about cyber-enabled financial operations originating from the country. Cybersecurity experts warn that such operations pose significant risks to companies inadvertently hiring these fraudulent professionals, as they could facilitate espionage, financial fraud, or other cyber threats.
