DPRK IT Workers Masquerade as Polish and US Citizens to Land Full-Stack Developer Jobs

A sophisticated employment scam network thought to be affiliated with North Korea (Democratic People’s Republic of Korea, DPRK) has been exposed, targeting companies seeking remote engineering and blockchain development talent.

Security intelligence firm Nisos has revealed that this emerging threat leverages a fake freelance software development company, Inspiration With Digital Living (IWDL), alongside a web of convincingly constructed GitHub accounts, portfolio websites, and freelancer platform profiles.

Posing as Polish and US nationals, these threat actors aim to secure both full-time remote positions and project-based freelance contracts, effectively infiltrating Western tech companies for financial and strategic gain.

Network Employs Advanced Social Engineering Tactics

At the core of the operation is a coordinated use of digital assets designed to fabricate credible developer personas.

Nisos discovered telltale markers across multiple GitHub accounts, which notably employed a recurring theme of lion-based avatars.

Out of the most interconnected profiles, a striking number displayed similar animal images, particularly lions, suggesting centralized guidance likely intended to create the illusion of distinct individuals.

Further investigation revealed that these accounts were interlinked, often following each other and sharing overlapping followers, effectively amplifying their perceived legitimacy within the GitHub community.

The network’s digital footprint extended to a series of nearly identical portfolio websites hosted on github.io and vercel.app domains.

These professional showcases echoed a uniform structure in terms of design, content, and testimonials, further indicating that they were produced from the same template and possibly managed centrally.

Common features in their “about” sections included claims of over a decade of software development experience and references to an internally developed tool, “Assistant for Freelancer” (AFF), as well as involvement in building AI-driven anti-cheat gaming engines.

The portfolios promoted achievements and testimonials from purported collaborators, yet these endorsements were traced back to other personas within the same network, or to names previously identified as part of the scam, underscoring a systematic approach to manufacturing credibility.

Portfolio Websites and GitHub Accounts

A unique behavioral marker identified by Nisos was the repeated use of the word “century” within the contact email addresses across multiple accounts and websites.

Similar “Century” Email Address

This linguistic fingerprint, while subtle, further supported the assessment that the profiles belonged to a coordinated group rather than isolated actors.

Additionally, several profile photos were found to be digitally manipulated, often featuring faces spliced onto stock images to bypass basic digital scrutiny and bolster their fake identities.

In some instances, the same persona and photograph were recycled across different account names, multiplying the threat’s perceived reach.

The IWDL entity served as a corporate front, with its website and digital assets structured to mimic those of legitimate global freelance software agencies.

This façade enabled the network’s operators to approach potential employers with convincing documentation, links to fabricated portfolios, and what appeared to be established professional references.

Example of a portfolio website

Their goal: to bypass due diligence checks and obtain high-trust, remote engineering positions that could in turn provide both income and possible access to sensitive data or intellectual property.

Nisos’ findings suggest this network represents an evolution in DPRK’s cyber-enabled financial operations, leveraging mainstream platforms such as GitHub and major freelancer websites with unprecedented sophistication.

By replicating Western developer personas and employing advanced social engineering tactics, the group is able to surmount traditional employment screening processes.

The exposure of this operation serves as a critical alert to HR departments, security teams, and hiring managers to intensify scrutiny of remote candidates, particularly those presenting suspiciously consistent online presences or templates, and to remain vigilant for coordinated patterns that may indicate nation-state involvement.
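The sketch below is an added example, not code from Nisos or the original article. It shows how a hiring or security team could flag applicant pools that share the coordination markers described above (a recurring email token, templated "about" text, mutual follows). The record fields, thresholds, and sample applicants are assumptions constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample applicants (hypothetical IDs and addresses, not real accounts).
APPLICANTS = [
    {"id": "a1", "email": "dev.century01@example.com", "follows": {"a2", "a3"},
     "about": "Full stack developer with over ten years of experience building scalable web apps and blockchain tools"},
    {"id": "a2", "email": "century.code@example.org", "follows": {"a1"},
     "about": "Full stack developer with over ten years of experience building scalable web apps and AI tools"},
    {"id": "a3", "email": "mk.century@example.net", "follows": {"a1", "a2"},
     "about": "Senior engineer with over ten years of experience building scalable web apps and blockchain tools"},
    {"id": "a4", "email": "jane.doe@example.com", "follows": {"a9"},
     "about": "Backend engineer focused on payments infrastructure and observability for fintech teams"},
]

def shingles(text, k=3):  # overlapping k-word windows, for near-duplicate text
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def email_tokens(email):
    # Alphabetic runs of 5+ letters in the local part (length cutoff is an assumption).
    return {t for t in re.findall(r"[a-z]+", email.split("@")[0].lower()) if len(t) >= 5}

def signals(a, b, sim_threshold=0.6):
    found = []
    if email_tokens(a["email"]) & email_tokens(b["email"]):
        found.append("shared_email_token")
    sa, sb = shingles(a["about"]), shingles(b["about"])
    if sa and sb and len(sa & sb) / len(sa | sb) >= sim_threshold:  # Jaccard
        found.append("templated_about")
    if b["id"] in a["follows"] and a["id"] in b["follows"]:
        found.append("mutual_follow")
    return found

def linked_clusters(applicants, min_signals=2):
    parent = {a["id"]: a["id"] for a in applicants}  # union-find forest
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    evidence = {}
    for a, b in combinations(applicants, 2):
        s = signals(a, b)
        if len(s) >= min_signals:  # one weak marker alone never links a pair
            evidence[(a["id"], b["id"])] = s
            parent[find(a["id"])] = find(b["id"])
    groups = {}
    for a in applicants:
        groups.setdefault(find(a["id"]), []).append(a["id"])
    return [sorted(g) for g in groups.values() if len(g) > 1], evidence
```

Requiring two independent markers per pair keeps a single coincidence, such as a common word in an email address, from linking unrelated candidates; flagged clusters are leads for manual identity verification, not verdicts.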

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
