North Korean Hackers Abuse GitHub for Global Cyber Attacks

A network of suspected North Korean (DPRK) IT workers is exploiting GitHub to create and maintain fake personas for employment fraud, according to research by cybersecurity firm Nisos.

The threat actors pose as Vietnamese, Japanese, and Singaporean nationals to secure remote engineering and blockchain development positions in Japan and the United States, with the ultimate goal of funding Pyongyang’s weapons programs.

Sophisticated Persona Creation and Maintenance

The DPRK-affiliated network employs a range of tactics to establish credible online identities.

[Figure: Network map of likely DPRK-affiliated personas]

They create accounts on professional platforms, freelance websites, and software development tools while deliberately avoiding any social media presence.

The personas claim expertise in web and mobile application development, proficiency in multiple programming languages, and blockchain technology knowledge.

A key aspect of their strategy involves the manipulation of GitHub accounts.

The threat actors create new personas and repurpose mature GitHub profiles and portfolio content from older identities to backstop their latest creations.

This technique allows them to present a more established and credible online presence to potential employers.

Digital Manipulation and Employment Success

The research uncovered sophisticated digital manipulation techniques used by the hackers.

In one instance, a persona named Huy Diep/HuiGia Diep was found to have digitally altered profile photos, superimposing their face onto stock images to depict collaborative work environments.

This persona claimed employment as a software engineer at a Japanese consulting firm since September 2023.

Nisos identified two personas who appear to have successfully gained employment and four others actively seeking remote positions in Japan and the United States.

The network’s focus extends beyond Asia, indicating a global approach to their employment fraud scheme.

The cybersecurity firm’s findings align with previously observed tactics, techniques, and procedures (TTPs) associated with DPRK employment fraud actors.

These include the use of similar email addresses across personas, often incorporating specific numbers like “116” and the word “dev”.

As this sophisticated operation continues to evolve, cybersecurity experts warn companies to remain vigilant when hiring remote workers, especially for positions involving sensitive technologies or financial systems.

The case underscores the persistent threat posed by state-sponsored actors leveraging legitimate platforms like GitHub for malicious purposes, highlighting the need for enhanced due diligence in the global tech recruitment landscape.
