DPRK IT Workers Impersonate Polish and US Nationals to Secure Full-Stack Developer Positions

An alarming cybersecurity report by Nisos has uncovered a sophisticated employment scam network potentially affiliated with the Democratic People’s Republic of Korea (DPRK).

This network targets remote engineering and full-stack blockchain developer roles by impersonating Polish and US nationals.

The threat actors behind this operation employ a range of deceptive tactics, including the use of GitHub accounts, meticulously crafted portfolio websites, freelancer profiles, and a fictitious freelance software development company named Inspiration With Digital Living (IWDL).

Their objective is to deceive companies into hiring them for full-time remote positions or project-based freelance gigs, marking a significant escalation as it may represent the first instance of DPRK-affiliated IT workers establishing fake companies with legitimate-looking websites to secure freelance work.

Sophisticated Employment Scam Network

Nisos has identified several tactics, techniques, and procedures (TTPs) in this scam that align closely with known DPRK employment fraud activities.

The network’s GitHub accounts frequently feature lion-themed avatars: four of the eight most interconnected accounts display such imagery, including three that show lions.

Additionally, email addresses associated with these accounts often incorporate the word “century,” possibly as a marker to distinguish this network from others.

Figure: Similar “Century” Email Address

Portfolio websites linked to these accounts show striking similarities, likely created from identical templates with consistent content across “about,” “portfolio,” and “testimonial” sections.

For instance, the “about” sections often claim over 10 years of experience and reference completing more than 25 jobs, while “portfolio” sections highlight fictitious projects like “Assistant for Freelancer (AFF)” and an “Anti-Game-Cheat engine” with AI components.

The testimonials are equally fabricated, featuring recurring personas such as Kornel Dudek and Fred Rowe, further reinforcing the deceptive nature of these profiles.

Active portfolio websites hosted on platforms like GitHub.io and Vercel.app, including domains like veteransoftdev.github.io and cleversofter.github.io, exemplify this uniformity.

Figure: Example of a portfolio website

Tactics, Techniques, and Indicators of DPRK Affiliation

Beyond digital footprints, the threat actors manipulate profile photos by overlaying faces onto stock images and reuse personas across different accounts, indicating a coordinated effort to infiltrate the tech industry.

Some individuals even operate under multiple aliases to maximize their chances of securing employment.

This network’s connection to IWDL, a supposed global freelance software development entity, adds another layer of complexity, as it presents a veneer of legitimacy to lure unsuspecting employers.

The convergence of these indicators strongly suggests DPRK involvement, a trend previously associated with state-sponsored efforts to generate revenue through illicit means while evading international sanctions.

Such operations not only pose financial risks to companies but also threaten data security, as hired individuals could potentially access sensitive systems under false pretenses.

This discovery underscores the evolving sophistication of cyber-enabled employment fraud and the urgent need for organizations to enhance vetting processes for remote hires.

By leveraging open-source intelligence and scrutinizing digital personas for anomalies like templated content or reused imagery, companies can better safeguard against these threats.
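As an added illustration of the vetting heuristics described above (this is example code, not from Nisos or the article), the following Python screens a constructed set of applicant profiles for three of the report’s indicators: the “century” e-mail marker, near-identical templated “about” text, and testimonial personas shared across unrelated applicants. The handles, e-mail addresses, texts and the similarity threshold are all constructed for this example.

```python
import re
from itertools import combinations

# Constructed vetting records (hypothetical applicants, not real data).
# Fields mirror the report's indicators: portfolio "about" text,
# testimonial author names, and the contact e-mail address.
PROFILES = [
    {"handle": "dev_alpha", "email": "alpha.century.dev@example.com",
     "about": "Senior full-stack developer with over 10 years of experience. "
              "Completed more than 25 jobs for clients worldwide.",
     "testimonials": ["Kornel Dudek", "Fred Rowe"]},
    {"handle": "dev_beta", "email": "beta.century@example.com",
     "about": "Full-stack blockchain developer with over 10 years of experience, "
              "completed more than 25 jobs for happy clients worldwide.",
     "testimonials": ["Fred Rowe", "Anna Nowak"]},
    {"handle": "dev_gamma", "email": "gamma@example.com",
     "about": "Backend engineer focused on Go microservices and Postgres tuning. "
              "Maintainer of two open-source CLI tools.",
     "testimonials": ["J. Smith"]},
]

EMAIL_MARKER = "century"       # token observed across the network's addresses
SIMILARITY_THRESHOLD = 0.6     # Jaccard on word sets; constructed value, tune on real data


def tokens(text):
    """Lower-case word set used for template-similarity comparison."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def jaccard(a, b):
    """Jaccard similarity of two token sets (0.0 when both are empty)."""
    return len(a & b) / len(a | b) if a | b else 0.0


def flag_profiles(profiles, threshold=SIMILARITY_THRESHOLD):
    """Return {handle: [reasons]} for profiles showing any of the three indicators."""
    flags = {p["handle"]: [] for p in profiles}
    for p in profiles:                       # 1. marker token in the e-mail local part
        if EMAIL_MARKER in p["email"].split("@")[0].lower():
            flags[p["handle"]].append("email contains marker '%s'" % EMAIL_MARKER)
    for a, b in combinations(profiles, 2):   # 2. near-duplicate "about" sections
        sim = jaccard(tokens(a["about"]), tokens(b["about"]))
        if sim >= threshold:
            flags[a["handle"]].append("about text %.2f similar to %s" % (sim, b["handle"]))
            flags[b["handle"]].append("about text %.2f similar to %s" % (sim, a["handle"]))
    seen = {}                                # 3. testimonial personas reused across applicants
    for p in profiles:
        for name in p["testimonials"]:
            seen.setdefault(name, set()).add(p["handle"])
    for name, handles in seen.items():
        if len(handles) > 1:
            for h in handles:
                flags[h].append("testimonial persona '%s' reused" % name)
    return {h: r for h, r in flags.items() if r}
```

Running `flag_profiles(PROFILES)` flags dev_alpha and dev_beta on all three indicators and leaves dev_gamma clean; the same function applies unchanged to profile data scraped or exported from a real applicant pipeline.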

As Nisos continues to monitor this network, the broader tech community must remain vigilant against such deceptive practices that exploit the growing demand for remote IT talent.
