
North Korean IT Operatives Using GitHub to Infiltrate Global Organizations

North Korean IT Operatives Use GitHub to Secure Remote Jobs in U.S. and Japan  

A sophisticated network of suspected North Korean IT workers has been uncovered using GitHub to create fake identities and land remote jobs in Japan and the United States. 

These operatives pose as professionals from Vietnam, Japan, and Singapore, primarily targeting engineering and blockchain development roles. Their ultimate goal appears to be generating foreign currency to support North Korea’s ballistic missile and nuclear programs. 

The operation involves repurposing and enhancing existing GitHub accounts to build a credible technical profile while deliberately avoiding social media exposure that could reveal their true identities. 

At least two of these fake personas have already secured employment at small companies, raising serious concerns about the scale of this infiltration and its security risks. 

Key Indicators of Fraudulent Activity 

Security researchers at Rewterz identified patterns among these DPRK-affiliated workers, noting that they typically claim expertise in web and mobile app development, multiple programming languages, and blockchain technology. 

Investigators discovered email addresses with recurring elements like “116” and “dev,” linking multiple fake personas to a coordinated network. 

The scheme also involves sophisticated GitHub manipulation tactics, including fabricated contribution histories. Accounts co-author commits with other suspected DPRK-linked profiles to create an illusion of active development. 

For instance, the GitHub account “nickdev0118” was found collaborating with “AnacondaDev0120”, another suspected North Korean profile, exposing their coordinated efforts. 

One of the most compelling cases involves a fraudulent developer known as “Huy Diep” (also called “HuiGia Diep”), who managed to secure a software engineering role at Japanese company Tenpct Inc.

Analysis of his GitHub repositories revealed suspicious similarities with other DPRK-linked accounts, including identical naming patterns and synchronized commit timing. 

Investigators also found evidence of digital identity manipulation, where stock photos were altered to make the persona appear legitimate. 

Companies hiring remote developers are urged to implement stricter verification measures, including: 

Scrutinizing GitHub histories for unnatural activity patterns. 
Analyzing repository creation dates and commit behaviors. 
Conducting live coding tests instead of relying solely on portfolio submissions. 
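The following script is an added example, not code from the article or from the researchers it cites. It runs the first two checks above over a constructed, pipe-delimited commit export (author name, email, ISO author date, and the Co-authored-by trailer, one per record) and flags the patterns the article describes: recurring email elements such as “dev” and “116”, co-author links between accounts, commits by different authors within seconds of each other, and commits dated before the repository existed. All names, emails, timestamps and the repository creation date are invented for the sample.

```python
"""Hypothetical triage of a GitHub commit history for the coordination patterns
described above. Sample data is constructed; nothing here is real account data."""
from __future__ import annotations

import re
from datetime import datetime, timezone
from itertools import combinations

# Constructed export, one record per commit:
#   author name | author email | author date (ISO 8601) | Co-authored-by trailer
# (a real export would come from `git log --format=...`; values are invented)
SAMPLE_LOG = """\
Persona One|persona1dev116@example.com|2024-03-10T09:00:05+00:00|Persona Two <p2dev116@example.com>
Persona Two|p2dev116@example.com|2024-03-10T09:00:11+00:00|
Persona One|persona1dev116@example.com|2024-03-10T09:01:02+00:00|
Maria Ortiz|maria.ortiz@example.org|2024-03-12T14:22:40+00:00|
Persona Two|p2dev116@example.com|2023-11-01T08:00:00+00:00|Persona One <persona1dev116@example.com>
"""

# Repository creation date as reported by the hosting platform (assumed value).
# A commit's author date is set by whoever runs `git commit`; the platform's
# creation date is not, so commits older than it are a backdating signal.
REPO_CREATED_AT = datetime(2024, 1, 15, tzinfo=timezone.utc)

EMAIL_MARKERS = re.compile(r"(dev\d*|116)", re.IGNORECASE)  # elements noted in the article
COAUTHOR = re.compile(r"<([^>]+)>")


def parse_log(text: str) -> list[dict]:
    """Parse the constructed export into commit dictionaries."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, email, ts, trailers = line.split("|", 3)
        commits.append({
            "name": name,
            "email": email.lower(),
            "time": datetime.fromisoformat(ts),
            "coauthors": [m.lower() for m in COAUTHOR.findall(trailers)],
        })
    return commits


def flagged_emails(commits: list[dict]) -> list[str]:
    """Emails whose local part carries one of the recurring markers."""
    return sorted({c["email"] for c in commits
                   if EMAIL_MARKERS.search(c["email"].split("@")[0])})


def coauthor_links(commits: list[dict]) -> list[tuple[str, str]]:
    """Unordered pairs of accounts joined by Co-authored-by trailers."""
    links = set()
    for c in commits:
        for co in c["coauthors"]:
            if co != c["email"]:
                links.add(tuple(sorted((c["email"], co))))
    return sorted(links)


def synchronized_commits(commits: list[dict], window_seconds: int = 60) -> list[tuple[str, str, int]]:
    """Commits by different authors landing within `window_seconds` of each other."""
    ordered = sorted(commits, key=lambda c: c["time"])
    hits = []
    for a, b in combinations(ordered, 2):
        gap = abs((b["time"] - a["time"]).total_seconds())
        if a["email"] != b["email"] and gap <= window_seconds:
            hits.append((a["email"], b["email"], int(gap)))
    return hits


def backdated_commits(commits: list[dict], created_at: datetime) -> list[dict]:
    """Commits whose author date precedes the repository's creation date."""
    return [c for c in commits if c["time"] < created_at]


def triage(text: str, created_at: datetime) -> dict:
    """Run every check and return the findings as plain Python values."""
    commits = parse_log(text)
    return {
        "marker_emails": flagged_emails(commits),
        "coauthor_links": coauthor_links(commits),
        "synchronized": synchronized_commits(commits),
        "backdated": [(c["email"], c["time"].isoformat())
                      for c in backdated_commits(commits, created_at)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, REPO_CREATED_AT).items():
        print(f"{key}: {value}")
```

Two caveats when applying this to a real candidate. A Co-authored-by trailer and the author field are free text written by whoever makes the commit, so a link between two accounts proves only that one of them chose to name the other; treat it as a lead to corroborate, not as proof. And timing or backdating findings are signals for a human reviewer, which is why the third measure above, a live coding session, remains the decisive check.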

As North Korean cyber operations continue to evolve, organizations must strengthen hiring processes to prevent unauthorized access and financial exploitation. 
