{
	"id": "36e52ddb-e829-4e81-88b6-63c4c9d5c7e9",
	"created_at": "2026-04-06T00:12:14.368419Z",
	"updated_at": "2026-04-10T03:21:44.584102Z",
	"deleted_at": null,
	"sha1_hash": "575257ce6c28c880983d1a52b1a4386d7f3a77ba",
	"title": "DPRK Employment Scam Network Targets Remote Tech Jobs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 738225,
	"plain_text": "DPRK Employment Scam Network Targets Remote Tech Jobs\r\nBy Nisos\r\nPublished: 2025-05-19 · Archived: 2026-04-05 21:20:25 UTC\r\nExecutive Summary\r\nNisos is tracking an IT worker employment scam network posing as Polish and US nationals with the goal of\r\nobtaining employment in remote engineering and full-stack blockchain developer roles. Threat actors in this\r\nnetwork are using GitHub accounts, portfolio websites, freelancer accounts, and a global freelance software\r\ndevelopment company, Inspiration With Digital Living (IWDL), to trick companies into hiring them for full-time\r\nremote positions and project-based freelance jobs. This network is the first indication that possibly DPRK-affiliated IT workers are setting up fake freelance software development companies with legitimate looking\r\nwebsites to gain freelancer work.\r\nSeveral indicators suggest that the network is likely affiliated with the Democratic People’s Republic of Korea\r\n(DPRK). Nisos identified the following tactics, techniques, and procedures (TTPs) commonly attributed to DPRK\r\nemployment fraud actors on the network’s GitHub accounts, portfolio websites, and IWDL’s website:\r\nGitHub accounts exhibited an unusual consistency in avatars, in this case many displayed similar lion-themed pictures.\r\nPersonas within the network used similar email addresses, which frequently included the word “century” in\r\ntheir contact information.\r\nPortfolio websites exhibited an unusual consistency, suggesting that they were created from the same\r\ntemplate with identical information.\r\nThe same threat actor had accounts in different names attempting to gain employment.\r\nProfile photos were digitally manipulated. Threat actors’ faces were often pasted on top of stock photos.\r\nThe same persona was reused by different threat actors.\r\nLion-Themed GitHub Avatars\r\nNisos identified a network of GitHub accounts, which contained repositories for fake portfolio websites likely\r\nused to gain employment with unwitting companies. The portfolio websites linked to freelancer and professional\r\nnetworking platform accounts. On these accounts, threat actors claimed to be full-stack developers and engineers\r\nlocated in Poland and the United States looking for employment. Four of the eight most interconnected GitHub\r\naccounts in the network have animals as their avatars, three of which were lions. Nisos identified several other\r\nGitHub accounts sharing followers with the accounts within this network that also exhibited lion-themed avatars.\r\nGitHub accounts of interest within the network include the following:\r\nhttps://nisos.com/research/saja-dprk-employment-scam/\r\nPage 1 of 7\n\nAdditional GitHub accounts linked to the network by following multiple of the accounts above include the\r\nfollowing:\r\nhttps://nisos.com/research/saja-dprk-employment-scam/\r\nPage 2 of 7\n\nGraphic 1: Saja GitHub network connections.\r\nSimilar “Century” Email Address\r\nNisos found that three GitHub accounts and two portfolio websites within the network used email addresses that\r\nincluded the word “century.” We assess that the threat actors used the word to possibly distinguish the network\r\nhttps://nisos.com/research/saja-dprk-employment-scam/\r\nPage 3 of 7\n\nand accounts from other networks.\r\nIdentical Portfolio Websites\r\nNisos found five active portfolio websites on GitHub[.]io and vercel[.]app and two inactive websites. The\r\nportfolio websites are mostly designed with identical elements, which include “about” sections, portfolios, and\r\ntestimonials.\r\nThe portfolio websites associated within this network include the following:\r\nhttps://veteransoftdev.github[.]io (active)\r\nhttps://softwarepassioner.github[.]io (active)\r\nhttps://cleversofter.github[.]io (active)\r\nhttps://goodwork0903.github[.]io (active)\r\nhttps://portfolio-ideal-softer.vercel[.]app (active)\r\nhttps://dedicatedsoftwaredev.github[.]io (inactive)\r\nhttps://seasonedsoftdev.github[.]io (inactive)\r\nGraphic 2: Example of a portfolio website. [1]\r\nhttps://nisos.com/research/saja-dprk-employment-scam/\r\nPage 4 of 7\n\n“About” Section\r\nThe “about” sections frequently included references to working 10+ years, having built an “Assistant for\r\nFreelancer,” and having completed more than 25 jobs.\r\nGraphic 3: Jan Kowalski’s about section in his portfolio website. [2]\r\n“Portfolio” Section\r\nThe “portfolio” sections frequently referenced having worked on a service called “Assistant For Freelancer\r\n(AFF),” which was described as a private service supporting freelancers. Many portfolios also included work on\r\nthe development of an “Anti-Game-Cheat engine focusing on AI components to detect cheating.”\r\nGraphic 4: AFF portfolio example. [3]\r\nhttps://nisos.com/research/saja-dprk-employment-scam/\r\nPage 5 of 7\n\nGraphic 5: AFF portfolio example 2. [4]\r\nGraphic 6: “Anti-Game-Cheat” engine portfolio example. [5]\r\n“Testimonial” Section\r\nThe “testimonial” sections frequently contained fake testimonials from other personas included within the network\r\nand personas listed as examples in the AFF service screenshots on the portfolio websites. The personas included:\r\nKornel Dudek, Fred Rowe, Juan Pablo Torres, and Thomas Richard.\r\nhttps://nisos.com/research/saja-dprk-employment-scam/\r\nPage 6 of 7\n\nGraphic 7: Testimonials section example. [6]\r\nTo obtain the complete research report, including endnotes, please click the button below.\r\nAbout Nisos®\r\nNisos is the human risk management company specializing in unmasking threats before they escalate. The\r\ncompany is a trusted advisor, operating as an extension of security, intelligence, legal, and human resource teams\r\nto protect their people and business. Nisos’ intelligence-led solutions help enterprises make critical decisions,\r\nmanage human risk, and drive real world consequences for digital threats. For more information, please visit:\r\nhttps://www.nisos.com.\r\nSource: https://nisos.com/research/saja-dprk-employment-scam/\r\nhttps://nisos.com/research/saja-dprk-employment-scam/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://nisos.com/research/saja-dprk-employment-scam/"
	],
	"report_names": [
		"saja-dprk-employment-scam"
	],
	"threat_actors": [],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/575257ce6c28c880983d1a52b1a4386d7f3a77ba.pdf",
		"text": "https://archive.orkl.eu/575257ce6c28c880983d1a52b1a4386d7f3a77ba.txt",
		"img": "https://archive.orkl.eu/575257ce6c28c880983d1a52b1a4386d7f3a77ba.jpg"
	}
}