{
	"id": "7da5df4b-102c-4cd1-9adb-3cd9a638c39d",
	"created_at": "2026-04-06T00:13:58.147086Z",
	"updated_at": "2026-04-10T03:20:53.112475Z",
	"deleted_at": null,
	"sha1_hash": "6a72c2b58d37e5579e874aa9121c6d3645b8abb6",
	"title": "DPRK IT Fraud Network Uses GitHub to Target Global Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 797964,
	"plain_text": "DPRK IT Fraud Network Uses GitHub to Target Global\r\nCompanies\r\nBy Nisos\r\nPublished: 2025-03-04 · Archived: 2026-04-05 14:15:00 UTC\r\nThreat Analysis\r\nLikely DPRK Network Backstops on GitHub, Targets Companies Globally\r\nExecutive Summary\r\nNisos is tracking a network of likely North Korean (DPRK)-affiliated IT workers posing as Vietnamese, Japanese,\r\nand Singaporean nationals with the goal of obtaining employment in remote engineering and full-stack blockchain\r\ndeveloper positions in Japan and the United States. While the personas claim to be located in Asia, the network\r\nappears to be globally focused, aiming to obtain jobs both in and outside of Asia. The network appears to be using\r\nGitHub to create new personas and is reusing matured GitHub accounts and portfolio content from older personas\r\nto backstop their new personas. Two of the personas in the network appear to be employed at companies with\r\nfewer than 50 employees, and we assess that the network’s objective is to earn cash to fund Pyongyang’s ballistic\r\nmissile and nuclear weapons development programs.\r\nSeveral indicators suggest that the network is likely DPRK-affiliated. These indicators are consistent with tactics,\r\ntechniques, and procedures (TTPs) attributed to DPRK employment fraud actors. [1]\r\nPersonas claim to have experience in three areas: developing web and mobile applications, knowledge of\r\nmultiple programming languages, and an understanding of blockchain technology.\r\nPersonas have accounts on employment and people information websites, IT industry-specific freelance\r\ncontracting platforms, software development tools and platforms, and common messaging applications, but\r\nthey typically lack social media accounts, suggesting that the personas are created solely for the purpose of\r\nacquiring employment.\r\nProfile photos are digitally manipulated. Often the DPRK-affiliated IT worker’s face is pasted on top of a\r\nstock photo to show the individual working with colleagues.\r\nPersonas within the network use similar email addresses.\r\nEmail addresses often include the same numbers, such as 116, and the word “dev”.\r\nFake Persona Network\r\nNisos identified two personas who appear to have gained employment and four personas looking to obtain remote\r\npositions in Japan and the United States. The personas were all linked via shared GitHub and contact information,\r\nwhich we identified via open sources.\r\nhttps://nisos.com/research/dprk-github-employment-fraud/\r\nPage 1 of 7\n\nGraphic 1: Network map of likely DPRK-affiliated personas.\r\nFake Persona 1: Huy Diep/HuiGia Diep\r\nWe investigated the GitHub account nickdev0118 and found this account listed on a website belonging to persona\r\nHuy Diep/HuiGia Diep.[2] Nisos focused on nickdev0118 because the account co-authored commits with a\r\npreviously identified, likely DPRK IT worker persona, which used the GitHub account AnacondaDev0120.[3]\r\nHuy Diep appears to have been employed as a software engineer specializing in web and mobile app\r\nprogramming at Japanese consulting company Tenpct Inc since September 2023. Huy Diep’s personal website\r\nlinked to Tenpct Inc’s website and included several TTPs previously associated with DPRK employment schemes:\r\ndigitally manipulated photos, the persona claiming to have experience developing web and mobile applications,\r\nand knowledge of multiple programming languages.[4]\r\nGraphic 2: An example of a commit AnacondaDev0120 and nickdev0118 co-authored. [5]\r\nhttps://nisos.com/research/dprk-github-employment-fraud/\r\nPage 2 of 7\n\nGraphic 3: Diep Huy’s employment history lists employment at several Japanese companies. [6]\r\nGraphic 4: Description of Huy Diep’s role at Tenpct Inc. Translation: “A software engineer specializing in web\r\nand mobile app programming. A full-stack engineer with experience working remotely for many companies, he is\r\ncurrently involved in system development as a backend engineer.” [7]\r\nhttps://nisos.com/research/dprk-github-employment-fraud/\r\nPage 3 of 7\n\nGraphic 5: Alternate Name for the same persona referencing employment for Senkyaku.[8]\r\nDigital Photo Manipulation\r\nHuy Diep’s website contains two photographs of the likely DPRK IT worker, which were digitally manipulated.\r\nNisos found that the head of the individual was pasted onto stock photos of other individuals to show the persona\r\nworking. The individual also pasted his head onto a stock photo on website F6S, which helps startups hire talent.\r\nGraphic 6: Photo from Huy Diep’s website. [9]\r\nGraphic 7: Stock photo used in Graphic 6.\r\nhttps://nisos.com/research/dprk-github-employment-fraud/\r\nPage 4 of 7\n\nGraphic 8: Photo from Huy Diep’s website.\r\nGraphic 9: Stock photo used in Graphic 8.\r\nhttps://nisos.com/research/dprk-github-employment-fraud/\r\nPage 5 of 7\n\nGraphic 8: Photo from Huy Diep’s website.\r\nGraphic 9: Stock photo used in Graphic 8.\r\nSignificant Development Experience\r\nDPRK IT worker personas frequently claim to have experience developing web and mobile applications,\r\nknowledge of multiple programming languages, and an understanding of blockchain technology. On the persona’s\r\nwebsite, Huy Diep lists a number of programming languages and certificates. Huy Diep also claims to have eight\r\nyears of experience in software engineering working as a freelancer and team member for domestic and\r\ninternational clients, including those in Japan.\r\nGraphic 12: Listed program languages on Huy Diep’s website. [11]\r\nGraphic 13: Huy Diep’s experience description on freelancer website. [12]\r\nTo obtain the complete research report, including endnotes, please click the button below.\r\nAbout Nisos®\r\nhttps://nisos.com/research/dprk-github-employment-fraud/\r\nPage 6 of 7\n\nNisos is the Managed Intelligence Company. We are a trusted digital investigations partner, specializing in\r\nunmasking threats to protect people, organizations, and their digital ecosystems in the commercial and public\r\nsectors. Our open source intelligence services help security, intelligence, legal, and trust and safety teams make\r\ncritical decisions, impose real world consequences, and increase adversary costs. For more information, visit:\r\nhttps://nisos.com.\r\nSource: https://nisos.com/research/dprk-github-employment-fraud/\r\nhttps://nisos.com/research/dprk-github-employment-fraud/\r\nPage 7 of 7\n\ndigitally manipulated and knowledge photos, the of multiple programming persona claiming languages.[4] to have experience developing web and mobile applications,\nGraphic 2: An example of a commit AnacondaDev0120 and nickdev0118 co-authored. [5]\n   Page 2 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://nisos.com/research/dprk-github-employment-fraud/"
	],
	"report_names": [
		"dprk-github-employment-fraud"
	],
	"threat_actors": [],
	"ts_created_at": 1775434438,
	"ts_updated_at": 1775791253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a72c2b58d37e5579e874aa9121c6d3645b8abb6.pdf",
		"text": "https://archive.orkl.eu/6a72c2b58d37e5579e874aa9121c6d3645b8abb6.txt",
		"img": "https://archive.orkl.eu/6a72c2b58d37e5579e874aa9121c6d3645b8abb6.jpg"
	}
}