Nisos has found six personas leveraging new and existing GitHub accounts to get developer jobs in Japan and the US
Analysis Summary
# Threat Actor: North Korean State-Sponsored Actors (Utilizing Fake IT Worker Scheme)
## Attribution & Identity
Attributed to North Korea based on established TTPs aligning with previously reported campaigns by North Korean actors.
**Aliases/Associated Groups:** Part of the global "North Korean fake IT worker scheme."
## Activity Summary
The actors are actively pursuing a sophisticated scheme involving the creation of deceptive professional personas (fake IT workers) to gain employment, specifically in remote engineering and full-stack blockchain developer roles. The goal appears to be funding Pyongyang’s nuclear programs. Nisos tracked six identified personas: two appear to have successfully obtained employment, and four were actively seeking remote positions in Japan and the US as of the report date (March 4, 2025).
## Tactics, Techniques & Procedures
- **Persona Development:** Creating or reusing GitHub accounts to build detailed, convincing professional personas.
- **Skill Overlap:** Personas consistently claim expertise in specific high-demand areas: developing web/mobile applications, proficiency in multiple programming languages, and knowledge of blockchain technology.
- **Nationality Deception:** Posing as nationals of countries such as Vietnam, Japan, and Singapore.
- **Platform Use:** Heavy reliance on GitHub for portfolio and persona development/backstopping.
## Targeting
- **Sectors:** Information Technology (specifically targeting remote software engineering and full-stack blockchain developer roles).
- **Geography:** Primarily targeting job markets in Japan and the US.
- **Victims:** Organizations offering remote IT positions where credentials and past work history can be difficult to verify thoroughly during remote onboarding.
## Tools & Infrastructure
- **Malware Families Used:** None detailed in the report; the activity centres on obtaining employment under a false identity rather than on deploying malware against the employer.
- **Infrastructure:** Use of **GitHub** for persona maintenance and validation.
## Implications
This activity represents a significant, ongoing, state-sponsored economic espionage and revenue-generation effort (funding nuclear programs) that operates under the guise of legitimate employment. Once situated inside target organizations in critical Western and allied economies, successfully placed actors pose a risk of espionage, ransomware deployment, or intellectual property theft. The reliance on GitHub indicates a strategic focus on leveraging trusted development platforms for credibility.
## Mitigations
- Implement rigorous, multi-stage vetting processes for candidates applying for remote IT and blockchain development roles, especially those claiming foreign nationality.
- Scrutinize technical portfolios hosted on platforms like GitHub for signs of rapid creation, reused content across disparate profiles, or claims of expertise that do not align with observable skill progression.
- Enhance onboarding security checks concerning background verification for remote employees in sensitive engineering roles.
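The portfolio-scrutiny step above (rapid repository creation, content reused across profiles, claimed skills with no supporting work) can be turned into a repeatable screening check. The following is an added example, not Nisos' methodology or any GitHub API: it scores constructed GitHub-style profile metadata with three simple heuristics. The thresholds (14-day window, five repositories), the `Profile`/`Repo` records and the sample personas are assumptions chosen for illustration; in practice the records would be populated from whatever portfolio data the hiring team collects.

```python
"""Heuristic screening of GitHub-style portfolio metadata for signs of a
hastily built or reused persona.

Added example for illustration: the data model, thresholds and sample
profiles are constructed assumptions, not a real API or a vendor method.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass
class Repo:
    name: str
    created: date      # repository creation date
    language: str      # primary language of the repository
    readme: str        # README text as observed on the profile


@dataclass
class Profile:
    login: str
    created: date               # account creation date
    claimed_skills: frozenset   # languages the persona claims in bio/resume
    repos: list


def readme_fingerprint(text: str) -> str:
    """Hash of a whitespace- and case-normalised README so near-verbatim copies collide."""
    normalised = " ".join(text.lower().split())
    return hashlib.sha256(normalised.encode()).hexdigest()


def rapid_creation(profile: Profile, window_days: int = 14, min_repos: int = 5) -> bool:
    """True when at least min_repos repositories appeared within window_days of account creation."""
    cutoff = profile.created + timedelta(days=window_days)
    burst = [r for r in profile.repos if r.created <= cutoff]
    return len(burst) >= min_repos


def skill_mismatch(profile: Profile) -> set:
    """Claimed languages for which no repository on the profile provides evidence."""
    observed = {r.language for r in profile.repos}
    return set(profile.claimed_skills) - observed


def reused_readmes(profiles: list) -> dict:
    """Map README fingerprint -> logins sharing it, keeping only cross-profile collisions."""
    owners = defaultdict(set)
    for p in profiles:
        for r in p.repos:
            owners[readme_fingerprint(r.readme)].add(p.login)
    return {fp: logins for fp, logins in owners.items() if len(logins) > 1}


def screen(profiles: list) -> dict:
    """Return {login: sorted list of flag strings}; an empty list means nothing noteworthy."""
    flags = defaultdict(list)
    shared_logins = set().union(*reused_readmes(profiles).values())
    for p in profiles:
        if rapid_creation(p):
            flags[p.login].append("rapid_creation")
        if p.login in shared_logins:
            flags[p.login].append("reused_readme")
        missing = skill_mismatch(p)
        if missing:
            flags[p.login].append("unevidenced_skills:" + ",".join(sorted(missing)))
    return {p.login: sorted(flags[p.login]) for p in profiles}


# Constructed sample data: one hastily built persona, one older account that
# shares a README with it, and one unremarkable long-standing developer.
_COMMON_README = "# Wallet SDK\nA full-stack blockchain wallet built with React and Solidity."

SAMPLE_PROFILES = [
    Profile("persona-alpha", date(2025, 1, 10), frozenset({"TypeScript", "Solidity", "Rust"}),
            [Repo(f"project-{i}", date(2025, 1, 11 + i), "TypeScript", _COMMON_README)
             for i in range(6)]),
    Profile("persona-beta", date(2023, 3, 1), frozenset({"Python", "Solidity"}), [
        Repo("defi-bot", date(2023, 4, 2), "Python", "# DeFi bot\nArbitrage helper."),
        Repo("wallet-sdk", date(2024, 9, 15), "Solidity",
             "#  wallet  sdk\nA FULL-STACK blockchain wallet built with React and Solidity."),
    ]),
    Profile("longtime-dev", date(2019, 6, 20), frozenset({"Go"}), [
        Repo("httpkit", date(2019, 8, 1), "Go", "# httpkit\nTiny HTTP helpers."),
        Repo("cli-tools", date(2021, 2, 11), "Go", "# cli-tools\nMisc CLI utilities."),
    ]),
]

if __name__ == "__main__":
    for login, found in screen(SAMPLE_PROFILES).items():
        print(f"{login}: {found or 'no flags'}")
```

Each flag is a prompt for a human reviewer rather than a verdict: a genuine developer migrating old projects can trip `rapid_creation`, and a forked template can trip `reused_readme`. The value is in combining the signals and asking the candidate to walk through the flagged work during a live technical interview.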