Threat Analysis: DPRK-Linked IT Worker Scam Network
Nisos has uncovered a sophisticated employment scam network linked to the Democratic People’s Republic of Korea (DPRK), targeting remote tech jobs globally. These threat actors pose as nationals from Singapore, Turkey, Finland, and the US to secure positions in remote IT, engineering, and blockchain development.
Key Tactics and Techniques
- GitHub Accounts with Lion-Themed Avatars: A network of GitHub accounts, some with lion-themed avatars, hosts fake portfolio websites used to deceive companies into hiring them.
- "Century" Email Addresses: Multiple accounts within the network use email addresses containing the word "century," likely to distinguish their operations.
- Identical Portfolio Websites: Five active and two inactive portfolio websites, all strikingly similar, suggest a centralized template.
- Digital Manipulation: Profile photos are often digitally altered, with faces pasted onto stock images.
- Fake Testimonials: Portfolios include fabricated endorsements from personas within the same network.
The Freelancer Front: Inspiration With Digital Living (IWDL)
This network marks the first instance where DPRK-affiliated IT workers have established a fake freelance software development company, IWDL, complete with a legitimate-looking website to secure freelance gigs.
How to Protect Your Business
- Vet Candidates Thoroughly: Scrutinize GitHub accounts, portfolio websites, and email patterns.
- Look for Red Flags: Be wary of overly similar portfolios or testimonials from the same network.
- Verify Identities: Use video interviews to confirm the identity of remote candidates.
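One way to screen for the shared-template red flag described above is to compare the HTML structure of submitted portfolio pages while ignoring their visible text. This is an added example, not code from Nisos or the report; the page samples, candidate names, threshold and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from itertools import combinations

class _Skeleton(HTMLParser):
    """Collects the tag/class sequence of a page, ignoring visible text."""
    def __init__(self):
        super().__init__()
        self.tokens = []
    def handle_starttag(self, tag, attrs):
        classes = dict(attrs).get("class") or ""
        self.tokens.append(tag + "." + ".".join(sorted(classes.split())))

def shingles(html, k=3):
    """Set of k-long runs of structural tokens: a fingerprint of the layout."""
    parser = _Skeleton()
    parser.feed(html)
    parser.close()
    t = parser.tokens
    if len(t) < k:
        return {tuple(t)} if t else set()
    return {tuple(t[i:i + k]) for i in range(len(t) - k + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a and b else 0.0

def similar_pairs(pages, threshold=0.8):
    """Return (name, name, score) for page pairs whose layouts nearly match."""
    sets = {name: shingles(html) for name, html in pages.items()}
    hits = []
    for x, y in combinations(sorted(sets), 2):
        score = jaccard(sets[x], sets[y])
        if score >= threshold:
            hits.append((x, y, round(score, 2)))
    return hits

# Constructed sample pages: a and b share one template with different content.
TEMPLATE = ('<html><body><header class="hero dark"><img class="avatar">'
            '<h1>{name}</h1></header><section class="skills"><ul>{skills}</ul>'
            '</section><section class="testimonials"><blockquote class="quote">'
            '{quote}</blockquote></section><footer class="contact">'
            '<a class="mail">{mail}</a></footer></body></html>')
PAGES = {
    "candidate_a": TEMPLATE.format(name="A. Example", quote="Great work!",
        skills="<li>Go</li><li>Rust</li>", mail="a@example.com"),
    "candidate_b": TEMPLATE.format(name="B. Sample", quote="Reliable dev.",
        skills="<li>React</li><li>Node</li><li>Solidity</li>", mail="b@example.com"),
    "candidate_c": "<html><body><nav><a>Home</a><a>Work</a></nav><main>"
        "<article><h2>Projects</h2><p>Notes</p></article></main></body></html>",
}

if __name__ == "__main__":
    for pair in similar_pairs(PAGES):
        print(pair)
```

A high score only shows a shared layout, which popular public themes also produce, so treat a hit as a prompt for closer identity checks rather than a verdict.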
For a deeper dive into this threat, including detailed indicators and mitigation strategies, visit Nisos' full report.