DPRK IT WORKERS UNVEILED

NOTE: This is a continuation of my previous Research Article titled “Unmasking DPRK IT Workers: Email Address Patterns as Hiring Red Flags” which you can find here.

EXECUTIVE SUMMARY

DPRK IT Workers have been extensively using Code-Sharing Platforms like GitHub to secure new remote jobs. I have uncovered various North Korean Worker Profiles along with their Resumes to shed light on their global presence. The DPRK IT Workers have also been using DeepFakes to create non-existent identities while applying for jobs. This research also discusses why the DPRK is a constant threat to the world and the Geo-Political angle of Russia, China, and North Korea.

INTRODUCTION

In our previous post, we saw the type of Email Address Combinations used by North Korean IT Workers (Jasper Sleet).

In this article, we shall explore various profiles on GitHub and other Code-Sharing Platforms, along with Resumes of DPRK IT Workers, to build a broader picture of North Korea's use of the Remote Job Market via Fake Identities.

GITHUB ACCOUNTS OF DPRK IT WORKERS AKA JASPER SLEET

During the investigation, we found a total of about 50 GitHub Profiles with high activity, excluding 7 GitHub profiles that are now deactivated.

One sample GitHub Profile of a DPRK IT Worker is:-

DPRK IT Worker’s Git Profile

You may find the complete list here:-


The above-listed GitHub accounts are active (ATTOW) and show high activity.

Here is a list of DPRK GitHub accounts that are no longer available:-


NOTE: It is important to note that NOT all North Korean IT Workers maintain a GitHub Account. They don’t only present 

FINDING DPRK IT WORKERS BEYOND GITHUB

Apart from GitHub, the North Korean workers notably maintain profiles on platforms such as CodeSandbox, Zoom Forum, Freelancer, YHype, Medium, RemoteHub, CrowdWorks JP, WorkSpace RU, Dev Forum, Dfinity Forum, etc., to draw more attention to their profiles across various interests.

Their areas of interest span Matlab, WebRTC, Google Firebase, AWS, Digital Ocean, Jekyll, Docker, React JS, Node JS, Android Apps, etc.

Here are some of the pitches made by DPRK Workers to win bids:-

Pitch #1
Pitch #2
Pitch #3
Pitch #4
Pitch #5
Pitch #6
Pitch #7
Pitch #8
Pitch #9
Pitch #10

Apart from showing interest in taking up Remote Jobs, North Korean IT Workers have also been posting their questions on public platforms like GitHub to get answers from community members.

Here are some of the cases:-

Query #1
Query #2
Query #3

Here is the list of URLs tied to DPRK IT Worker Profiles on different platforms. It encompasses profiles from LinkedIn, YHype, Medium, CodeSandbox, RemoteHub, various forums, and personalized websites.


NOTE: The above-shared profiles are not the only ones used by North Korean Actors. There may be many more. But the shared links have concrete proof pointing towards North Korea.

DPRK IT WORKER RESUME ANALYSIS

While analyzing each worker’s Freelancing Workplaces, I came to know that they have adopted several nationalities: the US, Ukraine, Poland, Japan, Canada, Russia, and Spain.

NOTE: Apart from these countries, the group might also have adopted other nationalities, but I am not mentioning them here as there is no substantial evidence for them.

During the Investigation, 12 Resumes were found. From the list of Resumes, I quickly narrowed down their adopted locations and Job Titles.

Visual Representation of DPRK’s Fake Nationalities
  • US — BLOCKCHAIN DEVELOPER
  • SERBIA — FRONT END DEVELOPER
  • US — SENIOR LARAVEL DEVELOPER
  • US — SENIOR FRONT END DEVELOPER
  • COLOMBIA — SENIOR FULL STACK ENGINEER
  • US — SENIOR FULL STACK WEB/MOBILE APP ENGINEER
  • KAZAKHSTAN — FULL STACK DEVELOPER
  • CANADA — SENIOR FULL STACK DEVELOPER
  • CANADA — BLOCKCHAIN DEVELOPER
  • JAPAN — FULL STACK ENGINEER
  • POLAND — SENIOR WEB DEVELOPER
  • US — AI ARCHITECT

Most of the Resumes are uploaded to platforms such as LaborX and FlowCV, which are common places for Remote Workers to post their Resumes publicly.

Another choice for hosting the Resume is a website developed on Vercel by the North Korean Workers, so that recruiters can navigate to the profile and obtain the Resume directly. This also shows that the website is completely functional, which serves as an indirect pitch by the workers to maximize their chance of recruitment.

Hereby sharing the Resume URLs:-


Here is a snapshot of the DPRK Resumes:-

Resume #1
Resume #2

From this, it is evident that most of the IT Workers had opted for US Nationalities for an easy hire. 

DPRK IT WORKER: DEEPFAKE USAGE

During Resume Analysis, one thing caught my attention. I found a resume on a website which is powered by Vercel to list the experience and work of the applicant.

Vercel Website set up by DPRK IT Worker

At a quick glance, the above image will look genuine to an untrained eye. But as I deal with such cases on a regular basis, my curiosity kicked in.

With the help of SightEngine, an AI detector, I found the following result:-

Result of the Image as DeepFake

From this, we can understand that the North Korean Workers are still actively using the same Modus Operandi when applying for jobs and getting hired.

SECURITY INCIDENTS: WHY DPRK IS A CONSTANT THREAT?

There are several incidents being reported across the globe where North Koreans are being framed for popular hacktivist crimes.

According to UN Security Council:

Secret IT workers generate $250m-$600m annually for North Korea, according to a UN Security Council report published in March 2024

These IT Workers are backed by a DPRK wing, Department 53, which is a Weapons Trading Entity subordinate to the DPRK Ministry of National Defense. Department 53 generates revenue using front companies in a variety of industrial sectors, including IT and Software Development.

Here are a few of the most sensational cases of North Korean involvement in various Cyber Incidents.

INCIDENT 1: WANTED BY FBI

The FBI recently announced a Reward Program concerning DPRK IT Workers who are involved in offensive businesses such as Money Laundering and funding DPRK Nuclear Missile Programs.

FBI Notice

INCIDENT 2: OPERATION DREAM JOB 2020

The popular North Korean APT Group Lazarus conducted Operation Dream Job, a cyber espionage campaign targeting job seekers in the defense, aerospace, and chemical sectors with fake job offers to deliver malware. It started in August 2020 and targeted the United States, Israel, Australia, Russia, India, South Korea, the UK, the Netherlands, Cyprus, Sweden, Germany, Singapore, and Hong Kong.

INCIDENT 3: KNOWBE4 HIRING 

In July 2024, Kevin Mitnick-backed Cybersecurity Company KnowBe4 fell victim to hiring a DPRK IT Worker as their Principal Software Engineer. The image in the Resume was an AI-finished work of the IT Worker.

INCIDENT 4: CHRISTINA CHAPMAN 

Christina Chapman operated a “laptop farm” from her homes in Arizona and Minnesota, hosting company-issued laptops to make it appear that North Korean IT workers were performing remote work from the U.S. She also shipped 49 laptops and other devices from her location to a city in China near the North Korean border, likely to facilitators or proxies supporting the scheme. Over a span of 4 years (2019 to 2023), she helped generate $17M for North Korea, which could have been used to fund Missile Programs at the Sinpung-dong Missile Operating Base.

INCIDENT 5: $1.5B BYBIT HEIST

Dubai-based Crypto-Exchange Bybit was hacked in February 2025 by the Lazarus Group, who used phishing and compromised Safe’s AWS infrastructure to inject malicious code into Bybit’s multi-signature wallet interface, allowing them to steal approximately $1.4–$1.5 billion in crypto assets during a routine cold wallet transfer.

Check out my exclusive intel about the hack in this tweet

Here are the above-discussed incidents in a nutshell:-

| INCIDENT | TIMELINE | KEY DETAILS | IMPACT |
|---|---|---|---|
| Operation Dream Job | Aug 2020 | Lazarus Fake Job offers delivering Malware to Defense Sectors | Affected 12+ countries focusing Espionage |
| KnowBe4 Hiring | Jul 2024 | Hired DPRK engineer with AI-finished Resume | Exposed vetting gaps in Cyber Security Firms |
| Christina Chapman Laptop Farm | 2019–2023 | Hosted US laptops for remote DPRK work; shipped to China | $17M laundered: Potential missile funding |
| Bybit Heist | Feb 2025 | Phishing via Safe’s AWS: Stole $1.4–$1.5B crypto | Largest crypto theft; Ties to Lazarus Group |

These are some of the notable incidents where North Korea was involved. There are countless hack incidents on various Crypto Exchanges and Espionage charges which are not covered here.

GEO-POLITICAL ANGLE: PUPPET OF RUSSIA

North Koreans have relied more on Russia since the country's formation in 1948. Recently, it has also come to light that there is a sudden increase in the recruitment of North Korean Workers in Russia, as Russia lacks a labor force due to the Ukraine Invasion. Although the UN banned the practice of employing DPRK Workers in Russia (in 2019) to cut off Kim’s funds for developing Nuclear Weapons, Russia recently sidestepped this ban by bringing DPRK Workers to Russia on Student Visas.

This is NOT the first time North Korean activity has aligned with the use of Russian assets.

  • Kimsuky (DPRK APT GROUP) uses Russian Email Addresses for Credential Theft Attacks in 2025
  • Kimsuky targeted South Korea with Russia-DPRK Partnership Research Paper in Sept 2024
  • Brute Force Activity on Cryptocurrency Exchanges with Russian IPs in 2025

Hence, relying on Russian Servers or Proxy Services for North Korean IT Work is not an isolated case here. Moreover, due to the limited internet connectivity in North Korea, you can hardly see a real North Korean IP Address. 

Tomorrow, if you spot any close association with China, don’t forget that China was one of the nations that supported North Korea by sending its troops in 1950 (Korean War). 

HISTORY REPEATS, BUT IN OTHER WAYS!

The questionable fact here is: most North Korean nationals do not like being trapped in their home country, but they remain legally tied to it even if they go abroad.

Follow me on Twitter for interesting DarkWeb/InfoSec Short findings!

NOTE: The article is purely Individual Research and is only associated with THE RAVEN FILE and is not subjected to be used/published anywhere without the Author’s consent.

Responses to “DPRK IT WORKERS UNVEILED”

  1. […] in the U.S. and elsewhere, securing these jobs using fraudulent documents, stolen identities, and false personas on GitHub, CodeSandbox, Freelancer, Medium, RemoteHub, CrowdWorks, and […]

  2. […] The multi-year IT worker threat is also tracked under names such as Famous Chollima, Jasper Sleet, UNC5267, and Wagemole, and is believed to be linked to the Workers' Party of Korea. The essence of the scheme is to place North Korean IT workers inside legitimate companies in the U.S. and elsewhere, obtaining jobs using forged documents, stolen IDs, and fake personas (on GitHub, CodeSandbox, Freelancer, Medium, RemoteHub, CrowdWorks, and WorkSpace.ru). […]

  3. […] identified roughly 50 active GitHub accounts—such as alchemist0803, SkyCaptainess, and […]

  4. […] detailed information about these activities can be found at the investigation source. Seven additional profiles have been deactivated, suggesting a rotation tactic […]

  5. […] RAVEN FILE analysts noted that these repositories often employed minimalistic README files to distract from hidden […]

  6. […] The Raven File DPRK IT Workers Unveiled […]

  7. Sara

    Thank you for your excellent and insightful article, it was truly valuable
