Threat Analysis
Saja DPRK Employment Scam Network
Executive Summary
Nisos is tracking an IT worker employment scam network posing as Polish and US nationals with the goal of obtaining employment in remote engineering and full-stack blockchain developer roles. Threat actors in this network are using GitHub accounts, portfolio websites, freelancer accounts, and a global freelance software development company, Inspiration With Digital Living (IWDL), to trick companies into hiring them for full-time remote positions and project-based freelance jobs. This network is the first indication that possibly DPRK-affiliated IT workers are setting up fake freelance software development companies with legitimate-looking websites to gain freelancer work.
Several indicators suggest that the network is likely affiliated with the Democratic People’s Republic of Korea (DPRK). Nisos identified the following tactics, techniques, and procedures (TTPs) commonly attributed to DPRK employment fraud actors on the network’s GitHub accounts, portfolio websites, and IWDL’s website:
- GitHub accounts exhibited an unusual consistency in avatars; in this case, many displayed similar lion-themed pictures.
- Personas within the network used similar email addresses, which frequently included the word “century” in their contact information.
- Portfolio websites exhibited an unusual consistency, suggesting that they were created from the same template with identical information.
- The same threat actor had accounts in different names attempting to gain employment.
- Profile photos were digitally manipulated. Threat actors’ faces were often pasted on top of stock photos.
- The same persona was reused by different threat actors.
Lion-Themed GitHub Avatars
Nisos identified a network of GitHub accounts, which contained repositories for fake portfolio websites likely used to gain employment with unwitting companies. The portfolio websites linked to freelancer and professional networking platform accounts. On these accounts, threat actors claimed to be full-stack developers and engineers located in Poland and the United States looking for employment. Four of the eight most interconnected GitHub accounts in the network had animals as their avatars, three of which were lions. Nisos identified several other GitHub accounts sharing followers with the accounts within this network that also exhibited lion-themed avatars.
GitHub accounts of interest within the network include the following:
Similar “Century” Email Address
Nisos found that three GitHub accounts and two portfolio websites within the network used email addresses that included the word “century.” We assess that the threat actors possibly used the word to distinguish the network and its accounts from other networks.
Identical Portfolio Websites
Nisos found five active portfolio websites on GitHub[.]io and vercel[.]app and two inactive websites. The portfolio websites are mostly designed with identical elements, which include “about” sections, portfolios, and testimonials.
The portfolio websites associated with this network include the following:
- https://veteransoftdev.github[.]io (active)
- https://softwarepassioner.github[.]io (active)
- https://cleversofter.github[.]io (active)
- https://goodwork0903.github[.]io (active)
- https://portfolio-ideal-softer.vercel[.]app (active)
- https://dedicatedsoftwaredev.github[.]io (inactive)
- https://seasonedsoftdev.github[.]io (inactive)
“About” Section
The “about” sections frequently included references to working 10+ years, having built an “Assistant for Freelancer,” and having completed more than 25 jobs.
“Portfolio” Section
The “portfolio” sections frequently referenced having worked on a service called “Assistant For Freelancer (AFF),” which was described as a private service supporting freelancers. Many portfolios also included work on the development of an “Anti-Game-Cheat engine focusing on AI components to detect cheating.”
“Testimonial” Section
The “testimonial” sections frequently contained fake testimonials from other personas included within the network and personas listed as examples in the AFF service screenshots on the portfolio websites. The personas included: Kornel Dudek, Fred Rowe, Juan Pablo Torres, and Thomas Richard.
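The indicators described above can be turned into a screening check for applicant records. The following is an added example, not Nisos code: the record field names, the choice to match “century” only in the local part of the address, and the review threshold of two indicators are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import urlparse
# Portfolio hosts listed in the report (defanged there, refanged here for matching).
REPORTED_HOSTS = {
    "veteransoftdev.github.io", "softwarepassioner.github.io",
    "cleversofter.github.io", "goodwork0903.github.io",
    "portfolio-ideal-softer.vercel.app", "dedicatedsoftwaredev.github.io",
    "seasonedsoftdev.github.io"}
# Template phrases the report describes in the "about" and "portfolio" sections.
TEMPLATE_PHRASES = {
    "aff_service": re.compile(r"assistant\s+for\s+freelancers?", re.I),
    "anti_cheat": re.compile(r"anti[-\s]game[-\s]cheat", re.I)}
# Personas the report names in the fake testimonials.
PERSONAS = ["Kornel Dudek", "Fred Rowe", "Juan Pablo Torres", "Thomas Richard"]

SAMPLES = [  # constructed applicant records, not real people
    {"email": "dev.century88@example.com",
     "portfolio_url": "https://example-portfolio.github[.]io",
     "portfolio_text": "10+ years. Built Assistant For Freelancer (AFF). "
                       "Testimonials: Kornel Dudek, Fred Rowe"},
    {"email": "jane@centurylink.example",
     "portfolio_url": "https://jane.example.org",
     "portfolio_text": "Backend engineer. Reference: Thomas Richard"},
]

def screen(candidate):
    """Return the report indicators matched by one applicant record."""
    hits = []
    # Assumption: match "century" in the local part only, to skip ISP-style domains.
    if "century" in candidate.get("email", "").split("@")[0].lower():
        hits.append("email:century")
    url = candidate.get("portfolio_url", "").replace("[.]", ".")
    if (urlparse(url).hostname or "").lower() in REPORTED_HOSTS:
        hits.append("host:reported")
    text = candidate.get("portfolio_text", "")
    hits += ["phrase:" + n for n, rx in TEMPLATE_PHRASES.items() if rx.search(text)]
    named = [p for p in PERSONAS if p.lower() in text.lower()]
    if named:
        hits.append("testimonials:%d" % len(named))
    return hits

def needs_review(candidate, threshold=2):
    """Flag on a reported host, or on `threshold` weaker indicators (assumed value)."""
    hits = screen(candidate)
    return "host:reported" in hits or len(hits) >= threshold

if __name__ == "__main__":
    for record in SAMPLES:
        print(record["email"], screen(record), needs_review(record))
```

A single weak match, such as one common persona name, is left below the threshold so that it does not flag an applicant on its own.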