Nisos Research Finds North Korean IT Workers Set Up Fake Software Company to Gain Employment
Company Shares Latest Developments in DPRK-Driven Employment Fraud Campaign, Following Disclosure of False Identities, Use of GitHub and AI Deepfakes
ARLINGTON, Va. – May 19, 2025 – Nisos, the human risk management company, today shared a new set of findings from its years of research into North Korean-led employment fraud efforts: that DPRK (Democratic People’s Republic of Korea)-affiliated IT workers appear to be setting up fake freelance software development companies to gain freelancer work. The findings are available in the company’s newest research report, entitled “Saja DPRK Employment Scam Network.”
Nisos researchers uncovered an IT worker employment scam network where DPRK-affiliated individuals are posing as Polish and U.S. nationals, with the goal of obtaining employment in remote engineering and full-stack blockchain developer roles. Members of the network are using GitHub accounts, portfolio websites, and freelancer accounts – and have gone to the extreme of establishing a global freelance software development company, Inspiration With Digital Living (IWDL), aimed at tricking companies into hiring them for full-time remote positions and project-based freelance jobs.
“This is a natural evolution of the DPRK-connected threat actors’ efforts to gain employment as IT workers across the globe. As they escalate their tactics to fabricate strong, hard-to-question backstories and employment histories for themselves, establishing a fake freelance software development company seems like the next logical step,” said Ryan LaSalle, CEO of Nisos.
As a part of its research, Nisos identified the following tactics, techniques, and procedures (TTPs) that are commonly attributed to DPRK employment fraud actors, spread across GitHub accounts, portfolio websites, and IWDL’s website:
- GitHub accounts exhibited an unusual consistency in avatars; in this case, many displayed similar lion-themed pictures
- Personas within the network used similar email addresses, which frequently included the word “century” in their contact information
- Portfolio websites exhibited an unusual consistency, suggesting that they were created from the same template with identical information
- The same threat actor held accounts under different names, each attempting to gain employment
- Profile photos were digitally manipulated. Threat actors’ faces were often pasted on top of stock photos
- The same persona was reused by different threat actors
For access to all of Nisos’ research reports on North Korean-led employment fraud from the past two years, click here: https://nisos.com/dprk-it-worker-fraud-research/.
Additional Findings of Note
DPRK-connected IT workers go to these great lengths to gain employment for several potential reasons. They could be looking to infiltrate a company to steal information or data, or to use it as a stepping stone to reach into other companies it may be connected to. Most often, however, the goal is to simply gain employment and earn money. Many have been found to gain employment at several companies at the same time, tweaking their personas and backgrounds as they go.
In this most recent research, Nisos found that worker portfolios on websites such as GitHub often contained fake testimonials from other personas included within the network. Some of these personas included the names Kornel Dudek, Fred Rowe, Juan Pablo Torres, and Thomas Richard. Nisos also identified one threat actor who is likely the operator of four different personas aiming to obtain remote work. There were different digitally enhanced photographs of the same individual, who claimed to be four different people located in Poland and the United States at the same time.
“Organizations across the globe need to understand just how much of a threat these employment fraud efforts are,” added LaSalle. “Not only is critical company and employee information put at risk, but organizations are opening themselves up to attacks. Employing these individuals is also often in violation of government regulations and sanctions – and no company wants to be secretly funding the North Korean regime.”
Years of Insights into North Korean Employment Fraud
DPRK-connected IT workers have a long history of misrepresenting themselves using false credentials and identities to gain employment. Fake identities can be created using AI and deepfake technology, and, when combined with common tactics, can be difficult to uncover. Since 2023, Nisos has been researching the mature, recurring – and escalating – campaign of employment fraud conducted by individuals from the DPRK.
Nisos’ human risk management solutions help companies verify identities, scrutinize candidate backgrounds, and monitor employees for potential risk factors, reducing the likelihood of hiring individuals who might compromise security or act against company interests.
The full “Saja DPRK Employment Scam Network” report is available for download from Nisos, along with more information on how Nisos can help your organization identify DPRK-related fraud and prevent it in the future.
About Nisos
Nisos is the human risk management company specializing in unmasking threats before they escalate. The company is a trusted advisor, operating as an extension of security, intelligence, legal, and human resource teams to protect their people and business. Nisos’ intelligence-led solutions help enterprises make critical decisions, manage human risk, and drive real world consequences for digital threats. For more information, please visit: https://www.nisos.com.
###
Media Contact:
Jeff Drew
Guyer Group for Nisos
(617) 233-5109
nisos@guyergroup.com