Threat Analysis

DPRK IT Worker Tradecraft Between 2022 and 2025

by | Apr 29, 2025 | Blog, Research

Executive Summary

Since early 2023 Nisos has been investigating and monitoring North Korean (DPRK) IT workers, who use fake personas and stolen identities to fraudulently obtain remote employment from unwitting companies in the United States and abroad. DPRK IT workers pose as Japanese, Singaporean, Turkish, Finnish and US nationals with engineering and full-stack developer backgrounds to fund Pyongyang’s ballistic missile and nuclear weapons development programs. Nisos observed that DPRK IT workers have used the following tactics, techniques, and procedures (TTPs) to mask their true identities over the past three years:

  • Advanced technology, such as Artificial Intelligence (AI) for image manipulation
  • Templates for persona website creation via Github repositories
  • Reused resume content
  • Fake addresses

Nisos also observed DRPK IT workers quickly pivoting to other personas if a persona was fired by an employer or flagged and removed from GitHub or freelancer websites. DPRK IT workers quickly create new personal websites and freelancer accounts to continue the work the previous persona was doing.

Use of AI in Profile Images

Nisos observed increased sophistication related to how DPRK IT workers use AI to generate profile pictures for their personas. In 2022, DPRK IT workers did not include photos of themselves on their portfolio website or freelancer accounts and instead relied on cartoons to hide their true identities. Starting in 2023, DPRK IT workers began putting their faces on stock photo bodies, to make their accounts seem more legitimate. Since 2024, DPRK IT workers have used AI to combine their faces with stock images to make their profile photos appear more legitimate.

Cartoon Images

Nisos observed a number of instances of DPRK-affiliated personas using cartoons or other images to mask the true identity of the IT worker. Most of these personas were created in 2022.
Graphic 1: Profile Photo of likely DPRK persona Naoyuki Tanaka. [1]

Digitally Manipulated Images

Nisos observed a number of instances of digitally manipulated profile images, which combine the faces of IT workers onto stock photos. These personas were created before 2024.
Graphic 2: Profile Photo of likely DPRK persona WeiTao Wang. [2]
Graphic 3: Stock Photo of the outfit in Graphic 2.
Graphic 4: Profile Photo of likely DPRK persona Osamu Odaka. [3]
Graphic 5: Stock Photo of the outfit used in Graphic 4.

AI-Manipulated Images

Nisos observed a number of instances of AI-manipulated profile images, which combine the faces of IT workers with stock photos. These personas were all created in 2024.
Graphic 6: Profile photo of likely DPRK persona Shaorun Zhang. [4]
Graphic 7: Advertisement photo used in Graphic 6. [5]
Graphic 8: Photo of likely DPRK persona John Alexander Bird. [6]
Graphic 9: Photo of South Korean actor Lee Dong-wook. [7]

Templates For Websites

According to the US Office of Foreign Assets Control (OFAC), DPRK IT workers build “portfolio” websites, generally simple in design, in an effort to boost the credibility of their fabricated, freelance developer personas. These virtual portfolios represent the work of DPRK IT workers’ personas and are often linked to their online freelance developer accounts.[8] Nisos observed that DPRK IT workers began using templates to build portfolio websites for their personas in 2023. These included templates from websites such as bootstrapmade[.]com.

Bootstrapmade

Nisos observed that likely DPRK-affiliated GitHub account imcode65 created a portfolio website for a persona named John Alexander Bird importing a template from website bootstrapmade[.]com on 30 November 2023. Several other likely affiliated DPRK personas also used website templates that appear similar to the Bootstrapmade template, to post the portfolio websites on vercel[.]app. Vercel is a platform that provides developer tools and cloud infrastructure to individuals to personalize the website for them.[9]
Graphic 10: GitHub commit showing the use of templates for portfolio websites. [10]
Graphic 11: Bootstrapmade website template. [11]
Graphic 12: Naoyuki Tanaka website. [12]
Graphic 13: WeiTao Wang website. [13]

Reused Resume Content

Introduction Section

Nisos observed a number of DRPK-affiliated personas use the same or similar introduction section on their resumes. DPRK-affiliated personas Karl Chong and Roman Kryveha for example stated that they both are experienced developers with over seven years of experience in blockchain development.
Graphics 14 Karl Chong’s about me section. [14]
Graphics 15: Roman Kryveha’s about me section. [14]

GitHub Accounts

Nisos observed that GitHub accounts are re-used to backstop different personas. Nisos assesses that DPRK affiliated IT workers reuse the accounts in order to provide fake work history to their personas. GitHub account redsky500, which is no longer active, for example was associated with the personas Code Solution, CodeJourney, and Ryosuke Yamamoto. [15 16 17] Code Solution claims to be the user of redsky500 and claims to have 10 years of work experience. [18] Redsky500 is also associated with likely DPRK persona Ryosuke Yamamoto, who has six years of work experience and appears to be employed at WowDAO as a Web3 Full Stack Developer. [19] In addition to their association with the same GitHub account, Code Solution and Ryosuke Yamamoto share association with the number 0302. Code Solution lists their contact information as Telegram ID doom0302 while Ryosuke Yamamoto lists Telegram ID Ryosuke0302 and email address phantomdev0302@gmail[.]com. [20 21]

To obtain the complete research report, including endnotes, please click the button below.
DOWNLOAD PDF

About Nisos®

Nisos is the human risk management company specializing in unmasking threats before they escalate. We are a trusted advisor who operates as an extension of security, intelligence, legal, and human resource teams to protect their people and business. Our intelligence-led solutions help enterprises make critical decisions, manage human risk, and drive real world consequences for digital threats.
For more information, visit: https://nisos.com.

Employment Fraud
Insider Threat Intelligence