Nisos Tradecraft
How OSINT Can Help Identify Employment Fraud
Nisos identified five freelance personas probably used by Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) information technology (IT) workers to fraudulently obtain remote employment from unwitting companies not just in the United States, but also Europe and Asia.
- Investigators found one persona by searching for exact copies of a resume provided by a United Nations Security Council report.
- Investigators found three additional personas by searching for exact copies of work experiences identified for the first persona.
- Lastly, investigators conducted an image search for one of the profile photos of the first persona, which revealed another persona with the same image.
Investigators found that each of the five personas used the same tactics, techniques and procedures (TTPs) identified in the Nisos December 2023 research post, specifically appropriating resume content and highlighting experience in blockchain transactions. Investigators also found that three of the five personas appropriated names and profile photos from other individuals, including individuals based in the US, and in one case digitally manipulated the profile image, to create accounts on freelance websites.
Appropriated Resume Content – Experience in Blockchain
In March 2024, the United Nations Security Council circulated a panel of experts report which highlighted that DPRK nationals working overseas earn income in violation of sanctions, including in the information technology, restaurant and construction sectors. In the report, the panel highlighted the below falsified DPRK IT worker resume, which focused on the persona’s experience as a Full Stack and Blockchain developer. Investigators used the first two paragraphs of the resume to initiate an investigation in an attempt to identify other personas probably used by DPRK IT workers.
Alfred Yin
Nisos investigators identified two freelancer accounts for “Alfred Yin” that both use the same resume content as the falsified resume above. The two accounts use the same name and introduction language as the previously identified resume; however, the accounts show inconsistency in location, suggesting that they are probably used to appeal to potential clients in various regions. A closer inspection of the profile photo from the second Alfred Yin account also reveals indications of digital manipulation, namely that the face of the individual was likely pasted onto a stock suit and tie.
Appropriated Resume Content – Website Design
Nisos investigators identified six freelancer accounts for three personas that used the same resume content as Alfred Yin’s account 2. Yin’s account 2 claims to have worked for Evernote as a Full stack developer between August 2014 and November 2017 and listed a number of experiences and achievements. Nisos investigators identified the same experiences, with slight variations, on three separate freelance accounts, suggesting they are personas used by the same probable DPRK actors to appeal to different client sets.
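Exact-match searching misses the "slight variations" noted above. As an added example (not Nisos tooling and not code from the report), here is one way a hiring or trust-and-safety team could group profiles that reuse resume text, using word-shingle Jaccard similarity with transitive clustering. The profile texts, account ids, shingle size and 0.5 threshold are constructed assumptions.

```python
import re
from itertools import combinations

# Constructed sample profiles (not taken from the report or any real account).
SAMPLE_PROFILES = {
    "acct-1": "Built and maintained a note syncing service used by mobile and web clients, "
              "reduced API latency by forty percent and mentored three junior developers.",
    "acct-2": "Built and maintained a note syncing service used by mobile and web clients, "
              "cut API latency by forty percent and mentored three junior developers.",
    "acct-3": "Built and maintained a note syncing service used by mobile and web clients, "
              "cut API latency by 40% and coached three junior developers.",
    "acct-4": "Designed landing pages and email templates for a regional bakery chain "
              "and managed their social media calendar.",
}

def shingles(text, k=3):
    """Set of k-word shingles, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        return {" ".join(words)} if words else set()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Overlap of two shingle sets: |a & b| / |a | b|."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def cluster_profiles(profiles, threshold=0.5, k=3):
    """Group profile ids linked, directly or through a chain, by similar text."""
    parent = {pid: pid for pid in profiles}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    sets = {pid: shingles(text, k) for pid, text in profiles.items()}
    for a, b in combinations(profiles, 2):
        if jaccard(sets[a], sets[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for pid in profiles:
        groups.setdefault(find(pid), []).append(pid)
    # Only groups with more than one account indicate reused content.
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    for group in cluster_profiles(SAMPLE_PROFILES):
        print("shared resume text:", ", ".join(group))
```

In the sample, acct-1 and acct-3 fall below the threshold when compared directly but land in the same group through acct-2, which is how a chain of incrementally edited copies still gets linked.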
The reporting contained herein from the Nisos research organization consists of analysis reflecting assessments of probability and levels of confidence and should not necessarily be construed as fact. All content is provided on an as-is basis and does not constitute professional advice, and its accuracy reflects the reliability, timeliness, authority, and relevancy of the sourcing underlying those analytic assessments.