Inside the ecosystem of North Korea's fake developers

📊 Analytics · 2026-04-28, 11:05
Back in 2024, it became known that North Korean IT specialists were getting jobs at companies worldwide (in the U.S., China, Russia, and elsewhere) under fake identities — both for cyber‑espionage and to funnel earnings back home.
A new investigation by Group‑IB shows this isn't a set of isolated actors but rather a fully developed operational ecosystem.
✍️ The same GitHub repositories, email addresses, portfolios, and résumés were reused for multiple "candidates". Such pre‑made templates let operators scale the creation and management of fake identities.
✍️ Analysts also uncovered a centralized support infrastructure for the hiring process: prewritten job‑application responses, employer reply templates, and interview guides. AI was part of the toolkit as well: ChatGPT was used to make answers in English sound more natural.
✍️ Investigators also identified connections to previous attempts, in 2021, to buy verified accounts on Upwork (a freelance platform). The attackers' materials also mentioned other legitimate platforms such as LinkedIn and Freelancer. Using well‑known platforms increases trust in these "candidates" and boosts their chances of being hired.
The shift to remote work — without revisiting hiring procedures — greatly contributed to the spread of this scheme. It shows that initial access to corporate infrastructure isn't always gained through exploiting vulnerabilities or phishing; it can also come via seemingly legitimate means. In this context, it's crucial to raise threat awareness not only among technical staff but also within HR teams interacting with applicants.