A U.S. cybersecurity professional, Aidan Raney, spent about two months engaging suspected North Korean IT workers after a client saw signs of DPRK-linked involvement in a hiring process. The workers, using the persona “Ben,” claimed to be a Ukrainian refugee in Poland and proposed that Raney provide a U.S. identity and face for company hiring while they performed the work and kept 70 percent of the salary. The operation involved resume editing, creation of a LinkedIn profile, real-time coaching during interviews, and a verbal offer for a software developer role at a U.S. federal contractor handling GIS and data-analysis work. Raney observed multiple operators using the same identity, a supervised call-center-like environment, shifting IP subnets that appeared to move from China to Russia, and efforts to set up remote-control access, making the scheme relevant to insider risk as well as DPRK revenue generation.