Assessment of DPRK IT Worker Tradecraft

2025-04-29 NISOS

https://nisos.com/research/dprk-it-worker-tradecraft-assessment/

Attachments

Assessment-of-DPRK-IT-Worker-Tradecraft.pdf (4 MB)

Nisos assessed DPRK IT worker tradecraft from 2022 through 2025, focusing on fabricated developer personas used for freelance and remote employment. The observed personas evolved from cartoon or stock images to AI-manipulated profile photos, portfolio websites built from public templates, and reused resume introductions for blockchain and Web3 roles. Nisos also found GitHub account reuse across multiple personas, including redsky500 links to Code Solution, CodeJourney, and Ryosuke Yamamoto, plus shared contact patterns such as the 0302 handle. The assessment gives recruiters and security teams practical indicators for detecting DPRK worker personas before they gain corporate access.

Indicators of Compromise

Type    Value              First Seen  Last Seen
EMAIL   [email protected]  2025-04-29  2025-04-29
DOMAIN  bootstrapmade.com  2025-04-29  2025-04-29
