Bells Ringing in Dar es Salaam

2025-09-04 Chollima Group

https://chollima-group.io/posts/bells-ringing-in-dar-es-salaam


Chollima Group links the Hailong Jin and Lian Hung personas to suspected North Korean IT worker activity, including GitHub accounts tied to Unity/game development, blockchain work, and overlap with strings seen in Moonstone Sleet's DeTankZone research. Leak data for the goldsea808-linked email is reported to have originated from DPRK IP 45.126.3.252, associated with NetKey/OConnect, while Lian Hung is described as using multiple personas and accessing DPRK-owned Korean-language sites. The investigation pivots from these personas to Bells Inter Trading Limited in Dar es Salaam, Tanzania, where public work permit records identify multiple Korean-named applicants tied to Bells and related entities. Bells-linked Apple apps and connected publisher accounts are associated with VPN and mobile apps totaling more than 12 million installs, suggesting a potentially significant DPRK IT worker commercial footprint beyond commonly tracked regions.

Indicators of Compromise

