Cyber Saga: In the Footsteps of the DPRK IT Workers

2026-04-08 Group-IB

https://www.group-ib.com/blog/dprk-fake-remote-developers

Group-IB traced a DPRK IT worker ecosystem from a previously reported email address to GitHub accounts, portfolio sites, resume materials, freelance platform activity, and archived persona packages that supported fake remote developer identities. The activity used synthetic or repurposed personas such as Nicolas Sammaritano, Caddo Smith, Dominic Williams, Dejan Teofilovic, Mirko Djuricic, Aaron Groenke, and Atsuo Koizumi, with overlapping repositories, emails, images, and hosted portfolios indicating centralized reuse of materials. The investigation highlights a labor-enabled access model rather than a malware chain: operators build credible developer histories, acquire or seek verified freelancing accounts, prepare AI-assisted job responses, and maintain communication and payment infrastructure. The report matters because companies hiring these personas face insider, data theft, revenue-generation, and sanctions-compliance risks tied to DPRK remote worker operations.

Indicators of Compromise

