IGLOO analyzed two GitHub accounts, CryptoNinja0331 and ican0220, as likely infrastructure for North Korean IT worker fake-employment activity. The repositories held resume and portfolio material, fake profile images, email and Upwork account data, project research, commit-author manipulation scripts, and references to Astrill VPN, TeamViewer, and AnyDesk. The report also found a Zoom-themed malicious file in an Upwork account folder, with a bundled loader and Ramsay malware, showing that the employment-fraud setup included developer-facing malware delivery artifacts. The activity is relevant to remote hiring controls because it combines stolen or synthetic identities, freelance platform workflows, remote access tooling, cryptocurrency payment movement, and repository manipulation.