Hidden Threat: North Korean IT Workers Exposed
2025-10-09 • KELA
https://www.kelacyber.com/blog/espionage-exposed-inside-a-north-korean-remote-worker-network/
KELA links a large North Korean remote-worker operation to fake identities used to obtain freelance and full-time roles across technology, cryptocurrency, transportation, critical infrastructure, architecture, and industrial design. The workers rely on stolen or rented identities, AI-generated headshots, fabricated portfolios, VPNs, VPSs, Western facilitators, laptop farms, and recurring email and password patterns to bypass hiring and verification controls. Infostealer logs tied to North Korean-linked email addresses exposed developer workstations in Japan, Russia, Hong Kong, and the United States, with access to job platforms, GitHub, GitLab, AWS, Slack, Stripe, Binance, and other services. KELA’s architecture and design case study found identity-management files, resumes, proposal templates, KYC material, proxy configurations, cryptocurrency wallets, and platform-specific personas used to pursue U.S.-based client work. The activity matters because the scheme expands DPRK risk from software and crypto access into hiring, contractor management, sensitive infrastructure design, sanctions evasion, espionage, and potential follow-on intrusion.