One standout case in the investigation is “Huy Diep” (also known as “HuiGia Diep”), who secured a software engineering role at the Japanese company Tenpct Inc. His persona included an elaborate personal website that linked to his employer and showcased extensive technical credentials. While he claimed eight years of software engineering experience, a review of his GitHub contributions revealed patterns consistent with other DPRK-linked accounts. More strikingly, investigators uncovered evidence of digital manipulation, where the persona’s face was superimposed onto stock photos to create an illusion of professional legitimacy, a tactic commonly observed among other fake identities in the network.

This operation highlights a larger systematic effort by North Korea to embed IT workers within legitimate companies, raising security concerns beyond financial fraud. The deceptive hiring practices pose potential cybersecurity risks, as these workers may gain access to critical infrastructure and sensitive data. Companies are urged to strengthen their verification processes, especially when hiring remote developers who exhibit these suspicious patterns. By improving identity verification techniques and scrutinizing employment histories, organizations can better protect themselves from such infiltration attempts.

Impact

• Credentials Theft
• Data Exfiltration
• Lateral Movement

Remediation

• Conduct thorough background checks on remote employees, including cross-referencing employment history, education credentials, and public records.
• Use identity verification tools and biometric authentication to validate job applicants.
• Review candidates’ GitHub contributions for unnatural activity, such as co-authoring commits with known suspicious accounts.
• Analyze repository creation dates, commit patterns, and sudden spikes in activity to detect inconsistencies.
• Flag email addresses that follow suspicious naming conventions (e.g., use of “116” and “dev”).
• Use domain-based filtering to detect applicants using disposable or uncommon email providers.
• Require live coding tests during the hiring process instead of relying solely on portfolio submissions.
• Cross-check claimed technical expertise with actual problem-solving skills in real-time interviews.
• Investigate candidates’ online presence beyond GitHub, including LinkedIn, Twitter, and other professional platforms.
• Be cautious of applicants who lack a digital footprint or have newly created social media accounts.
• Limit new remote hires' access to sensitive systems and data until they establish trust.
• Continuously monitor network activity for unusual patterns, such as data exfiltration or unauthorized access attempts.
• Ensure hiring practices comply with international sanctions and regulatory frameworks.
• Collaborate with government agencies and cybersecurity firms to stay updated on evolving threats.
• Train HR and IT teams to recognize signs of fraudulent applications and identity manipulation.
• Educate employees on cybersecurity best practices to prevent insider threats.
• Establish a clear protocol for reporting and investigating suspected cases of infiltration.
• Conduct forensic analysis on any identified suspicious activity and escalate findings to relevant authorities.
• Share indicators of compromise (IoCs) and findings with cybersecurity organizations and law enforcement agencies.
• Stay informed about emerging threats through intelligence-sharing platforms and industry reports.