DPRK IT Workers in Open Source and Freelance Platforms
a year ago
- #NorthKorea
- #FreelancePlatforms
- #Cybersecurity
- Discovery of suspicious actors in a legitimate developer's repository led to uncovering North Korean IT workers on freelance platforms.
- North Korean IT workers, known as 'PR Spammers,' exploit open-source projects and freelance platforms like OnlyDust to gain credibility and receive payments in cryptocurrency.
- Identified actors include 0xExp-po, bestselection18, and aidenwong812/cryptogru812, who manipulated GitHub histories and identities to appear legitimate.
- Evidence includes AI-generated profile pictures, stolen commit histories, and toxic GitHub activity patterns.
- Actors received payments totaling at least $1,874 USD for contributions to projects on OnlyDust, including projects in the Stellar and Starknet ecosystems.
- A video call with one actor, motokimasuo/kirbyattack, confirmed suspicions when the actor left the call upon being asked to introduce themselves in Japanese.
- North Korean IT workers pose risks beyond financial fraud, including potential supply chain attacks and building credibility for future malicious activities.
- Recommendations include rigorous vetting of remote workers, video call verifications, and awareness of identity manipulation tactics.
- Affected projects include multiple Stellar and Starknet-related repositories, with some projects receiving substantial grants.
- The article serves as a warning to platforms employing remote workers with minimal KYC, emphasizing the broader risks to the developer ecosystem.