Exposing a Fraudulent DPRK Candidate

Since early 2023, Nisos has provided our clients with critical insights and conducted OSINT (Open-Source Intelligence) pre-employment and insider risk investigations to mitigate the threat of North Korean (DPRK) IT worker employment schemes. In June 2025, we used a combination of pre-employment OSINT due diligence and targeted interview questions to expose a suspected DPRK operative who applied for a remote Artificial Intelligence (AI) architect role at Nisos.

The operative unsuccessfully used stolen personally identifiable information (PII), a newly created email, and an AI-created resume to pose as a Florida-based lead AI architect and senior full stack developer. Nisos subsequently identified an employment fraud network involving the IT worker, which included a laptop farm located in Florida. Our investigation of the laptop farm found that DPRK IT workers use Raspberry Pi-based KVM (Keyboard-Video-Mouse) devices to remotely access desktops, and mesh VPN services like Tailscale to connect multiple devices to a network they control despite being located across US residences. During the investigation and interview, Nisos also identified well-known suspected operative tactics, techniques, and procedures (TTPs) that are linked to DPRK IT workers.

The suspected DPRK operative applied to the Lead AI Architect role using the following PII: Phone: 850-308-4867, Email address: Jo***@gmail[.]com, Address: Palm Beach Gardens, FL 33410, and IPs: 167.88.61.250 and 167.88.61.117. The operative used IP addresses 167.88.61.250 and 167.88.61.117 when interacting with Nisos, which likely belong to the Astrill VPN anonymization network. Cybersecurity firms like Mandiant have published lists of IP addresses that DPRK remote workers used; many of these IP addresses are associated with the Astrill VPN service, a popular VPN in China. Additionally, Nisos found that phone number 850-308-4867 is likely a Voice over Internet Protocol (VoIP) number. Scammers regularly use VoIP numbers so they can choose phone numbers that match the applicant’s alleged location.

The operative likely used an AI chatbot to create his resume, as the resume repeated many of the skills mentioned in the Lead AI Architect job description. DPRK IT workers have been known to list large numbers of skills and programming languages in their resumes to make them more attractive to potential employers. The suspected DPRK operative’s resume also included a summary section, which reused content from the Lead AI Architect job description.
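The resume indicator described above, wording lifted from the job description, can be measured during screening. The following is an added example, not Nisos tooling or code from the original post: it scores how much of a resume's text also appears in the posting and extracts the longest copied run of words. The function names, thresholds, and sample texts are assumptions constructed for illustration.

```python
import re

def words(text):
    """Lowercase word tokens; punctuation and casing differences are ignored."""
    return re.findall(r"[a-z0-9+#]+", text.lower())

def shingles(tokens, n):
    """Set of consecutive n-word sequences."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}

def containment(resume, posting, n=4):
    """Fraction of the resume's n-word shingles that also occur in the posting."""
    r = shingles(words(resume), n)
    p = shingles(words(posting), n)
    return len(r & p) / len(r) if r else 0.0

def longest_shared_run(resume, posting):
    """Longest run of consecutive words present in both texts (dynamic programming)."""
    a, b = words(resume), words(posting)
    best, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best, best_end = cur[j], i
        prev = cur
    return a[best_end - best:best_end]

def review_flag(resume, posting, min_containment=0.5, min_run=8):
    """True when either measure crosses its threshold (threshold values are assumed)."""
    return (containment(resume, posting) >= min_containment
            or len(longest_shared_run(resume, posting)) >= min_run)

# Constructed sample texts, not taken from the investigation.
POSTING = ("We are seeking a Lead AI Architect to design and deploy scalable machine "
           "learning pipelines, lead cross-functional engineering teams, and integrate "
           "large language models into production analytics platforms.")
COPIED = ("Lead AI Architect with 10 years of experience. Proven ability to design and "
          "deploy scalable machine learning pipelines, lead cross-functional engineering "
          "teams, and integrate large language models into production analytics platforms.")
ORIGINAL = ("Built a fraud-scoring service in Go for a regional bank, cut model training "
            "cost by a third, and mentored four junior engineers on code review practice.")
```

A flagged resume is a cue to weigh the other indicators in this post (VPN-hosted IP addresses, a VoIP number, a newly created email) and to probe the copied claims in the interview.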

On 24 June 2025, Nisos conducted a virtual interview with the suspected DPRK operative. During the interview, which was conducted in English, the operative frequently looked away from the camera while answering the questions. Nisos asked the operative a fake question about Hurricane George, which supposedly impacted Florida within the last week. The operative started his reply with “How can I say?” while looking at another screen. The operative used the same phrase to start his answers to other questions that he could not answer by reading from a script, suggesting he was waiting for the AI chatbot to provide him an answer before replying to the question.

The pre-employment OSINT investigation into the suspected DPRK operative also revealed three different resumes, which suggested that the operative likely set up accounts on resume platforms to gain employment as a senior full stack developer. Nisos found that the resumes listed two different universities and many different employers, suggesting that the accounts and resumes were set up at different times. Of note, all resumes appear to be linked based on the true addresses of a real individual who likely had his identity stolen.

This post is licensed under CC BY 4.0 by the author.