
{"id":60730,"date":"2025-04-21T06:25:45","date_gmt":"2025-04-21T06:25:45","guid":{"rendered":"https:\/\/mycryptomania.com\/?p=60730"},"modified":"2025-04-21T06:25:45","modified_gmt":"2025-04-21T06:25:45","slug":"unmasking-suspicious-github-activity-the-wagemole-campaign-and-its-links-to-dprk-threat-actors","status":"publish","type":"post","link":"https:\/\/mycryptomania.com\/?p=60730","title":{"rendered":"Unmasking Suspicious GitHub Activity: The Wagemole Campaign and Its Links to DPRK Threat Actors"},"content":{"rendered":"<p>image: <a href=\"https:\/\/x.com\/cyberwarcon\">https:\/\/x.com\/cyberwarcon<\/a><\/p>\n<h3>Table of\u00a0Contents<\/h3>\n<p><strong>Executive Summary<\/strong><\/p>\n<p><strong>Contagious Interview and Wagemole Campaigns<\/strong><\/p>\n<p><strong>\u201cWageMole\u201d Campaign on\u00a0GitHub<\/strong><\/p>\n<p><strong>Suspicious Activity and Behavior in\u00a0GitHub<\/strong><\/p>\n<p><strong>Case: Interaction with Organizations<\/strong><\/p>\n<p><strong>Part 1: \u201cPlease Invite Me to the GitHub Community Organization\u201d<\/strong><\/p>\n<p><strong>Part 2: Interaction of Accounts with GitHub Repositories<\/strong><\/p>\n<p><strong>Part 3: Cluster of Older GitHub\u00a0Accounts<\/strong><\/p>\n<p><strong>Part 4: Suspicious Interactions of These Accounts Across Different Repositories (Seeking-Job Behavior)<\/strong><\/p>\n<p><strong>Part 5: Suspicious Accounts with High Incidence and Activity Related to \u201cWagemole\u201d Campaign<\/strong><\/p>\n<p><strong>Case 1: Suspicious Accounts Interacting with Developer<\/strong><strong>Case 2: Suspicious Account Participating in a\u00a0DAO<\/strong><strong>Case 3: Threat Actors Disguised as Developers Building\u00a0TaraSwap<\/strong><strong>Case 4: GitHub Accounts interacting with the Stellar Foundation repositories<\/strong><\/p>\n<p><strong>Conclusion<\/strong><\/p>\n<p>IOCs<\/p>\n<p><strong>Additional Resources<\/strong><\/p>\n<h3>Executive Summary<\/h3>\n<p>This research seeks to shed light 
on the rising suspicious activity on GitHub linked to the \u201cWagemole campaign,\u201d associated with North Korean IT worker operations. It uncovers emerging behavior patterns, engagement strategies, instances of coordinated activity, and the formation of new clusters of fresh empty accounts in GitHub. Additionally, it explores interactions with Web3 projects, suspicious interview practices, and cases where these accounts have successfully operated under the\u00a0radar.<\/p>\n<p>Our recent investigations have revealed that these accounts not only display specific patterns in their followers and the accounts they follow but also share notable similarities in key aspects such as creation dates, declared skills, similar profile images, comparable bios, and analogous GitHub handles, among other\u00a0traits.<\/p>\n<p>Our previous investigations uncovered much of the activity associated with the \u201cWagemole\u201d campaigns, specifically on\u00a0GitHub:<\/p>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/recap-of-findings-regarding-suspicious-lazarus-activity-on-github-cc361074bdc2\">Summary of Findings on Suspicious Lazarus Group Activity on\u00a0GitHub<\/a><a href=\"https:\/\/medium.com\/coinmonks\/reviewing-the-activity-of-github-accounts-associated-with-lazarus-635cb47881dc\">Reviewing the activity of GitHub accounts associated with\u00a0Lazarus<\/a><a href=\"https:\/\/medium.com\/coinmonks\/fake-recruiters-in-github-68d0d3bf297d\">Fraud Alert: Fake recruiters on GitHub and\u00a0LinkedIn<\/a><\/p>\n<p>In our previous work, we focused on identifying the characteristics of these accounts through behavioral analysis, image analysis, follower and following patterns, repository similarities, and other factors that highlight shared traits among certain accounts. 
This investigation will build on that foundation by analyzing the activity of many of the accounts we identified in earlier research.<\/p>\n<h4>Contagious Interview and WageMole campaigns<\/h4>\n<p>By late 2023, Palo Alto had outlined the distinctions between these two campaigns. The first, known as <a href=\"https:\/\/unit42.paloaltonetworks.com\/two-campaigns-by-north-korea-bad-actors-target-job-hunters\/\">\u201cContagious Interview,\u201d involves threat actors posing as employers\u200a\u2014\u200aoften anonymously or with vague identities\u200a\u2014\u200ato trick software developers into installing malware during the interview process, enabling various forms of theft. This campaign is attributed with moderate confidence to a North Korean state-sponsored threat\u00a0actor.<\/a><\/p>\n<p>The second campaign, known as \u201cWagemole,\u201d <a href=\"https:\/\/unit42.paloaltonetworks.com\/fake-north-korean-it-worker-activity-cluster\/\">involves North Korean IT workers masquerading as job seekers to secure unauthorized employment with organizations in the United States and other countries, likely for financial gain or espionage purposes<\/a>.<\/p>\n<p>In late 2024, <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/pyongyang-your-payroll-rise-north-korean-remote-workers-west#how-to-protect-against-wagemole\">Zscaler ThreatLabz reported that North Korean IT workers were using the WageMole campaign to secure remote jobs in other countries<\/a>. 
This campaign, closely linked to the Contagious Interview operation, relies on a combination of social engineering and technical skills to obtain legitimate remote job opportunities and generate income through development work.<\/p>\n<h4>\u201cWageMole\u201d campaign on\u00a0GitHub<\/h4>\n<p>In our previous investigations focused on GitHub, we observed the same shift in suspicious activities described by Zscaler ThreatLabz and Palo Alto, ranging from fake recruiters (<a href=\"https:\/\/unit42.paloaltonetworks.com\/two-campaigns-by-north-korea-bad-actors-target-job-hunters\/\">Contagious Interview<\/a>) to job seekers (<a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/pyongyang-your-payroll-rise-north-korean-remote-workers-west#how-to-protect-against-wagemole\">WageMole campaign<\/a>).<\/p>\n<p><a href=\"https:\/\/unit42.paloaltonetworks.com\/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters\/\">Some of our findings regarding a LinkedIn profile, later cited by Palo Alto, suggest that the profile we identified was later analyzed by their team, which reported it was associated with the Democratic People\u2019s Republic of Korea (DPRK) and was leveraging social engineering as a fake recruiter to deploy new variants of BeaverTail and InvisibleFerret malware<\/a>. <a href=\"https:\/\/medium.com\/coinmonks\/suspicious-activity-in-github-associated-with-lazarus-group-200868dff910\"><strong>By tracing this same profile on GitHub, we uncovered a large cluster of fake developer accounts linked to the previously described WageMole campaign<\/strong><\/a><strong>.<\/strong><\/p>\n<p>Similarly, many of our findings on GitHub align with recent descriptions by Zscaler ThreatLabz regarding the activity of the threat actor in the WageMole campaign. 
Specifically, <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/pyongyang-your-payroll-rise-north-korean-remote-workers-west#how-to-protect-against-wagemole\">\u201cDuring the job search, WageMole threat actors aggressively utilize job-seeking platforms such as Indeed, Glassdoor, Upwork, and cryptocurrency-focused sites like degencryptojobs.com and web3.career. Throughout the job-hunting process, they target remote roles such as front-end\/back-end web developer, UX\/UI designer, full-stack engineer, and blockchain developer.\u201d<\/a><\/p>\n<p>Additionally, considering that our focus has been on suspicious activity within GitHub, <a href=\"https:\/\/medium.com\/coinmonks\/recap-of-findings-regarding-suspicious-lazarus-activity-on-github-cc361074bdc2\">previous investigations have revealed distinct patterns and characteristics in GitHub accounts. For instance, many of the accounts identified in this investigation share specific traits: similar profile images, statuses like \u201cworking from home,\u201d GitHub handles with recurring themes (e.g., Super, Dev, Happy, Smart, Top, Funny, King, Golden), closely aligned account creation dates, and mutual following patterns. These similarities suggest the presence of an interconnected network<\/a><\/p>\n<p>These previous investigations aimed to identify and analyze the presence and behavior of the threat actor on GitHub related to the <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/pyongyang-your-payroll-rise-north-korean-remote-workers-west#how-to-protect-against-wagemole\">WageMole<\/a> campaign. 
Based on these previous findings, the focus of this investigation is to examine the activities of these suspicious accounts on GitHub through specific examples and case\u00a0studies<\/p>\n<h3><strong>Suspicious activity and behavior in\u00a0Github:<\/strong><\/h3>\n<p><a href=\"https:\/\/www.ic3.gov\/PSA\/2024\/PSA240903\">Over the past year, there has been a noticeable increase in suspicious activity across various social media<\/a> platforms and sites like GitHub. This phenomenon has revealed a complex network of fake accounts designed to appear as \u201cdevelopers.\u201d A significant portion of these accounts targets content and audiences within the Web3\u00a0sector.<\/p>\n<p>Recently, it has been identified that these fake accounts on GitHub attempt to gain trust by collaborating on projects, often highlighting the title of \u201copen source contributor\u201d in their descriptions or bios. This, along with other behaviors, reflects strategies of adaptation and stealth, enabling them to integrate more subtly (through commits) and remain unnoticed. By establishing a history of collaboration on GitHub, they seek to strengthen their presence and, in some cases, even attempt to secure employment, all while posing potential future risks to the projects they infiltrate.<\/p>\n<h3>Case: Interaction with organizations<\/h3>\n<p>There are distinct behavior patterns among these \u201cfake dev\u201d accounts in how they engage and interact with organizations on GitHub. 
A behavior previously outlined in the research titled \u201c<a href=\"https:\/\/medium.com\/coinmonks\/reviewing-the-activity-of-github-accounts-associated-with-lazarus-635cb47881dc\">Reviewing the activity of GitHub accounts associated with Lazarus<\/a>\u201d reveals that many of these accounts, which also follow each other, have joined these organizations.<\/p>\n<p>This behavior, aimed at generating \u201ccredibility\u201d for these GitHub accounts by joining organizations, has been observed on a broader scale. Additionally, there are patterns such as newly created accounts, with profiles specifically seeking to join these particular organizations.<\/p>\n<p>Below, we will present some examples of how these accounts join these organizations.<\/p>\n<p>While there are legitimate accounts within these organizations, there is a set of accounts associated with a network of fake developers who exploit these associations to boost their profiles. The organizations mentioned in the previous image\u00a0are:<\/p>\n<p>Organizations referenced:<br \/>https:\/\/github.com\/dev-protocol<br \/>https:\/\/github.com\/Design-and-Code<br \/>https:\/\/github.com\/Huniko-Team<br \/>https:\/\/github.com\/Magic-Academy<br \/>https:\/\/github.com\/App-Choreography<br \/>https:\/\/github.com\/Devs-Dungeon<br \/>https:\/\/github.com\/infraform<br \/>https:\/\/github.com\/AccessibleForAll<br \/>https:\/\/github.com\/CommunityPro<br \/>https:\/\/github.com\/Bauddhik-Geeks<br \/>https:\/\/github.com\/Your-brainstorming<br \/>https:\/\/github.com\/EddieHubCommunity<br \/>https:\/\/github.com\/Py-Contributors<br \/>https:\/\/github.com\/chesslablab<\/p>\n<p>While many accounts on GitHub engage in this type of activity, some are legitimate, while others are linked to the \u201cfake developers\u201d network.<\/p>\n<p>This particular behavior of systematically joining organizations after creating a GitHub account is a notable pattern that has recently been observed in many accounts conducting 
social engineering on GitHub. Their goal is to cultivate a \u201ctrustworthy\u201d image, allowing them to blend into the community more seamlessly.<\/p>\n<h3>Part 1: \u201cPlease invite me to the GitHub Community Organization\u201d<\/h3>\n<p>As mentioned earlier, it is important to note that these \u201corganizations\u201d also include legitimate GitHub accounts, particularly from India and Pakistan, who use these connections to enhance their personal profiles.<\/p>\n<p>However, it is evident that accounts linked to this network of fake developers have also adopted this method to increase their credibility on GitHub. Below, we examine the accounts attempting to join this organization<a href=\"https:\/\/github.com\/CommunityPro\/support\/issues?page=1&amp;q=is%3Aissue+is%3Aclosed\"> [CommunityPro]<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/CommunityPro\/support\/issues?page=1&amp;q=is%3Aissue+is%3Aclosed\">https:\/\/github.com\/CommunityPro\/support\/issues?page=1&amp;q=is%3Aissue+is%3Aclosed<\/a><\/p>\n<p>On one hand, there is a significant number of legitimate accounts that use this method, sometimes excessively, by joining over 20 organizations; these cases are typically associated with real individuals. On the other hand, there is a group of accounts attempting to mimic these behaviors in order to gain greater credibility.<\/p>\n<p>Some examples of suspicious accounts are as\u00a0follows:<\/p>\n<h4>Example 1:<\/h4>\n<p>In this case, we have an account with a person claiming 8 years of experience but with only 1 month of activity. 
<a href=\"https:\/\/www.motokimasuo.com\/\">The account features a website registered on January 4, 2025<\/a>, with all links broken, an AI-generated profile image, and recently, we\u2019ve noticed some \u201cdevelopers\u201d listing Japan as their location.<\/p>\n<p><a href=\"https:\/\/github.com\/motokimasuo\">https:\/\/github.com\/motokimasuo<\/a><\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/search\/results\/all\/headless?keywords=Motoki%20Masuo&amp;origin=GLOBAL_SEARCH_HEADER&amp;lipi=urn%3Ali%3Apage%3Ad_flagship3_search_srp_all%3BLFicRqkyS5Gb9Be%2BHnT%2BZQ%3D%3D\"><em>LinkedIn account<\/em><\/a><\/p>\n<p>After checking some repositories from this account, we looked at the people who like the repository named <a href=\"https:\/\/github.com\/motokimasuo\/motokimasuo\">motokimasuo<\/a>:<\/p>\n<p>In this list of accounts we are going to check the activity of: ShinySyntax<\/p>\n<p><a href=\"https:\/\/github.com\/ShinySyntax\">https:\/\/github.com\/ShinySyntax<\/a><\/p>\n<p>This profile, in particular, shows inconsistencies by using different identities, which are further highlighted by broken\u00a0links.<\/p>\n<p><a href=\"https:\/\/github.com\/ShinySyntax\">https:\/\/github.com\/ShinySyntax<\/a><\/p>\n<p>It\u2019s interesting because the interaction and eagerness to get hired seem overly conspicuous, as seen\u00a0here:<\/p>\n<p><a href=\"https:\/\/github.com\/search?q=ShinySyntax&amp;type=issues\">https:\/\/github.com\/search?q=ShinySyntax&amp;type=issues<\/a><\/p>\n<p>On the other hand, there are inconsistencies in the profile that suggest the use of multiple identities to secure a job. 
This appears to be the website associated with the individual, using the name Muhammad Abdul Sammad, despite their Asian\u00a0features.<\/p>\n<p><a href=\"https:\/\/shiny-dev.com\/\">https:\/\/shiny-dev.com\/<\/a><\/p>\n<p>Similarly, within their personal information, there is a link to a Telegram\u00a0account:<\/p>\n<p><a href=\"https:\/\/github.com\/ShinySyntax\/ShinySyntax012\">https:\/\/github.com\/ShinySyntax\/ShinySyntax012<\/a><\/p>\n<p>The Telegram handle this profile uses: sasuke310\u200a\u2014\u200a<a href=\"https:\/\/t.me\/sasuke310\">https:\/\/t.me\/sasuke310<\/a><\/p>\n<p><a href=\"https:\/\/t.me\/sasuke310\">https:\/\/t.me\/sasuke310<\/a><\/p>\n<p>This Telegram account directs to a profile called James\u00a0Kano.<\/p>\n<p><a href=\"https:\/\/www.sasuke.dev\/\">https:\/\/www.sasuke.dev\/<\/a><\/p>\n<p>The accounts associated with this website are also linked to another account on\u00a0GitHub:<\/p>\n<p><a href=\"https:\/\/github.com\/spmoe\">https:\/\/github.com\/spmoe<\/a><\/p>\n<p>They also use another website in addition to <strong>sasuke.dev.<\/strong> The name of this website is spmoe.xyz, and it was created on April 15,\u00a02024.<\/p>\n<p><a href=\"https:\/\/www.spmoe.xyz\/\">https:\/\/www.spmoe.xyz\/<\/a><\/p>\n<p>The Telegram account uses both names: spmoed and\u00a0sasuke:<\/p>\n<p><a href=\"https:\/\/t.me\/spmoed\">https:\/\/t.me\/spmoed<\/a><\/p>\n<h4>Example 2:<\/h4>\n<p>Another example that highlights the existence of a network of GitHub accounts joining specific organizations and making commits across various projects to build credibility is as\u00a0follows:<\/p>\n<p>In this case, we will analyze the profile: <a href=\"https:\/\/github.com\/kallis312\">https:\/\/github.com\/kallis312<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/motokimasuo\/motokimasuo\/stargazers\">https:\/\/github.com\/motokimasuo\/motokimasuo\/stargazers<\/a><\/p>\n<p>Similarly, they join organizations similar to those mentioned earlier:<\/p>\n<p><a 
href=\"https:\/\/github.com\/kallis312\">https:\/\/github.com\/kallis312<\/a><\/p>\n<p>In the following post, we can see that they engage in the same type of interaction with these organizations, and continue to do\u00a0so:<\/p>\n<p><a href=\"https:\/\/github.com\/EddieHubCommunity\/support\/issues\/8881\">https:\/\/github.com\/EddieHubCommunity\/support\/issues\/8881<\/a><\/p>\n<p>Upon searching for \u201cyamataku0518\u201d on GitHub, we found several accounts that have interacted with this GitHub\u00a0handle:<\/p>\n<p><a href=\"https:\/\/github.com\/search?q=yamataku0518&amp;type=repositories\">https:\/\/github.com\/search?q=yamataku0518&amp;type=repositories<\/a><\/p>\n<p>Similarly, there is a forked version on another profile, suggesting that the GitHub handle may have\u00a0changed<\/p>\n<p>This account also shares commits with other accounts we have previously monitored, which exhibit certain characteristics (such as profile images, GitHub handles) and behaviors (like follower patterns).<\/p>\n<p>Another case linked to the <a href=\"https:\/\/github.com\/kallis312\">\u201ckallis312\u201d<\/a> profile involves the following, where this account shared contributions in April 2024 with the following account:<\/p>\n<p><a href=\"https:\/\/github.com\/kallis312?tab=overview&amp;from=2024-01-01&amp;to=2024-01-31\">https:\/\/github.com\/kallis312?tab=overview&amp;from=2024-01-01&amp;to=2024-01-31<\/a><\/p>\n<p>The account mentioned is:\u00a0xtoben22<\/p>\n<p><a href=\"https:\/\/github.com\/xtoben22\">https:\/\/github.com\/xtoben22<\/a><\/p>\n<p>Previously, this account used the GitHub handle \u201cUniversal9622,\u201d and the email associated with the account is williamduncan91413@gmail.com<\/p>\n<p><a href=\"https:\/\/github.com\/xtoben22\/evm-trace\/commit\/58c39ad8653e1a3b12a66f75c659f6f291c2a038.patch\">https:\/\/github.com\/xtoben22\/evm-trace\/commit\/58c39ad8653e1a3b12a66f75c659f6f291c2a038.patch<\/a><\/p>\n<p>By searching for the GitHub handle 
\u201cUniversal9622,\u201d we found the same handle listed on a job platform for individuals in China, which is also shared on Telegram.<\/p>\n<p><a href=\"https:\/\/discovertelegram.com\/channel\/abetterweb3_cn\">https:\/\/discovertelegram.com\/channel\/abetterweb3_cn<\/a><\/p>\n<p>In this channel, there is a user using the same name, William Duncan, and writing in\u00a0Chinese:<\/p>\n<p><a href=\"https:\/\/t.me\/s\/abetterweb3_cn?q=universal9622\">https:\/\/t.me\/s\/abetterweb3_cn?q=universal9622<\/a><\/p>\n<p>Considering the scattered information, the change in the GitHub handle, and the suspicion that this may be an Asian individual using a very Latino name, this case also serves as an example of inconsistency and incoherent information in GitHub accounts attempting to collaborate on projects.<\/p>\n<h4>Example 3:<\/h4>\n<p>A similar example of an account using this \u201cinteraction\u201d to boost his profile is the user <strong>BitFancy:<\/strong><\/p>\n<p><a href=\"https:\/\/github.com\/CommunityPro\/support\/issues\/742\">https:\/\/github.com\/CommunityPro\/support\/issues\/742<\/a><\/p>\n<p>Likewise, his profile has 1 year of activity, with irregular activity in some repositories, broken links and a <em>LinkedIn profile with no activity.<\/em><\/p>\n<p><a href=\"https:\/\/github.com\/BitFancy\">https:\/\/github.com\/BitFancy<\/a><\/p>\n<p>After reviewing several repositories from the user \u201c<a href=\"https:\/\/github.com\/BitFancy\">bitfancy<\/a>,\u201d one repository stood out to us: \u201cfancydeveloper.\u201d This repository caught our attention because it utilized the user\u2019s stats. 
However, it appears the GitHub account associated with it has since changed its\u00a0handle:<\/p>\n<p><a href=\"https:\/\/github.com\/BitFancy\/fancydeveloper\/blob\/main\/README.md\">https:\/\/github.com\/BitFancy\/fancydeveloper\/blob\/main\/README.md<\/a><\/p>\n<p>The stats in this profile were linked to the GitHub account \u201ccharles0830\u201d.<\/p>\n<p>The account that was using this GitHub handle\u00a0was:<\/p>\n<p><a href=\"https:\/\/github.com\/Phoenix-Genius\">https:\/\/github.com\/Phoenix-Genius<\/a><\/p>\n<p>This type of account, with its personal description, use of images similar to those identified in previous investigations, a high number of followers and followings, and unusual methods of trying to be \u201chired,\u201d stands\u00a0out.<\/p>\n<p>In the following interaction, it is evident that their previous GitHub handle was \u201ccharles0830,\u201d and they were subsequently rejected:<\/p>\n<p>Another quite unusual interaction is the following, where they claim to be a \u201csenior full-stack developer\u201d and state that they\u2019ve been using GitHub for 13\u00a0years:<\/p>\n<p><a href=\"https:\/\/github.com\/openAOD\/Join\/issues\/131\">https:\/\/github.com\/openAOD\/Join\/issues\/131<\/a><\/p>\n<p>Similarly, another incident linked to the GitHub handle \u201ccharles0830\u201d highlights evidence of coordination and organization:<\/p>\n<p><a href=\"https:\/\/github.com\/blackbill2024\">https:\/\/github.com\/blackbill2024<\/a><\/p>\n<p>This other account uses the same stats as the account that previously used the GitHub handle \u201ccharles0830.\u201d Therefore, there is a high likelihood that the activity of these accounts is linked to this network of fake developers on GitHub, which is commonly associated with the activities of DPRK IT\u00a0workers.<\/p>\n<p>In this case, the account stopped using the GitHub handle \u201ccharles0830\u201d and has now adopted the following under a new identity: \u201c<a 
href=\"https:\/\/github.com\/Phoenix-Genius\">Phoenix-Genius<\/a>\u201d<\/p>\n<p><a href=\"https:\/\/github.com\/Phoenix-Genius\">https:\/\/github.com\/Phoenix-Genius<\/a><\/p>\n<p>We can also observe that they claim to be a \u201cSenior Software Developer\u201d and use specific images that we\u2019ve identified in numerous accounts attempting to gain credibility or secure employment by \u201ccollaborating\u201d on GitHub projects.<\/p>\n<h4>Example 4:<\/h4>\n<p>In this example, the same thing occurs: the account wants to join certain organizations. However, the information they provide seems\u00a0fake.<\/p>\n<p><a href=\"https:\/\/github.com\/Design-and-Code\/support\/issues?q=is%3Aissue+author%3Avuedev2113\">https:\/\/github.com\/Design-and-Code\/support\/issues?q=is%3Aissue+author%3Avuedev2113<\/a><\/p>\n<p>In this case, it is a new account and the person is established in\u00a0Ukraine:<\/p>\n<p><a href=\"https:\/\/github.com\/vuedev2113\">https:\/\/github.com\/vuedev2113<\/a><\/p>\n<p>Upon reviewing the website mentioned on GitHub: <a href=\"https:\/\/portfolio-vue-1b44e.web.app\/\">https:\/\/portfolio-vue-1b44e.web.app\/<\/a><\/p>\n<p><a href=\"https:\/\/portfolio-vue-1b44e.web.app\/\">https:\/\/portfolio-vue-1b44e.web.app\/<\/a><\/p>\n<p>All the links are broken, and the information on this website appears to be\u00a0false.<\/p>\n<p>Additionally, conducting some Google searches yields specific results, revealing suspicious links and additional information that doesn\u2019t align with the details\u00a0provided.<\/p>\n<p><a 
href=\"https:\/\/www.google.com\/search?q=Oleh+Zamryha&amp;sca_esv=567ab18d067741e3&amp;rlz=1C1GCEU_esCO1047CO1047&amp;sxsrf=ADLYWIJskPbYLfvOU0BmPGKbCgwAZ9Romw:1737154581952&amp;ei=FeCKZ7bpOYWvwbkPuIuA6As&amp;start=0&amp;sa=N&amp;sstk=ATObxK5RXFuoS2HjKSLgca4LSZedz6ej2Wm8Y_VvstNPUm4U7ZcsuoKESRGPcXxKkX6JYAwtpMKTKkMGclOihelPSsUCL-AQ-EzUWICxxjrqlZga_rcIoz26Z5B6BXJkwwUZ&amp;ved=2ahUKEwj2x5uO7f2KAxWFVzABHbgFAL04ChDy0wN6BAgKEAQ&amp;biw=1536&amp;bih=756&amp;dpr=1.25\">Google search<\/a><\/p>\n<h4><strong>Example 5:<\/strong><\/h4>\n<p>Some of the mentioned profiles follow each other, forming a network of accounts that share common traits, such as being labeled \u201cBlockchain,\u201d \u201cFull Stack,\u201d etc. These accounts also contain multiple identities within their repositories, along with evidence of false data. Additionally, some of these accounts follow an organization called \u201c<a href=\"https:\/\/github.com\/orgs\/stabilitydao\/people\">stability DAO<\/a>\u201d.<\/p>\n<p>Some of the mentioned profiles follow each other, forming a network of accounts that share common labels like \u201cBlockchain,\u201d \u201cFull Stack,\u201d etc. 
These accounts also feature multiple identities within their repositories, as well as evidence of false\u00a0data.<\/p>\n<p>Additionally, there are other noteworthy accounts we\u2019ve previously mentioned, such as the account \u201cOnlyForward0613\u201d.<\/p>\n<p>The profile account is \u201cOnlyForward0613\u201d; it is called \u201cDavee\u201d and, according to his bio, is a \u201cSenior software Engineering\u201d.<\/p>\n<p><a href=\"https:\/\/github.com\/OnlyForward0613\">https:\/\/github.com\/OnlyForward0613<\/a><\/p>\n<p>Another recurring pattern is the intent to join specific groups we\u2019ve previously mentioned:<\/p>\n<p><a href=\"https:\/\/github.com\/search?q=OnlyForward0613&amp;type=issues\">https:\/\/github.com\/search?q=OnlyForward0613&amp;type=issues<\/a><\/p>\n<p>This GitHub account uses two different Twitter accounts, both with similar identities:<\/p>\n<p><a href=\"https:\/\/x.com\/daveescott59\">https:\/\/x.com\/daveescott59<\/a>\u200a\u2014\u200a<a href=\"https:\/\/x.com\/DaveeScott22\">https:\/\/x.com\/DaveeScott22<\/a><\/p>\n<p>Through the Twitter account, they share their website and portfolio:<\/p>\n<p><a href=\"https:\/\/portfolio-29-6.vercel.app\/\">https:\/\/portfolio-29-6.vercel.app\/<\/a><\/p>\n<p>Additionally, their LinkedIn profile does not exist; however, they share a Facebook profile, where, like the other images, the photos appear to be manipulated:<\/p>\n<p><a href=\"https:\/\/www.facebook.com\/profile.php?id=61561446326312&amp;mibextid=ZbWKwL\">https:\/\/www.facebook.com\/profile.php?id=61561446326312&amp;mibextid=ZbWKwL<\/a><\/p>\n<p>A notable aspect is that three different accounts, with close connections in terms of mutual follows, use the same stats as OnlyForward0613 on their profiles. 
Coincidentally, these accounts align with our descriptions and are labeled as \u201cblockchain developers.\u201d One example is the account with the GitHub handle \u201cdevstar829\u201d:<\/p>\n<p><a href=\"https:\/\/github.com\/devstar829\/devstar829\">https:\/\/github.com\/devstar829\/devstar829<\/a><\/p>\n<p>Similar to this profile, there is also the account: unitop010<\/p>\n<p><a href=\"https:\/\/github.com\/unitop010\/unitop010\">https:\/\/github.com\/unitop010\/unitop010<\/a><\/p>\n<p>Lastly, this profile also uses the same stats: solidityDev05<\/p>\n<p><a href=\"https:\/\/github.com\/solidityDev05\/realcarpark\">https:\/\/github.com\/solidityDev05\/realcarpark<\/a><\/p>\n<p>This type of inconsistent activity, interconnected between these accounts, demonstrates clear coordination and patterns in how they interact with organizations on\u00a0GitHub.<\/p>\n<p>Evidence shows that there is interaction between these accounts, along with patterns of engagement with organizations. Moreover, these accounts often employ fake identities and use information from other accounts in their own profiles.<\/p>\n<p>These accounts, with their anomalous behavior and the way they engage with organizations, exhibit collective and organized conduct with clear objectives\u200a\u2014\u200aspecifically, to secure job opportunities or collaborate on projects, thereby boosting their credibility on\u00a0GitHub.<\/p>\n<p>Based on the information provided earlier, several suspicious accounts have been observed commenting on the repositories of these organizations. 
Notably, there is a high volume of accounts interacting with these repositories, with a considerable portion of them appearing to be legitimate as\u00a0well:<\/p>\n<p>Suspicious GitHub accounts &#8211; organizations<\/p>\n<p>&#8211; https:\/\/github.com\/CommunityPro\/support\/issues?page=1&amp;q=is%3Aissue+is%3Aclosed<br \/>&#8211; https:\/\/github.com\/Py-Contributors\/support\/issues?page=1&amp;q=is%3Aissue+is%3Aclosed<br \/>&#8211; https:\/\/github.com\/EddieHubCommunity\/support\/issues?page=1&amp;q=is%3Aissue+is%3Aclosed<br \/>&#8211; https:\/\/github.com\/Design-and-Code\/support\/issues?q=is%3Aissue+is%3Aclosed<\/p>\n<p>An example of suspicious GitHub accounts interacting with these organizations is as\u00a0follows:<\/p>\n<p>Data set of Accounts<\/p>\n<p>https:\/\/github.com\/asseph<br \/>https:\/\/github.com\/thuongtruong1009<br \/>https:\/\/github.com\/Benjamin-cup<br \/>https:\/\/github.com\/Cardoso-topdev<br \/>https:\/\/github.com\/camillakathy<br \/>https:\/\/github.com\/erikerik116<br \/>https:\/\/github.com\/Kavorix<br \/>https:\/\/github.com\/Phoenix-Genius<br \/>https:\/\/github.com\/phoenix19950512<br \/>https:\/\/github.com\/smilephoenix103<br \/>https:\/\/github.com\/toptalhook<br \/>https:\/\/github.com\/uniwaydev<br \/>https:\/\/github.com\/creative2113<br \/>https:\/\/github.com\/SacredDever<br \/>https:\/\/github.com\/SacredDevKing<br \/>https:\/\/github.com\/GoldenDev176743<br \/>https:\/\/github.com\/dragonsea0927<br \/>https:\/\/github.com\/felipedev418<br \/>https:\/\/github.com\/techietrend<br \/>https:\/\/github.com\/popstar7<br \/>https:\/\/github.com\/Oyase-shinob<br \/>https:\/\/github.com\/dev0614<\/p>\n<p>&#8211; Bigger data set is private &#8211;<\/p>\n<p>Many of these accounts exhibit the same type of association, interacting similarly with organizations. Their accounts share specific patterns, such as similar bios and GitHub handles. Additionally, there are traces of these accounts using different identities. 
These and other characteristic aspects, such as their patterns of interaction and connections with these same accounts, provide evidence of an organized effort and objectives from this network of fake profiles on\u00a0GitHub.<\/p>\n<h3>Part 2: Interaction of Accounts with GitHub Repositories<\/h3>\n<p>These suspicious GitHub accounts also exhibit collective activity across other organizations and communities by making commits in these repositories.<\/p>\n<p>Many of these accounts performing these commits had been previously identified. The commits made by these accounts appear to overwrite or remove the contributions made by other accounts:<\/p>\n<p><a href=\"https:\/\/github.com\/typescript-cheatsheets\/react\/issues\/57\">https:\/\/github.com\/typescript-cheatsheets\/react\/issues\/57<\/a><\/p>\n<p>Many of these accounts had already been reported in this and previous investigations. It\u2019s important to highlight the accounts in this image that use these specific\u00a0images:<\/p>\n<p><a href=\"https:\/\/github.com\/fairskyDev0201\">https:\/\/github.com\/fairskyDev0201<\/a><\/p>\n<p>Previous investigations have already highlighted the association between accounts that tend to use similar GitHub handles and profile images, often linked to users identifying as \u201cfull stack developers\u201d seeking freelance opportunities.<\/p>\n<p>A similar example can be seen in the following repository, where a group of accounts with matching characteristics make these\u00a0commits.<\/p>\n<p><a href=\"https:\/\/github.com\/mckaywrigley\/chatbot-ui\/issues\/224\">https:\/\/github.com\/mckaywrigley\/chatbot-ui\/issues\/224<\/a><\/p>\n<p>In the previous example, we can highlight a profile similar to the one we presented, where an account already referenced uses the same type of\u00a0image:<\/p>\n<p><a href=\"https:\/\/github.com\/OceanDev89\">https:\/\/github.com\/OceanDev89<\/a><\/p>\n<p>In this case, the profile uses the GitHub handle <a 
href=\"https:\/\/github.com\/OceanDev89\">\u201cOceanDev89,\u201d<\/a> displaying the same image as \u201c<a href=\"https:\/\/github.com\/fairskyDev0201\">fairskyDev0201<\/a>.\u201d<\/p>\n<p>Other examples of this type of activity are listed\u00a0below:<\/p>\n<p>Repositories with suspicious activity<\/p>\n<p>&#8211; https:\/\/github.com\/typescript-cheatsheets\/react\/issues\/57<br \/>&#8211; https:\/\/github.com\/typescript-cheatsheets\/react\/issues\/190<br \/>&#8211; https:\/\/github.com\/typescript-cheatsheets\/react\/issues\/167<br \/>&#8211; https:\/\/github.com\/typescript-cheatsheets\/react\/issues\/12<br \/>&#8211; https:\/\/github.com\/mckaywrigley\/chatbot-ui\/issues\/224<br \/>&#8211; https:\/\/github.com\/orgs\/community\/discussions\/69532<br \/>&#8211; https:\/\/github.com\/typescript-cheatsheets\/react\/issues\/87<br \/>&#8211; https:\/\/github.com\/typescript-cheatsheets\/react\/issues\/63<br \/>&#8211; https:\/\/github.com\/unicodeveloper\/awesome-nextjs\/issues\/179<\/p>\n<p>Similarly, it\u2019s worth noting that in these repositories, there are accounts that seem to be linked to this suspicious activity. 
(It\u2019s possible that they are trying to build history and credibility by commenting on these older\u00a0posts).<\/p>\n<p>Below are some accounts that are active in these repositories and which we consider suspicious:<\/p>\n<p>Suspicious accounts committing in these repositories<\/p>\n<p>These accounts, which engage in this type of activity combined with joining certain organizations, share characteristics that we\u2019ve previously identified. Additionally, many of these accounts follow each other, raising further suspicion about the intentionality behind this artificial activity on these GitHub profiles, which are typically associated with developers focused on Blockchain, Full Stack, and\u00a0Web3.<\/p>\n<h3>Part 3: Cluster of Older GitHub\u00a0Accounts<\/h3>\n<p>An important aspect to note regarding the accounts displaying this type of activity is that some appear to be stolen, as they retain the data and information of the previous user. 
Others use fake identities with accounts less than two years old, while some accounts show a much older creation\u00a0history.<\/p>\n<p>It has recently been observed that the use of these older accounts has expanded within this network of fake \u201cdevelopers,\u201d as they appear to generate more credibility and\u00a0trust.<\/p>\n<p>Upon reviewing the activity of these accounts, we found one account (<a href=\"https:\/\/github.com\/Sayonara01\">https:\/\/github.com\/Sayonara01<\/a>) with 13k followers, which is particularly notable as it follows a large number of similar accounts\u200a\u2014\u200aeither empty or with little activity\u200a\u2014\u200awhose only follower is the mentioned account (Sayonara), a \u201cFull stack\u00a0Dev\u201d:<\/p>\n<p><a href=\"https:\/\/github.com\/Sayonara01\">https:\/\/github.com\/Sayonara01<\/a><\/p>\n<p>This makes the account a point of interest, as it hosts a large number of these \u201cfarmed\u201d accounts.<\/p>\n<p>Below are several accounts (followed by Sayonara) that indicate they are part of a network. It is important to note that these accounts are older, show limited activity, and have only recently come into\u00a0use:<\/p>\n<p>Example of older\u00a0accounts<\/p>\n<p>As evidenced, the only profile following all these suspicious accounts is Sayonara01. Below is a sample of the accounts followed by Sayonara, which also meet the characteristics of having little to no activity, being quite old, and being followed by <a href=\"https:\/\/github.com\/Sayonara01\">Sayonara01<\/a>:<\/p>\n<p>Given that Sayonara follows approximately 13k accounts, the volume of these types of accounts is quite high. 
Here is a small sample of these accounts that are used for various suspicious activities:<\/p>\n<p>e.g. Accounts farmed by suspicious profile<\/p>\n<p>Based on this sample and analyzing some profiles, we have observed that they aim to build credibility and association by attempting to make commits in Web3-related projects and repositories.<\/p>\n<p>We have also seen that this account (sayonara) is following the activity of other important GitHub accounts related to web3 projects.<\/p>\n<h3>Part 4: Suspicious interactions of these accounts across different repositories (Seeking-job behavior)<\/h3>\n<p>By analyzing different account clusters, we\u2019ve identified certain accounts that are more actively attempting to collaborate or make PRs\/commits in projects, primarily within the Web3 industry.<\/p>\n<p>Below, we\u2019ll provide evidence of accounts that exhibit visual characteristics similar to those previously mentioned. These accounts tend to follow one another, often with just one or two intermediary connections. 
In many cases, they can be traced through their followers, following lists, stars, or even the commits they share across their repositories.<\/p>\n<p>Here are some examples of these accounts interacting with various projects, most of which are within the Web3 industry:<\/p>\n<h4>Example 1:<\/h4>\n<p>In this case, the profile \u201cdev0614\u201d has certain characteristics in its GitHub handle, as well as in the description of its\u00a0bio:<\/p>\n<p><a href=\"https:\/\/github.com\/dev0614\">https:\/\/github.com\/dev0614<\/a><\/p>\n<p>This account attempts to make a PR in the following repository but receives a negative response from the repository owner, as the account does not belong to the\u00a0company:<\/p>\n<p><a href=\"https:\/\/github.com\/mgguild\/ai-games\/issues\/79\">https:\/\/github.com\/mgguild\/ai-games\/issues\/79<\/a><\/p>\n<h4>Example 2:<\/h4>\n<p>The account <a href=\"https:\/\/github.com\/Oyase-shinobi\">Oyase-shinobi<\/a> also exhibits similar behavior by attempting to actively participate in\u00a0projects<\/p>\n<p>This account shows more activity; in this case, it interacts with\u00a0<a href=\"https:\/\/github.com\/lira-dao\">LiraDAO<\/a>:<\/p>\n<p><a href=\"https:\/\/github.com\/lira-dao\/ecosystem\/issues\/56\">https:\/\/github.com\/lira-dao\/ecosystem\/issues\/56<\/a><\/p>\n<p>Another example of this unusual \u201chungry-job\u201d behavior is as follows, directed towards <a href=\"https:\/\/github.com\/junobuild\">Juno\u00a0Build<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/junobuild\/create-juno\/issues\/39\">https:\/\/github.com\/junobuild\/create-juno\/issues\/39<\/a><\/p>\n<h4>Example 3:<\/h4>\n<p>Another example that highlights the intent of these accounts to gain access and collaborate on these projects is the activity of the account <a href=\"https:\/\/github.com\/kentaurse\">kentaurse<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/kentaurse\">https:\/\/github.com\/kentaurse<\/a><\/p>\n<p>This account attempts to interact with <a 
href=\"https:\/\/github.com\/darwinia-network\/home\/issues\/370\">darwinia-network<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/darwinia-network\/home\/issues\/370\">https:\/\/github.com\/darwinia-network\/home\/issues\/370<\/a><\/p>\n<p>In addition, we have observed how some accounts have focused their efforts on various projects, which has led to the creation of clusters of suspicious accounts attempting to interact with certain repositories.<\/p>\n<h3>Part 5: Suspicious Accounts with High Incidence and Activity related to \u201cWagemole\u201d campaign<\/h3>\n<p>This chapter is reserved due to requests from individuals who wish to keep their names and company details confidential. However, for research and intelligence purposes, it is important to share the modus operandi of these profiles and how they are managing to gain access to various projects.<\/p>\n<p>The following presents specific cases that highlight activity related to the DPRK IT Workers \u201cWagemole\u201d campaign on GitHub and how these actors are successfully infiltrating and securing roles with Web3 companies:<\/p>\n<h4>Case 1: Suspicious accounts interacting with developer<\/h4>\n<p><strong>Target: Developer\u200a\u2014\u200a<\/strong><a href=\"https:\/\/www.linkedin.com\/in\/tupui\/\"><strong>https:\/\/www.linkedin.com\/in\/tupui\/<\/strong><\/a><\/p>\n<p>Upon reviewing the activity of the account mentioned in the previous case, which uses the GitHub handle <strong>\u201ckindsecret,\u201d<\/strong> we found another account interacting with it. 
As evidenced in this repository, <strong>the account \u201c0xexp-po\u201d attempts to merge the pull request from \u201ckindsecret\u201d<\/strong>.<\/p>\n<p><a href=\"https:\/\/github.com\/0xExp-po\/dharmaverse-web3\/commits\/main\/\">https:\/\/github.com\/0xExp-po\/dharmaverse-web3\/commits\/main\/<\/a><\/p>\n<p>This account, which attempts to merge the pull request from \u201ckindsecret,\u201d is:<\/p>\n<p><a href=\"https:\/\/github.com\/0xexp-po\">https:\/\/github.com\/0xexp-po<\/a><\/p>\n<p>This profile also displays what we have previously identified as \u201chungry job behavior,\u201d showing an overwhelming intention to work and collaborate on other projects. Some examples of this behavior are outlined\u00a0here.<\/p>\n<p>This profile attempts to interact with <a href=\"https:\/\/github.com\/orgs\/luanlabs\">Luan Labs<\/a> by making a suggestion in the repository of this\u00a0project:<\/p>\n<p><a href=\"https:\/\/github.com\/orgs\/luanlabs\/discussions\/62\">https:\/\/github.com\/orgs\/luanlabs\/discussions\/62<\/a><\/p>\n<p>Another example of this account trying to collaborate with <a href=\"https:\/\/github.com\/myneTEC\">MyneTEC<\/a>, a Social Media Mining\u00a0Company:<\/p>\n<p><a href=\"https:\/\/github.com\/myneTEC\/MAR\/issues\/2\">https:\/\/github.com\/myneTEC\/MAR\/issues\/2<\/a><\/p>\n<p>Another example of this account actively trying to engage is in FOSSASIA (Open Technologies developed in Asia and Around the\u00a0Globe):<\/p>\n<p><a href=\"https:\/\/github.com\/fossasia\/open-event-frontend\/issues\/9192\">https:\/\/github.com\/fossasia\/open-event-frontend\/issues\/9192<\/a><\/p>\n<p>Additionally, it is evident that <strong>the account \u201c0xexp-po\u201d makes several contributions to the repository <\/strong><a href=\"https:\/\/github.com\/tupui\/soroban-versioning\"><strong>soroban-versioning<\/strong><\/a>:<\/p>\n<p><a 
href=\"https:\/\/github.com\/tupui\/soroban-versioning\/commits?author=0xExp-po&amp;since=2024-12-01&amp;until=2024-12-25\">https:\/\/github.com\/tupui\/soroban-versioning\/commits?author=0xExp-po&amp;since=2024-12-01&amp;until=2024-12-25<\/a><\/p>\n<p>It seems that this person was hired by <a href=\"https:\/\/github.com\/tupui\">tupui<\/a> to develop some of his projects, according to the interactions in these repositories:<\/p>\n<p><a href=\"https:\/\/github.com\/tupui\/soroban-versioning\/pull\/38\">https:\/\/github.com\/tupui\/soroban-versioning\/pull\/38<\/a><\/p>\n<p>This repository is owned by Pamphile Roy\u200a\u2014\u200a<a href=\"https:\/\/github.com\/tupui\">https:\/\/github.com\/tupui<\/a><\/p>\n<p>According to his LinkedIn profile, his name is Pamphile Roy, and he is a <a href=\"https:\/\/www.linkedin.com\/in\/tupui\/\">Senior Software Engineer at\u00a0Bitpanda<\/a>.<\/p>\n<p>The full extent of the activity from this <a href=\"https:\/\/github.com\/0xexp-po\">0xexp-po<\/a> account remains unclear, but it is evident that the activity is primarily focused on Web3 projects. 
In this particular case, the account seems to be targeting a developer from this exchange, suggesting that they may be interested in gaining access to this individual or in being financially compensated for their\u00a0work.<\/p>\n<p>This interaction could potentially have long-term consequences, especially considering that their activity might remain dormant for months or years, either with financial motives or, in the worst-case scenario, aiming to gain access to these projects and companies.<\/p>\n<p>We have seen cases where the developer\u2019s environment can be compromised, so there is a high risk that an exchange of infected files can trigger several negative security consequences for the company where he\u00a0works.<\/p>\n<h4>Case 2: Suspicious account participating in a\u00a0DAO<\/h4>\n<p><strong>Target: ProductShare DAO\u200a\u2014\u200a<\/strong><a href=\"https:\/\/x.com\/iproductshare\">https:\/\/x.com\/iproductshare<\/a><\/p>\n<p>This case is related to two accounts that were previously mentioned in this part of the investigation. 
In the profile of <a href=\"https:\/\/github.com\/kindsecret\">https:\/\/github.com\/kindsecret<\/a>, there is a repository named rust-HackerRank:<\/p>\n<p><a href=\"https:\/\/github.com\/kindsecret\/rust-HackerRank\">https:\/\/github.com\/kindsecret\/rust-HackerRank<\/a><\/p>\n<p>In this repository, the GitHub account \u201cToptalhook\u201d contributes:<\/p>\n<p><a href=\"https:\/\/github.com\/toptalhook\">https:\/\/github.com\/toptalhook<\/a><\/p>\n<p>Similarly, we see this same account interacting with <a href=\"https:\/\/github.com\/0xexp-po\">0xexp-po<\/a>:<\/p>\n<p><a href=\"https:\/\/github.com\/toptalhook\/crypto-scanner\/discussions\/1\">https:\/\/github.com\/toptalhook\/crypto-scanner\/discussions\/1<\/a><\/p>\n<p>This profile had also been mentioned earlier due to its suspicious activity:<\/p>\n<p><a href=\"https:\/\/github.com\/0xExp-po\">https:\/\/github.com\/0xExp-po<\/a><\/p>\n<p>Therefore, toptalhook interacts with <a href=\"https:\/\/github.com\/0xExp-po\">https:\/\/github.com\/0xExp-po<\/a> and <a href=\"https:\/\/github.com\/kindsecret\">https:\/\/github.com\/kindsecret<\/a>. 
Given this connection between these accounts, we will now analyze the <a href=\"https:\/\/github.com\/toptalhook\">toptalhook<\/a> profile:<\/p>\n<p><a href=\"https:\/\/github.com\/toptalhook\">https:\/\/github.com\/toptalhook<\/a><\/p>\n<p>In their repositories, there is a CV with the following identity:<br \/>Kai De Tan\u200a\u2014\u200atoptall.cook@gmail.com<\/p>\n<p><a href=\"https:\/\/github.com\/toptalhook\/MyPortfolio\/blob\/d1259b1358162eee70ed93968e810fb871c95fef\/public\/KaiDe-resume.pdf\">https:\/\/github.com\/toptalhook\/MyPortfolio\/blob\/d1259b1358162eee70ed93968e810fb871c95fef\/public\/KaiDe-resume.pdf<\/a><\/p>\n<p>Additionally, this other style of CV with the same identity is\u00a0found:<\/p>\n<p><a href=\"https:\/\/github.com\/toptalhook\/MyPortfolio\/blob\/d1259b1358162eee70ed93968e810fb871c95fef\/public\/readme-images\/portfolio.png\">https:\/\/github.com\/toptalhook\/MyPortfolio\/blob\/d1259b1358162eee70ed93968e810fb871c95fef\/public\/readme-images\/portfolio.png<\/a><\/p>\n<p>However, this account is also using another CV where it identifies as Julio Acin from\u00a0Spain.<\/p>\n<p><a href=\"https:\/\/github.com\/toptalhook\/MyPortfolio\/blob\/d1259b1358162eee70ed93968e810fb871c95fef\/public\/julioacin-resume1.pdf\">https:\/\/github.com\/toptalhook\/MyPortfolio\/blob\/d1259b1358162eee70ed93968e810fb871c95fef\/public\/julioacin-resume1.pdf<\/a><\/p>\n<p>When searching on GitHub for the email address used in this CV, noahsflood908@gmail.com, we found an account that uses this same email, as shown\u00a0here:<\/p>\n<p><a href=\"https:\/\/github.com\/search?q=noahsflood908&amp;type=code\">https:\/\/github.com\/search?q=noahsflood908&amp;type=code<\/a><\/p>\n<p>The account using this same email as its personal identity is called \u201cSweetdream.\u201d This account also links to a LinkedIn profile under the name <a 
href=\"https:\/\/www.linkedin.com\/in\/iwakihiroto?miniProfileUrn=urn%3Ali%3Afsd_profile%3AACoAADkZRYcBmKI6l7Y7U2xuAjc56g_gUtjVm2Y\">Hiroto Iwaki<\/a>, located in\u00a0Japan<\/p>\n<p><a href=\"https:\/\/github.com\/mymiracle0118\">https:\/\/github.com\/mymiracle0118<\/a><\/p>\n<p>This account also uses the same identity of \u201cJulio Acin\u201d in its portfolio<\/p>\n<p><a href=\"https:\/\/github.com\/mymiracle0118\/MyPorfolio\/blob\/main\/public\/readme-images\/portfolio.png\">https:\/\/github.com\/mymiracle0118\/MyPorfolio\/blob\/main\/public\/readme-images\/portfolio.png<\/a><\/p>\n<p>Within their GitHub profile, there is a repository named \u201c<a href=\"https:\/\/github.com\/mymiracle0118\/Automation-Bot\/tree\/c152bb25d5779ca8666078d7346592ddb75f46d3\">Automation-Bot<\/a>,\u201d where multiple CVs of other identities used by this account can be\u00a0found:<\/p>\n<p><a href=\"https:\/\/github.com\/mymiracle0118\/Automation-Bot\/tree\/c152bb25d5779ca8666078d7346592ddb75f46d3\/source\/resumes\">https:\/\/github.com\/mymiracle0118\/Automation-Bot\/tree\/c152bb25d5779ca8666078d7346592ddb75f46d3\/source\/resumes<\/a><\/p>\n<p>It is highly likely that the account using the name \u201cJulio Acin\u201d is being utilized on UpWork, as there are some details associated with this account found in this repository:<\/p>\n<p><a href=\"https:\/\/github.com\/mymiracle0118\/Automation-Bot\/blob\/c152bb25d5779ca8666078d7346592ddb75f46d3\/source\/signupverify.csv\">https:\/\/github.com\/mymiracle0118\/Automation-Bot\/blob\/c152bb25d5779ca8666078d7346592ddb75f46d3\/source\/signupverify.csv<\/a><\/p>\n<p>An additional detail is that their LinkedIn profile, \u201c<a href=\"https:\/\/github.com\/mymiracle0118\">mymiracle0118<\/a>,\u201d also seems to show a strong intention of seeking employment.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/iwakihiroto\/recent-activity\/all\/\">https:\/\/www.linkedin.com\/in\/iwakihiroto\/recent-activity\/all\/<\/a><\/p>\n<p>On their 
LinkedIn, their activity in ProductShare DAO is referenced:<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/posts\/iwakihiroto_productshare-dao-governance-council-is-activity-7272038373282734081-VqOz?utm_source=share&amp;utm_medium=member_desktop\">https:\/\/www.linkedin.com\/posts\/iwakihiroto_productshare-dao-governance-council-is-activity-7272038373282734081-VqOz?utm_source=share&amp;utm_medium=member_desktop<\/a><\/p>\n<p>ProductShare is developing blockchain products, as they\u00a0state:<\/p>\n<p><a href=\"https:\/\/x.com\/iproductshare\">https:\/\/x.com\/iproductshare<\/a><\/p>\n<p>ProductShare DAO is composed of various people and projects, and they also play a role as stakeholders:<\/p>\n<p><a href=\"https:\/\/info.productshare.co\/productshare-dao-council-is-live?p=13aa6276405e80a38df3d10c2f8050bb&amp;pm=s\">https:\/\/info.productshare.co\/productshare-dao-council-is-live?p=13aa6276405e80a38df3d10c2f8050bb&amp;pm=s<\/a><\/p>\n<p>According to this DAO, there are different categories regarding who makes it\u00a0up:<\/p>\n<p>Considering this composition, we see that <strong>Hiroto Iwaki<\/strong> is listed as a co-creator and holds 500,000 stake\u00a0shares:<\/p>\n<p><a href=\"https:\/\/info.productshare.co\/productshare-dao-council-is-live\">https:\/\/info.productshare.co\/productshare-dao-council-is-live<\/a><\/p>\n<p>The URL of his personal site, which he uses to identify himself within this DAO,\u00a0is:<\/p>\n<p><a href=\"https:\/\/www.iwakihiroto.info\/\">https:\/\/www.iwakihiroto.info\/<\/a><\/p>\n<p>Similarly, it is worth highlighting that other Web3 projects, such as ReFi Tulum, Hedgey Finance, and others, are also part of this DAO. 
These are significant initiatives where these profiles have managed to make an\u00a0impact:<\/p>\n<p><a href=\"https:\/\/info.productshare.co\/productshare-dao-council-is-live\">https:\/\/info.productshare.co\/productshare-dao-council-is-live<\/a><\/p>\n<p>The activity of this account clearly indicates that it is a fraudulent profile due to the number of different identities it uses. Additionally, as we\u2019ve shown, there are numerous irregularities linked to this account, suggesting the possibility that its involvement in this DAO may have been under a fraudulent identity.<\/p>\n<p>Further evidence of its intent to seek employment can be seen in the following case on\u00a0Fiverr:<\/p>\n<p><a href=\"https:\/\/www.fiverr.com\/iwakihiroto\/work-as-a-blockchain-developer-and-auditor\">https:\/\/www.fiverr.com\/iwakihiroto\/work-as-a-blockchain-developer-and-auditor<\/a><\/p>\n<p>This profile is also listed on a Japanese employment website:<\/p>\n<p><a href=\"https:\/\/sg.wantedly.com\/id\/sweetdream0118\">https:\/\/sg.wantedly.com\/id\/sweetdream0118<\/a><\/p>\n<p>Given the numerous irregularities, there is a significant risk of long-term negative impacts on these projects if an individual with fraudulent identities becomes part of this\u00a0DAO.<\/p>\n<h4>Case 3: Threat Actors Disguised as Developers building\u00a0TaraSwap<\/h4>\n<p><strong>Target: TaraSwap\u200a\u2014\u200a<\/strong><a href=\"https:\/\/www.taraswap.app\/\"><strong>https:\/\/www.taraswap.app\/<\/strong><\/a><\/p>\n<p>This case involves an individual from the Taraxa project who, along with an external team, developed TaraSwap. 
In this instance, we believe threat actors disguised as developers were involved in building\u00a0TaraSwap.<\/p>\n<p>Some developers behind the TaraSwap project may be related to North Korean threat actors posing as developers.<\/p>\n<p>Tracking this account reveals repositories [finalgoal231] that we have previously connected to DPRK threat actors\u200a\u2014\u200aIT\u00a0workers.<\/p>\n<p><a href=\"https:\/\/github.com\/0x66eth\">https:\/\/github.com\/0x66eth<\/a><\/p>\n<p>This profile is actually in the organization we previously found to be hosted by fake profiles simulating a work environment:<\/p>\n<p><a href=\"https:\/\/github.com\/Finalgoal231\">https:\/\/github.com\/Finalgoal231<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/Finalgoal231\">The members of this organization<\/a> are entirely fabricated and controlled by other members of this same organization.<\/p>\n<p>We have already mentioned the presence of this account (Onder Kayabasi) in previous investigations following one account in this organization: <a href=\"https:\/\/github.com\/Luis96920\">https:\/\/github.com\/Luis96920<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/firststar19950115\">https:\/\/github.com\/firststar19950115<\/a><\/p>\n<p><a href=\"https:\/\/unit42.paloaltonetworks.com\/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters\/\">The profile Onder Kayabasi was already reported to be related to DPRK Threat Actors, luring tech industry job seekers to install new variants of BeaverTail and InvisibleFerret Malware.<\/a><\/p>\n<p>The activities of this organization (<a href=\"https:\/\/github.com\/Finalgoal231\">finalgoal231<\/a>) and its associated profiles are part of a network of GitHub accounts that seem to be shifting focus from their previous activity of \u201chiring\u201d to seeking employment, primarily in Web3-related roles.<\/p>\n<p>After analyzing the activity of the profile <a href=\"https:\/\/github.com\/0x66eth\">https:\/\/github.com\/0x66eth<\/a><\/p>\n<p><a 
href=\"https:\/\/github.com\/0x66eth\">https:\/\/github.com\/0x66eth<\/a><\/p>\n<p>We are aware of certain accounts within this network of fake profiles claiming to be developers<\/p>\n<p>The account 0x66eth is following 2 github profiles with some interesting activity regarding their commits, behavior, following, personal information, and previous intelligence we\u00a0gathered<\/p>\n<p>Accounts with similar\u00a0behavior<\/p>\n<p>Our focus will be <a href=\"https:\/\/github.com\/joyfulmagician\">joyfulmagician<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/joyfulmagician\">https:\/\/github.com\/joyfulmagician<\/a><\/p>\n<p>His activity appears somewhat inconsistent, with a clear focus on seeking employment opportunities.<\/p>\n<p>Repository in his account:\u00a0<a href=\"https:\/\/github.com\/joyfulmagician\/JobApply\">JobApply<\/a><\/p>\n<p>Key aspects to highlight include the high number of accounts following him, the accounts he follows, the extended periods of inactivity, and the fact that his only commit aligns directly with the purpose of this investigation<\/p>\n<h4>Relation with Taraxa-Taraswap:<\/h4>\n<p><a href=\"https:\/\/taraxa.io\/\">https:\/\/taraxa.io\/<\/a><\/p>\n<p>Taraxa is a purpose-built, fast &amp; scalable Layer-1 public ledger designed to help democratize reputation by making informal data trustworthy.<\/p>\n<p>Within his ecosystem, there are several projects and upcoming launches with specific\u00a0dates:<\/p>\n<p><a href=\"https:\/\/x.com\/taraxa_project\/status\/1851655325562044661\/photo\/1\">https:\/\/x.com\/taraxa_project\/status\/1851655325562044661\/photo\/1<\/a><\/p>\n<p>In this launch, taraSwap is our subject of analysis, taking into account certain characteristics of the project, as well as the developers and dynamics surrounding it, which raise suspicions that it may have been developed by DPRK IT\u00a0workers<\/p>\n<h4>What is T<a href=\"https:\/\/x.com\/Tara_Swap\">araSwap<\/a>?<\/h4>\n<p><a 
href=\"https:\/\/whitepaper.taraswap.org\/docs\">Taraswap<\/a> is the first yield-centric DEX on\u00a0Taraxa.<\/p>\n<p><a href=\"https:\/\/www.taraswap.app\/\">https:\/\/www.taraswap.app\/<\/a><\/p>\n<p>It also links to its GitHub repository:<\/p>\n<p><a href=\"https:\/\/github.com\/Taraswap\">https:\/\/github.com\/Taraswap<\/a><\/p>\n<p>The Telegram channel of TaraSwap is <a href=\"https:\/\/t.me\/taraswap\">https:\/\/t.me\/taraswap<\/a><\/p>\n<h4>Relation between TaraSwap and\u00a0Taraxa:<\/h4>\n<p>Based on the Telegram conversation, TaraSwap is not run by the core\u00a0team.<\/p>\n<p>Later the admin of the Taraxa project in the Telegram channel confirms this information:<\/p>\n<p>Likewise, El\u0151d Varga seems to be in charge of this team based on the Telegram chat conversations in the Taraxa\u00a0project.<\/p>\n<p>Thus, it was managed by El\u0151d as a third-party team, but it is not the core team behind the development of this project. 
They have mentioned this repeatedly in the Taraxa Telegram chat, which seems\u00a0unusual. He is also the admin in the <a href=\"https:\/\/t.me\/taraswap\">TaraSwap channel<\/a>, and the team behind TaraSwap claims that <strong>El\u0151d Varga represents them<\/strong>: <a href=\"https:\/\/t.me\/taraswap\">https:\/\/t.me\/taraswap<\/a><\/p>\n<p>The owner of the Telegram channel: 0xCore\u00a0TSWAP<\/p>\n<p><a href=\"https:\/\/t.me\/DevZi1la\">https:\/\/t.me\/DevZi1la<\/a><\/p>\n<p>The Telegram handle [DevZi1la] matches the GitHub account building\u00a0TaraSwap<\/p>\n<p><a href=\"https:\/\/github.com\/DevZi1la\">https:\/\/github.com\/DevZi1la<\/a><\/p>\n<p>The GitHub account responsible for building a significant part of TaraSwap was created on April 12,\u00a02024:<\/p>\n<p>Furthermore, there is little information available about this account beyond its involvement with the TaraSwap project, which is unusual for a developer, considering the personal recognition typically associated with such\u00a0work.<\/p>\n<p>This behavior is abnormal, and it is also strange that the developers have a representative (El\u0151d Varga represents them) and work as a closed team. 
This raises further suspicions about their reasons for remaining hidden or anonymous.<\/p>\n<h4>joyfulmagician and TaraSwap:<\/h4>\n<p>As mentioned earlier, the account \u201c<a href=\"https:\/\/github.com\/joyfulmagician\">joyfulmagician<\/a>\u201d had previously been reported for suspicious behavior associated with this network of fake accounts posing as developers, which seems to be linked with DPRK threat actors, as seen in previous investigations.<\/p>\n<p>In this context, the account\u2019s involvement in TaraSwap has been observed since July 24, 2024:<\/p>\n<p><a href=\"https:\/\/github.com\/Uniswap\/interface\/compare\/main...taraswap:taraswap-interface:main\">https:\/\/github.com\/Uniswap\/interface\/compare\/main...taraswap:taraswap-interface:main<\/a><\/p>\n<p>This means that the account <a href=\"https:\/\/github.com\/joyfulmagician\">https:\/\/github.com\/joyfulmagician<\/a> has made multiple commits to the TaraSwap repository, establishing them as a developer of the\u00a0project.<\/p>\n<h4>TaraSwap and El\u0151d\u00a0Varga<\/h4>\n<p>Many conversations on Telegram suggest that El\u0151d Varga is familiar with the development team and maintains contact with them. 
However, the development team remains invisible for reasons that seem\u00a0odd.<\/p>\n<p>We noticed some GitHub accounts that we had previously investigated, which are part of a network of \u201cfake developers\u201d linked to DPRK threat\u00a0actors.<\/p>\n<p><a href=\"https:\/\/github.com\/VargaElod23\">https:\/\/github.com\/VargaElod23<\/a><\/p>\n<p>Among El\u0151d Varga\u2019s followers are accounts that have been extensively investigated for being part of a network of fake accounts used to gain access to various projects and jobs, allowing them to be compensated as developers.<\/p>\n<p><a href=\"https:\/\/github.com\/VargaElod23?tab=followers\">https:\/\/github.com\/VargaElod23?tab=followers<\/a><\/p>\n<p>Much of the activity of these accounts [<a href=\"https:\/\/github.com\/AI0228\">https:\/\/github.com\/AI0228<\/a>] &amp; [<a href=\"https:\/\/github.com\/warmice71\">https:\/\/github.com\/warmice71<\/a>] has been linked to generating engagement and following numerous accounts that exhibit specific patterns, behaviors, creation dates, activity levels, and other aspects under analysis.<\/p>\n<p>The connection becomes more significant when they\u2019re followed by a suspicious user, such as <a href=\"https:\/\/github.com\/AI0228\">AI0228<\/a> or <a href=\"https:\/\/github.com\/warmice71\">warmice71<\/a>, who doesn\u2019t rely on an autofollowback bot or similar automated tools.<\/p>\n<p>Similarly, it is worth highlighting a notable aspect of El\u0151d Varga\u2019s GitHub profile: some of his repositories relate to \u201ctalent search.\u201d This repository contains keywords commonly used by accounts linked to North Korean threat actors to describe themselves in their GitHub\u00a0bios.<\/p>\n<p><a href=\"https:\/\/github.com\/VargaElod23\/talent-search\">https:\/\/github.com\/VargaElod23\/talent-search<\/a><\/p>\n<p>While these accounts massively follow others on GitHub, it has been observed that these same suspicious accounts also follow 
their\u00a0targets.<\/p>\n<h4>Contacted TaraSwap\u00a0team:<\/h4>\n<p>After uncovering these irregularities, we decided to contact the TaraSwap team, led by El\u0151d Varga, regarding this profile. He stated, <em>\u201cThis person was a freelancer the TaraSwap team used, but that\u2019s done\u201d.<\/em> Likewise, El\u0151d Varga acknowledged that the team was hired through third parties and confirmed that, after a thorough review, the contributed code was\u00a0safe.<\/p>\n<h4>Issues in TaraSwap:<\/h4>\n<p>Since January 10, several users have raised questions regarding the amount of tokens in circulation.<\/p>\n<p>This suspicious activity was creating FUD, which led the team to issue a statement explaining what had happened. The statement explains that the attacker had exploited a \u2018vulnerability in our [Staker Module]\u2019:<\/p>\n<p><a href=\"https:\/\/t.me\/taraswap\">https:\/\/t.me\/taraswap<\/a><\/p>\n<p>This attack allowed the attacker to drain at least 4.5 TSWAP tokens and sell them, which negatively impacted the token\u2019s price. The statement also outlines the next steps following the exploit. Although the attack was on a smaller scale with minimal impact, projects like these can be easily exploited if they don\u2019t know who is behind their development.<\/p>\n<p>Considering these details, we found that a significant portion of this project was built by this \u2018unknown developer,\u2019 who is linked to the accounts we monitor associated with DPRK IT workers focused on Web3 activity.<\/p>\n<p>In this case, while there was a \u2018small\u2019 exploit, there is a high likelihood that these developers may seek financial compensation by working for third parties. 
If the opportunity arises, they will likely aim for greater economic gains, potentially exploiting the projects they work on or targeting others they see as\u00a0viable.<\/p>\n<p>Based on the evidence presented, there are several concerns regarding the developers of this project and their possible identities. A particularly noteworthy aspect is the involvement of accounts such as \u2018AI0228\u2019 and \u2018warmice71,\u2019 which have been clearly identified as engaging in fraudulent activities on GitHub, including the use of fake profiles to pose as developers and secure work under false identities.<\/p>\n<h4>Case 4: GitHub Accounts interacting with the Stellar Foundation repositories<\/h4>\n<p><strong>Target: Stellar Foundation<\/strong><\/p>\n<p>An interesting aspect when analyzing the activity of several of these accounts is their expressed interest in various Stellar Foundation repositories. This can be seen in the following examples, where a series of accounts with numerous irregularities in their profiles attempt to contribute to several repositories.<\/p>\n<p><strong>Example 1:<\/strong><\/p>\n<p>The following example highlights the intentions of this account, which we had mentioned earlier\u00a0<a href=\"https:\/\/github.com\/dev0614\">dev0614<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/dev0614\">https:\/\/github.com\/dev0614<\/a><\/p>\n<p>They attempt to develop this commit in the Stellar repository called \u201claboratory\u201d:<\/p>\n<p><a href=\"https:\/\/github.com\/stellar\/laboratory\/issues\/916\">https:\/\/github.com\/stellar\/laboratory\/issues\/916<\/a><\/p>\n<p>Similarly, this account has also attempted to contribute to other projects. 
The following links provide several examples:<\/p>\n<p>https:\/\/github.com\/lira-dao\/ecosystem\/pull\/47<br \/>https:\/\/github.com\/Taraxa-project\/bridge\/issues\/20<br \/>https:\/\/github.com\/orgs\/yfosp\/discussions\/372<br \/>https:\/\/github.com\/ethglobal\/nextjs-wagmi-viem-starter\/discussions\/2<br \/>https:\/\/github.com\/mgguild\/ai-games\/issues\/79<\/p>\n<p><strong>Example 2:<\/strong><\/p>\n<p>Another example is the account <a href=\"https:\/\/github.com\/Oyase-shinobi\">Oyase-shinobi<\/a>, which on several occasions has attempted to contribute to Stellar Foundation projects.<\/p>\n<p><a href=\"https:\/\/github.com\/Oyase-shinobi\">https:\/\/github.com\/Oyase-shinobi<\/a><\/p>\n<p>The links where this account attempts to contribute are provided\u00a0below:<\/p>\n<p>Issues:<br \/>stellar\/stellar-disbursement-platform-backend#348<br \/>stellar\/stellar-disbursement-platform-backend#102<br \/>stellar\/stellar-disbursement-platform-backend#410<\/p>\n<p>This same account also attempts to contribute to other projects:<\/p>\n<p>  Other projects where this account contributes<br \/>  &#8211; https:\/\/github.com\/akash-network\/console\/issues\/354 <br \/>  &#8211; https:\/\/github.com\/lira-dao\/ecosystem\/issues\/56 <br \/>  &#8211; https:\/\/github.com\/junobuild\/create-juno\/issues\/39 <br \/>  &#8211; https:\/\/github.com\/paritytech\/polkadot-sdk\/issues\/5754 <br \/>  &#8211; https:\/\/github.com\/SpaceXpanse\/rod-rpc-explorer\/issues\/3 <\/p>\n<h3>Conclusion<\/h3>\n<p><strong>Potential Link Between Suspicious GitHub Accounts and the \u201cSuperStar\u201d Naming\u00a0Pattern<\/strong><\/p>\n<p>A key observation in the suspicious GitHub activity is the repeated use of the nicknames \u201cSuper\u201d and \u201cStar\u201d in GitHub handles, email addresses, and even bios. 
<a href=\"https:\/\/unit42.paloaltonetworks.com\/fake-north-korean-it-worker-activity-cluster\/\">Palo Alto\u2019s Indicators of Compromise (IOCs) also reveal this combination in email addresses<\/a>. Additionally, screenshots from these accounts suggest a personal connection to the term \u201cSuperStar,\u201d making it a fitting name for this cluster of accounts linked to the WageMole\u00a0campaign<\/p>\n<p><strong>Suspicious Activity on GitHub Linked to Certain\u00a0Accounts<\/strong><\/p>\n<p>Suspicious activity on GitHub has been observed, particularly with accounts that share specific characteristics previously identified in our investigations. These characteristics include profile appearance, personal description, GitHub handles, and even profile images. These accounts exhibit certain behavioral patterns, interacting with organizations in similar ways and within the same timeframe once these accounts are created. However, it is important to note that not all suspicious accounts engage in this type of activity.<\/p>\n<p><strong>Adaptive Behavior and \u201cOpen Source Contributor\u201d Profiles<\/strong><\/p>\n<p>One interesting aspect is how these accounts adapt based on ongoing trends. Several suspicious accounts have added \u201cOpen Source Contributor\u201d to their BIOS, which allows them to collaborate on repositories across different projects and blend in with the GitHub and Web3 communities.<\/p>\n<p><strong>Patterns and Coordination Across\u00a0Accounts<\/strong><\/p>\n<p>Curiously, some email addresses flagged by Palo Alto are strikingly similar to the GitHub handles we\u2019ve already monitored as suspicious, linking them to this campaign. There are multiple accounts interacting with older repositories to create a fa\u00e7ade of credibility. 
However, the mass and coordinated nature of their commits reveals similar patterns, and the same accounts, with their distinctive profile images and GitHub handles, are repeatedly involved.<\/p>\n<p><strong>Use of Older Accounts to Gain Credibility<\/strong><\/p>\n<p>We\u2019ve observed that some accounts have opted to use older profiles in an effort to gain more credibility and access collaboration opportunities or jobs. It appears that one account may be coordinating thousands of fake, stolen, or automatically generated profiles, as they share similarities with each other, and all are followed by just one\u00a0account.<\/p>\n<p><strong>Repetitive Comments and Self-Promotion<\/strong><\/p>\n<p>A notable aspect is the repetitive comments these accounts make when trying to collaborate on different projects. Their interest spans a wide range of projects, showcasing various skills. A clear pattern emerges as these accounts follow one another and even star each other\u2019s repositories, reinforcing their fabricated portfolios.<\/p>\n<p><strong>Examples of Fraudulent Commit\u00a0Attempts<\/strong><\/p>\n<p>There have been instances where accounts successfully made commits in projects. Our investigation, followed by confirmation from the project, revealed suspicious activity with these GitHub accounts.<\/p>\n<p><strong>Infiltration of ProductShare DAO<\/strong><\/p>\n<p>The account participating in ProductShare DAO has managed to infiltrate more closed spaces within the DAO. However, this information has not been shared with the\u00a0team.<\/p>\n<p><strong>TaraSwap Issues and Suspicious Developers<\/strong><\/p>\n<p>The individual responsible for TaraSwap has faced multiple issues in developing the project. Following the exploit, many aspects of the project ceased to function, and the community has lost trust in it. 
Additionally, Elod, the person in charge of TaraSwap, acknowledged not knowing this individual, who was hired by a third\u00a0party.<\/p>\n<p><strong>Focus on Stellar Foundation and Other\u00a0Projects<\/strong><\/p>\n<p>A number of accounts appear to target Stellar Foundation, as evidenced by the multiple suspicious accounts attempting to contribute to several of its repositories. Many of these accounts, recently participating in recruitment processes or seeking collaboration in projects, list Japan as their location in their portfolios. They also face difficulties in communication and interviews, which have been highlighted in previous investigations.<\/p>\n<p><strong>Cluster of Suspicious Accounts and Web3\u00a0Projects<\/strong><\/p>\n<p>A cluster of accounts has been attempting to contribute to other projects. Many of their PRs and commits remain open, and in some cases, these commits have been merged without verifying the identities behind them. In other projects, their contributions are ignored. Generally, these collaborations are accepted as \u201cnon-offensive,\u201d but the true intentions behind these \u201ccollaborations\u201d are unclear. 
Their focus on Web3 projects suggests that their ultimate goal may be financial gain.<\/p>\n<h3>Indicators of Compromise<\/h3>\n<h3>Email Addresses<\/h3>\n<h3>GitHub accounts:<\/h3>\n<h3>Farmed GitHub accounts:<\/h3>\n<p>e.g Accounts following suspicious profile: https:\/\/github.com\/Sayonara01<\/p>\n<h3>Additional Resources:<\/h3>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/recap-of-findings-regarding-suspicious-lazarus-activity-on-github-cc361074bdc2\">Summary of Findings on Suspicious Lazarus Group Activity on GitHub<\/a><br \/><a 
href=\"https:\/\/medium.com\/coinmonks\/reviewing-the-activity-of-github-accounts-associated-with-lazarus-635cb47881dc\">Reviewing the activity of GitHub accounts associated with Lazarus<\/a><br \/><a href=\"https:\/\/medium.com\/coinmonks\/fake-recruiters-in-github-68d0d3bf297d\">Fraud Alert: Fake recruiters on GitHub and LinkedIn<\/a><br \/><a href=\"https:\/\/unit42.paloaltonetworks.com\/two-campaigns-by-north-korea-bad-actors-target-job-hunters\/\">Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors<\/a><br \/><a href=\"https:\/\/unit42.paloaltonetworks.com\/fake-north-korean-it-worker-activity-cluster\/\">Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack<\/a><br \/><a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/pyongyang-your-payroll-rise-north-korean-remote-workers-west#how-to-protect-against-wagemole\">From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West<\/a><br \/><a href=\"https:\/\/unit42.paloaltonetworks.com\/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters\/\">Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware<\/a><br \/><a href=\"https:\/\/www.ic3.gov\/PSA\/2024\/PSA240903\">North Korea Aggressively Targeting Crypto Industry with Well-Disguised Social Engineering Attacks<\/a><\/p>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/unmasking-suspicious-github-activity-the-wagemole-campaign-and-its-links-to-dprk-threat-actors-248e7901de38\">Unmasking Suspicious GitHub Activity: The Wagemole Campaign and Its Links to DPRK Threat Actors<\/a> was originally published in <a href=\"https:\/\/medium.com\/coinmonks\">Coinmonks<\/a> on Medium, where people are continuing
the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>image: https:\/\/x.com\/cyberwarcon Table of\u00a0Contents Executive Summary Contagious Interview and Wagemole Campaigns \u201cWageMole\u201d Campaign on\u00a0GitHub Suspicious Activity and Behavior in\u00a0GitHub Case: Interaction with Organizations Part 1: \u201cPlease Invite Me to the GitHub Community Organization\u201d Part 2: Interaction of Accounts with GitHub Repositories Part 3: Cluster of Older GitHub\u00a0Accounts Part 4: Suspicious Interactions of These Accounts Across [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-60730","post","type-post","status-publish","format-standard","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/60730"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=60730"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/60730\/revisions"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=60730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=60730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=60730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}