Leak reveals work hours and life of North Korean IT scams

One table shows the jobs the IT workers were targeting. Apparently updated daily, it lists each job description (“need new React and Web3 developers”), the company that posted it and where that company is located. It also links to the vacancies on freelancing sites or to contact information for recruiters. A “Status” column records whether each lead is “waiting” or “contact”.
A screenshot of a spreadsheet seen by Wired appears to list the real names of the IT workers themselves. Next to each name are the make and model of the computer they allegedly owned, along with their monitors, hard drives and the serial numbers of each device. The “Master Boss”, whose name is not listed, apparently uses a 34-inch monitor and two 500GB hard drives.
An “analysis” page in the data seen by security researcher Sttyk lists the kinds of work the group of scammers is involved in: AI, blockchain, web scraping, bot development, mobile apps and web development, transactions, CMS development, desktop app development, and “others”. Each category has a potential budget and a “Total Paid” field. More than a dozen charts in one spreadsheet appear to track what they were paid, which areas were most profitable, and whether weekly, monthly or fixed-price payment arrangements were the most successful.
“It’s professionally run,” said Michael “Barni” Barnhart. “Everyone has to make quotas. Everything needs to be gradually reduced. Everything needs to be paid attention to,” he said. The researcher added that North Korea’s more established hacking groups, which have stolen billions of dollars in cryptocurrency and are largely separate from the IT worker program, keep similar levels of records. Barnhart reviewed the data obtained by Sttyk and said it overlaps with what he and other researchers have tracked.
“I do think that data is very real,” said Evan Gordenker, senior consulting manager at the cybersecurity firm Palo Alto Networks, who also reviewed the data Sttyk obtained. Gordenker said the company has been tracking multiple accounts in the data, and that one well-known GitHub account had previously been publicly exposed in documents about the IT workers. None of the DPRK-linked email addresses responded to Wired’s request for comment.
After Wired contacted GitHub, Raj Laud, the company’s head of cybersecurity and online safety, suspended three developer accounts, saying they had been caught by its “spam and inauthentic activity” rules. “The pervasiveness of this nation-state threat activity is a challenge that we take seriously and a complex issue,” Laud said.
Google declined to comment on the specific accounts provided to it, citing policies around account privacy and security. “We have developed processes and policies to detect and report these operations to law enforcement,” said Mike Sinno, director of detection and response at Google. “These processes include taking action against fraudulent activity, proactively notifying targeted organizations, and working with public and private partners to share threat intelligence, thereby enhancing defense capabilities against these movements.”