The tables detail target jobs for IT workers, including daily updates with job descriptions, the hiring companies, and locations. Links to freelance sites or contact details are provided alongside a “status” column indicating if there’s “contact” or if they are “waiting.”
Screenshots shown to WIRED list potential real-world names of the IT workers, alongside the make and model of their computer equipment, including monitors and hard drives. The “master boss” is unnamed but reportedly uses a 34-inch monitor and two 500GB hard drives.
One data “analysis” page seen by security researcher SttyK details fraud types, such as AI, blockchain, web scraping, and app development, with a budget and “total paid” field. Graphs in the spreadsheet track earnings, lucrative regions, and payment frequency effectiveness.
“It’s professionally run,” says Michael “Barni” Barnhart, a North Korean hacking and threat researcher at DTEX, noting strict quotas and meticulous records akin to North Korea’s hacking groups that have stolen cryptocurrency.
Evan Gordenker, from Palo Alto Networks’ Unit 42, confirms the data’s authenticity, having tracked related accounts and a prominent GitHub account exposing IT workers’ files. Emails sent to DPRK-linked addresses went unanswered when WIRED sought comment.
After WIRED’s contact, GitHub suspended three developer accounts for “spam and inauthentic activity,” according to Raj Laud, who emphasized the complexity of nation-state threats.
Google, citing privacy and security policies, declined specific comments on accounts but mentioned ongoing efforts to detect fraudulent operations, notify affected organizations, and share threat intelligence.