
A deep investigation by researchers blackbigswan and Heiner has uncovered a covert operation where North Korean (DPRK) IT workers infiltrated open-source and freelance development ecosystems—including OnlyDust and BuildOnStellar—to pose as legitimate developers, receive payments, and potentially facilitate future cyberattacks.
The operation spans multiple identities, forged credentials, cloned repositories, and video call evasion tactics, and could have serious implications for the security of projects across Web3, DeFi, and beyond.
The investigation began in February 2025 when the researchers discovered a suspicious contributor, 0xExp-po, on a legitimate Stellar project. His activity matched the known DPRK IT worker modus operandi, including cloned repositories and manipulated commit histories dating back to 2018—despite the account being created in December 2023.
“We collected the evidence and informed the affected repository owner… At this point in the investigation, we did not yet realize how deeply connected the case was to the popular Web3 freelance platform OnlyDust.”
Following the trail from 0xExp-po led to bestselection18, a more entrenched actor, already listed in their high-confidence suspect database. His activities across OnlyDust projects were striking:
- Multiple fake GitHub personas (e.g., mymiracle0118, SweetDream, SmileS-777)
- An automation bot repository for managing fake identities
- A profile image generated by AI with glaring anomalies
- Participation in projects with combined budgets exceeding $71,000 USD
One of the more surreal moments in the investigation came when researchers conducted a video call with another account (kirbyattack/motokimasuo), suspected to be operated by bestselection18. When asked to introduce himself in Japanese:
“The candidate’s response was to remove their headset and leave the call, confirming our hypothesis that he is a DPRK IT worker.”
The investigation revealed these actors were not just farming commits—they were also pushing scam projects. In 2024, they attempted to secure $200,000 in funding from the Polkadot community for a shady DeFi platform named Asset-x, which was ultimately rejected due to “a massive amount of red flags.”
Another actor, aidenwong812, showcased more advanced tactics—rotating through multiple identities, erasing history, and returning under new names like cryptogru812. This actor successfully merged PRs in Starknet-related repositories and earned payments despite the red flags.
“aidenwong812 operates so many different identities that he often confuses his Ukrainian fake identity on LinkedIn, with his old Italian identity on GitHub only to re-emerge as a Chinese/Korean Web3 developer.”

The concern isn’t limited to a few projects. In total, the actors obtained:
- $1,874+ USD in confirmed payments
- 62 PRs merged across 11 repositories
- Access to developer teams, project leads, and private codebases
The true danger lies in the credibility farming, potential backdoor injection, and intelligence gathering that these DPRK actors conduct:
“North Koreans are extremely persistent… Even if seemingly benign, the moment will come when a malicious dependency is injected into the code, a backdoor is installed…”
Key Takeaways and Recommendations
- Video verification should be mandatory for remote contributors with code access.
- KYC documents are not sufficient—many were found to be fabricated or stolen.
- Maintain internal records of contributor behaviors, sudden identity changes, and commit anomalies.
- Platforms like OnlyDust must improve vetting, alert affected users, and adopt stronger authentication procedures.
- Developers are urged to audit their codebases and treat any received files from suspicious actors as potentially malicious.
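The commit-history anomaly noted earlier (a contributor whose commits are dated years before the account existed) is one of the more mechanical "commit anomalies" a maintainer can record, as the last recommendation above suggests. The script below is an added example written for this article, not tooling from the researchers or from OnlyDust. It assumes two heuristics: a commit whose author date precedes the account's creation date is backdated or cloned, and a large gap between author and committer dates means the history was rewritten (rebased, amended or cherry-picked). The sample commits and account creation date are constructed; in practice the account date comes from the GitHub API's `created_at` field on `/users/{username}` and the two dates from `commit.author.date` and `commit.committer.date` in the `/repos/{owner}/{repo}/commits` response, which `from_api_json` accepts.

```python
"""Flag backdated or rewritten commit histories for a contributor account.

Example tooling for this article, not the researchers' own. Heuristics assumed here:
  * author date before the account's creation date  -> backdated/cloned commit
  * author and committer dates more than a day apart -> history rewritten
Both dates are trivially forgeable (GIT_AUTHOR_DATE / GIT_COMMITTER_DATE), so a clean
result proves nothing; a dirty result is a reason to look closer, not a verdict.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Commit:
    sha: str
    author_date: datetime     # when the patch was supposedly written
    committer_date: datetime  # when it was last applied/rewritten


def parse_iso(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps GitHub returns into aware UTC datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def from_api_json(obj: dict) -> Commit:
    """Build a Commit from one element of the GitHub /repos/{o}/{r}/commits response."""
    return Commit(
        sha=obj["sha"],
        author_date=parse_iso(obj["commit"]["author"]["date"]),
        committer_date=parse_iso(obj["commit"]["committer"]["date"]),
    )


# Constructed sample data: account created December 2023, commits "from" 2018 onwards.
ACCOUNT_CREATED = parse_iso("2023-12-01T00:00:00Z")

SAMPLE_API_COMMIT = {  # shape of a real API object, values constructed
    "sha": "a1b2c3d",
    "commit": {"author": {"date": "2018-03-14T10:12:00Z"},
               "committer": {"date": "2018-03-14T10:12:00Z"}},
}

SAMPLE_COMMITS = [
    from_api_json(SAMPLE_API_COMMIT),                                            # cloned wholesale: both dates old
    Commit("e4f5a6b", parse_iso("2019-06-01T08:00:00Z"), parse_iso("2024-01-05T17:30:00Z")),  # old author date, recent rebase
    Commit("c7d8e9f", parse_iso("2024-02-10T12:00:00Z"), parse_iso("2024-02-10T12:00:00Z")),  # clean
    Commit("0a1b2c3", parse_iso("2024-03-01T09:00:00Z"), parse_iso("2024-03-20T15:45:00Z")),  # rewritten weeks later
]


def commit_anomalies(account_created: datetime, commits, rewrite_gap=timedelta(days=1)):
    """Return (sha, kind, detail) tuples; kind is 'backdated' or 'rewritten'."""
    findings = []
    for c in commits:
        if c.author_date < account_created:
            findings.append((c.sha, "backdated",
                             f"authored {c.author_date.date()} before account creation {account_created.date()}"))
        gap = abs(c.committer_date - c.author_date)
        if gap > rewrite_gap:
            findings.append((c.sha, "rewritten",
                             f"author/committer dates differ by {gap.days} days"))
    return findings


def summarize(account_created: datetime, commits) -> dict:
    """Counts per anomaly kind plus the distinct flagged SHAs, for a contributor record."""
    findings = commit_anomalies(account_created, commits)
    counts = {"commits": len(commits), "backdated": 0, "rewritten": 0}
    for _, kind, _ in findings:
        counts[kind] += 1
    counts["flagged_shas"] = sorted({sha for sha, _, _ in findings})
    return counts


if __name__ == "__main__":
    for sha, kind, detail in commit_anomalies(ACCOUNT_CREATED, SAMPLE_COMMITS):
        print(f"{sha}  {kind:9s}  {detail}")
    print(summarize(ACCOUNT_CREATED, SAMPLE_COMMITS))
```

Run against the sample, two commits are backdated and two show a rewritten history; only the February 2024 commit is clean. A widespread author/committer gap on its own is common in healthy rebase-heavy projects, which is why the script reports both signals separately rather than folding them into one score; the backdated signal is the stronger one, since nothing legitimate produces commits authored before the account that pushed them existed, short of importing someone else's repository under your own name.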