It’s not really a secret that North Korean IT workers are using GitHub for a number of reasons. While there are several posts that cover different clusters of users as well as why they are using GitHub, there aren’t many posts on finding accounts on GitHub.

Let’s take a step back and start to look for possible accounts online that might be related to IT workers interests. https://playerpuff.com is a website that allows users to buy and sell Upwork accounts and if we filter by users that are looking to buy an account on Upwork we find a post like this

From this post we can see the user Rionel has a Telegram account athene9101

Searching athene9101 on GitHub reveals an account that looks quite active over the last year

However if we dig into this slightly we can see that the account was created in February of 2025. This is something common amongst ITW on GitHub as they try to make their profiles look older and more legitimate.

So this is looking suspicious but how can we confirm that this is a North Korean profile? There are typically several things to look for. A lot of accounts will follow each other creating a cluster, the naming conventions all look similar, and the images for the profiles are generally AI generated. Usually there are also repos for assessments, blockchain/bitcoin, and MERN stack developers.

In this case there are a number of followers that start to look similar. Now if we look at the user code-star-123 and the repo under his account with the same name we can see that the accounts that starred it are all similar to followers that we can find from our original account.

Additionally searching through the repos of these users reveals messages and resumes that can be collected for additional hunting outside of GitHub.