In recent years, our industry has become a prime target for nation-states like North Korea seeking to fund their regimes.
And this isn’t a conspiracy theory - it’s a real and growing threat.


Hiring skilled engineers is challenging enough. But in a global, remote-heavy industry like web3, screening for hostile operatives is now an essential check.
At Hypotenuse, we’ve seen this firsthand. We run hundreds of interviews per year, and after 20+ confirmed attack attempts so far, we’ve uncovered several patterns and red flags that may signal an undercover DPRK IT worker. Here’s what we’ve learned.
At Hypotenuse, our technical due diligence when screening candidates starts with a close review of their:
Resume
Public-facing code contributions
Communication skills
Publications
Red flags discussed here are current as of this post’s writing. But bear in mind that tactics used by operatives will evolve over time.
It’s also important to note that these flags aren’t exclusive to operatives from North Korea—we’ve seen other types of malicious candidates exhibit them as well. Remain diligent regardless.
When analyzing resumes and GitHub profiles of certain applicants, we noticed a common pattern: these profiles often appear polished and impressive at first glance:


However, a deeper look reveals inconsistencies, with inaccurate or fabricated information about their work experience and skills.
One of the tools that we use to analyze GitHubs is gh-fake-analyzer which downloads, analyzes, and monitors profile data of GitHub users or organizations for any malicious patterns.
Some things to look out for on GitHub profiles and resumes:
Multiple Unique Email Addresses: When reviewing Git commits, we’ve observed cases where several distinct email addresses are associated with a single GitHub account. This pattern suggests that multiple individuals may be collaborating on one account to artificially inflate the user’s credibility and reputation.

Unrelated GitHub Organizations and Obscure Projects: Some profiles show membership in random GitHub organizations or contributions to obscure development projects. This may seem innocent, but it can be a red flag indicating attempts to gain credibility through connections to unrelated entities.


Disproportionate Private vs. Public Contributions: An unusually high volume of private contributions, especially when combined with a low number of public commits, can be suspicious. Although private work is common in some roles, a heavy imbalance may suggest an artificially inflated output, often generated through automated scripts.

Copied Repositories Without Attribution: We’ve found instances where applicants copied entire repositories without proper attribution, repackaging others’ work as their own. Additionally, their contributions often don’t align with their claimed experience, with edits limited to superficial changes like README files.


Misaligned Work Histories: In some resumes, applicants list projects or companies that either no longer exist or never existed, with no verifiable proof of employment or references.

During our interview process, we notice discrepancies between some candidates’ online profiles and their verbal responses. When asked about their work experience or skills, these candidates often contradicted the details in their resumes or GitHub profiles.
Here are some other examples of flags we’ve seen:
Vague or evasive location information: When asked about their general geographic location, some candidates struggled to provide specific, credible details. This ambiguity raises suspicions about whether they are truly present in the physical locations they claim to.
Excessively rehearsed responses: Rehearsing answers to basic questions is common practice, but malicious candidates were much more rehearsed than what we typically see. When probed for more in-depth information or specific nuances, they struggled to provide new insights that aligned with the extensive experience claimed on their resumes.
Prolonged silences and self-interruptions: We observed unusual pauses and an overall frequent tendency to interrupt themselves, citing connectivity issues or technical difficulties. This behavior suggests they might be relying on external resources, like AI tools or third parties, rather than their own expertise.
Push for access to private GitHub repositories: Most blatantly, some candidates asked that we run code from their private GitHub repositories. We’ve seen obvious and less-obvious malware attempts from these candidates, so far all trying to steal sensitive information such as private keys.
Reviewing the social media presence of certain individuals reveals red flags suggesting inauthentic online personas.
Many profiles appear staged, complete with fake accounts that seem to be artificially boosting their engagement.
Some things to look out for:
Excessive use of irrelevant hashtags, which appears to be a deliberate strategy aimed at increasing the visibility and reach of their posts.

Aggressive retweeting of arbitrary, unrelated content.



Using popular NFT projects as their profile pictures in an attempt to increase credibility.
Falsely touting affiliation with a specific project, and even signal boosting their posts.


A beautiful aspect of our industry is how global it is. Some of the strongest, most productive project teams collaborate across time zones worldwide.
However, this means that teams need to carefully screen candidates and ensure they aren’t operatives from hostile nation-states. Infiltration incidents—like those seen at major tech and aerospace companies—can have catastrophic consequences.
To remain vigilant, here are some key practices hiring managers should adopt:
Trust but verify the authenticity of claimed work experience and projects: A polished resume or GitHub profile can be deceptive. Go beyond surface-level evaluations by verifying references, commits, organizations, and the depth of their work.
Verify the general location of the candidate in detail: Ask specific questions related to living in the city/country they claim. Authentic candidates will offer genuine details about the area, while fraudulent candidates likely won’t be able to. You may need to spread this out over multiple rounds of interviews to be effective.
Probe for depth in responses: During interviews, encourage candidates to elaborate on their experiences. Genuine expertise will hold up under deeper questioning, while memorized answers don’t.
Maintain clear security boundaries in your recruiting organization: Obviously, don’t execute candidate-provided code directly on your systems, or use un-hardened collaboration software with candidates. Ideally, use technical measures to separate these at the machine or VM level, with clear policies for destroying untrusted environments after use.
With strong filters in place, teams can secure their workforce and prevent the costly consequences of hiring bad actors.
