
Example of a portfolio website | Image: Nisos
Nisos has uncovered a sophisticated North Korea-linked employment scam network—dubbed the Saja Network—designed to infiltrate tech companies under the guise of freelance developers and software engineers. The report highlights how the network leverages fake GitHub profiles, fraudulent portfolio websites, and a fictitious software company to secure remote positions in Western organizations.
The Saja network is believed to be operated by DPRK-affiliated threat actors who pose as US and Polish nationals to land remote work in software engineering and blockchain development. Their tactics are disturbingly well-coordinated:
- Lion-themed avatars across GitHub accounts
- Fake portfolio websites with identical layouts and content
- Fabricated professional profiles using digitally altered images
- Shared email identifiers, often including the word “century” (e.g., apollo21century@gmail.com)
- Testimonials and work history reused across multiple identities
“Profile photos were digitally manipulated. Threat actors’ faces were often pasted on top of stock photos,” the report states.
Nisos identified numerous GitHub accounts tied to the network, such as websparkledev, VeteranSoftDev, and SoftwarePassioner. These accounts hosted repositories for fake portfolio sites and claimed years of experience in full-stack development.
Each GitHub persona was linked to freelance profiles or a common employer: Inspiration With Digital Living (IWDL), a seemingly professional software firm that turned out to be a shell entity with a fake address and manipulated leadership profiles.
Websites like https://softwarepassioner.github.io and https://portfolio-ideal-softer.vercel.app claimed projects involving a service called Assistant for Freelancer (AFF) and an Anti-Game-Cheat engine. These sites were nearly identical in layout, often citing over 25 projects completed and 10+ years of experience.
“The ‘about’ sections frequently included references to working 10+ years… and having built an ‘Assistant for Freelancer’ service,” the report explains.
Nisos found one individual likely operating under multiple aliases, including:
- Taylor Fuller (claimed to be based in the US)
- Damian Kowalczyk (Poland)
- Wojciech Mazur and Thomas Richard
- Jan Kowalski – used by two different people across two separate websites, one of which used a photo of Singaporean actor Glenn Yong
“The same persona was reused by different threat actors,” the report states.
Security teams and recruiters should be wary of the following signs:
- Generic or overly polished GitHub accounts with animal-themed avatars
- Portfolio sites hosted on github.io or vercel.app using similar templates
- Claims of identical work histories across different profiles
- Stock images or AI-generated photos used in professional bios
- Newly registered company websites with vague leadership information
“Companies looking to partner with freelance software development companies [should] conduct robust reviews of the website and company information to ensure that companies are legitimate businesses and not fronts for freelance work scams,” the report recommends.
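The warning signs above can be turned into a first-pass screen over applicant records. The sketch below is an added example, not code from Nisos or the report; the record layout, the sample applicants, and the 0.6 similarity threshold are assumptions.

```python
import re
from itertools import combinations
from urllib.parse import urlparse

# Indicators come from the article; each is weak alone (many real developers
# use github.io), so review profiles that stack flags or share bio text.
HOSTS = ("github.io", "vercel.app")
PHRASES = ("assistant for freelancer", "anti-game-cheat", "10+ years")

SHARED_BIO = ("Full-stack developer with 10+ years of experience. Built an "
              "Assistant for Freelancer service and completed over 25 projects")
PROFILES = [  # constructed sample applicants: (name, email, portfolio, about)
    ("applicant-a", "orion99century@example.com", "https://applicant-a.github.io", SHARED_BIO + "."),
    ("applicant-b", "b.dev@example.com", "https://applicant-b.vercel.app", SHARED_BIO + " for clients."),
    ("applicant-c", "c.dev@example.com", "https://applicant-c.example.com",
     "Backend engineer focused on payment systems and observability tooling."),
]

def shingles(text, k=3):
    """Set of k-word windows, used to compare bios for copied passages."""
    words = re.findall(r"[a-z0-9+]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def profile_flags(p):
    """Per-profile indicators: hosting platform, email token, stock phrases."""
    _name, email, url, about = p
    flags = []
    host = (urlparse(url).hostname or "").lower()
    if any(host == h or host.endswith("." + h) for h in HOSTS):
        flags.append("portfolio on github.io/vercel.app")
    if "century" in email.split("@")[0].lower():
        flags.append("'century' in email identifier")
    return flags + [f"phrase: {ph}" for ph in PHRASES if ph in about.lower()]

def reused_text(profiles, threshold=0.6):
    """Pairs of applicants whose bios overlap (Jaccard similarity of shingles)."""
    sh = {p[0]: shingles(p[3]) for p in profiles}
    pairs = []
    for a, b in combinations(sh, 2):
        union = sh[a] | sh[b]
        score = len(sh[a] & sh[b]) / len(union) if union else 0.0
        if score >= threshold:
            pairs.append((a, b, round(score, 2)))
    return pairs

if __name__ == "__main__":
    for p in PROFILES:
        print(p[0], profile_flags(p))
    print(reused_text(PROFILES))
```

The pairwise comparison is what catches reused testimonials and work histories across identities; the per-profile flags only prioritize which applicants to look at first.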