THREAT INTELLIGENCE
Beejern - DPRK IT Worker Front Company Network
1. EXECUTIVE SUMMARY
This report documents a suspected DPRK IT worker operation centered around the company Beejern (beejern.com), an Oklahoma-registered LLC. The investigation originated from monitoring GitHub profiles linked to known DPRK IT worker activity, where the GoldenDev321 account displayed Beejern's domain in its bio.
Through OSINT cross-referencing of GitHub commits, email addresses, Telegram handles, phone numbers, website infrastructure, and corporate records, this investigation uncovered:
| # | Finding | Detail |
|---|---|---|
| 1 | GitHub identity chain | GoldenDev321 / Redsky500 / Dragonlee321 which is the same individual cycling aliases; dragonlideveloper@gmail.com and johy49@beejern.com email reported by other researchers |
| 2 | Phone cluster | +1 (480) 271-8467 shared across Beejern, SprintiQ.ai, and DreamHi.co shell company infrastructure pattern |
| 3 | DPRK network endorsement | Torre AI persona phantomdev0302 (Ryosuke Yamamoto) recommended by Nisos-confirmed DPRK actor Naoyuki Tanaka |
| 4 | Vietnam nexus | DreamHi.co and QN Software share Danang Vietnam address and phone +84 366 756 552 |
| 5 | Image fabrication | Face-transplant technique on Beejern UpWork profile and QN Software team photos — same fabrication toolkit |
| 6 | Exposed credentials | .env file links julian_bartell@Beejern.com email + dragonlideveloper MongoDB credentials in same codebase |
| 7 | Third-party profile seeding | Beejern listed on DesignRush and SelectedFirms using fabricated imagery cross-platform legitimacy campaign |
| 8 | Phone rotation | New Beejern phone (+1 410-702-3321) immediately shared with Prytania Consulting, shared number management |
| 9 | US legal entity | Beejern LLC registered as an active Oklahoma LLC (Filing #3513654459, 9905 S Pennsylvania Ave Ste A, Oklahoma City OK 73159) provides a legitimate-appearing US corporate identity to solicit clients and receive payments within the US financial system |
| 10 | David Lin / TheRavenFile cross-corroboration | Associate identifies Beejern owner as David Lin (alias: Ihor Zakarchenko, Ukrainian identity). Name possibly correlated with the same name co-worker provided: david.lin.9422@gmail.com independently documented in theravenfile.com website in their DPRK IT worker investigation |
Disclaimer
This investigation report has been shared with law enforcement agencies and UpWork's Trust & Safety team. Third-party platforms hosting Beejern's agency profiles, including DesignRush, SelectedFirms, and Clutch, have been notified of the inconsistencies identified in this report. All findings are based on open-source intelligence and represent analytical assessment.
2. ENTRY POINT — GITHUB MONITORING & GOLDENDEV321
2.1 - GoldenDev321: Initial Discovery
The account GoldenDev321 was identified via a cluster of accounts with known DPRK IT worker patterns. The user's bio contained a direct reference to beejern.com, establishing the first link.
Figure 1 – GoldenDev321 GitHub profile referencing Beejern.com in bio
Figure 2 – GitHub bio banner showing Beejern.com URL
2.2 Identity Chain: Redsky500 - Dragonlee321 - GoldenDev321
The user GoldenDev321 underwent multiple username changes on GitHub, cycling through the aliases Redsky500 and Dragonlee321. This pattern of identity cycling is a documented DPRK IT worker technique to evade detection
Evidence of the identity chain is preserved in forked repositories:
https://github.com/ProSeFraudCatcher/GoldenDev321/commit/ec014ac621a65445ad5b5552541be1989682c77f
The profile no longer exists on GitHub, but the forked repository retains the commit metadata revealing the identity transitions.
2.3 Contact Information Extracted from Repository
The following contact identifiers were extracted from GoldenDev321's repository data:
| phantomdev0302@gmail.com | |
|---|---|
| Telegram | @Ryosuke0302 |
| Discord | @Ryosuke0302#1332 |
| Telegram (alt) | @phantomdev0302 |
| Discord (alt) | @phantomdev0302#7986 |
2.4 - Commit Email: dragonlideveloper@gmail.com
Examining a specific commit from a forked repository of GoldenDev321, the commit author email resolves to dragonlideveloper@gmail.com:
https://github.com/ScorpiusDraconis83/GoldenDev321/commit/cb29367758d1777d882c50594c121b9619664a1d
Figure 3 – Commit metadata showing dragonlideveloper@gmail.com as author
However, in a different fork of the same repository, the email changes to dragonlideveloper@gmain.com (using 'gmain' — a deliberate or accidental typo variant):
Figure 4 – Fork showing dragonlideveloper@gmain.com — typo variant of the Gmail address
Two email variants of the same alias (gmail vs gmain) across different forks suggests deliberate obfuscation or copy-paste error revealing a secondary account.
3. TORRE AI PROFILE - LINK TO CONFIRMED DPRK PERSONA
3.1 Ryosuke Yamamoto / phantomdev0302 on Torre AI
The alias phantomdev0302, previously identified in the GitHub commit history, resurfaces on Torre.ai a talent marketplace platform used by remote developers to seek employment opportunities globally
https://github.com/ScorpiusDraconis83/GoldenDev321/commit/cb29367758d1777d882c50594c121b9619664a1d
The same Telegram handle links directly to a Torre.ai profile operating under the name Ryosuke Yamamoto, confirming the alias is active across multiple professional platforms and is being used to seek employment under a Japanese identity
Figure 4b.
https://torre.ai/phantomdev0302
This profile received a recommendation from an individual already identified by Nisos Research as a confirmed DPRK IT worker persona: Naoyuki Tanaka
Figure 4c.
https://torre.ai/alexander116gm?r=OkFgNF0o
3.2 Naoyuki Tanaka - Nisos Confirmed DPRK IT Worker
Nisos Research identified Naoyuki Tanaka as a DPRK IT worker persona in their published research. Key findings from the Nisos report:
• Persona 'Naoyuki Tanaka' used to obtain remote work in the United States
• Investigated via Telegram username 'superbluestar', which appeared on both Huy Diep's and Naoyuki Tanaka's resumes
• Email address alexander116gm@gmail.com included on the Naoyuki Tanaka resume — not consistent with the name
• Still active on Torre AI at the time of this investigation
This means that a profile on Torre.ai linked to the GoldenDev321 / phantomdev0302 identity was directly flagged by a Nisos-confirmed DPRK IT worker establishing a direct connection to the known DPRK IT worker network previously mentioned
https://6068438.fs1.hubspotusercontent-na1.net/hubfs/6068438/dprk-github-employment-fraud.pdf
3.3 Dragonlideveloper@gmail.com in Prior DPRK Research
The initial email list was publicly shared on X by @SttyK, who posted a download link to a dataset reportedly containing nearly 1.4K email addresses used by North Korean IT workers. That dataset was later analyzed by Rakesh Krishnan in The Raven File website, where several indicators were documented as DPRK IT workers hiring red flags
https://x.com/SttyK/status/1956180410104471917
The email address dragonlideveloper@gmail.com, extracted directly from GoldenDev321's commit history, does not appear for the first time in this investigation. It was previously documented by TheRavenFile in their August 2025 research on DPRK IT worker email patterns as a known hiring red flag.
TheRavenFile's analysis, based on a leaked DPRK email list that surfaced on August 13th and 14th 2025, independently confirms dragonlideveloper@gmail.com as an established DPRK infrastructure indicator corroborating the attribution of GoldenDev321 to the broader DPRK IT worker network through a completely separate research source
4. BEEJERN DOMAIN — CONFIRMED IN MULTIPLE REPOSITORIES
4.1 Johy49@beejern.com in TheRavenFile Research
The Beejern domain is not only referenced in GoldenDev321's GitHub bio a Beejern domain email (johy49@beejern.com) was also independently documented by TheRavenFile in their DPRK IT worker research:
This independent corroboration from a separate research source significantly strengthens the attribution of Beejern as a DPRK IT worker-controlled or associated entity.
4.2 GitHub: He-Cat-E / Peakality: Beejern Email in .env File
A separate GitHub account, He-Cat-E, is found building the backend of a project called Peakality.com. In the repository's exposed .env configuration file, the following credentials appear:
Figure 5 – He-Cat-E GitHub profile working on Peakality.com
Figure 6 – Exposed .env file: julian_bartell@Beejern.com and MongoDB user 'dragonlideveloper'
The .env file reveals two critical indicators simultaneously:
• Email: julian_bartell@Beejern.com: a Beejern domain address embedded in production code
• MongoDB username: dragonlideveloper is the same alias connected to GoldenDev321 commit emails
https://github.com/He-Cat-E/backend/blob/main/.env
4.3 Peakality.com Co-Developer: Crystal
The Peakality project has a second contributor, the account crystal-rm also building the same platform:
https://github.com/crystal-rm/peakality
https://github.com/crystal-rm/peakality/deployments
Two developers from the same suspected DPRK IT worker network collaborating on a single project
5. BEEJERN LLC - CORPORATE REGISTRATION & IMAGE MANIPULATION
5.1 Oklahoma LLC Registration
Beejern is registered as an LLC in Oklahoma under the following details:
| Company Name | BEEJERN LIMITED LIABILITY COMPANY |
|---|---|
| Filing Number | 3513654459 |
| Status | Active |
| Address | 9905 S Pennsylvania Ave Ste A, Oklahoma City, OK 73159 |
| Website | beejern.com |
| Contact Email | contact@beejern.com |
| Phone | +1 (480) 271-8467 |
Figure 7 – Beejern Website
Figure 9 – Beejern address on their website contact page
The following image displays the official business entity record retrieved from the Oklahoma Secretary of State registry, confirming Beejern LLC as an active company registered under filing number #3513654459. The record establishes Beejern's legal presence in the United States, with its registered address at 9905 S Pennsylvania Ave Ste A, Oklahoma City, OK 73159.
Figure 10 – Oklahoma LLC certificate for Beejern Limited Liability Company (Filing #3513654459)
https://beejern.com/contact-us
The existence of an active US LLC is significant as it provides the operation with a legitimate corporate identity, enabling it to solicit contracts from American clients, receive payments through US-based platforms, and operate within the US financial system under the appearance of a lawfully incorporated domestic business.
5.2 - UpWork Profile: Manipulated Team Photo
Beejern used to maintain an agency profile on UpWork. Their profile image features what appears to be a team Beejern's UpWork profile uses a photo belonging to another company, with their logo digitally inserted into the background to make it appear as their own team photo. This has been reported to UpWork's Safety team to support their internal investigation
Figure 11 – Beejern UpWork profile: team photo with 'Beejern' superimposed on background
The original image was sourced from a LinkedIn post by Walter Izaguirre Seminario about a BNI Integration meeting completely unrelated to Beejern. The background was digitally replaced to display the Beejern logo/name. Walter Izaguirre was notified that his image was being used fraudulently without his knowledge
Figure 12 – Original unaltered image: same people, no Beejern branding — background digitally replaced
https://www.upwork.com/agencies/1939111182964594402/
Following the evidence submission to UpWork's Trust & Safety team, Beejern's agency profile was taken down. The profile is no longer accessible on the platform
Figure A2.
Deleted profile of Beejer on UpWork
5.3 THIRD-PARTY DIRECTORY LISTINGS
Beejern is listed on multiple third-party agency ranking platforms using the same fabricated imagery found on the main website and UpWork profile indicating a coordinated cross-platform legitimacy campaign:
Figure A3 — Beejern listing on DesignRush using fabricated agency imagery
https://www.designrush.com/agency/profile/beejern-limited-liability-company
Figure A4 — Beejern listing on SelectedFirms propagating the same fabricated imagery
https://selectedfirms.co/agency/beejern
Beejern also maintains a profile on Clutch.co, a B2B ratings and reviews platform widely used by companies to vet software development agencies. The profile lists Beejern as founded in 2024, with 10–49 employees, and displays 18 reviews and five connections
Figure A5.
https://clutch.co/profile/beejern
The Clutch profile, combined with the DesignRush and SelectedFirms listings previously documented, shows a deliberate cross-platform legitimacy campaign seeding multiple agency directories simultaneously to create the appearance of an established, reputable company with a track record, when no verifiable business history exists.
5.4 Beejern Reviews
Beejern's Clutch profile presents 18 reviews across two pages, all scoring a perfect 5.0 across every category without a single variation. While some of the listed client companies appear to be real and verifiable businesses, including Planning Pod, A4D Inc, and WarpMe Inc, the review pattern raises serious concerns that are difficult to reconcile with legitimate business activity
Figure 10.
The most significant anomaly is the Wyrd C.a.f.e. review listing a project start date of January 2022, three years before Beejern LLC was legally incorporated in 2024. No company can have delivered services before it existed. This single data point undermines the credibility of the entire review record
Figure 10b.
Beyond that, the concentration of blockchain, NFT, and cryptocurrency projects is disproportionate for a general software development agency, and the geographic spread of clients across six countries within such a short operating window is inconsistent with organic business development
Some reviews may reflect real engagements with real people because DPRK IT workers do perform actual development work, which is precisely how they maintain the appearance of a functioning business. This distinction is important because the presence of legitimate looking client relationships does not negate the fraudulent nature of the entity delivering the services, particularly when those services are generating revenue that flows back to a sanctioned state.
6. PHONE CLUSTER: +1 (480) 271-8467
The phone number +1 (480) 271-8467, listed on Beejern's website, is shared by other IT consulting and development companies creating a direct link between these companies
6.1 DreamHi.co (Defunct)
DreamHi.co no longer exists, but archived evidence confirms it shared the same phone number as Beejern and was simultaneously operating from a Vietnam office:
Figure 11 – DreamHi.co listing phone +1(480)271-8467 — same as Beejern
DreamHi.co listed a Vietnam contact number and office address, with operations based at 16 Thanh Luong 3 Street, District Cam Le, Danang City, Vietnam, reachable at +84 366 756 552.
The same US phone number appearing across both a US-registered company in Oklahoma and a Vietnam-based IT operation is not a coincidence. Vietnam is a documented host country for DPRK IT worker operations, and the shared infrastructure between Beejern and DreamHi points to a coordinated network rather than two independent businesses.
6.2 QN Software (Vietnam - Defunct)
Following the Vietnam phone number +84 366 756 552 from DreamHi led to QN Software (qnsoftware.space), another now-defunct company sharing the exact same Vietnam Danang address:
Figure 12 – QN Software sharing DreamHi's Vietnam phone number and address
QN Software's additional identifiers:
• PayPal: qnsoftware92@gmail.com
• GitHub: github.com/qnsoftware92
• YouTube: youtube.com/@QNsoftware
https://www.youtube.com/@QNsoftware
6.3 QN Software: Face-Swapped Team Photos
QN Software's team photos show evidence of the same image manipulation technique found in Beejern's UpWork profile. A team member labeled 'Dragon' is seen wearing a specific branded T-shirt:
Figure 13 – QN Software team photo: 'Dragon' wearing branded T-shirt — face appears transplanted onto original image
Figure 14 – Original T-shirt image source: an Asian face was digitally transplanted onto this stock clothing photo
The original shirt image is from an Etsy product listing. The same face-swap technique connects QN Software to Beejern's UpWork manipulation:
https://i.etsystatic.com/18983913/r/il/5da9d4/1778957854/il_fullxfull.1778957854_1wjy.jpg
https://www.behance.net/itsjackreacher07
DreamHi.co and QN Software share the same office address in Danang, Vietnam, and the same Vietnamese phone number. It is important to have in mi d that Vietnam is a documented DPRK IT worker host country
| DreamHi.co address | 16 Thanh Luong 3 St, District Cam Le, Danang, Vietnam |
|---|---|
| QN Software address | 16 Thanh Luong 3 St, District Cam Le, Danang, Vietnam |
| Shared Vietnam phone | +84 366 756 552 |
| DreamHi status | Defunct - previously shared +1 (480) 271-8467 with Beejern |
| PayPal account | qnsoftware92@gmail.com - links DreamHi to QN Software email |
Three companies in the same cluster (Beejern, DreamHi and QN Software) independently using face-swap and background-replacement image manipulation to fabricate fake team photos coordinated deception infrastructure.
6.4 SprintiQ.ai: Same Phone Number
SprintiQ.ai has since hidden its phone number from public listings, but screenshots captured prior to removal confirm it displayed +1 (480) 271-8467:
Figure 15 – Screenshot of SprintiQ.ai contact page showing +1(480)271-8467 before removal
Figure 16 – Google search results previously showing Beejern and SprintiQ.ai indexed together under the same phone
Google's search index previously returned both Beejern and SprintiQ.ai as results for the same phone number search — confirming the shared infrastructure before SprintiQ removed the number.
6.5 SprintiQ.ai: GitHub account He-Cat-E Developer Connection
The GtHub account He-Cat-E already linked to Beejern through the exposed .env file is also found with a forked SprintiQ.ai repository:
Figure 17 – He-Cat-E GitHub fork of the SprintiQ.ai project
https://github.com/He-Cat-E/sprintiq
A single developer (He-Cat-E / dragonlideveloper) working simultaneously on:
• Peakality.com: using Beejern domain email (julian_bartell@beejern.com)
• SprintiQ.ai: forking their project on GitHub
This creates a technical triangle between Beejern, DreamHi and SprintiQ.ai, all sharing the same phone number and developer identity.
The same GitHub developer identity (He-Cat-E / dragonlideveloper) building projects for both Beejern-linked and SprintiQ.ai-linked repositories confirm coordinated operations across these shell company fronts. And its also worth mentioning that the profile He-Cat-E forked both Sprintiq repositories
Figure 17b.
The repositories were forked from the GitHub account operating under the handle Tn0127, accessible at github.com/Tn0127, adding another node to the network of interconnected accounts associated with this cluster:
Figure 17c.
The Tn0127 GitHub profile presents itself as an AI SaaS Engineer and startup technology partner operating under the alias "True Ninja," marketing services directly to founders and early-stage companies. The commit metadata extracted from the Tn0127 account reveals the email address tn.dev.t0127@gmail.com:
Figure 17d.
The email naming convention follows the same pattern observed throughout this investigation a handle-derived address constructed to appear as a professional developer identity while obscuring any real personal information.
7. SECONDARY PHONE CLUSTER - +1 (410) 702-3321 & PRYTANIA CONSULTING
At some point after initial investigation, Beejern changed their contact phone number to +1 (410) 702-3321:
Figure 18 – Beejern website updated contact page showing new phone +1(410)702-3321
A search for this new number reveals it is also used by Prytania Consulting:
Figure 19 – Prytania Consulting LinkedIn profile sharing +1(410)702-3321 with Beejern
Beejern changed its phone number, and the new number is already in use by another company (Prytania Consulting) indicating infrastructure rotation and shared number management across multiple fronts.
https://www.linkedin.com/company/prytania-consulting/about/
https://intch.org/company/prytania-consulting
8. RACHAEL LONG - COO AT SPRINTIQ.AI & BEEJERN COMPANY LINKS
Rachael Long is publicly identified as COO at SprintiQ.ai. Her profile connects SprintiQ.ai, Prytania Consulting, and Beejern within the same operational cluster:
Figure 20 – Rachel Long profile: COO at SprintiQ.ai, linked to Prytania Consulting
https://www.linkedin.com/posts/activity-7350929472151322624-dO2X
https://medium.com/@rachaelmlong
https://www.f6s.com/rachael-long#about
https://intch.org/company/prytania-consulting
Rachel Long's profile at f6s.com and Intch directly links her to Prytania Consulting which is the same firm that shares Beejern's second phone number. This creates a verified chain:
• SprintiQ.ai (shared phone with Beejern, He-Cat-E developer, Rachel Long COO)
• Prytania Consulting (shared phone with Beejern, Rachel Long linked)
• Beejern (center node with shared phones, domain emails, UpWork profile)
8.1 Beejern & Rachael Long relation
The LinkedIn post aggregating all these companies (Beejern, SprintiQ, Prytania) shows the account is a LinkedIn Premium subscriber an unusual signal for what presents as a small startup ecosystem:
Figure 21 – LinkedIn post connecting Beejern into the SprintiQ/Prytania cluster; Premium account noted
https://www.linkedin.com/in/rachael-long/
https://www.linkedin.com/posts/activity-7350929472151322624-dO2X
Rachael Long – Agency member
The Beejern UpWork agency profile used to list Rachael Long as an agency member. Investigation reveals her LinkedIn account shows minimal activity with the most recent posts approximately 7 years old, a pattern consistent with a dormant or fabricated identity used to legitimize a front company
Figure A1 — Beejern UpWork agency profile showing completed projects and agency member listing
https://www.upwork.com/agencies/1939111182964594402/
8.2 Rachael Long: Testimony and Cross-Source Corroboration
After spoke with Rachael Long she identifies the owner as David Lin, who concealed his identity during the business relationship using the alias Ihor Zakarchenko, probably a Ukrainian nationality. The associate also identifies Robert Zhu as the individual managing Beejern's UpWork profile during the period of their collaboration
Rachael Long cut ties with David Lin and Beejern in 2025 after growing concerns about the legitimacy of the operation. When contacted, she confirmed what had already been suspected, stating directly: "Yes, Jeff and I both had a gut feeling they are scammers".
Critically, the same TheRavenFile research that documents johy49@beejern.com also independently lists the email address david.lin.9422@gmail.com as a documented DPRK IT worker indicator. This email directly matches the name David Lin provided by the associate a name they had no way of knowing was already present in published DPRK threat actor research. The convergence of an independently provided name with a matching entry in TheRavenFile constitutes significant cross-source corroboration and substantially strengthens the attribution of the individual operating as Beejern's owner to the DPRK IT worker network
The use of probably an Ukrainian ID or alias by an individual whose name appears in DPRK IT worker threat research is consistent with documented North Korean tradecraft. DPRK IT workers routinely assume Eastern European identities particularly Ukrainian to avoid scrutiny, as Ukrainian nationals are perceived as credible remote developers in Western hiring markets and are less likely to trigger OFAC sanctions screening.
8.3 — David Lin: Identity Confirmed Across Platforms
The individual presenting as Beejern's owner used the alias Ihor Zakarchenko during business dealings. However, the identity of David Lin appears linked to both Beejern and SprintiQ.ai across publicly accessible professional platforms, confirming the underlying identity despite the alias.
9. OPERATIONAL PATTERN SUMMARY
The Beejern network demonstrates the following DPRK IT worker operational characteristics:
9.1 - Multi-Layer Identity Management
• GitHub aliases cycling (Redsky500 - Dragonlee321 - GoldenDev321)
• Multiple Telegram/Discord handles per individual
• Typo-variant email addresses to obscure identity (gmail vs gmain)
• Torre AI persona (Ryosuke Yamamoto) disconnected from real identity
9.2 - Company Infrastructure Reuse
• Single phone number (+1 480-271-8467) shared across at least 3 companies
• Secondary phone (+1 410-702-3321) immediately shared upon rotation
• Beejern domain emails embedded in production code and public repos
• Oklahoma LLC registration providing legitimate-seeming US corporate presence
9.3 - Image Manipulation as Social Engineering
• Beejern UpWork profile: real meeting photo with background replaced
• QN Software: stock clothing photo with face transplanted onto it
• Pattern identical across two companies — shared fabrication toolkit
9.4 - Vietnam Nexus
• DreamHi.co and QN Software both operating from Danang, Vietnam
• Vietnam phone number +84 366 756 552 shared between two defunct companies
• Vietnam is a documented DPRK IT worker host country (consistent with prior investigations)
9.5 - Known DPRK Network Confirmation
• dragonlideveloper@gmail.com in TheRavenFile DPRK threat actor list
• Ryosuke Yamamoto / phantomdev0302 recommended by Nisos-confirmed DPRK persona Naoyuki Tanaka
• johy49@beejern.com in TheRavenFile DPRK research
10. DPRK THREAT INDICATORS - RED FLAGS ASSESSMENT
GitHub bio explicitly advertising a suspected DPRK front company (Beejern) direct self-identification by the threat actor
Multiple GitHub username changes (Redsky500 - Dragonlee321 - GoldenDev321) classic identity evasion pattern across 3 aliases, with fork history preserving the full chain
dragonlideveloper@gmail.com documented in TheRavenFile DPRK IT worker threat actor repository independently corroborated external attribution
johy49@beejern.com independently listed in TheRavenFile DPRK research second Beejern domain email confirmed in the same threat actor list
Torre AI profile (phantomdev0302 / Ryosuke Yamamoto) recommended by Nisos-confirmed DPRK worker Naoyuki Tanaka direct network endorsement from a known threat actor
Exposed .env file linking julian_bartell@Beejern.com and dragonlideveloper MongoDB credentials in the same public codebase technical bridge connecting Beejern to the developer alias
Beejern owner identified by a former associate as David Lin, operating under the alias Ihor Zakarchenko (Possibly a Ukrainian identity) david.lin.9422@gmail.com independently documented in TheRavenFile DPRK IT worker list that match name shared by co-worker.
Robert Zhu identified by the same former associate as the individual managing Beejern's UpWork profile during their collaboration
Single US phone number (+1 480-271-8467) shared across Beejern, SprintiQ.ai, and DreamHi.co shell company phone infrastructure pattern
Beejern's phone rotated to +1 410-702-3321, immediately shared with Prytania Consulting coordinated number management across fronts
LinkedIn Premium account connecting Beejern, SprintiQ.ai, and Prytania cluster credibility-building infrastructure for recruitment targeting
Vietnam address and phone (+84 366 756 552) shared between DreamHi.co and QN Software at 16 Thanh Luong 3 Street, Danang DPRK documented host country nexus
Developer He-Cat-E building code across both Beejern-linked projects (Peakality) and SprintiQ.ai using the same credentials single actor operating across multiple fronts
Deliberate image manipulation on UpWork fabricating a team photo by stealing a real business meeting image from Walter Izaguirre Seminario and digitally replacing the background with Beejern branding
Face-swap technique confirmed on QN Software team photos and stolen team photo with manipulated background on Beejern UpWork profile and shared fabrication toolkit across two companies in the same cluster
Oklahoma LLC (Filing #3513654459) registered at a virtual suite address with no real physical presence provides legitimate-appearing US corporate identity for client acquisition and payment processing
Cross-platform profile seeding across DesignRush, SelectedFirms, and Clutch.co using fabricated imagery coordinated legitimacy campaign to manufacture the appearance of an established agency
11. INDICATORS OF COMPROMISE (IOC)
This chapter consolidates all Indicators of Compromise (IOCs) identified throughout this investigation
11.1 GitHub Accounts & Repositories
| IOC / Indicator | Context / Association |
|---|---|
| github.com/GoldenDev321 | Primary suspect — linked Beejern.com in bio |
| github.com/He-Cat-E | Backend dev for Peakality; MongoDB user dragonlideveloper |
| github.com/ScorpiusDraconis83/GoldenDev321 | Fork revealing dragonlideveloper@gmail.com email |
| github.com/ProSeFraudCatcher/GoldenDev321 | Fork revealing dragonlideveloper@gmain.com (typo variant) |
| github.com/He-Cat-E/backend/blob/main/.env | MongoDB credentials — user: dragonlideveloper; DB linked to Beejern |
| github.com/He-Cat-E/sprintiq | He-Cat-E forking SprintiQ.ai project — cross-company link |
| github.com/crystal-rm/peakality | Peakality project co-contributor alongside He-Cat-E |
| github.com/qnsoftware92 | QN Software — Vietnam-linked company, same address as DreamHi |
11.2 Email Addresses
| IOC / Indicator | Context / Association |
|---|---|
| phantomdev0302@gmail.com | GoldenDev321 identity — Telegram/Discord alias phantomdev0302 |
| dragonlideveloper@gmail.com | Commit author on GoldenDev321 forks; MongoDB username |
| dragonlideveloper@gmain.com | Variant of dragonlideveloper — using 'gmain' instead of 'gmail' |
| julian_bartell@Beejern.com | Beejern domain email found in He-Cat-E Peakality repo .env |
| johy49@beejern.com | Beejern domain email reported in TheRavenFile DPRK research |
| contact@beejern.com | Official Beejern contact email |
| alexander116gm@gmail.com | Naoyuki Tanaka persona (Nisos research) — Torre AI profile recommender |
| qnsoftware92@gmail.com | QN Software PayPal account — Vietnam-linked company |
11.3 Telegram & Discord Handles
| IOC / Indicator | Type | Context / Association |
|---|---|---|
| @phantomdev0302 | Telegram | GoldenDev321 / Ryosuke0302 — primary DPRK IT worker alias |
| @Ryosuke0302 | Telegram / Discord | Secondary alias for same individual (GoldenDev321) |
| @Ryosuke0302#1332 | Discord | GoldenDev321 Discord handle |
| @phantomdev0302#7986 | Discord | GoldenDev321 secondary Discord handle |
| @superbluestar | Telegram | Naoyuki Tanaka persona (Nisos) — used on Huy Diep's resume |
11.4 Domains & Company Profiles
| IOC / Indicator | Context / Association |
|---|---|
| beejern.com | Core suspect company — DPRK IT worker front |
| dreamhi.co | Shared phone +1(480)271-8467 with Beejern; Vietnam office |
| qnsoftware.space | Shared Vietnam address with DreamHi; image manipulation detected |
| sprintiq.ai | Shared phone +1(480)271-8467 with Beejern; He-Cat-E contributor |
| peakality.com / peaklity.com | Project built by He-Cat-E using Beejern domain email + dragonlideveloper |
| prytania-consulting (LinkedIn) | Shares phone +1(410)702-3321 with Beejern; linked to Rachel Long / SprintiQ |
11.5 Phone Numbers
| IOC / Indicator | Context / Association |
|---|---|
| +1 (480) 271-8467 | Beejern, DreamHi.co, SprintiQ.ai cluster phone |
| +1 (410) 702-3321 | Beejern (changed number), Prytania Consulting |
| +84 366 756 552 | DreamHi.co & QN Software located Vietnam Danang office |
11.6 Physical Addresses
| IOC / Indicator | Context / Association |
|---|---|
| 9905 S Pennsylvania Ave Ste A, Oklahoma City, OK 73159 | Beejern LLC registered address - Oklahoma |
| 16 Thanh Luong 3 St, District Cam Le, Danang, Vietnam | DreamHi.co & QN Software shared Vietnam office |
11.7 Personas & Identity Aliases
| IOC / Indicator | Type | Context / Association |
|---|---|---|
| GoldenDev321 / Redsky500 / Dragonlee321 | GitHub Aliases | Same individual multiple GitHub identity changes |
| Ryosuke Yamamoto | ITW | Torre AI profile phantomdev0302 ID; DPRK IT worker persona |
| Naoyuki Tanaka | ITW confirmed | DPRK IT worker identified by Nisos recommended Ryosuke on Torre AI |
| dragonlideveloper | Username | MongoDB username in exposed .env; commit email prefix |
| Rachel Long | Person of Interest | Listed COO at SprintiQ.ai; linked to Prytania Consulting cluster |
11.8 Additional Fingerprints & URLs
| IOC / Indicator | Type | Context / Association |
|---|---|---|
| Beejern LLC — Filing #3513654459 | Corp Record | Active Oklahoma LLC — front company for DPRK IT workers |
| torre.ai/alexander116gm | Profile URL | Naoyuki Tanaka active profile — recommended Ryosuke Yamamoto |
| upwork.com/agencies/1939111182964594402/ | UpWork Profile | Beejern UpWork agency — manipulated team photo detected |
| behance.net/itsjackreacher07 | Profile | Stolen face image reused in QN Software team photo |
| youtube.com/@QNsoftware | YouTube Channel | QN Software channel — team photos show image manipulation |
| github-rank.cms.im/ | Tool / URL | GitHub rank checker used by GoldenDev321 |
11. - Complete IOC
| Type | Indicator | Notes |
|---|---|---|
| GitHub Handle | GoldenDev321 / Redsky500 / Dragonlee321 | Primary suspect — multiple aliases, same individual |
| GitHub Handle | He-Cat-E | Backend dev; .env credentials; SprintiQ.ai fork |
| dragonlideveloper@gmail.com | Commit author; MongoDB user; TheRavenFile DPRK list | |
| dragonlideveloper@gmain.com | Typo variant of above | |
| julian_bartell@Beejern.com | Beejern domain email in He-Cat-E .env | |
| johy49@beejern.com | Beejern domain in TheRavenFile DPRK research | |
| phantomdev0302@gmail.com | GoldenDev321 / Ryosuke Yamamoto alias | |
| alexander116gm@gmail.com | Naoyuki Tanaka (Nisos-confirmed DPRK) | |
| qnsoftware92@gmail.com | QN Software PayPal — Vietnam-linked | |
| Telegram | @phantomdev0302 | GoldenDev321 primary alias |
| Telegram | @Ryosuke0302 | Secondary alias, same individual |
| Discord | @Ryosuke0302#1332 / @phantomdev0302#7986 | GoldenDev321 Discord handles |
| Domain | beejern.com | Core suspect company — DPRK IT worker front |
| Domain | dreamhi.co | Shared phone with Beejern; Vietnam office; defunct |
| Domain | qnsoftware.space | Shared Vietnam address; image manipulation; defunct |
| Domain | sprintiq.ai | Shared phone with Beejern; He-Cat-E developer |
| Domain | peakality.com / peaklity.com | Built by He-Cat-E using Beejern email + dragonlideveloper |
| Phone | +1 (480) 271-8467 | Beejern + SprintiQ.ai + DreamHi.co — cluster phone |
| Phone | +1 (410) 702-3321 | Beejern (rotated) + Prytania Consulting |
| Phone | +84 366 756 552 | DreamHi.co + QN Software — Vietnam Danang |
| Address | 9905 S Pennsylvania Ave Ste A, OKC OK | Beejern LLC registered address |
| Address | 16 Thanh Luong 3 St, Danang, Vietnam | DreamHi + QN Software shared office |
| Profile | torre.ai/alexander116gm | Naoyuki Tanaka (Nisos DPRK confirmed) |
| Profile | upwork.com/agencies/1939111182964594402/ | Beejern UpWork — manipulated team photo |
| Profile | linkedin.com/in/rachael-long/ | Beejern agency member — 7-year-old activity |
| Directory | designrush.com/agency/profile/beejern-llc | Third-party listing with fabricated imagery |
| Directory | selectedfirms.co/agency/beejern | Third-party listing with fabricated imagery |
| Corp Record | Beejern LLC - Filing #3513654459 | Oklahoma LLC front company |
| Credential | github.com/He-Cat-E/backend/blob/main/.env | Public .env exposing Beejern email + MongoDB creds |
| Persona | Ryosuke Yamamoto | Torre AI DPRK IT worker persona |
| Persona | Naoyuki Tanaka (alexander116gm) | Nisos-confirmed DPRK IT worker |
Figure A6.