This report documents (3) GitHub accounts showing indicators consistent with DPRK IT worker activity. The primary accounts identified are fullstackdev0110, reo0603, and buddy0323. These accounts were observed in overlapping project environments and appear connected to a broader cluster of developer personas with similar behavioral, identity, and network patterns.
Key indicators include narrow account-creation timing, coordinated interactions, suspicious contribution histories, false or misleading identity details, synthetic naming patterns, contact-channel rotation, and overlap with additional GitHub accounts showing similar behavior. The reo0603 account appears to have used a stolen profile image under the fabricated Reo Charlie persona, while buddy0323 shows repeated changes to public contact information, including multiple email addresses and WhatsApp numbers.
The investigation also identified repeated ordered GitHub issue-reference activity across unrelated historical issues in the typescript-cheatsheets/react repository. The same accounts appeared in the same chronological order, on matching dates, and with issue-specific but repetitive commit messages. This behavior is highly unusual for normal open-source contribution and suggests a shared workflow, script, or automation process designed to generate visible GitHub activity.
The broader cluster also shows links to recruitment and proxy-interview infrastructure previously associated with suspicious DPRK IT worker activity. Taken together, the evidence suggests a coordinated GitHub persona cluster using fabricated or misrepresented developer identities to build trust, manufacture technical credibility, access projects, and support remote work fraud.
While the evidence remains behavioral and circumstantial rather than definitive attribution, the convergence of coordinated GitHub activity, identity manipulation, cross-platform inconsistencies, reused infrastructure, contact-channel rotation, and overlap with previously reported DPRK IT worker activity patterns provides a strong basis to assess the cluster as potentially connected to DPRK IT worker operations.
During recent GitHub OSINT monitoring, multiple GitHub profiles were identified exhibiting coordination patterns and behavioral indicators consistent with previously reported DPRK IT worker activity. The activity involved contributors operating across selected repositories and appearing to act in clusters rather than as isolated independent developers. These patterns included suspicious account histories, overlapping repository participation, coordinated follow relationships, fabricated or misrepresented identity elements, and other red flags associated with identity-misrepresented remote software development activity
Some accounts of interest were observed participating in the same open-source project environment, identified in this investigation as Light Heart Labs https://github.com/Light-Heart-Labs. This report focuses on the behavior, identity artifacts, and network links of those accounts, rather than on the project itself. The available evidence suggests that the accounts may have interacted with other legitimate repositories while presenting fabricated or misrepresented developer personas.
The primary accounts documented in this report include fullstackdev0110, reo0603, and buddy0323. These accounts show indicators of staged developer persona construction, including identity replacement, handle rotation, secondary account usage, suspicious contact methods, and links to other accounts with similar behavioral patterns. Taken together, the observed activity suggests a broader coordinated account network using fabricated or misrepresented developer personas to build credibility, access open-source projects, and support remote work fraud.
Three GitHub accounts fullstackdev0110, reo0603, and buddy0323 are assessed as suspicious and potentially associated with DPRK IT worker activity. This assessment is based on clustered and coordinated behavior, account creation within a narrow timeframe, use of likely fabricated or misrepresented identities, anomalous GitHub commit histories, overlapping repository activity, and additional indicators consistent with known DPRK IT worker activity.
The following sections present the identified accounts, their key internal inconsistencies, and the indicators supporting their possible association with DPRK IT worker activity
The GitHub account reo0603 presents a notable forensic anomaly: the account was created on 3 March 2025, yet its visible contribution history shows 91 contributions over the past year, including activity that appears to extend back before the account's creation date under the email address charliereo565@gmail.com.
While backdated Git commits can occur technically, the timing of the activity, combined with its presence within a broader suspicious contributor cluster, makes this a high-priority indicator. The account was also followed by buddy0323, further supporting the assessment of network coordination rather than isolated developer activity
The following image shows that the GitHub account reo0603 committed code to a repository associated with Light-Heart-Labs
DreamServer commits by reo0603: https://github.com/Light-Heart-Labs/DreamServer/commits?author=reo0603
The GitHub account reo0603 and its associated email address, charliereo565@gmail.com, were analyzed using OSINT Industries. The investigation identified a linked Microsoft account registered under the following identity:
According to the search result, this Microsoft account was created on 20 May 2025 and is in Germany (Country: DE). However, his GitHub profile indicates a Philippines location. This contradiction is a documented DPRK IT worker behavioral pattern: maintaining inconsistent geographic signals across platforms to obscure true location.
Further OSINT analysis of reo0603 reveals a systematic identity takeover of an existing developer portfolio. The GitHub account reo0603/my_portfolio repository contains commits showing the deliberate erasure and replacement of the original developer's identity (Soumyajit Behera / soumyajit4419) with the Reo Charlie persona.
The commit 3620c67 ( in reo0603/my_portfolio shows a full identity replacement of an Indian developer's portfolio. The original README.md, which credited Soumyajit4419, was removed entirely.
https://github.com/reo0603/my_portfolio/commit/3620c67a02b5f2cf3d0e3142faba6fc5dafec96d
Across the codebase, the name "Soumyajit Behera" was replaced with "Reo Charlie," and the location was changed from "Bhubaneswar, India" to "United States." The work history was also altered, replacing the original software developer at Juspay reference with more generic descriptions.
The account also updated the portfolio's external identity markers. GitHub links were changed from soumyajit4419 to reo0603, while Twitter, LinkedIn, and Instagram links were removed. The tech stack was customized, the copyright was changed from "SB" to "RC," and a resume file named Reo_Charlie-Mobile.pdf was added, listing Reo Charlie and charliereo565@gmail.com.
The image below shows the CV used by the reo0603 person:
https://github.com/reo0603/my_portfolio/blob/master/src/Assets/Reo_Charlie.pdf
The profile photo used by reo0603 / Reo Charlie has been identified as belonging to a real person with a verified digital presence. The same photo appears at designplanet.ch/team a legitimate design agency team page
The profile photo used by reo0603 / Reo Charlie belongs to a verified real person (Simon Mast) with a legitimate LinkedIn presence and company profile. This confirms the reo0603 identity is a fabricated persona built using a stolen developer portfolio, a stolen profile photograph, a fictitious western name, and a geographic contradiction across platforms
Simon Mast was contacted directly as part of this investigation. He confirmed that the profile image used by reo0603 is not his and that he has no connection to the account, independently verifying that the persona is fabricated and his photo was stolen without his knowledge or consent. The reo0603 identity appears to be a fabricated developer persona built using potentially stolen personal information. The associated information repository was reported to GitHub.
In addition to the indicators showing fraudulent use or repurposing of another person's identity, the reo0603 / Reo Charlie persona presents further evidence of coordinated operational activity. The GitHub account reo0603 was created on 3 March 2025, while buddy0323 was created shortly afterward on 7 March 2025; both accounts were active in the same project and followed each other, suggesting deliberate network formation and relationship-building rather than random or unrelated account activity.
Conflicting location indicators, including Germany and the Philippines, further suggest multi-platform obfuscation or identity misrepresentation. Taken together, the deliberate persona construction, coordinated GitHub activity, geographic inconsistencies, and timing of account creation support the assessment that reo0603 / Reo Charlie is operating as part of DPRK IT worker activity.
Another GitHub account within the same contributor cluster, fullstackdev0110, exhibits similar behavioral indicators and contributed actively to the DreamServer repository under Light Heart Labs. The account displays anomalous commit-history patterns consistent with the broader suspicious activity cluster under review, lists the contact email dev.coin.developer@gmail.com, and previously operated under the alias mobileappdev0110
The next image demonstrates the commit activity of fullstackdev0110 to DreamServer on March 2026:
Patch commit evidence the use of the mail: dev.coin.developer@gmail.com:
https://github.com/fullstackdev0110/test/commit/c91df00c05ca96ad6f608870e4865c528be2906f.patch
The GitHub account fullstackdev0110 previously operated under the alias mobileappdev0110 before changing its username. However, expanded OSINT Industries search investigation of the email address dev.coin.developer@gmail.com linked to fullstackdev0110 reveals a broader cross-platform identity cluster
The investigation surfaces a Microsoft account registered under the name 'Jey 1219', located in Sweden (Country: SE), and a secondary GitHub account labeled 'Glassy' distinct from the fullstackdev0110 handle. The next image displays the multiple inconsistencies between platform-reported locations, account names, and behavioral timelines
Microsoft account name 'Jey 1219' a numeric last name (1219) is not a real surname. This naming pattern (first name + number) mirrors the 'Reo Charlie' and other DPRK IT worker persona construction patterns: synthetic identities assembled for platform registration, not reflecting real persons.
The OSINT Industries also links an active Google account, a Quillbot account, and multiple GitHub identities, including fullstackdev0110 and the secondary account "Glassy." The Microsoft account associated with the "Jey 1219" persona also shows Sweden (SE) as the outermost country identifier node, reinforcing the previously noted geographic inconsistency across the identity cluster.
In conclusion, the fullstackdev0110 / Jey 1219 identity cluster presents multiple indicators consistent with deliberate persona construction and operational segmentation. The combination of conflicting geographic signals between Philippines and Sweden (SE), GitHub handle rotation from mobileappdev0110 to fullstackdev0110, a secondary GitHub identity under Glassy, staged account creation between Microsoft and GitHub, and linked Quillbot usage suggests a managed developer persona rather than a normal individual account history. When viewed together, these inconsistencies strengthen the assessment that this identity cluster warrants further scrutiny within the broader DPRK IT worker investigation.
Another GitHub profile observed contributing to the project is buddy0323, available at https://github.com/buddy0323. The account is associated with the email address redspider0222@gmail.com, and was created on 7 March 2025
Using OSINT Industries on the mail: redspider0222@gmail.com, surfaces additional indicators tied to the buddy0323 identity cluster. The email appears linked to multiple platforms, including Google, Google Maps, Picsart, Trello, Quillbot, Wix, Adobe, Microsoft, and OtterAI. The Trello account is associated with the name Danylo Shuliak, which matches the name used by the GitHub persona, while the Microsoft account appears under the alias "Lucky Man" and is registered with Country: TR, indicating Turkey. This creates another cross-platform inconsistency, where the same email identity uses different names and geographic signals depending on the platform.
The platform mix is relevant because Trello suggests project coordination, Quillbot suggests possible AI-assisted writing, OtterAI may indicate meeting transcription or call support, and Adobe, Picsart, and Wix could be used to create or modify profile material, resumes, portfolios, or other persona assets. The use of "Lucky Man" as a Microsoft identity is also notable because it follows the same generic word-based naming style seen elsewhere in the cluster, including terms like happy, star, bright, red, spider, and numeric identifiers. Taken together, this supports the assessment that this behavior is not coming from a regular account, but rather from a broader cross-platform developer persona built for operational use as seen in the image
Similarly, the following image shows that the GitHub account buddy0323 committed code to a repository associated with the same project. This activity further links buddy0323 to the broader contributor cluster already observed around the project
An additional observation is that buddy0323 previously used a Minion-style avatar as its GitHub profile image. This is notable because similar cartoon or generic profile images have been observed in prior investigations involving suspected DPRK IT worker accounts on GitHub. The account later changed the profile image to an AI-generated style avatar, which is also consistent with the broader pattern of low-effort or synthetic persona presentation observed across this cluster
We could see the account changed the profile image from the "minion" image to an AI image:
Buddy0323 was also found to have forked a repository belonging to bright0220, another GitHub account displaying similar behavioral and naming patterns
The account bright0220 appears to be part of the same suspected operational cluster and follows a similar email and naming pattern observed across related identities. The naming convention includes recurring terms and numeric elements such as "bright," "happy," "star," "dev," "red," "spider," "dragon," "lucky," "man," "buddy," "0220," "0323," and "601." These repeated lexical and numeric patterns suggest deliberate persona construction rather than unrelated account naming
The bright0220 account is associated with the email address happysuperstar601@gmail.com, as shown in the referenced image. This email structure aligns with the broader naming patterns observed in the cluster, combining positive or generic English-language terms with numeric identifiers to create plausible but low-friction developer personas.
A notable pattern observed in DPRK IT worker activity is the tendency for related accounts to cluster around the same repositories, issues, or commits. In this case several accounts already documented in the investigation [buddy0323 - reo0603] appear together in overlapping GitHub activity and share similar naming conventions, including generic developer terms, positive or aspirational words, and numeric suffixes
A review of three unrelated historical issues in the typescript-cheatsheets/react repository identified a repeated ordered sequence of GitHub accounts adding commits that reference each issue. The same account sequence appears across issues #12, #57, #87, and #190 in the same chronological order, with issue-specific but repetitive commit messages
This pattern spans from February 2022 through April 2026 and involves approximately 47 repeated commit-reference events across each issue. This behavior is highly unlikely to represent normal independent open-source contribution, as seen in the next image:
https://github.com/typescript-cheatsheets/react/issues/57
https://github.com/typescript-cheatsheets/react/issues/87
https://github.com/typescript-cheatsheets/react/issues/12
https://github.com/typescript-cheatsheets/react/issues/190
Across three separate issues, the same accounts repeatedly generate commit-reference events in the same order. The observed sequence contains approximately 47 ordered commit-reference events, this repeated order across unrelated issues is a strong behavioral indicator of coordinated or scripted activity
The following ordered sequence appears across the reviewed issues:
These names are not proof by themselves. However, when they are combined with the repeated ordering of accounts, same date activity, overlapping issue references, and templated commit messages, they become stronger indicators of coordinated account behavior rather than normal unrelated developer activity
Likewise, the issues are technically unrelated, but each one contains repeated commits using a consistent issue specific message. This suggests that the accounts may be following the same activity pattern across different repositories or issues, reinforcing the assessment of clustered GitHub behavior:
| Issue | Issue title | Commit message pattern |
|---|---|---|
| #12 | "How to handle conditional rendering?" | add conditional rendering |
| #57 | "awesome advice from Ferdaber" | incorporate Ferdy's feedback |
| #87 | "FunctionComponent and ComponentClass are not compatible with LibraryManagedAttributes" | update React.FC and defaultProps recommendations |
| #190 | "React.FC vs React.FunctionComponent" | address React.FC and React.FunctionComponent equality |
The commit message pattern is important because these accounts are not appearing randomly. The same accounts repeatedly generate commits using the same message structure for each issue, which suggests a shared workflow, reused template, script, or automation process rather than independent developer activity
The repeated account order across unrelated issues is also a strong indicator of coordinated or automated behavior. The most likely explanation is that these accounts pushed commits in forks or branches where the commit messages referenced historical issue numbers, causing GitHub to automatically generate timeline events in the original issues. This pattern creates repeated visibility across unrelated issues and supports the assessment that the accounts are operating as part of a coordinated GitHub activity cluster
Taken together, some observed red flags about this whole behavior include:
The repeated use of similar username structures, word combinations, profile images, and bio themes across the accounts shown in the next image suggests that these profiles are unlikely to be unrelated individuals. Instead, the overlap supports the assessment that many of these accounts may belong to the same DPRK IT worker cluster or to a supporting facilitator network operating through coordinated GitHub persona
As previously noted, several accounts in this activity display recurring naming and behavioral patterns that align with the broader red flags identified in previous investigations. Additional GitHub accounts commenting in the referenced issue and exhibiting similar suspicious naming conventions or cluster indicators include: dreamcoder75, AIDevMonster, whiteghostDev, cedev935, green52199, CryptoTop1111, secretsuperstar1109, champion119, SuperAdam47, dragon360-dev, fairskyDev0201, solutionGuru0129, dreamsoft07, super-dev03, Mani2044, darkhorse00512, tanaka0722-dev, software-dev-web and the accounts recently reported: buddy0323 - reo0603
It is important to highlight that in this GitHub issue: typescript-cheatsheets/react/issues/12, the GitHub account "ghost" appears as an early commenter dating back to 2018. This is relevant because "ghost" has already been documented in connection with DPRK IT worker recruiter activity. Its presence in the same issue where similar suspicious accounts later appear supports the assessment that this activity space may have been used by accounts connected to the same broader DPRK IT worker cluster:
This account had been previously monitored due to suspicious behavioral indicators, making its appearance in the same activity set relevant to the broader cluster analysis. Its historical presence suggests that some accounts connected to this network may have longer-standing activity histories, potentially indicating account reuse, aging, or prior operational staging
The GitHub account ghost is particularly notable because it appears alongside previously identified suspicious accounts and shows interaction patterns consistent with recruitment or developer outreach
More specific this GitHub profile "ghost" was previously observed interacting with other developers on GitHub, apparently attempting to engage or recruit them for work. The following image shows examples of these interactions, which further support the assessment that ghost may have played a facilitation or recruiter role within the broader DPRK IT worker network:
. The recipient is asked to attend technical interviews under another person's identity, using the sender's name and resume. The proposed interview areas include .NET, Java, C#, Python, JavaScript, Ruby, Golang, Blockchain, and other software-development topics. The sender also states that they can assist the recipient in responding effectively during interviews
The message further claims that, if an offer is received, the sender will manage the background check process and other formalities. After employment is secured, the recipient could either perform the work directly or only attend daily standup meetings, while a separate team of five experienced developers handles the technical work. The compensation model is presented as a salary split, with the recipient allegedly earning around $3,000 per month, the sender also offers payment for referrals, suggesting an attempt to expand the recruitment network.
At the end of the recruitment proposal, the GitHub account ghost signs the message as "Neyma Diaz." A separate GitHub account, NeymaFullStack, was later observed sending an almost identical message and also signing as "Neyma Diaz."
This creates a direct linkage between the two accounts through the same alias, the same recruitment language, and the same operational proposal. Both messages describe a U.S.-based job-hunting business, ask the recipient to attend technical interviews using another person's name and resume, offer coaching during interviews, and claim that the sender will manage the background check process and other hiring formalities
The second message from NeymaFullStack reinforces the assessment that this is not an isolated interaction, but part of a repeatable recruitment workflow. The notable difference is that this second message includes a Calendly scheduling link: https://calendly.com/7codewizard/30min - instructing the recipient to schedule a meeting
The Calendly link used in the NeymaFullStack message https://calendly.com/7codewizard/30min was previously reported by us in the ANY.RUN investigation "Smile, You're on Camera: A Live Stream from Inside Lazarus Group's IT Workers Scheme." In that report, ANY.RUN documents DPRK / Famous Chollima IT worker recruitment activity involving GitHub spam, proxy-interview offers, identity misuse, salary splitting, and recruiter-controlled scheduling workflows
External reporting directly corroborates the suspicious behavior observed in this GitHub cluster. The accounts ghost, reo0603, and buddy0323 appear linked through activity in the same GitHub issue, supporting the assessment that these accounts were acting in a clustered or coordinated manner rather than as unrelated individual users.
This linkage is significant because GitHub account "ghost" has already been reported in connection with DPRK IT worker recruitment activity. The appearance of ghost alongside accounts such as reo0603 and buddy0323 strengthens the hypothesis that these GitHub identities are connected to DPRK IT worker activity and may be part of the same broader operational network.
The evidence shows that fullstackdev0110, reo0603, and buddy0323 are part of a wider suspicious GitHub cluster showing indicators consistent with DPRK IT worker activity. The accounts share coordinated timing, overlapping project activity, suspicious follow relationships, fabricated or misrepresented identities, cross-platform inconsistencies, and links to other accounts with similar naming and behavioral patterns.
This assessment is further supported by the repeated ordered sequence of commit-reference activity observed across three unrelated historical issues in the typescript-cheatsheets/react repository. The same account sequence appears across issues #12, #57, 190, and #87, with the chronological order preserved, the same accounts appearing on the same dates across multiple issues, and issue-specific commit messages following a repetitive template. This behavior is not consistent with normal independent open-source contribution and strongly suggests a coordinated workflow, script, or automation process
The activity is particularly suspicious because the commits reference old closed issues and appear to generate visibility through GitHub timeline events rather than contributing directly to the original issues. The repeated pattern spans multiple years, suggesting a persistent campaign or reusable automation process. Several account names also appear generic, synthetic, or reputation-building oriented, including AIDevMonster, whiteghostDev, CryptoTop1111, secretsuperstar1109, SuperAdam47, dragon360-dev, fast-codi-expert, and software-dev-web.
The strongest case is observed with reo0603, where the account shows portfolio identity replacement, stolen profile imagery, use of the fabricated Reo Charlie persona, contradictory geographic signals, and direct connection to buddy0323. The fullstackdev0110 identity cluster adds further evidence through handle rotation, secondary GitHub account usage, Swedish Microsoft registration, Quillbot linkage, and staged persona development.
The appearance of the account "ghost", a previously reported DPRK IT worker recruiter account, in overlapping GitHub activity strengthens the hypothesis that these accounts are connected to DPRK IT worker operations. The reuse of the 7codewizard Calendly infrastructure provides external corroboration and connects the observed GitHub activity to known recruitment and proxy-interview workflows.
Taken together, these findings support the conclusion that the documented accounts might be part of a broader DPRK IT worker operation using fabricated developer personas to build trust, access projects, manufacture GitHub credibility, and support remote work fraud. While the available evidence remains behavioral and circumstantial rather than definitive attribution, the convergence of coordinated GitHub activity, identity manipulation, reused infrastructure, synthetic account patterns, and links to previously reported DPRK IT worker activity that provides a strong basis to assess this cluster as suspicious and potentially connected to a broader DPRK IT worker ecosystem.
This chapter consolidates all Indicators of Compromise identified throughout this investigation for use in threat hunting, AML watchlisting, platform abuse reporting, and law enforcement referrals. The following indicators should be treated as investigative IOCs linked to the suspected DPRK IT worker GitHub cluster documented in this report