This post is also available in:
Among the millions of accounts on the popular freelance job platform Guru there was one featuring a photo of a striking young woman wearing red lipstick and a green top.
The account described her as a senior software engineer in Bosnia and Herzegovina with 50 completed projects to her name.
“You can contact me at any time,” it was written on the account in English. “I am available in both European and American time zones.”
The person in the photo had nothing to do with the account. Yet it was her name at the top, and an old email address of hers that was listed in the contacts.
In 2025, that email address was among 25 published in a report by the Multilateral Sanctions Monitoring Team, MSMT, a mechanism tasked with monitoring North Korean attempts to evade United Nations sanctions. Another identity used was that of a man in Serbia.
The Guru profile, it emerged, was the work of a group of North Korean hackers identified by sanctions monitors as using stolen identities to gain freelance work with US and European companies with the aim of raising revenues for North Korea.
“At least a portion” of these revenues has been used to help fund North Korean “weapons development and production, domestic infrastructure projects, and procuring consumer goods”, the MSMT reported. In 2024 alone, North Korea “likely earned around $350-800 million from its IT workers worldwide”.
The profile is no longer available on Guru. The person whose identity was stolen to create it is still trying to process what happened.
She only found out when contacted by BIRN. Speaking on condition of anonymity, she said: “What I would most like to find out perhaps is – why me?”
Landing jobs with stolen identities
A fake Guru profile identified as belonging to a woman in Bosnia but in fact created by North Korean hackers. Photo: Screenshot
Analysing the hackers’ digital footprints, BIRN discovered that the email address belonging to the woman in Bosnia had been used – without her knowledge or consent – to create accounts on several job search platforms popular among freelancers, at least one of which bears her first name, last name and photo.
The woman, who is originally from Bosnia but lives in Vienna, said she hadn’t used the email address in question for years. The address was last accessed as recently as last month.
The Guru profile listed a range of IT skills, including proficiency in programming languages Python and JavaScript, as specified an hourly rate of $30.
The profile listed the Bosnian capital, Sarajevo, as her location. The woman actually lives in Austria.
“The profile picture that was used is very, very old – so old that I’d completely forgotten I even had it,” she told BIRN.
Hackers also used the identity of a man in Serbia called Marko Zrinjanin. In this case, the email account was still active as of last month, though Zrinjanin told BIRN in a written response that it was not his address. He said the photographs of him used on the fake profiles were likely taken from an IT forum or website where he had been registered, such as HashNode or Spiceworks.
“At first, I was worried,” Zrinjanin told BIRN, “but when I realised that my name and personal details had been used solely to circumvent the sanctions imposed by Western oppressors who promote quasi-democracy and false freedoms, I felt much better.”
On Guru, Zrinjanin is listed as having been active on the platform since 2018, during which time he has earned $43,000 working for a total of nine companies. His location is listed erroneously as Louisville in the United States.
“Feel free to contact me to discuss the details of your project and how I can help you achieve your goals,” the profile states.
“I am very flexible regarding working hours and can overlap with your schedule for more than six hours a day.”
Similarly, on GoLance, a profile bearing Zrinjanin’s name and photo states he has been active since 2025, charges $35 per hour and has clocked up 200 hours of work.
Hackers from sanctioned North Korean company
The alleged hacker accused of creating the profile falsely attributed to the woman in Bosnia for North Korean cyber operations. Photo: MSMT report
In the MSMT report, the alleged hackers behind the fake Bosnia and Serbia accounts are identified as An Chol Hun and Ri Kwang Hun respectively.
According to the report, both are employed by Korea Mangyongdae Computer Technology Corporation, KMCTC, an IT corporation headquartered in the Chinese cities of Shenyang and Dandong. The latter is on the border with North Korea.
The corporation’s parent organisation is Management Office 607, the MSMT said, which falls under North Korea’s Ministry of Atomic Energy Industry.
Managing North Korea’s nuclear programme, the ministry is subject to strict international sanctions.
After publication of the MSMT report, the US Treasury Department sanctioned KMCTC. The treasury accused KMCTC IT employees of using Chinese nationals as banking intermediaries to conceal the origin of funds generated through illegal IT worker revenue-generation schemes.
One of those employees is An Chol Hun, whom MSMT accused of managing three other false identities besides the one attributed to the woman originally from Bosnia – two from the US and another from Argentina.
Returning to her old email account, the woman from Bosnia said she was relieved to not find “anything interesting”.
“They know what they’re doing and, most likely, once they were exposed, everything was deleted,” she said. “I think things could have been much worse for me. I could have had legal problems because of it… someone could have taken money… obtained someone else’s contact details, perhaps those of someone close to me…”
Choosing their victims
A diagram of the North Korean state apparatus in which hackers using false identities operate. Photo: MSMT report
Maxime Arquilliere, a cyber threat intelligence analyst with the French company Sekoia, which contributed to the MSMT report, said such hackers like to target young professionals with an established profile in the IT sector and a presence on the professional networking platform LinkedIn.
“They gather everything, and it looks like a much more genuine identity than one they could create using artificial intelligence,” Arquilliere told BIRN. “What matters to them [the hackers] is that the identity is real, clean, and appears European on paper, so as not to raise alarm.”
Often, he said, North Korean hackers use facilitators in target countries to get hold of laptops used by a Western firm and allow the circumvention of checks such as those relating to time zones or IP addresses.
Sekoia cybersecurity engineer and technical cyber threat intelligence analyst Amaury Garcon said the hackers can remain connected to such firms for months or even years via the laptops.
“So, in the end, the North Korean operator logs in from anywhere in the world, while the company sees only a legitimate connection with its employee,” Garcon said.
A 2025 analysis by the Google Threat Intelligence Group warned that such scams, traditionally targeting the US labour market, were expanding in Europe.
Payments are invariably received through cryptocurrency, TransferWise and Payoneer, another red flag.
Bojan Perkov, digital policy coordinator with Belgrade-based digital rights and security NGO SHARE Foundation, said that in the past, North Korean hackers infiltrated private companies in the West either by finding collaborators to apply for jobs that the hackers themselves would do remotely, or by applying themselves and manipulating recruiters.
Through such jobs, he said, “they gain access to sensitive information, corporate devices and networks”.
“Serbia is well known for the outsourcing of IT work, particularly for companies from Western Europe and the United States,” Perkov told BIRN. “It is assumed that this is one of the reasons why they chose to steal the identities of Serbian citizens.”
Exploiting a lack of awareness
Illustration of North Korean operations according to the MSMT report. Photo: Detektor
Jonathan Fritz, former US Deputy Assistant Secretary of State for East Asian and Pacific Affairs and who presented the MSMT report at the United Nations in New York, said North Korean hackers are highly adaptable.
“Basically, they look for places where, you know, folks are not aware of the dangers of the scams that they are really good at [carrying out],” Fritz, Senior Fellow for China Policy at the Center for American Progress, told BIRN.
The hackers, he said, use Chinese banks and, among other methods, cryptocurrency payments, which are more difficult to trace. When a country improves its defences, the hackers move on.
In Bosnia, however, Sasa Mrdovic, Professor of Computer Networks at the Faculty of Electrical Engineering of the University of Sarajevo, said that the state lacks sufficient human and institutional capacities, not to mention the legal framework, to provide the necessary protection.
“Unfortunately, our politicians have many things that they consider more important than this, so I think they are aware of it, but it is very rarely high on the list of things they feel they must address,” Mrdovic told BIRN, adding that politicians should realise that they too are not immune.
“This really can happen to any of us,” he said. “The more exposed a person is – and our politicians, like everyone else, are exposed – the more likely they are to find themselves in such a situation.”
The woman from Bosnia agreed: “I thought I was protected, yet something like this still happened to me. I’ve learned that you can never be careful enough, that all sorts of things can happen as long as we’re using the internet.”
According to the MSMT report, from 2024 onwards North Korean hackers established at least two shell companies registered in the US. They exist only on paper, with no assets or employees.
One of them is Guanghe Technology Development LLC, which the report says was used by North Korean IT workers based in China to secure business contracts with an unnamed Serbian company and to receive payments through an American bank.
According to publicly available registers, Guanghe Technology Development LLC is registered in Florida, with Chengze Li listed as the authorised representative.
Among the company’s corporate documents is one from March 2026 in which the US Office of Foreign Assets Control, OFAC, informed the Florida Department of State that Guanghe Technology Development LLC had been registered by a North Korean IT worker and that all transactions and business activities conducted by the company were for the benefit of the North Korean government.
There is no information in the official registers identifying the Serbian company with which it conducted business.
The Special Prosecutor’s Office for High-Tech Crime, based in Belgrade, said in a written response to BIRN that it was unaware of North Korean IT workers’ activities involving Serbia and that no citizens had contacted the office regarding such matters.
Both Bosnia and Serbia comply with UN sanctions on North Korea, but Serbia – not wishing to anger its big-power allies Russia and China – has not aligned itself with specific European Union sanctions on Pyongyang. North Korea, for its part, does not recognise the former southern Serbian province of Kosovo as independent.