Suspicious activity in GitHub associated with DPRK IT Workers

35 min readAug 22, 2024

Investigating the suspicious activity in GitHub associated with the DPRK IT Workers, targeting developers and companies.

This investigation is part of a series of investigations into suspicious activity on GitHub and LinkedIn involving recruiters and developers that is generally related to tactics and methods attributed to the activity of North Korean IT Workers

Key Points

The information suggests the existence of a network of GitHub accounts, where some function as nodes for collecting information, while others are used primarily to boost follower counts on targeted profiles.
In some cases, these “developers” go as far as creating their own websites to enhance their credibility and appear more convincing to potential employers.
Certain accounts seem to operate within a structured hierarchy. This is evidenced by profiles with higher activity levels also displaying a greater number of followers and followed accounts, indicating a coordinated effort.
The campaign appears to be organized with specific roles: some accounts act as nodes, others primarily follow developers, some focus on following companies, and certain accounts exclusively follow female profiles. This suggests a high level of organization and control within the campaign.
The network of fake profiles is extensive, making it increasingly difficult to distinguish between legitimate and fraudulent accounts. The blending of real and false information, coupled with frequent redirects to legitimate profiles, contributes to the deceptive nature of this network.

Context:

The first investigation we tracked an account linked to a Fake recruiter in LinkedIn, who is confirmed have approached developers sending malware and was pointed out for this. A network of fake recruiters was observerd linked to these accounts involved in this activity.

In this investigation we track the same account and others related to understand the network of accounts related to suspcious activity on GitHub. Many of the findings from this new investigation confirm the high possibility that this fraudulent activity on GitHub is related to North Korean IT Workers.

Before starting, it is important to clarify that:

It is known that there are other actors, noted for their irregular activity on GitHub. Check Point Research identified a network of GitHub accounts (Stargazers Ghost Network) that distribute malware or malicious links via phishing repositories.

I make this clarification because this investigation reveals some different type of activity unrelated to the (Stargazers Ghost Network) campaign, which may overlap at times, as seen in section 2.1, where I highlight the different types of phishing targeting GitHub users

It is important to highlight that our goal is to reveal suspicious activity targeting GitHub. Therefore, the aim of this investigation is solely to analyze the activity of suspicious accounts, their content, and their interactions, regardless of which actor or actors might be behind them.

Part 1: Following accounts related to Devmaster929

The first investigation revealed some accounts that were following fake fresh-new created accounts of “recruiters”.

One account highlithed from this investigation because it was well connected to other fake GitHub accounts. The account we mentioned in the first investigation which is already deleted was:

Press enter or click to view image in full size

devmaster929

Since the account got deleted there is still some information in Google:

https://giters.com/Tyjust31?tab=followers

This website host GitHub profiles and the information came is updated using the GitHub API. The website look like this:

The profile devmaster929 used to be displayed here, as one of Tyjust31 followers in GitHub, but after the first investigation the profile was deleted. However, in this profile there are some interesting accounts we are going to look.

After analyzing Tyjust31’s followers manually, there are some that caught our attention, and these are the ones that are highlighted here:

What draws our attention to these profiles is the date of creation, the volume of followers, and the inconsistent activity on their GitHub profiles

Taking this into account, the profile on which we will focus our attention will be the purple one: Warmice71

The activity of this profile allows us to reveal a network of fake profiles.

Part 2: Suspicious activity of user: Warmice71

Considering that our focus will be on Warmice71’s profile, we will start by highlighting suspicious aspects of this Github profile

Many of these details show that this is a fake account from a large network of fake profiles. Analyzing Warmice71, we will start with the information in his profile - joined in June 13, 2023:

Some information in his profile, link him to other accounts:

In this case, most of the stats in this account were taken of the profile “Seniorcoder72”. The account was suspended in december 2023 as seen here:

Press enter or click to view image in full size

https://github.com/orgs/community/discussions/48787

Another interesting aspect is a version of warmice7’s profile that was forked by the user seanpm2001 in GitHub:

https://github.com/seanpm2001/WarmIce71_WarmIce71

Please visit https://patience.onrender.com/

To comtact me. awl19950228@gmail.com

Highlights of this image, if you click on:

https://wakatime.com/@Goblin8888

if you click in any of this options, it will redirect to a profile: PrinceGoblinTech

https://github.com/PrinceGoblinTech?tab=followers

This profile seem to be a fake GitHub account used to farm and monitor different activity: https://github.com/PrinceGoblinTech

The most interesting thing about this account PrinceGoblinTec its because most of the accounts it follows are women’s fake and real accounts.

At searching @princegoblintech there are some results associated with this suspicious profiles:

https://dcmpx.remotevs.com/com/github/SL/Monter7770?tab=following

This website contains some files such as:

vendors-node_modules_github_filter-input-element_dist_index_js-node_modules_github_remote-inp-2e8678-34feeec9c894.js
vendors-node_modules_github_catalyst_lib_index_js-node_modules_github_clipboard-copy-element_-782ca5-54763cd55b96.js

Other websites related are:

Here are few examples of the suspicious activity related to the website https://dcmpx.remotevs.com where “princegoblintech” was mentioned:

Effective URL ||~|| ip

dcmpx.remotevs.com/com/github/SL/Monter7770?tab=following ||~|| 155.248.176.223
api.xgps.vip/ ||~|| 43.153.219.66
github.com/procyberian/emacs ||~|| 140.82.113.3
github.xylmm.one/ ||~|| 172.67.187.114
github.zjzj.xyz/ ||~|| 172.67.145.17
github.com/lukaskleinschmidt ||~|| 140.82.121.3
github.com/lgladdy ||~|| 140.82.121.3
github.com/ ||~|| 140.82.121.4
https://github.com/login/oauth/authorize?approval_prompt=force&client_id=d342498f4d51b18309c3&redirect_uri=https%3A%2F%2Foauth.prod.closetmatchr.com%2Foauth2%2Fcallback&response_type=code&scope=user%3Aemail&state=_AEra8CNJ1yprs6922Bg4q9-loBIpgqkiiqrvYrwSi0%3Ahttps%3A%2F%2Fmonitoring.prod.closetmatchr.com ||~|| 140.82.121.3
github.com/I-Am-Jakoby/x/raw/main/EvilGoose.zip ||~|| 140.82.121.4
github.com/login?return_to=%2Fpages%2Fauth%3Fnonce%3D6fc79e68-90c3-499f-8bd7-20... ||~|| 140.82.121.4
github.zran.top/ ||~|| 188.114.97.3
github.com/zipcodes ||~|| 4.237.22.38
github.com/likuilin/embreddit ||~|| 140.82.113.4
gh.houheya.us.kg/ ||~|| 2606:4700:3035::ac43
github.com/r00t-3xp10it/hacking-material-books?tab=readme-ov-file ||~|| 140.82.121.4
github.com/bahissiteleri-web/betkanyonvip ||~|| 140.82.112.3
github.com/pushkar2112 ||~|| 140.82.121.4
github.com/1904labs ||~|| 140.82.121.4
github.com/sendgrid ||~|| 4.237.22.38
github.com/Harshith-Shetty ||~|| 140.82.121.4
github.zlrwp.cn/ ||~|| 2606:4700:3031::ac43
github.com/channprj ||~|| 140.82.121.4
github.com/JavaPOSWorkingGroup/ ||~|| 140.82.112.3
github.wm.kqr2009.top/ ||~|| 2606:4700:3034::6815:3b82
github.com/AwesomeStickz ||~|| 140.82.121.4
github.proxy.wstudio.work/ ||~|| 172.67.141.26
chatgpt-public.pages.dev/ ||~|| 172.66.46.220

Throughout the investigation, we will examine more websites related to this type of suspicious activity.

Coming back to warmice71, looking at some of the content in this profile, we see that some content is found in other GitHub accounts:

https://github.com/luckyman816/trademarktoday

https://github.com/livedeveloper823/livedeveloper823

https://github.com/LouisWinkler/trademarktoday-nextjs

The website is: https://trademarktoday-nextjs.vercel.app/start

Recapitulating this information of warmice71:

There is one link: https://patience.onrender.com/ that links to a person called Au WaiLun:

This is a fake profile, which they are trying to use to access jobs. And much of the suspicious activity and the numerous mistakes in this profile with broken links, show that this is clearly a fake profile.

Part 2.1: Warmice71: Email address linked to suspicious activity

appnotficiationagent@gmail.com

This email address found in warmice71’s bio is currently linked to some suspicious activity:

An example is this Google search: appnotficiationagent@gmail.com

https://product24swiss.net/?tab=followers&_=%2FMstfakts%23KJWqMdlUlBnsIvkdRR%2BuhIT4

There is a phishing website mimicking a GitHub portal:

There are other websites linked to this email:

http://222.178.203.72:19005/whst/63/=fhsgtazbnl//Miles-Arts?tab=followers

The website look like this, which seems off:

Some results will display other websites related to this email:

These websites seem to be hosted in China

Some of the websites related to appnotficiationagent@gmail.com are also flagged with Malware and Phishing:

https://www.virustotal.com/gui/url/e42bbb457019d3a1ac8d57cc1b5c3748377c0b08a734654ad21a9cd00224bc56/detection

After analyzing some of these websites we could find other phishing websites with this same activity.

Most of these urls are GitHub phishing websites that look like this:

After analizing some of these websites, there are some files that can display (10k suspicious websites) different type of suspicious activity targeting GitHub:
vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-1cea0f5eff45.js

Here is an example of some of these suspicious websites:

GitHub phishing websites - associated files

URL IP AS Server
github.shabicloud.link/ 188.114.97.3 AS13335 cloudflare
github.daw.org.cn/ 2a06:98c1:3120::3 AS13335 cloudflare
k8s.daisy-docker.xyz/ 2a06:98c1:3120::3 AS13335 cloudflare
ghp.itku.org/ 172.67.218.131 AS13335 cloudflare
test-proxy.wzc3340.workers.dev/ 172.67.138.210 AS13335 cloudflare
git.phoenixcloud.workers.dev/ 188.114.96.9 AS13335 cloudflare
git.phoenixcloud.workers.dev/ 188.114.96.3 AS13335 cloudflare
github.qyzhg.work/ 172.67.134.188 AS13335 cloudflare
git.phoenixcloud.workers.dev/features/copilot 188.114.96.3 AS13335 cloudflare
github.wqj666.workers.dev/ 188.114.96.3 AS13335 cloudflare
git.phoenixcloud.workers.dev/ 188.114.97.3 AS13335 cloudflare
git.phoenixcloud.workers.dev/features/copilot 188.114.97.3 AS13335 cloudflare
github.congzile.top/ 188.114.96.3 AS13335 cloudflare
git.phoenixcloud.workers.dev/resources/articles/software-development 188.114.96.3 AS13335 cloudflare
github.zjzj.xyz/ 172.67.145.17 AS13335 cloudflare
git.phoenixcloud.workers.dev/ 188.114.96.3 AS13335 cloudflare
git.phoenixcloud.workers.dev/pricing 188.114.96.3 AS13335 cloudflare
git.phoenixcloud.workers.dev/yyx990803 188.114.96.3 AS13335 cloudflare
github.208886.xyz/ 2606:4700:3033::6815:1726 AS13335 cloudflare
github.gebi.party/ 188.114.97.3 AS13335 cloudflare
github.020327.xyz/ 2606:4700:3034::ac43 AS13335 cloudflare
github.gebi.party/ 188.114.96.3 AS13335 cloudflare
test.zqcnrc.workers.dev/ 188.114.97.3 AS13335 cloudflare
git.phoenixcloud.workers.dev/ 188.114.96.3 AS13335 cloudflare
github.208886.xyz/ 172.67.208.204 AS13335 cloudflare
github.546946.xyz/ 188.114.96.3 AS13335 Cloudflare
k8s.ropo.top/ 2606:4700:3031::ac43:8d20 AS13335 Cloudflare
github.208886.xyz/ 2606:4700:3033::ac43 AS13335 Cloudflare
k8s.hitictoc.com/ 172.67.217.68 AS13335 Cloudflare
github.momonikki.top/ 188.114.97.3 AS13335 Cloudflare
github.517010.xyz/ 188.114.96.3 AS13335 Cloudflare
github.ian2018.club/ 188.114.96.3 AS13335 Cloudflare
hj-4gz.pages.dev/ 2606:4700:310c::ac42:2f78 AS13335 Cloudflare
github.tsingyoung.uk/ 172.67.193.246 AS13335 Cloudflare
github.ian2018.cn/ 188.114.97.3 AS13335 Cloudflare
github.czhiming.cn/ 76.76.21.98 AS16509 Vercel
mszx.847537757.workers.dev/login 172.67.217.249 AS13335 Cloudflare
github.oldtong.us.kg/ 2606:4700:3030::6815:5351 AS13335 cloudflare
github.sunjianxun.eu.org/ 172.67.171.157 AS13335 cloudflare
github-7va.pages.dev/ 188.114.97.3 AS13335 cloudflare
github.cnfaq.cn/ 39.107.52.162 AS37963 nginx/1.20.1
github.hbcraft.cn/ 172.67.193.90 AS13335 cloudflare
github.546946.xyz/ 188.114.96.3 AS13335 cloudflare
github.oasis-ddns.com/ 172.67.205.93 AS13335 cloudflare
github.tiy163.com/ 2a06:98c1:3121::3 AS13335 cloudflare
github.congzile.top/ 188.114.96.3 AS13335 cloudflare
github.yzh.ac/ 172.67.218.69 AS13335 cloudflare
four.245trdgfrs43.workers.dev/ 172.67.140.218 AS13335 cloudflare
iu.dou44oshge.workers.dev/ 172.67.220.221 AS13335 cloudflare
round-tooth-4.hjbyghbn.workers.dev 2606:4700:3034::ac43:8b3f AS13335 cloudflare
uv.bosfiewgsew.workers.dev/ 2606:4700:3035::6815:15fe AS13335 cloudflare
ghcr.registry.lunkr.top/ 2606:4700:3036::6815:957 AS13335 cloudflare
test.blueice233666.workers.dev/ 172.67.163.75 AS13335 cloudflare
history.freeeeesysulabs.top/ 2606:4700:3035::ac43:913d AS13335 cloudflare
github.potp.ro/ 20.27.177.113 AS8075 GitHub.com
github.czhiming.cn/ 76.76.21.241 AS16509 Vercel
ghcr.colinxu.com/ 2a06:98c1:3121::3 AS13335 (CLOUDFLARENET, US) cloudflare
github.gwentmaster.eu.org/ 172.67.166.67 AS13335 (CLOUDFLARENET, US) cloudflare
github.my-serendipity.asia/ 172.67.147.83 AS13335 (CLOUDFLARENET, US) cloudflare
k8s.sqlboy.me/ 172.67.188.112 AS13335 (CLOUDFLARENET, US) cloudflare
git.ginobi.uk/ 2606:4700:3031::6815:3d79 AS13335 (CLOUDFLARENET, US) cloudflare
ghcrproxy.wnty.us.kg/ 172.67.211.119 AS13335 (CLOUDFLARENET, US) cloudflare
k8s.iamdalao.com/ 188.114.96.3 AS13335 (CLOUDFLARENET, US) cloudflare
ghcr.iamdalao.com/ 188.114.96.3 AS13335 (CLOUDFLARENET, US) cloudflare
ghcr.iamdalao.com/ 188.114.97.3 AS13335 (CLOUDFLARENET, US) cloudflare
github.cashen.eu.org/ 2606:4700:3030::6815:5dbf AS13335 (CLOUDFLARENET, US) cloudflare
github-vercel.niliovo.top/ 76.76.21.123 AS16509 (AMAZON-02, US) Vercel
git-hub.us.kg/ 172.67.204.21 AS13335 cloudflare
pola.nehok.top/ 167.71.206.18 AS14061 Tengine
nu.dou44oshge.workers.dev/ 2606:4700:3033::ac43 AS13335 cloudflare
ning1.245trdgfrs43.workers.dev/ 172.67.140.218 AS13335 cloudflare
dc.aerhtt.workers.dev/ 188.114.96.3 AS13335 cloudflare
github.seenke.com/ 188.114.97.3 AS13335 cloudflare
github.initbit.eu/ 188.114.97.3 AS13335 cloudflare
hv.bosfiewgsew.workers.dev/ 172.67.201.168 AS13335 cloudflare
qi7.245trdgfrs43.workers.dev/ 172.67.140.218 AS13335 cloudflare
xu.dou44oshge.workers.dev/ 172.67.220.221 AS13335 cloudflare
git.dgdghub.top/ 172.67.157.118 AS13335 cloudflare
two1.245trdgfrs43.workers.dev/ 172.67.140.218 AS13335 cloudflare
ning.245trdgfrs43.workers.dev/ 172.67.140.218 AS13335 cloudflare
ten.245trdgfrs43.workers.dev/ 172.67.140.218 AS13335 cloudflare
uv.bosfiewgsew.workers.dev/ 172.67.201.168 AS13335 cloudflare
uu.dou44oshge.workers.dev/ 2606:4700:3033::6815:18dd AS13335 cloudflare
mv.bosfiewgsew.workers.dev/ 172.67.201.168 AS13335 cloudflare
mu.dou44oshge.workers.dev/ 172.67.220.221 AS13335 cloudflare
github.fushudi.cn/ 16.162.188.62 AS16509 nginx
ji.bosfiewgsew.workers.dev/ 172.67.201.168 AS13335 cloudflare
winter2024.lsdfjsdkfjl.workers.dev/signup?user_email=k*********@o****.co&source... 172.67.151.205 AS13335 cloudflare
vu.dou44oshge.workers.dev/ 172.67.220.221 AS13335 cloudflare
github.apicage.com/ 76.76.21.21 AS16509 Vercel
gh.whitespider.dev/login 2a06:98c1:3120::3 AS13335 cloudflare
one1.245trdgfrs43.workers.dev/ 172.67.140.218 AS13335 cloudflare
yv.bosfiewgsew.workers.dev/ 172.67.201.168 AS13335 cloudflare
late-sea-43aa.piper1136752612.workers.dev/ 172.67.181.86 AS13335 cloudflare
fv.bosfiewgsew.workers.dev/ 2606:4700:3030::ac43 AS13335 cloudflare
one2.245trdgfrs43.workers.dev/ 172.67.140.218 AS13335 cloudflare
hub.o-o.men/ 188.114.96.3 AS13335 cloudflare

More examples in this repository

Here is a few example of different type of suspcious activity related:

Phishing type #1: GitHub main website phishing

Effective URL: github.daw.org.cn

Phishing type #2: Redirect traffic to GitHub

Submitted URL: https://9y4yg.r.sp1-brevo.net/mk/cl/f/sh/1t6Af4OiGsE8LM4qz7HOlP4KlSuixR/qd_2_92mzeYY

Effective URL: https://github.com/transferthought/transfer-thought?utm_source=brevo&utm_campaign=Last%20Email%20-%20Walk%20Through&utm_medium=email

The url redirect to a GitHub that seems to be a company profile, also with this own website: https://www.transferthought.com/

It is highly likely that this GitHub profile and website are sites created by this actor carrying out this suspicious activity campaign.

Phishing type #3: Enterprise target

Effective URL:mayamessinger-037be608e01f302ba.qaboot.net

Some variations targeting enterprises include:

https://**aminaffandi-0b142ee2e50cfd39c.ghe-test.net**/join

Phishing type #4: GitHub profile

Submitted URL: http://github.leol.me/
Effective URL: https://github.com/MrSchneemann

Other example:

Submitted URL: https://sigs.kubernetes.io/
Effective URL: https://github.com/kubernetes-sigs/

Phishing type #5: Accesing your personal information

Tracing this file also related: vendors-node_modules_dompurify_dist_purify_js-89a69c248502.js

Submitted URL: http://github.razem.io/
Effective URL: https://github.com/login?client_id=19e341627e272dd6e61e&return_to=%2Flogin%2Foauth%2Fauthorize%3Fclient_id%3D19e341

https://github.com/login/oauth/authorize?client_id=19e341627e272dd6e61e&response_type=code&scope=repo+repo%3Astatus+user%3Aemail+read%3Aorg&state=dabc910c752f7f10

Other example:

Submitted URL: https://alertmanager.bbcore.co/
Effective URL: https://github.com/login?client_id=f90672ee0575dc84f7d8&return_to=%2Flogin%2Foauth%2Fauthorize%3Fapproval_prompt%3Dforce%26client_id%3Df90672ee0575dc84f7d8%26redirect_uri%3Dhttps%253A%252F%252Foauth2.bbcore.co%252Foauth2%252Fcallback%26response_type%3Dcode%26scope%3Duser%253Aemail%2Bread%253Aorg%26state%3DvEfr1DUrBXbEh7R8y8dWUUHqTSy2YxivzFbddiEwre8%253A%252Fredirect%252Falertmanager.bbcore.co%252F

Most of the files mentioned here are related to at least 10k sites with suspicious activity.

By searching the following files it is possible to see the high suspicious activity that exists pointing towards GitHub:

vendors-node_modules_dompurify_dist_purify_js-89a69c248502.js
vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-858e043fcf76.js
vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-1cea0f5eff45.js
vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_smoothscroll-polyfill_di-75db2e-686488490524.js
vendors-node_modules_github_catalyst_lib_index_js-node_modules_github_clipboard-copy-element_-782ca5-54763cd55b96.js
_js-1cea0f5eff45.js

For example at searching for: vendors-node_modules_dompurify_dist_purify_js-89a69c248502.js
We could find suspicious activity redirecting to specific repos and also GitHub phishing websites:

Submitted URL       ||||||||||    Effective URL

dcbadge.limes.pink/ |||||||||| github.com/gitlimes/discord-md-badge
dcbadge.limes.pink/ |||||||||| github.com/gitlimes/discord-md-badge
github-stats.jiangmingtao.com/ |||||||||| github.com/anuraghazra/github-readme-stats
 |||||||||| k8s.vernorboy.gq
cpil-ms-service-referral-code.docs.web.ddfarming.de/ |||||||||| github.com/login
hub.anxl.dev/ |||||||||| github.com/anilmisirlioglu
alertmanager.bbcore.co/ |||||||||| github.com/login
 |||||||||| github.dreamofinfinity1.top/
xvp-essentials-qa-automation.coast.xcal.tv/ |||||||||| github.com/login
xxx.6d76fbsxdm.cc/ |||||||||| github.com/arduano
user-management-doc.dev.bosch-emobility.com/ |||||||||| github.com/login
features.k8s.io/ |||||||||| github.com/kubernetes/enhancements/issues
 |||||||||| trojan-7uj.pages.dev/
git.kubernetes.io/ |||||||||| github.com/kubernetes/
git.k8s.io/ |||||||||| github.com/kubernetes/
github.unterdrueckt.com/ |||||||||| github.com/unterdrueckt/
github.anthonywritesco.de/ |||||||||| github.com/anthonywritescode
 |||||||||| gitlab.319838.xyz/
alertmanager.khatex.com/ |||||||||| github.com/login
sigs.kubernetes.io/ |||||||||| github.com/kubernetes-sigs/
 |||||||||| github.imc.re/AmbireTech
robinzor.nl/ |||||||||| github.com/robinzor
github.leol.me/ |||||||||| github.com/MrSchneemann
 |||||||||| test.zqcnrc.workers.dev/
 |||||||||| github.wisteria.cf/
 |||||||||| github.com.n3xt.top/
 |||||||||| github.com.justnull.cn/
 |||||||||| github.mmcc.us.kg/
 |||||||||| github.sbst.us.kg/
favicon.getsona.io/ |||||||||| github.com/twentyhq/favicon/blob/main/README.md
oauth2.bbcore.co/ |||||||||| github.com/login
 |||||||||| ghcr1.739527.xyz/
kajitsy.ru/ |||||||||| github.com/Kajitsy
git.pkarr.org/ |||||||||| github.com/Pubky/pkarr
 |||||||||| github.kxpsado.workers.dev/
tracking.tldrnewsletter.com/ |||||||||| github.com/heyPuter/puter/?utm_source=tldrwebdev
 |||||||||| git.jhll.fun/
docs.testapi.exact-framework.io/ |||||||||| github.com/login
discordgophers.com/ |||||||||| github.com/discord-gophers
login.atxconsulting.com/ |||||||||| github.com/login
 |||||||||| vless-page-proxy.pages.dev/login
 |||||||||| speedgithub.pages.dev/
rust.hoelweb.com/ |||||||||| github.com/jkhoel/rust
github.imahmud |||||||||| github.com/anuraghazra/github-readme-stats

Some of these files js. mentioned above can display different type of suspcious activity

Phishing type #6: Websites of “companies”

By searching we found this website: https://dev.mw/

This website display GitHub scraped information using their API:

If you try to log in in this website it will redirect you to a GitHub profile of a “company”:

https://github.com/login/oauth/authorize?response_type=code&client_id=b243400bc0f8caee11ac&state=dyJKbZLUmhlMP8yudLgHHr9mZnTTSXSLAqQiY2yl4Dk&scope=read%3Auser+user%3Aemail

https://developers.sh/

The above demonstrates significant evidence of the high volume of fraudulent activity associated with this GitHub profile [warmice71] and particularly the email address: appnotficiationagent@gmail.com

Part 2.2: Warmice71: Suspicious website and profile

Taking into account the information in the GitHub of warmice71:

There is a url: https://patience.onrender.com/ that links to a person called Au WaiLun:

This is a confirmed fake profile, since most of the information is broken and doesnt match anything to the GitHub account.

After reviewing several profiles associated with this user, we discovered that other websites are using the same template. This has led to a mix of both fake and legitimate accounts employing the same style, which complicates distinguishing between them.

Here are a few examples:

https://ummaabhignakumarreddy.netlify.app/

Similar website with generic information

2. https://hashkov.online/

3. https://evilgon.vercel.app/

This type of websites where there is a mix of information make it harder to indetify if an user is a real person or a fake developer.

This profile have a CV added which make harder to know if someone is real, but the interactions in social networks also could describe some of his intentions. For example in his X account: https://x.com/evilgon0214

https://x.com/evilgon0214/status/1813947245328572655

4. https://elbert-ainstein.github.io/

5. www.hnascx.dev

6. https://jethroblock.com/

7. www.navansh.co

8. https://roshanpaudel.com/

9. https://attractive-portfolio-teal.vercel.app/

10. https://ramin3d.netlify.app/

Some of these websites use the same templates as those of real individuals, making it more challenging to verify their legitimacy

Related files 

css-79a7f026.png
html-92b76a73.png
hash:ac5660916025fb3045d974bcc12261328a7dcaaa8e86ab6a1f1dd97ead4e890d

Keep in mind that the templates used by the suspicious actor may resemble real profiles, leading to overlap with real accounts

I want to point out that this list includes real accounts, accounts whose legitimacy cannot be determined, and others that are clearly fake. However, this list serves as an example of websites that use a similar template, so in most cases, verification must be done manually:

List of websites 

URL ||~|| IP Address
hashkov.online/ ||~|| 2a02:4780:9:1064:0:80f:ca82:3
danielamenyenu.netlify.app/ ||~|| 2a05:d014:275:cb02::c8
nadunnissankauiux.netlify.app/ ||~|| 2a05:d014:275:cb01::c8
www.nkumar.info/ ||~|| 76.76.21.241
www.mikebuilds.xyz/ ||~|| 76.76.21.21
luiginicoletti.vercel.app/ ||~|| 76.76.21.22
itsaniket.tech/ ||~|| 3.70.101.28
www.iamdobhal.dev/ ||~|| 76.76.21.98
michaelheinhold.github.io/ ||~|| 2606:50c0:8001::153
haniii.vercel.app/ ||~|| 76.76.21.98
nft.khtain.com/ ||~|| 150.230.26.250
portfolio-sylvat160.vercel.app/ ||~|| 76.76.21.98
patience.onrender.com/ ||~|| 216.24.57.252
parthtiwari.vercel.app/ ||~|| 76.76.21.93
www.midhatahir.com/ ||~|| 76.76.21.9
seth-v2.netlify.app/ ||~|| 2a05:d014:58f:6201::64
krishnaprasad12.netlify.app/ ||~|| 2a05:d014:58f:6202::64
roshanpaudel.com/ ||~|| 3.72.140.173
ummaabhignakumarreddy.netlify.app/ ||~|| 2a05:d014:275:cb01::c8
www.guilhermebs.me/ ||~|| 76.76.21.9
krishnaprasad12.netlify.app/ ||~|| 2a05:d014:275:cb00::c8
hudhaifa-dev-portfolio.vercel.app/ ||~|| 76.76.21.123
raghavgoel.vercel.app/ ||~|| 76.76.21.9
aleksin-official.vercel.app/ ||~|| 76.76.21.142
tayler.wiki/ ||~|| 52.58.254.253
yacine.vr360.pt/ ||~|| 185.12.116.109
brolab.dev/ ||~|| 76.76.21.21
shitatmiyu.github.io/ ||~|| 2606:50c0:8001::153
buildblox.xyz/ ||~|| 52.58.254.253
www.kyleparkin.dev/ ||~|| 76.76.21.241
www.omrawat.xyz/ ||~|| 76.76.21.61
5f-creator.netlify.app/ ||~|| 2a05:d014:58f:6200::64
milosmekota.com/ ||~|| 2a02:4780:27:1572:0:30d8:8e3f:2
crazii.dev/ ||~|| 212.132.64.126
abir-dutta-porfolio.netlify.app/ ||~|| 2a05:d014:275:cb01::c8
www.kairostay.com/ ||~|| 188.114.97.3
portfolio-react-fiber.vercel.app/ ||~|| 76.76.21.241
john-lee.vercel.app/ ||~|| 76.76.21.142
sparks.orbzzy.com/ ||~|| 188.114.97.3
www.gauravpant-tech.solutions/ ||~|| 76.76.21.241
allesman.net/ ||~|| 45.153.56.227
www.rohanpatil.xyz/ ||~|| 76.76.21.61
glen-simmons.com/ ||~|| 76.76.21.164
hash-brown.dev ||~|| 2a05:d014:58f:6201::64
ilancosta.com ||~|| 2a02:4780:13:913:0:3562:5c01:3
nicholaschoi4.netlify.app ||~|| 2a05:d014:58f:6200::64
luiginicoletti.vercel.app ||~|| 76.76.21.22
cromag.pro ||~|| 52.58.254.253
elbert-ainstein.github.io ||~|| 2606:50c0:8000::153
vedanthramanathan.com ||~|| 2a05:d014:275:cb00::c8
devmody.pro ||~|| 3.70.101.28
michaelheinhold.github.io ||~|| 2606:50c0:8000::153
kaanbas.com ||~|| 162.19.142.161
nirav-patel.vercel.app ||~|| 76.76.21.142
omed-dev.de ||~|| 85.13.132.10
portfolio.kittycat.moe ||~|| 81.143.214.55
portfolio-enmanuel.vercel.app ||~|| 76.76.21.142
aftabalam.tech ||~|| 52.58.254.253
attractive-portfolio-teal.vercel.app ||~|| 76.76.21.123
prakashgowri.com ||~|| 2a02:4780:b:1105:0:2e4c:2901:2
p.kittycat.moe:25803 ||~|| 81.143.214.55
seahorse-app-2hih8.ondigitalocean.app ||~|| 2a06:98c1:58::60
portfolio-sylvat160.vercel.app ||~|| 76.76.21.61
griffinannshual.netlify.app ||~|| 2a05:d014:58f:6201::64
akshaybagai.vercel.app ||~|| 76.76.21.61
songhao-li.com ||~|| 2a02:4780:2b:1610:0:3851:dda3:2
my-folio-six.vercel.app ||~|| 76.76.21.164
evilgon.vercel.app ||~|| 76.76.21.22
ummaabhignakumarreddy.netlify.app ||~|| 2a05:d014:58f:6200::64
rudis-cordones.es ||~|| 2a02:4780:b:1104:0:68a:375f:2
james102.netlify.app ||~|| 2a05:d014:275:cb01::c8
songhao-li.com ||~|| 2a02:4780:2b:1610:0:3851:dda3:2
tayler.wiki ||~|| 3.70.101.28
mishab.online ||~|| 76.76.21.22
john-lee.netlify.app ||~|| 2a05:d014:58f:6200::64
www.dennisberg.com.br ||~|| 76.76.21.21
lucaliebenberg.com ||~|| 76.76.21.21
simonferns.com ||~|| 76.76.21.21
www.kyleparkin.dev ||~|| 76.76.21.241
agency.rccodex.co.in ||~|| 76.76.21.21
shitatmiyu.github.io ||~|| 2606:50c0:8001::153
crazii.dev ||~|| 212.132.64.126
parthtiwari.vercel.app ||~|| 76.76.21.22
kairostay.com ||~|| 52.58.254.253
stevenlexr.com ||~|| 76.76.21.241
aleksin-official.vercel.app ||~|| 76.76.21.164
armaan-singh-portfolio.netlify.app ||~|| 2a05:d014:275:cb00::c8
haniii.vercel.app ||~|| 76.76.21.22
iamdobhal.dev ||~|| 76.76.21.61
luiginicoletti.vercel.app ||~|| 76.76.21.61
roopdilawar.dev ||~|| 76.76.21.61

You could find more results here.

After analyzing some of these websites of developers with Virus total:

https://buildblox.xyz/
https://patience.onrender.com/
https://brolab.dev/
https://krishnaprasad12.netlify.app/
https://tayler.wiki/
https://raghavgoel.vercel.app/,

Some of these websites are linked to different type of suspicios activity:

Graph of websites related to suspicios activity as developers

Graph: https://www.virustotal.com/graph/embed/g565132128f03401984440c9159c822aecd702ff8ad584013b3828a80dd8aa606?theme=light

The massive creation of profiles on websites linked to GitHub was evident, seeking to give greater legitimacy and credibility to the fake profiles that are created and thus generate greater trust in potential employers.

Part 2.3: Warmice71: Suspicious activity in repositories

After analyzing much of the activity found on the GitHub profile of warmice71, there is more suspicious activity that stands out in his repositories:

https://github.com/warmice71?tab=repositories

We are going to focus in the first repository:

https://github.com/warmice71/vinci-store-product-scraping

If we check this repo is just a paid work to scrap some data of vinci and using the data in other website that sell some of the same products.

After checking inside of Project-process:

https://github.com/warmice71/vinci-store-product-scraping/tree/main/project-process

After checking inside of Project-process: there is a video Record_2024_01_19_11_56_26_32.mp4 of someone called Au WaiLun:

The following is a screen recorded video by this developer, where he receives instructions, exchanges passwords, develops the work and finally wants to receive payment by other means, which seems strange to the employer, and also shows difficulty in expressing himself in English:

Record_2024_01_19_11_56_26_32.mp4

The employer was alerted about this person’s suspicious activity and advised to change all passwords.

Likewise, at the end of the video, the person recording the screen receives a notification about 50 possible new jobs. And also express his intention to continue the conversation via Skype.

In this folder there are some images that show the high activity of this profile on portals such as Upwork

There are other repositories that continue to be analyzed in search of relevant information.

To recap and highlight something important, this is the profile that Au WaiLun used to identify himself at the beginning of the conversation:

He mentioned the profile: https://github.com/AI0228

This profile uses the same image, and the activity appears similar to warmice71:

https://github.com/AI0228 & https://github.com/warmice71

Considering that these two accounts are connected, we will analyze their followers and the accounts they follow to better understand a significant portion of the fake profile network in the part 4. The goal is to identify patterns that make it easier to distinguish between fake and legitimate accounts.

Part 3: Warmice71 GitHub status and “seniorcoder72”

In order to close on the findings about the information found in the GitHub profile. We mentioned that his status had a broken link that displayed a profile: “seniorcoder72”

In this case, most of the stats in this account were taken of the profile “Seniorcoder72”. The account was suspended in december 2023 as we alredy mentioned. However the activity of this alias “seniorcoder72” is very extensive.

Including the creation of accounts in different websites such as: GitHub, HYPE, DEV, CodeSandBox, Socket.dev, npm.io and more:

There are also some documents uploaded as seen here and other websites:

In this example he used CodeSandbox a collaborative cloud environment for devs and is using VS code:

https://codesandbox.io/p/sandbox/seniorcoder72-trademarktoday-nextjs-src-dgjdyx?file=%2Fcomponents%2FAlertContainers.tsx

Some packages uploaded:

“npm i @seniorcoder72/for-npm-publish-test”

https://socket.dev/npm/package/@seniorcoder72/for-npm-publish-test

This same package was uploaded here:

https://www.npmjs.com/package/@seniorcoder72/for-npm-publish-test?activeTab=code

It was also uploaded to npm.io

https://npm.io/package/@seniorcoder72/for-npm-publish-test

We’ve observed that this profile was once very active on GitHub but has since been suspended, with its repositories deleted. However, the focus on uploading npm packages seems quite unusual.

Part 4: Warmice71 & AI0228 - Analyzing followers and who they follow:

Considering that there is a relationship between these two accounts that was found in the screen recording:

https://github.com/AI0228 & https://github.com/warmice71

We will analyze some of their followers of both accounts, and we need to recapitulate to the very first beginning:

The next account that will be our focus is:

AI0228 is also following champion10873:

https://github.com/champion10873?page=52&tab=followers

When we check the account: https://github.com/champion10873

His website looks like this: https://erwinhofmann.onrender.com/

If we analyze the image of Erwin Hoffman, this is an stock image using other people face:

https://kr.pinterest.com/pin/591660469787048241/

Taking into account that this profile is also fake and is associated with Warmice71 as well as AI0228, then we will analyze the followers of https://github.com/champion10873.

There are some accounts which have warmice71 and AI0228 in common. Likewise, other profiles tend to be repeated among followers, and other accounts have certain characteristics that allow them to be identified.

Here are some suspicious followers and also suspended accounts who follow champion10873:

Suspicious accounts following champion10873:

https://github.com/codewizard0803
https://github.com/ArtemPchela
https://github.com/HegeKen
https://github.com/swdreams
https://github.com/SMILES00714
https://github.com/codestar3524
https://github.com/Forest410
https://github.com/smart-fullstack-iot
https://github.com/LuckyGangStar
https://github.com/undyingkevin007
https://github.com/devlancer0328
https://github.com/Arturs1123
https://github.com/ironcg20
https://github.com/blockchainstar1112
https://github.com/kingp08
https://github.com/enzifiri
https://github.com/mrmajid007
https://github.com/DevStar1016
https://github.com/decoderwhoami
https://github.com/alexjung1128
https://github.com/wittyCodeX
https://github.com/WhiteRabbit130
https://github.com/Yuanmeng-Shi
https://github.com/dev0614
https://github.com/teamchong
https://github.com/livedeveloper823
https://github.com/champion10873

Suspended accounts:

https://github.com/olehrab
https://github.com/awesomedev08
https://github.com/eugene254-ship-it
https://github.com/zoro9519

There is also a lot of suspicious activity behind this id @champion10873: And the websites we found are also related to some of the traffic we alredy analyzed above.

For example the activity behind this website related to Champion10873:

https://meilu.sanwago.com/url-68747470733a2f2f6769746875622e636f6d/MafujShikder?tab=followers

More examples include:

Is also related to some of the files they use in these phishing websites such as:

global-fe6db6dfddd1.css
primer-primitives-8500c2c7ce5f.css
app_assets_modules_github_onfocus_ts-ui_packages_trusted-types-policies_policy_ts-ui_packages-6fe316-9d50d6f10c3d.js
vendors-node_modules_oddbird_popover-polyfill_dist_popover_js-56729c905fe2.js
arctic-code-vault-contributor-default-df8d74122a06.png

Several of these files have been observed on most of the websites used in this campaign targeting GitHub. However, this does not necessarily imply that any site naming one of its files this way is phishing. Nevertheless, this is a method that allows us to monitor this campaign, as a significant portion of these websites use the same associated content.

There is some specific suspicious activity linked to GitHub, where some websites redirect to GitHub profiles that seems to be fake and others that are hard to identifty, here are some examples:

Submitted URL | IP  | Effective URL

meilu.sanwago.com/url-6874747073a2f2f6769746875622e636f6d/MafujShikder?tab=fol... | 8.217.217.28 | meilu.sanwago.com/url-6874747073a2f2f6769746875622e636f6d/MafujShikder?tab=fol...
sidereal.ca/ | 140.82.114.3 | github.com/stuwil
campanagerald.dev/ | 140.82.121.4 | github.com/coyksdev
campanagerald.dev/ | 140.82.121.3 | github.com/coyksdev
github.josefjantzen.de/ | 140.82.121.4 | github.com/JosefJantzen/
secure2.gustav.dev/ | 140.82.121.3 | github.com/gbrodman
github.bassadin.de/ | 140.82.121.4 | github.com/bassadin
github.matiasbaldanza.dev/ | 140.82.113.4 | github.com/matiasbaldanza
bz.uber.space/ | 140.82.121.4 | github.com/bezoerb
github.quentin.paris/ | 140.82.121.3 | github.com/qparis
github.thrasymache.com/ | 140.82.121.3 | github.com/thrasymache
matthewbill.com/ | 140.82.121.4 | github.com/matthewbill
github.leece.im/ | 140.82.121.3 | github.com/AshLeece
booking.gustav.dev/ | 140.82.112.4 | github.com/gbrodman
www.campanagerald.dev/ | 140.82.113.4 | github.com/coyksdev
 | 2606:50c0:8003::153 | github.yafb.net/
github.kartikpatel.in/ | 140.82.121.3 | github.com/kkpatel1/
www.github.dilloid.dev/ | 140.82.121.4 | github.com/Dilloid
github.dilloid.dev/ | 140.82.121.3 | github.com/Dilloid
dea42.dev/ | 140.82.121.4 | github.com/avatar42
mfauth.net/ | 140.82.113.4 | github.com/MauricioFauth
github.thomas-miller.com/ | 140.82.121.3 | github.com/TomRobo237/
cloudflare-pages-url-shortener-1fv.pages.dev/ | 140.82.121.3 | github.com/tadhglewis
github.nixon.dev/ | 140.82.121.3 | github.com/anthonynixon/
www.github.pash.city/ | 140.82.121.4 | github.com/pashpashpash
github.pash.city/ | 140.82.121.4 | github.com/pashpashpash
github.pash.city/ | 140.82.121.4 | github.com/pashpashpash
github.louiscad.com/ | 140.82.121.3 | github.com/LouisCAD
github.gparrello.com/ | 140.82.112.4 | github.com/gparrello
github.josephamcdonald.com/ | 140.82.121.3 | github.com/josephamcdonald
github.surj.dev/ | 140.82.112.4 | github.com/surjikal
 | 43.153.219.66 | api.xgps.vip/prophen
www.github.thomas-miller.com/ | 140.82.121.4 | github.com/TomRobo237/
www.securitykernel.io/ | 140.82.121.4 | github.com/securitykernel
designrknight.com/ | 140.82.121.3 | github.com/DesignrKnight
 | 43.153.219.66 | api.xgps.vip/yyx990803
steamraven.xyz/ | 140.82.121.3 | github.com/steamraven
github.mhummel.com/ | 140.82.121.3 | github.com/hummelm10/
 | 43.153.219.66 | api.xgps.vip/kazupon
github.suhasbacchu.com/ | 140.82.114.3 | github.com/sbacchu
github.jtgis.ca/ | 140.82.112.4 | github.com/jtgis
github.jtgis.ca/ | 140.82.112.4 | github.com/jtgis
github.thejus.dev/ | 140.82.121.4 | github.com/Thejus-Paul
github.thejus.dev/ | 140.82.121.3 | github.com/Thejus-Paul
afonsosantos.me/ | 140.82.121.4 | github.com/afonsosantos

Find more of the list here: https://github.com/BlockOSINT/GitHub-phishing/blob/main/Suspicious%20accounts%20linked

Here are some examples of some websites already flagged by CrowdStrike Falcon Sandbox related to the above mentioned:

Submitted URL: http://github.quentin.paris/
Effective URL: https://github.com/qparis

2. Submitted URL: http://github.obm.one/
Effective URL: https://github.com/Offbeatmammal

3. Submitted URL: http://github.njzjz.win/
Effective URL: https://github.com/njzjz/

4. Submitted URL: http://horstexplorer.de/
Effective URL: https://github.com/Horstexplorer

5. Submitted URL: http://github.felipeoliveira.xyz/
Effective URL: https://github.com/felipe0liveira

6. Submitted URL: http://github.jonnyl.in/
Effective URL: https://github.com/rangedsp

These examples, and the websites related to Champion’s suspicious activity, are similar to the websites and activity related to warmice71.

After analyzing more of the champion10873 activity, we found more profiles related to him:

https://www.freelancer.co.ke/u/champion10873

More profiles related to this image and id:

https://ubuntop.com/lander/ubuntop.com/?tab=packages&_=%2Fchampion10873%23FrWXv%2FmXcSq5ZaoMQrkpSzjl

As we mentioned, we see another account using the same image in yhype.me:

However, this fake profile updated his image using other picture:

But there is a profile of champion10873:

One aspect to highlight is that we have seen that a large part of these fake profiles have also created their profile on this website: https://yhype.me/

This is an analytics website for GitHub that allows you to monitor activity there. This site may be legitimate but may be being used for other purposes.

There is a strong relationship in both followers and activity between this profile Champion10873, AI0228 and warmice71. Furthermore, it was observed that the results associated with these IDs match the phishing websites created, which, in turn, share some documents with each other.

Part 5: AI0228-champion10873-warmice71: Analyzing followers and who they follow: cedev935

There are some accounts that catch our attention due to their recent activity and the quality of the profiles they follow, as well as those that follow them.

https://github.com/AI0228 & https://github.com/cedev935

In this case, the following account, cedev935:

Is followed by AI0228:

https://github.com/cedev935?page=3&tab=followers

also by warmice71:

https://github.com/cedev935?page=4&tab=followers

And also followed by:

And followed by 2 suspended accounts who are also linked to the GitHub accounts mentioned above:

Likewise, this account caught our attention because of its profile image, which resembles those of warmice71 and AI0228.

The account is https://github.com/Forest410

Additionally, when analyzing its followers, we see that it shares the majority of accounts already mentioned, which function as a network:

This account has also been seen following all of these profiles:

This GitHub account https://github.com/D4Fi is followed by both accounts:

https://github.com/D4Fi?page=11&tab=followers

Other account who follow D4Fi is: https://github.com/high5dev:
In hight5dev´s followers there is a profile that also uses a similar image:

https://github.com/high5dev?page=1&tab=followers

The account with similar image to AI0228 — warmice71 is:

These accounts and the way they “follow” each other on GitHub are part of an organized network of profiles, which seem to share some common themes. For instance, many of their followers are profiles of “full stack” developers with more than +5 years of experience.

Part 6: AI0228-champion10873-warmice71-forest410-cedev935-topdev0215: “full stack” developers with more than +5 years

A large portion of these profiles have followers and accounts that seem to inflate the number of followers. Additionally, these are profiles that are gradually being built up.

When analyzing several of these profiles, many share aspects like being “Full stack” developers and having (+5) certain years of experience.

In this regard, when conducting searches on GitHub, you can find some accounts that seem to be connected to this network, along with other legitimate profiles that make it difficult to distinguish between them:

ID *** Bio
https://github.com/Sheraz-arif *** I am a creative, results-oriented Software Developer with 5 years of experience in developing, deploying, full stack applications using Elixir, Ruby on Rails
https://github.com/Navineluminous *** Full Stack Developer having 5+ Years of experience with Deployment skillsets over AWS, Azure DevOps
https://github.com/nazar509 *** I’m a Senior Full Stack Web && Mobile Developer with 6 years of experience, including 1.5 years of commercial work. Sokyryany, Ukraine · 4 · 0
https://github.com/Shubham-Sharma101 *** I am a highly skilled Full Stack Developer specializing in the MERN Stack with 4.5+ years of professional experience. Throughout my career, I have successfully Hyderabad, Telangana, India · 0 · 0
https://github.com/SidraaCode *** I am a Full Stack Developer with over 5 years of experience developing web and mobile-based solutions for business ideas and needs. Karachi · 0 · 0
https://github.com/valeriikovaliuk6 *** I am a seasoned full stack developer with 5+ years of experience.
https://github.com/Himanshui4 *** I am Python Full Stack Developer with 1.5 years overall experience. Jaipur · 0 · 0
https://github.com/ishu-engg *** Full stack developer (MERN) with 2.5 years of experience
https://github.com/Rajeshw0 *** MERN Stack (Full-Stack) Developer I have 5+ years of experience in web development. Let's play with professionalism.
https://github.com/karimtoulba *** Self-taught, highly motivated, and goal-oriented full-stack web developer with 5+ years of experience developing and implementing innovative web apps.
https://github.com/erchandraprakash1999 *** I'm a full-stack software developer and I'm passionate about building high-quality and scalable solutions. 5 With years of practical experience, I have successf Lucknow · 35 · 0
https://github.com/codestar3524 *** I am a senior full-stack developer with over 5 years of experience in software development across various industries.
https://github.com/CodeMaster436 *** Passionate full-stack developer with over 5 years of experience crafting responsive, dynamic web applications.
https://github.com/edogola4 *** 👋 Hi, I'm Edwin Ogola, a Full-stack Developer from Nairobi, Kenya. I specialize in Python, JavaScript, and AI with 5+ years of experience. My expertise incl...
https://github.com/deepak-dev-fullstack *** I'm Deepak Kumar, a Full Stack Developer with over 5 years of experience in building robust and scalable web applications.
https://github.com/i5z1a *** Full stack developer with 4-5 years of experience. 😏 Website front-end design expert, professional Wordpress and WooCommerce user, and website back-end geek Saudi Arabia · 1 · 1
https://github.com/yaroshsemtom *** Passionate software developer with 5 years of experience building robust and scalable applications. Skilled in full-stack development. Canada · 0 · 0
https://github.com/Syed-Ayaz *** Hey there! I'm Syed Ayaz, a passionate Full Stack Developer with over 5 years of experience in developing web and mobile applications. My tech stack includes Re
https://github.com/viktor-hashievron *** Full stack developer with 5+ years experience building web apps, apis and mobile apps - React, Node, AWS - seeking new challenges!
https://github.com/tonyc1045dust *** Passionate software developer with 5 years of experience building robust and scalable applications. Skilled in full-stack development.

More of these seemingly suspicious profiles can be found here

It is also important to mention that there are profiles on this list that are legitimate. However, there are several profiles that are questionable and others that are clearly related, for example

Similar image to AI0228 — warmice71:

This account is following some suspicious account we already know are in this network:

This account also follows a suspended account: https://github.com/Rez4-4

https://github.com/codestar3524?page=4&tab=following

This suspended account have in the repositories, other account in comon that is in this network:

https://github.com/Rez4-4/next-tailwind-likeAmazon

The account is awesomedev08:

Accounts which is also suspended:

and there are some suspicious websites related:

https://carbody.shop/visit-github.com/thsWebstorm03?tab=followers

According to this GitHub search, for Developer with 5+ Years Experience, another profile stands out: https://github.com/web3gru

In his followers, some accounts already highlighted:

We also found another account that has a very similar image to those of AI0228 and warmice71:

This id is also in the web3 Job Portal: https://web3.career/

Analyzing some of the activity in his GitHub, we found some interesting accounts linked:

Accounts mentioned: DevHunter128, charmingdev222, zealotry1developer, SnowBlueChain

Most of these profiles have the pattern of creating the GitHub account using the word “dev” “developer” with a descriptive adjective, like “smart” “charming”. We also have seen the variatons of words that are used in the creation of these suspicios accounts.

In this case, the profile mentioned: https://github.com/charmingdev222

Is using a websites which seems to be not real, using the name Sophie Wong, but her mail adddres is: albertguerrero3478@gmail.com. Which seems pretty off:

Given that some similar profiles were evident among the images, it is important to recap which profiles appear to have similarities:

https://github.com/AI0228
https://github.com/warmice71
https://github.com/niceDeve
https://github.com/codestar3524
https://github.com/topdev0215
https://github.com/Forest410
https://github.com/enzifiri
https://github.com/sunlight0902
https://github.com/ERTWENTY

This example is a demonstration of the apparent network of GitHub profiles that seem to be related, as even the followers of these accounts also appear to follow each other.

This and other cases show that these profiles, and the majority of those who follow these accounts, are likely fake or suspicious accounts. This is mainly because these accounts lack content that would be attractive to “real people” and instead appear more like empty profiles with a high level of follower and following activity without any clear explanation.

Part 7: Zachxbt investigation of multiple DPRK IT workers

In an investigation shared on X, Zachxbt revealed over 25 crypto projects with multiple developers that have been active since June 2024

https://x.com/zachxbt/status/1824047425822310580

The next image is a cropped version of zachxbt image uploaded sharing information of DPRK IT workers:

https://x.com/zachxbt/status/1824047425822310580/photo/1

We want to focus in the profile Naoki Murano where Zach added that the user “supermutecx” wiped his GitHub:

The profile in mention was “supermutecx”:

https://x.com/zachxbt/status/1824118137668997511/photo/1

In this same post the user blackbigswan mentioned that there are some related email addresses using the name “Naoki”:

https://x.com/blackbigswan/status/1824148708415639711

He pointed that a similar name, its found in the account: 0xb10ckdev

https://x.com/blackbigswan/status/1824148708415639711/photo/2

Some results in GitHub can confirm the relation between 0xb10ckdev and Satoshi Naoki, that could lead us to think that this is Naoki Murano. At searching in GitHub there is high activity around this name:

https://github.com/search?q=satoshi+naoki&type=commits

The profile mentioned is this: 0xb10ckdev

Although the activity seems normal, some followers of this account have certain special characteristics. The are being followed by AI0228 & warmice71

In this sense, some followers of 0xb10ckdev are: @noyyyy, who is a “Full stack engineer”

If you check the followers of https://github.com/noyyyy:

Other accounts are example in the followers of 0xb10ckdev, is @eves8:

In his followers is warmice71:

And also the account follows 0xb10ckdev:

https://github.com/0xb10ckdev?tab=followers

The followers include accounts we’ve previously identified as suspicious, such as AI0228 and warmice71.

https://github.com/Depth-Hoar?tab=followers

Coming back at the account that Zachxbt reported “supermutecx”, there is some activity under this name:

npm | Profile

All-in-one solution to connect to Ethereum providers. - Completely library agnostic (use Web3.js, ethers.js, ...). …

www.npmjs.com

supermutecx - Packages - Socket

Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for…

socket.dev

Kivach - supermutecx/web3-double-react | Cascading donations

Cascading donations to github repositories. Support open-source projects with donations in crypto, and they will…

kivach.org

Likewise, some content associated with 0xb10ckdev:

Since the GitHub account supermutecx was wiped by the fake developer, there is another account that can also be linked to him:

https://github.com/smartcontractkit/full-blockchain-solidity-course-js/discussions/6635

Thus, there is a high probability that this account is also used by him:

Analyzing some related profiles from the investigation by Zachxbt on DPRK IT Workers, we found that some of the profiles mentioned by him, are connected to the network of profiles mentioned in this investigation.

Part 8: Patterns and characteristics observed in GitHub accounts

Considering the accounts found in this investigation, there is a large number of accounts that share certain characteristics, such as the use of similar images, IDs with specific words, creation dates, and other aspects related to the fact that these accounts all follow each other, apparently forming a network.

When analyzing the followers and following of these accounts and some other accounts related:

https://github.com/AI0228
https://github.com/warmice71
https://github.com/niceDeve
https://github.com/codestar3524
https://github.com/topdev0215
https://github.com/Forest410
https://github.com/enzifiri
https://github.com/sunlight0902
https://github.com/ERTWENTY

We found that there are several accounts that have some interesting characteristics:

Example #1: Full stack developers and Blockchain developers using this image of a minion

Profiles of full stack developers using the image of a minion

And other full stack developers using similar type of images:

https://github.com/Ortiz2525
https://github.com/HegeKen
https://github.com/undyingkevin007
https://github.com/Yuanmeng-Shi
https://github.com/teamchong
https://github.com/undyingkevin007
https://github.com/nickdev0118
https://github.com/Ortiz2525
https://github.com/FunnyDev1228
https://github.com/javiergold112
https://github.com/PhilpGreene
https://github.com/undyingkevin007
https://github.com/teamchong
https://github.com/miniTalDev
https://github.com/kingp08
https://github.com/devlancer0328
https://github.com/DoSmile0705

Example #2: Full stack developers and Blockchain developers using similar images:


https://github.com/Seniorcoder72
https://github.com/SMILES00714
https://github.com/WhiteRabbit130
https://github.com/WebRabbit1796
https://github.com/supercoder-0923
https://github.com/hudesdev
https://github.com/bstar0406

Example #3:
Another profile of a Full Stack Developer with the same image on two accounts. Additionally, the use of a Gmail account is observed publicly:

https://github.com/goldenfinix68
https://github.com/tonny0831
https://github.com/goldenfinix68
https://github.com/seriousfuzzy
https://github.com/ironcg20
https://github.com/Arturs1123
https://github.com/ironcg20

Example #4:
Profile of Full Stack using an AI image

A large portion of the followers of this account are fake accounts that have been shown to be related to warmice71 and AI0228:

Similarly, there are several of these accounts that use “Full Stack Developer” or “Blockchain Developer” in their bios, accompanied by certain images that can be seen on other accounts among their own followers.

Other characteristic:

A notable aspect is that many of the accounts with a higher likelihood of being fake were created at the end of 2023.

Many of these accounts with suspicious activity tend to use words like “developer,” “dev,” “code,” “senior,” “golden,” mixed with terms such as smart, devil, robust, happy, goal, wizard, star, awesome, among others, in their GitHub IDs.

It has been observed that there are profiles with low activity but a large number of repositories. Similarly, there are profiles with no activity but a high volume of followers.

Other profiles appear to be under construction; they are recent but include a significant amount of personal information such as Instagram, phone numbers, and other details, which is unusual.

Similarly, analyzing the activity of repositories on GitHub is part of the detail that should be considered, including the forked projects and examining emails and IDs in this person’s repositories.

A large part of the ability to identify which profiles might be fake is based on the combination of several of these characteristics. They help to understand the context of a profile, including who follows it and why, avoiding the analysis being solely focused on “what skills you have” and “where you worked.”

Part 9: Network of suspicios accounts:

The purpose of showing these charts is to provide a general overview of the most important accounts and how they are interconnected.

Here is a visual representation based on a hierarchy, highlighting the focus on warmice71 and AI0228.

On the other hand, this chart illustrates the significance of certain nodes, with the size of the circles representing their importance based on their higher level of interconnection

The accounts mentioned in this chart are those with the highest activity and are some of the most notable GitHub accounts found in this investigation

Conclusion:

The accounts AI0228 and warmice71 are related. Even the screen recording was done using the AI0228 account as the profile, but they worked with the warmice71 account.
A significant portion of the evidenced activity can be moderately attributed to North Korean IT Workers, as there are techniques and methods that clearly differentiate their suspicious activity from others.
The warmice71 profile was also recently mentioned in connection with some profiles due to the content of their repositories, as they are suspected to be part of North Korean IT Workers operations.
Many of the followers and followed accounts of these profiles seem to be part of a network of accounts that help increase the number of followers, as well as functioning as nodes to collect legitimate information.
It seems that within this campaign there are certain tiers regarding the capabilities of these individuals. Some accounts aim to access specific types of jobs, while others focus on related activities but do not specifically target employment or directly engage in it.
It is known that there is activity by another actor (Stargazers Ghost Network), mentioned in this research. This actor’s objective is to distribute malware or malicious links via phishing repositories, using a network of multiple accounts. However, the evidence here showed a network of fake profiles that simulate being “developers,” with the purpose of accessing jobs. To achieve this, they create these profiles on various social networks such as Upwork as seen in this investigation.
The profiles mentioned in the ZachXBT investigation, when analyzed, show that among their followers are accounts they follow, which are related to this network of suspicious activity.

GitHub accounts related to this suspicious network:

It should be noted that many of these profiles were manually selected from the followers of accounts with the highest suspicious activity. Similarly, other accounts were extracted from profiles with no activity but a certain number of followers.

These are some of the accounts that frequently appear across the suspicious profiles. Additionally, most of these accounts follow each other, suggesting that they are part of a coordinated network. Notably, some of these profiles also follow accounts that have been suspended:

GITHUB ACCOUNTS - SUSPICIOUS FOLLOWING PATTERN

https://github.com/champion10873
https://github.com/warmice71
https://github.com/AI0228
https://github.com/warmice0228
https://github.com/Forest410
https://github.com/niceDeve
https://github.com/high5dev
https://github.com/bryton90
https://github.com/xaramore/
https://github.com/devlancer0328
https://github.com/livedeveloper823
https://github.com/yujiaqing999
https://github.com/DEADCOMPLEX
https://github.com/BATJOKEZ
https://github.com/ToasterTheFox
https://github.com/Tyjust31
https://github.com/mbahomaid
https://github.com/WonderfulDev0810
https://github.com/happydeveloper0305
https://github.com/undefined0000000
https://github.com/cedev935
https://github.com/nickdev0118
https://github.com/devlancer0328
https://github.com/luckyengineer053
https://github.com/RealDiligentDev
https://github.com/DevCrazer
https://github.com/code-wizard21
https://github.com/DigiTransIoT
https://github.com/kaplanh
https://github.com/DevHunter128
https://github.com/D4Fi
https://github.com/mustafacagri/
https://github.com/devconductor125
https://github.com/RealDiligentDev
https://github.com/smartDev420
https://github.com/cedev935
https://github.com/HappyCodingWizard
https://github.com/undyingkevin007
https://github.com/javiergold112
https://github.com/D4Fi
https://github.com/robustdev111
https://github.com/raghavgithub06
https://github.com/bluedone
https://github.com/Kenlock
https://github.com/devking1116
https://github.com/piordev555
https://github.com/HappyCodingWizard
https://github.com/huynhtrinh22
https://github.com/undyingkevin007
https://github.com/champion10873
https://github.com/javiergold112
https://github.com/cupidarrow0417
https://github.com/cedev935
https://github.com/robustdev111
https://github.com/bh717
https://github.com/OfficialCodeVoyage
https://github.com/decoderwhoami
https://github.com/comet-dev48
https://github.com/awesomedev08
https://github.com/FunnyDev1228
https://github.com/bstar0406
https://github.com/horizonvert1027
https://github.com/cvs0
https://github.com/its-topdev 
https://github.com/TheHackerDude1083
https://github.com/SMILES00714 
https://github.com/olehrab
https://github.com/ironcg20
https://github.com/Rez4-4/
https://github.com/GoldenDev176743
https://github.com/superdev87
https://github.com/mrmajid007
https://github.com/HappyCodingWizard
https://github.com/LegendaryDev320
https://github.com/stacksculptor
https://github.com/PromiseEverlasting
https://github.com/mycrvsh
https://github.com/3verLove
https://github.com/wonderdev007
https://github.com/cedev935
https://github.com/swdreams
https://github.com/Design-and-Code
https://github.com/dougkalash
https://github.com/omidnk02
https://github.com/Charles-Chrismann
https://github.com/paulo-magls
https://github.com/OfficialCodeVoyage
https://github.com/FreeFly0125
https://github.com/instrik
https://github.com/xaramore
https://github.com/Daynlight
https://github.com/vkl15
https://github.com/SecretDragonStar
https://github.com/ironcg20
https://github.com/LuckyGangStar
https://github.com/technestme
https://github.com/naziton
https://github.com/TaronVardanyan
https://github.com/loveagile
https://github.com/clive-goldminer
https://github.com/Shehab-Hegab
https://github.com/mwarcc
https://github.com/TheRakibHassan
https://github.com/kingp08
https://github.com/jk4freedom
https://github.com/kevinhearts
https://github.com/sajjad-salam
https://github.com/MohamedAyman22E
https://github.com/amexyegondar
https://github.com/UPVEX
https://github.com/alikargar1
https://github.com/AI0228
https://github.com/isaka-james
https://github.com/lu0415mc
https://github.com/dianahammonds
https://github.com/Arfifias
https://github.com/ProgrammeChef
https://github.com/TAYBI
https://github.com/aylarghezelbash
https://github.com/flaviopavim
https://github.com/GabiDeutner
https://github.com/karupuhhpoeg
https://github.com/standardgalactic
https://github.com/pmjakporoo
https://github.com/PuzzleTakX
https://github.com/Gizachew29
https://github.com/champion10873
https://github.com/bpieczek
https://github.com/NazmusSayad
https://github.com/fedebayer
https://github.com/alanchrissantony
https://github.com/amezyankhalid
https://github.com/lssarao
https://github.com/rahman-O
https://github.com/adrielldev
https://github.com/juliofleitas
https://github.com/stan8086
https://github.com/VaporFoxLash
https://github.com/warmice71
https://github.com/Jeanpk12
https://github.com/Shahimafiroz
https://github.com/JohnMwendwa
https://github.com/fari049
https://github.com/Webzarium
https://github.com/noakosar
https://github.com/murilosoarez
https://github.com/seo-asif
https://github.com/AbSomeone
https://github.com/Cwackz
https://github.com/tymsai
https://github.com/D-260
https://github.com/HeannaReis
https://github.com/Batoul-Shaheen
https://github.com/seregaci
https://github.com/DevStar1016
https://github.com/CharlieGreenman
https://github.com/Emakiflom
https://github.com/royzu
https://github.com/mirkowo
https://github.com/noryev
https://github.com/arsg0etia
https://github.com/slyvic
https://github.com/Nakshatra05
https://github.com/AaQ027
https://github.com/Amirzan89
https://github.com/F3lip32010
https://github.com/bstar0406
https://github.com/frankfanslc
https://github.com/Makitey
https://github.com/milad1450
https://github.com/karimihup
https://github.com/iran1371
https://github.com/aliglxe
https://github.com/gamemann
https://github.com/Kingsley-coder-prog
https://github.com/Ortiz2525
https://github.com/farellduc
https://github.com/mohisa302
https://github.com/Renato15767
https://github.com/pehcy
https://github.com/Jeffersonlima578
https://github.com/amirnobari
https://github.com/melsayedshoaib
https://github.com/sh4dowpunk
https://github.com/Konstans8
https://github.com/sahvsergio
https://github.com/codewizard0803
https://github.com/VictorMattV
https://github.com/johnolson2219
https://github.com/lemmiwinks1551
https://github.com/mehdi-mirzaie78
https://github.com/elitmor
https://github.com/saidurraahmaan
https://github.com/fab-souza
https://github.com/Jooker302
https://github.com/m7moudGadallah
https://github.com/xmrrabbitx
https://github.com/illyasen1999
https://github.com/amriddin26
https://github.com/22388o
https://github.com/CaptainBawa
https://github.com/devpro
https://github.com/MetaFomos
https://github.com/Vit0rg
https://github.com/kaxiii
https://github.com/omotomiwa26
https://github.com/srivallabha11
https://github.com/renawmontanari
https://github.com/IDouble
https://github.com/nurllhk
https://github.com/Sam666O
https://github.com/cumsoft
https://github.com/romafill
https://github.com/shahriar-rahman
https://github.com/mahseema
https://github.com/IHesamI
https://github.com/yusufbali13
https://github.com/Vincenteliezer
https://github.com/alexsantos-dev
https://github.com/Rsync25
https://github.com/Omar95-A
https://github.com/Chunnyluny
https://github.com/berserkerx
https://github.com/faizan150
https://github.com/erfanzar
https://github.com/Necoo33
https://github.com/CsarGomez
https://github.com/ngalamac
https://github.com/Prdsilva80
https://github.com/jhcode33
https://github.com/ip681
https://github.com/ShahramShakiba
https://github.com/alexbender19
https://github.com/JOSHUA-A69
https://github.com/rizvan555
https://github.com/LalithaRamanaV
https://github.com/MatinT-SA
https://github.com/enna-ai
https://github.com/Dmytro1991ua
https://github.com/DataDruide
https://github.com/aronadkins2023
https://github.com/maksymhu
https://github.com/hirokisaito912
https://github.com/cedev935
https://github.com/codewizard0803
https://github.com/ArtemPchela
https://github.com/HegeKen
https://github.com/swdreams
https://github.com/SMILES00714
https://github.com/codestar3524
https://github.com/Forest410
https://github.com/smart-fullstack-iot
https://github.com/LuckyGangStar
https://github.com/undyingkevin007
https://github.com/devlancer0328
https://github.com/Arturs1123
https://github.com/ironcg20
https://github.com/blockchainstar1112
https://github.com/kingp08
https://github.com/enzifiri
https://github.com/mrmajid007
https://github.com/DevStar1016
https://github.com/decoderwhoami
https://github.com/alexjung1128
https://github.com/wittyCodeX
https://github.com/WhiteRabbit130
https://github.com/Yuanmeng-Shi
https://github.com/dev0614
https://github.com/teamchong
https://github.com/livedeveloper823
https://github.com/champion10873
https://github.com/olehrab
https://github.com/awesomedev08
https://github.com/eugene254-ship-it
https://github.com/zoro9519
https://github.com/joyfulmagician
https://github.com/elijahgummer
https://github.com/Perfect0B0D
https://github.com/high5dev
https://github.com/Iqbolshoh
https://github.com/Godisgood84
https://github.com/webscriptmaster
https://github.com/WebRabbit1796
https://github.com/tonny0831
https://github.com/PokeyManatee4
https://github.com/montedev0516
https://github.com/supercoder-0923
https://github.com/seniorvuejsdeveloper
https://github.com/smartcoder0310
https://github.com/mltrev23
https://github.com/DoSmile0705
https://github.com/gulsahmy
https://github.com/steven-kamanga
https://github.com/po1206
https://github.com/Navachethan-Murugeppa
https://github.com/zoro9519
https://github.com/devconductor125
https://github.com/ZekkaUltra
https://github.com/happylucktoday
https://github.com/svestka7
https://github.com/Malina777
https://github.com/mycodingan
https://github.com/mongtte
https://github.com/goldenfinix68
https://github.com/robertking731
https://github.com/xaramore
https://github.com/devlancer0328
https://github.com/smart-fullstack-iot
https://github.com/seriousfuzzy
https://github.com/satokihanada
https://github.com/HappyCodingWizard
https://github.com/LuckyGangStar
https://github.com/undyingkevin007
https://github.com/jmohan57
https://github.com/ironcg20
https://github.com/kingp08
https://github.com/worldlead
https://github.com/JevKnight
https://github.com/ERTWENTY
https://github.com/liaohandel
https://github.com/mrmajid007
https://github.com/HeDesertFox
https://github.com/hudesdev
https://github.com/decoderwhoami
https://github.com/adonistoday
https://github.com/sunlight0902
https://github.com/nickdev0118
https://github.com/dev20014
https://github.com/DenV7
https://github.com/ai-to-ai
https://github.com/AzFlin7
https://github.com/NoctisAvem
https://github.com/WhiteRabbit130
https://github.com/web-dev092
https://github.com/mochafreddo
https://github.com/MildSandy
https://github.com/UMUTBAYGUT
https://github.com/GoldenDev176743
https://github.com/alakise
https://github.com/Forest410
https://github.com/devlancer0328
https://github.com/superdev87
https://github.com/Ortiz2525
https://github.com/DevPepperspray
https://github.com/awesomedev08
https://github.com/robustsolution
https://github.com/FunnyDev1228
https://github.com/nickdev0118
https://github.com/javiergold112
https://github.com/olehrab
https://github.com/kingp08
https://github.com/po1206
https://github.com/devconductor125
https://github.com/goldenfinix68
https://github.com/xaramore
https://github.com/seniorvuejsdeveloper
https://github.com/Akshen22
https://github.com/MuhamadCheaito
https://github.com/webscriptmaster
https://github.com/joyfulmagician
https://github.com/RealDiligentDev
https://github.com/xleonardov
https://github.com/psuarezdev
https://github.com/techwhiz74
https://github.com/seniorvuejsdeveloper
https://github.com/po1206
https://github.com/Forest410
https://github.com/devconductor125
https://github.com/devlancer0328
https://github.com/goldenfinix68
https://github.com/xaramore
https://github.com/LuckyGangStar
https://github.com/HappyCodingWizard
https://github.com/superdragonstar1226
https://github.com/undyingkevin007
https://github.com/ironcg20
https://github.com/Sobhan-mp
https://github.com/kingp08
https://github.com/blue0316
https://github.com/blockchainstar1112
https://github.com/911-carrera
https://github.com/Rzyzh
https://github.com/billyjacksone
https://github.com/simamatin
https://github.com/hudesdev
https://github.com/teamchong
https://github.com/SdDev0224
https://github.com/DevStar1016
https://github.com/dirkarnez
https://github.com/ero-ge
https://github.com/WaelDev
https://github.com/Idouble
https://github.com/NoctisAvem
https://github.com/george0st
https://github.com/AMagicHarry
https://github.com/standardgalactic
https://github.com/hmltn-0
https://github.com/george0st
https://github.com/SerKore
https://github.com/nana9292
https://github.com/warmice71
https://github.com/goaldev
https://github.com/IDouble
https://github.com/luckyengineer053
https://github.com/SWxEng
https://github.com/DarkLorenEstrada
https://github.com/vhkechichian
https://github.com/afsalat
https://github.com/Swanstonn
https://github.com/kenjinote
https://github.com/K-Najwno
https://github.com/black-harry
https://github.com/ITexpLee
https://github.com/kelleymartin872
https://github.com/keeneyetact
https://github.com/DevHunter128
https://github.com/web3gru
https://github.com/zealotry1developer
https://github.com/smartman1234
https://github.com/PeterPan627
https://github.com/BestFriend67
https://github.com/Sherifrancis
https://github.com/lovelypuppy0607
https://github.com/kevinleeelsa
https://github.com/smart-maker
https://github.com/Calebtan978
https://github.com/CodyStone-boy
https://github.com/LoveNuna
https://github.com/WarnerDemon
https://github.com/silent-sea1119
https://github.com/elicohen12
https://github.com/Kobra-soft
https://github.com/leaderfrank
https://github.com/mustafacagri
https://github.com/madeindex
https://github.com/Connor9994
https://github.com/Crypto400600
https://github.com/Perfect0B0D
https://github.com/tosky199412h09ttps://github.com/tonny0831
https://github.com/rust-sol
https://github.com/ayelet326
https://github.com/paulo-magls
https://github.com/tothetop430
https://github.com/smartDev420
https://github.com/code-wizard21k
https://github.com/AP2Topper0127
https://github.com/noa1020
https://github.com/webscriptmaster
https://github.com/jindev2718
https://github.com/techwhiz74
https://github.com/ryukaizen
https://github.com/GenioustaWiz
https://github.com/RealDiligentDev
https://github.com/NextThread
https://github.com/GDIATTA
https://github.com/code-wizard21
https://github.com/bahomaid23
https://github.com/smartcoder0310
https://github.com/dreamjet31
https://github.com/BlackHole1225
https://github.com/redtomato0129
https://github.com/seniorvuejsdeveloper
https://github.com/JensonCollins
https://github.com/devlancer0328
https://github.com/sengulatik66
https://github.com/goldenfinix68
https://github.com/robertking731
https://github.com/smart-fullstack-iot
https://github.com/gentlepuck071
https://github.com/mrmajid007
https://github.com/HappyCodingWizard
https://github.com/stacksculptor

Heiner.

Coinmonks