Reality of DPRK IT Worker undermining the Japanese IT industry behind the scenes

Investigation on “Bravemaster619” and Measures Companies Can Take

Sh1ttyKids
Nov 12, 2023

First edition created: 07/17/2022

Public English version created: 11/12/2023

This report expands on research published in an article in The New Yorker, using publicly available information such as Google searches, social media profile information, and China-specific services.

Research Background

An article published by The New Yorker in 2021 reported that a North Korean IT worker using the username Bravemaster619 was working as a freelance programmer.

I have now revisited the article and conducted the following investigation to gather evidence, not mentioned in the article, that bolsters the case that this “Bravemaster619” is indeed a North Korean IT worker.

Key Findings

  • In conclusion, Bravemaster619 is most likely a North Korean IT worker.
  • I observed that Bravemaster619’s past work listed on his website includes transactions with a company in Japan that is believed to be affiliated with the General Association of Korean Residents in Japan (在日本朝鮮人総聯合会 aka Chongryon).
  • Bravemaster619 is likely to be of Korean descent, as he has been asked to translate Korean sentences into English on HiNative, a language learning website.
  • Bravemaster619 is likely to have acquired Chinese citizenship to avoid sanctions.
  • Therefore, even if Bravemaster619 is identified as a person of Korean descent residing in Jilin Province, it is difficult to confirm through public information whether he is of DPRK origin.
  • Bravemaster619 is most likely an IT worker living and working in China.
  • Bravemaster619 is most likely living in Jilin Province, not Dandong.
  • North Korean IT workers register on social media sites frequented by regular users and use them as a platform for earning foreign currency.
  • North Korean IT workers may be doing business with Japanese companies in addition to those identified in the news.

Background

North Korea is under strict economic sanctions from the United Nations, the United States, and other countries, but in spite of the sanctions, various government agencies are funding its nuclear and missile development by conducting various projects. For example, North Korea is known for construction work carried out by workers sent to neighboring countries, a forestry business that cuts down, processes, and exports trees, and foreign currency acquisition through arms exports to Middle Eastern countries.

In recent years, especially in cyberspace, they have been known to steal virtual currency through cyber-attacks, acquire illicit foreign currency through money laundering, and obtain foreign currency by pretending to be from other countries and working as freelance IT workers.

According to some reports, North Korean migrant IT workers are earning foreign currency not from within North Korea, but from China, Russia, and neighboring Asian countries through cyber-attacks.

In a document released on October 18, 2023, the U.S. Department of Justice stated that “The Democratic People’s Republic of Korea has flooded the global marketplace with ill-intentioned information technology workers to indirectly fund its ballistic missile program” and has imposed sanctions to seize domain names and accounts used by migrant IT workers.

In Japan, a similar case occurred in which a North Korean IT worker was allegedly involved in the development of a disaster prevention application for Hyogo Prefecture.

In this study, I investigated an IT worker with suspected North Korean ties using the username Bravemaster619. I focused on Bravemaster619 because, at the start of the investigation, he was still active despite an article in The New Yorker magazine pointing out his relationship with North Korea, and because, in the course of profiling, I found that his website stated that he had received work from a Japanese company.

Investigation

In an article published in 2021 by The New Yorker, a North Korean IT worker using the username “Bravemaster619” is reported to be working as a freelance programmer.

The article states that no evidence of cyber attacks or other malicious online activity was found in Bravemaster619’s digital footprint. The author conducted an investigation from a similar perspective, but failed to find any.

Investigation of the same username also revealed some glimpses of online activity, including the publication of code via GitHub (removed as of October 30, 2023) and registration on various social media outlets. In particular, the account was observed on the language learning site HiNative asking questions about the Korean language.

Bravemaster619’s website advertises his past experience in developing websites for Japanese companies. One of the most notable websites is 451039 (Shigoto Sankyu Japan).

Shigoto Sankyu Japan is operated by a company called ITZ Corporation, which uses the name of a person named “Han Su-ryeong(韓戍連)” as the Personal Information Protection Manager for this website.

I investigated the name “Han Su-ryeong(韓戍連)” and found a person with the same name who writes articles for a magazine related to the Chongryon, but I was unable to determine from public information whether he is the same person as the above-mentioned Personal Information Protection Manager and whether he has any direct relationship with the Chongryon.

Next, I checked the account of Bravemaster619 on Hashnode and found that he uses the name Liyou Ding. His profile states that he lives in Jilin Province, China.

Liyou Ding is also registered on LinkedIn, a social media site for businesses (deleted as of 10/30/2023), and at one point had a Bravemaster619 GitHub account tied to it. In this LinkedIn profile, he is listed as working for “吉林市骊泷科技发展有限公司”.

According to Tianyancha (天眼査), where information about Chinese companies can be verified, “吉林市骊泷科技发展有限公司” was founded on December 29, 2020 by Sang-ok Choi (崔相旭) and is located in Jilin Province, China.

Note that access to Tianyancha was blocked by IP address and the website could not be accessed directly, so the block was circumvented by accessing the website via Google Translate. All the screenshots of Tianyancha that appear in this report are in Japanese because they were accessed by the above-mentioned method.

When I checked the registered address, “吉林市龙潭区新山街55号新地·山湾C区12号楼5单元6层71号”, on Baidu Map, it looked like a residential complex, and the office seemed a bit small for the number of items in the business scope.

Next, a Google search for the name of the company and other information led to the name of a person, Geng Bingjie (郑炳九). This person’s name did not appear on Tianyancha. However, since it appeared in the summary section of the Google search, I determined that it was the name of a person associated with the company. A second Google search for this person’s name turned up the name of the company, “吉林市欣荣软件开发有限公司”.

According to Tianyancha, “吉林市欣荣软件开发有限公司” was founded on November 9, 2018, and is located at “吉林省吉林市昌邑区嘉业花园1号楼3单元1层26号”. The founder’s name is Liyou Ding (丁利有), the same name listed on Bravemaster619’s Hashnode, so this appears to be a company founded by Bravemaster619. Ding is also known as a surname that is common on the Korean Peninsula.

On Tianyancha, you can view historical information about the company’s personnel and shareholders. Therefore, I checked the historical information about “吉林市欣荣软件开发有限公司”.

In the historical information in the above image, it should be noted that Liyou Ding’s ID type is “Resident ID Card of the People’s Republic of China”. A resident ID card can only be obtained by a citizen of the People’s Republic of China, which means that Liyou Ding is a Chinese citizen.

For the North Korean government, having its own migrant workers acquire Chinese citizenship is considered risky, for example because of the possibility of defection, but the possibility cannot be ruled out that the government had them acquire citizenship in order to avoid sanctions.

In addition, since Jilin Province is originally an area with a large Korean population, it is difficult to determine whether or not this person was sent to China as a migrant IT worker at the will of the North Korean government. These circumstances may also give North Korea the advantage of letting its migrant workers conduct their activities while blending in with the ethnic Koreans living in China.

Additional research has revealed some interesting occurrences in Cambodia. In this article, it is mentioned that North Koreans can naturalize in Cambodia and become Cambodian citizens, allowing them to conduct business while circumventing UN economic sanctions. I believe that “naturalization” has been established as a means of circumventing sanctions, and that similar events may be occurring in China as in Cambodia.

Outlook

It is likely that sanctions against North Korea will remain in place and that North Korean IT workers will continue to be a threat. Bravemaster619 has already ceased his activities under the same ID, as some of his information on the Internet has been removed.

In a separate investigation, a person believed to be a North Korean IT worker has been active by disguising his identity, creating accounts on social media, and otherwise characterizing himself to make it easier for him to get work from the public.

The guidance provided by the US Department of Justice focuses mainly on events occurring in the US, and there are undeniably some shortcomings when Japanese companies take countermeasures based on this material. For reference, the following is a summary of the characteristics of North Korean IT workers impersonating Japanese nationals in past surveys conducted by the author.

  • The name on the ID card, the name on SNS, and the name on the account differ from one another.
  • The country of residence is listed differently on each of the SNSs and portfolios on which the person is registered.
  • Areas near the China-North Korean border (Yanbian, Dandong, etc.) appear in some way (address on resume, SNS location, account information).
  • Profile photo is of a good-looking Asian guy.
  • Stubbornly refuses to provide a passport and tries to provide a fake ID from the country where the applicant lives.
  • Uses an unusual surname (for a Japanese person).
  • Claims to be a graduate of Tokyo University or other universities that are generally considered highly educated.
  • Claims to be Japanese, but stubbornly refuses to use Japanese in the profile.
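
The checks in this list that can be evaluated from structured onboarding data can be run as a consistency screen. The following is an added example, not part of the original report; the record layout, field names, flag labels and sample records are assumptions made for illustration, and the photo, surname and university items are left to a human reviewer.

```python
import re
import unicodedata

BORDER_REGIONS = ("yanbian", "dandong")   # the two areas named in the list above
KANA = re.compile(r"[\u3040-\u30ff]")     # hiragana/katakana; kanji alone could be Chinese

def norm_name(name):
    """Fold width, case and word order so 'YAMADA Taro' equals 'Taro Yamada'."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return frozenset(re.findall(r"\w+", folded))

def screen(c):
    """Return indicator labels for one candidate record (hypothetical dict layout).

    The labels are prompts for manual identity verification, not a verdict.
    """
    flags = []
    if len({norm_name(n) for n in c["names"].values()}) > 1:
        flags.append("name_mismatch")            # ID card vs SNS vs account
    if len({v.casefold() for v in c["countries"].values()}) > 1:
        flags.append("country_mismatch")         # differs between SNS/portfolio
    if any(r in loc.casefold() for loc in c["locations"] for r in BORDER_REGIONS):
        flags.append("border_region")            # resume, SNS or account location
    if not c["passport_provided"]:
        flags.append("no_passport")
    if c["claimed_nationality"].casefold() == "japanese" and not KANA.search(c["profile_text"]):
        flags.append("no_japanese_text")
    return flags

# Constructed sample records; the names and values are invented for this example.
SAMPLES = [
    {"names": {"id_card": "YAMADA Taro", "sns": "Taro Yamada", "account": "taro yamada"},
     "countries": {"sns": "Japan", "portfolio": "japan"},
     "locations": ["Osaka, Japan"], "passport_provided": True,
     "claimed_nationality": "Japanese", "profile_text": "Webエンジニアです。"},
    {"names": {"id_card": "Hiroshi Tanaka", "sns": "H. Kimura", "account": "devmaster"},
     "countries": {"sns": "Japan", "portfolio": "Singapore"},
     "locations": ["Dandong, Liaoning"], "passport_provided": False,
     "claimed_nationality": "Japanese", "profile_text": "Full-stack developer, 8 years"},
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(sorted(record["names"].values()), "->", screen(record))
```
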

Countermeasure

One of the first steps companies can take is to thoroughly check the identities of the people involved when outsourcing work through freelance sites and the like.

Especially for large companies, it is recommended that they confirm that their contractors do not outsource work to freelance sites, etc., and if they do, that they screen them properly.

In addition, it is also recommended to check whether there were any suspicious persons in past transactions, and if so, whether there were any suspicious activities or malicious code embedded in the work or work content undertaken by such persons.

Opinion

I would like to do more research like this. I really wanted to report on the historical background of North Korea, including its history, its fundamental ideology, and past incidents, but I gave up on that because it would have been too much of a mess.

The threats discussed in this report are of a different dimension that cannot be prevented by installing anti-virus software or the latest security software. Combining classic espionage techniques with the latest attack methods in cyberspace is likely to result in more sophisticated attacks.

Management should take basic measures against unauthorized access in cyberspace, such as re-intensifying management of human, material, and financial resources, thorough screening in HR, and raising awareness in employee training.

Ordinary employees should be reminded that there are human and physical threats in addition to cyber attacks and other threats. In particular, they need to be aware of how they should take countermeasures in terms of contact on social networking services and e-mail.

In the outlook, I wrote a summary of the perspectives of IT engineers that security personnel in Japanese companies should focus on for future countermeasures.

In general terms, the fact that the person who has offered them a job may be from North Korea, and that their reward may turn out to be a missile passing over their heads, must be frightening.

If you are interested in this article, we can discuss it. Please contact me at: fd61227fdc@protonmail.com
