Among the millions of accounts on the popular freelance job platform Guru there was one featuring a photo of a striking young woman wearing red lipstick and a green top.
The account described her as a senior software engineer in Bosnia and Herzegovina with 50 completed projects to her name.
“You can contact me at any time,” it was written on the account in English. “I am available in both European and American time zones.”
The person in the photo had nothing to do with the account. Yet it was her name at the top, and an old email address of hers that was listed in the contacts.
In 2025, that email address was among 25 published in a report by the Multilateral Sanctions Monitoring Team, MSMT, a mechanism tasked with monitoring North Korean attempts to evade United Nations sanctions. Another identity used was that of a man in Serbia.
The Guru profile, it emerged, was the work of a group of North Korean hackers identified by sanctions monitors as using stolen identities to gain freelance work with US and European companies with the aim of raising revenues for North Korea.
“At least a portion” of these revenues has been used to help fund North Korean “weapons development and production, domestic infrastructure projects, and procuring consumer goods”, the MSMT reported. In 2024 alone, North Korea “likely earned around $350-800 million from its IT workers worldwide”.
The profile is no longer available on Guru. The person whose identity was stolen to create it is still trying to process what happened.
She only found out when contacted by BIRN. Speaking on condition of anonymity, she said: “What I would most like to find out perhaps is – why me?”
Landing jobs with stolen identities
A fake Guru profile identified as belonging to a woman in Bosnia but in fact created by North Korean hackers. Photo: Screenshot.
Analysing the hackers’ digital footprints, BIRN discovered that the email address belonging to the woman in Bosnia had been used – without her knowledge or consent – to create accounts on several job search platforms popular among freelancers, at least one of which bears her first name, last name and photo.
The woman, who is originally from Bosnia but lives in Vienna, said she hadn’t used the email address in question for years. The address was last accessed as recently as last month.
The Guru profile listed a range of IT skills, including proficiency in programming languages Python and JavaScript, as specified an hourly rate of $30.
The profile listed the Bosnian capital, Sarajevo, as her location. The woman actually lives in Austria.
“The profile picture that was used is very, very old – so old that I’d completely forgotten I even had it,” she told BIRN.
Hackers also used the identity of a man in Serbia called Marko Zrinjanin. In this case, the email account was still active as of last month, though Zrinjanin told BIRN in a written response that it was not his address. He said the photographs of him used on the fake profiles were likely taken from an IT forum or website where he had been registered, such as HashNode or Spiceworks.
“At first, I was worried,” Zrinjanin told BIRN, “but when I realised that my name and personal details had been used solely to circumvent the sanctions imposed by Western oppressors who promote quasi-democracy and false freedoms, I felt much better.”
On Guru, Zrinjanin is listed as having been active on the platform since 2018, during which time he has earned $43,000 working for a total of nine companies. His location is listed erroneously as Louisville in the United States.
“Feel free to contact me to discuss the details of your project and how I can help you achieve your goals,” the profile states. “I am very flexible regarding working hours and can overlap with your schedule for more than six hours a day.”
Similarly, on GoLance, a profile bearing Zrinjanin’s name and photo states he has been active since 2025, charges $35 per hour and has clocked up 200 hours of work.
Hackers from sanctioned North Korean company
The alleged hacker accused of creating the profile falsely attributed to a woman in Bosnia for North Korean cyber operations. Photo: MSMT report.
In the MSMT report, the alleged hackers behind the fake Bosnia and Serbia accounts are identified as An Chol Hun and Ri Kwang Hun respectively.
According to the report, both are employed by Korea Mangyongdae Computer Technology Corporation, KMCTC, an IT corporation headquartered in the Chinese cities of Shenyang and Dandong. The latter is on the border with North Korea.
The corporation’s parent organisation is Management Office 607, the MSMT said, which falls under North Korea’s Ministry of Atomic Energy Industry.
Managing North Korea’s nuclear programme, the ministry is subject to strict international sanctions.
After publication of the MSMT report, the US Treasury Department sanctioned KMCTC. The treasury accused KMCTC IT employees of using Chinese nationals as banking intermediaries to conceal the…
Read the full article at Balkan Insight (BIRN) →
Serbia