# Background:

Late last year, we stumbled upon a trove of pictures and logs belonging to an IT worker stationed in Laos. The pictures, discovered in an open Dropbox folder, are shot in a "home movie" style and follow a group of North Korean IT workers who resided in Laos between 2021 and 2023. In the past year, Laos has gained more public attention as an IT worker hotspot due to Palo Alto's reporting on Niko Sonexarth, an IT Worker involved with Contagious Interview, and sanctions being placed on three North Korean front companies run by Department 53, who directed groups of IT Workers in Laos:

| Sanctioned Company | Sanctioned Representative | Active in Laos Since |
| --- | --- | --- |
| Korea Osong Shipping Co | Son Kyong Sik | 2022 |
| Chonsurim Trading Corporation | Jong In Chol | 2021 |
| Liaoning China Trade Industry Co., Ltd | N/A | N/A |

According to Palo Alto, Niko Sonexarth was pictured in Laos sometime between late 2020 and mid-2021. Although we never see Niko pictured in the photos we acquired, if this timeline is accurate, it is highly possible he was working alongside the IT workers documented in this post. As far as we are aware, this cluster operated out of Laos from September 2021 until roughly February 2024—when some members appeared in Vladivostok, Russia. Two individuals in this cluster, Naoki Murano and Kei Nakano, were reported on by ZachXBT in August 2024. Naoki Murano is frequently pictured in the photos and was later seen with two other IT Workers documented by ZachXBT near Vladivostok in February 2024.

According to public reporting, Naoki Murano is associated with the DeltaPrime heist of $6M+ that occurred in Sept. 2024.

In an effort to better document how IT workers operate, we have identified all of the locations seen in the photos and included a set of IOCs at the end of the post. Some faces have been censored because we do not believe the individuals pictured met the level of maliciousness necessary to have their faces publicly documented here. If you disagree or would like the photos for security research, feel free to contact us at: chollima_group@proton.me.

Photos are not necessarily discussed in chronological order.

# Timeline

Note: These dates are an educated guess and not perfect. There is an unclear discrepancy in timestamps taken from the photos' EXIF data.

Map of locations visited by DPRK IT Workers in Vientiane, Laos

# The Photos

## A Celebration in Vientiane:

On one of the last days documented in the photos, roughly around New Year's 2023, a private celebration was thrown that acts as a good starting point to introduce some members of this cluster. Photographed at an upscale Chinese restaurant a block down from a USAID office in the suburbs of Vientiane, we believe there were roughly 6-7 individuals present that night.

Out of the six individuals pictured, we were able to associate two with online developer personas claiming to be based in Japan, and one as a North Korean IT worker (also claiming to be based in Japan):


- Jenson Collins AKA nfbigjc AKA jcollinsx
- Keisuke Watanabe AKA kAsky53 AKA hirayama1534
- Kazune Takeda AKA Greg Takeo AKA Joe Hisaishi AKA mtfuji25
- Naoki Murano AKA supermutecx

None of the identified personas stated their connections to Laos and had little to no online presence outside of freelancing/development work.

Edit: In our original post, we stated that we were unable to identify the individual between Jenson Collins and Kazune Takeda. However, since then we have identified him as another North Korean IT Worker who uses the persona Keisuke Watanabe. Similar to Kazune, they have also held a CTO role at various cryptocurrency projects. NKC03 and NKC06 will not be seen again until February 2024 in Vladivostok.

## Victory Fields:

The first photos in the album were taken on three separate occasions between June 12th and July 10th of 2022 at Victory Football Stadium in Vientiane, Laos. Though potentially just a coincidence, we thought it was interesting that this location is almost directly across the street from the North Korean Embassy.

The photos from Victory Football Stadium mainly focus on Jenson Collins, although Keisuke Watanabe and another IT Worker who used the persona "Peter Wang" are also present. On the three separate days the photos were taken, there appear to be at least 3-4 other individuals present, one of whom we were able to tie back to a freelancer profile on Hubstaff. We believe it is safe to assume that all of the individuals pictured are most likely North Korean IT Workers.

## The Rental House:

The last set of photos from Laos appear to all have been taken on the same night at a large secluded house near the US Embassy in Vientiane. Realizing the house was quite large and most likely a rental, we were able to locate it by searching Airbnb listings in the Vientiane area.

Though we do not believe the home was actually rented on Airbnb, the listing states that it has 14 bedrooms and is currently available for $2,000/night. Based on the pictures, we believe some of the IT workers in this cluster may have resided here for an extended period of time.

## Parkson Mall & Downtown Vientiane:

Most of the photos were shot in and around downtown Vientiane, primarily in the vicinity of Parkson Mall, which was first mentioned by Palo Alto in their report on Niko Sonexarth. Jenson Collins can be seen taking a picture in the same general area as Niko, but in July 2022.

Other images from the Mekong Terrassen in downtown show another individual, Seo Sigoto, who is seen traveling frequently with Naoki Murano and Jenson Collins. In our original post we were unable to tie NKC04 to any online personas and stated that we believed he was unlikely to be an IT Worker and that we believed he may have filled a managerial or support role. Several months later we were finally able to identify him as an IT Worker operating as a blockchain engineer and advisor. He, similar to others in this cluster, claimed to be located in Japan.

## From Vladivostok with Love:

Though technically in Ussuriysk, a Russian city with a large Korean minority near Vladivostok, and not Vladivostok itself, several members of the Laos cluster were spotted here in early 2024, almost a year after the last photo from Laos. While several of the IT workers seen in our Laos photos do not appear in Vladivostok, we do see Naoki Murano, Seo Sigoto, NKC03, and NKC06. Naoki's appearance in Russia also aligns with ZachXBT's report referenced earlier in this post, which included IP addresses originating from roughly the same general area.

While observant readers may notice even more faces in the crowd, two other IT workers from ZachXBT's reporting, Joshua Palmer and Jason Kwon, can also be seen at this event in Vladivostok alongside Naoki Murano and Seo Sigoto. Seeing them together in person like this only supports Zach's findings that they were operating as a team and most likely based out of Russia.

Edit: In our original report, we stated that Naoki Murano, Joshua Palmer, Seo Sigoto, and NKC06 disappear after the above photos of them were taken. We also stated that NKC03 and Jason Kwon along with many of the other IT Workers pictured seem to be local to the area. Since the original post, Naoki Murano, Joshua Palmer, Jason Kwon, Kazune Takeda and NKC06 have been spotted on multiple different occasions in Primorskiy Krai (the territory in which Vladivostok resides). Naoki Murano, Kazune Takeda, and NKC06 were last seen in this area in May 2025.

# The Documents

Along with the photos above, several documents were also found that shed more light on how IT workers operate. One document, titled "0503_April_base_report_SHS.pdf", contains a balance sheet and a list of tasks with the names of 19 different companies and the current developer assigned to each task:

Another spreadsheet, titled "remote or hybrid.xlsx", seems to have been used to track application status, open job listings, a list of company names (broken into two tabs called "green(disable)" and "non-clear(green)"), and nearly 1500 different projects from the Japanese freelancing site Wantedly.

Another sheet, which we have chosen not to include, contained what appeared to be a list of items that an IT worker was requesting be purchased for them in Russia. This included two mink coats, coffee beans, Ecco shoes, and several different types of medicine totaling $2,104 USD.

# Tools, Services, and Other Findings

## Phone Services:

While this cluster was observed primarily targeting the Japanese freelancer market, we also observed two personas that claimed to be based out of Poland and Ireland. These personas both made use of Polish and Irish phone numbers that did not appear to be VOIPs and belonged to carriers such as T-Mobile, Play.pl, and Liffey Telecom. At least one of these numbers appears to belong to an unknown elderly female in Poland. While we are not sure how these IT workers are sourcing these numbers, they also made use of several temporary phone number providers that allow longer-term number rentals. The services we saw used were:


- anonymsms.com
- sms-man.com
- smsverify.co.uk
- smsverify.co

We have frequently seen anonymsms.com used by IT workers in the past, as well as Skype for US-based numbers.

## VPNs and Software:

Alongside Astrill, which is already well documented, we saw use of PureVPN and OpenVPN that we believe was most likely run on an AWS instance. We believe that the account used to purchase Astrill was most likely compromised and taken over by these IT workers.

In addition to TeamViewer, AnyDesk, OBS, Slack, and Teams, an application called CallRI.exe was also installed on at least one of the hosts used by this group. CallRI.exe, which may also be named CallRT.exe, appears to be an internal DPRK application used to monitor IT workers. Its presence, like that of NetKey and OConnect, is an extremely strong indicator that a computer is affiliated with the DPRK.
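A host-triage sketch for the indicators named above, added here as an example and not code from the original post: it takes a software inventory (constructed sample data) and separates the DPRK-specific tooling from remote-access and VPN software that is also common on ordinary machines. Matching NetKey and OConnect by file-name prefix is an assumption, since the post gives only the product names.

```python
from pathlib import PureWindowsPath

# Values taken from the post: binary names and the one published SHA-256.
STRONG_NAMES = {"callri.exe", "callrt.exe"}
STRONG_SHA256 = {"d513bd5b54098b4713f323eb8d8bc8d814061a7f042b613311a5c750f8896b2c"}
# Assumption: the post names NetKey and OConnect as products only, so we match
# on the file-name prefix; the real file names may differ.
STRONG_STEMS = ("netkey", "oconnect")
# Tools the post lists on these hosts but that are common on ordinary machines.
CONTEXT_STEMS = ("astrill", "purevpn", "openvpn", "teamviewer", "anydesk")


def triage_host(records):
    """records: iterable of {'path': str, 'sha256': str or None}.
    Returns {'verdict': ..., 'strong': [(path, reason)], 'context': [path]}."""
    strong, context = [], []
    for rec in records:
        path = rec["path"]
        # PureWindowsPath parses backslash paths correctly on any analyst OS.
        name = PureWindowsPath(path).name.lower()
        stem = name.rsplit(".", 1)[0]
        digest = (rec.get("sha256") or "").lower()
        if digest in STRONG_SHA256:
            strong.append((path, "sha256 match"))        # survives a rename
        elif name in STRONG_NAMES:
            strong.append((path, "file name match"))     # survives a rebuild
        elif any(stem.startswith(s) for s in STRONG_STEMS):
            strong.append((path, "product name match"))
        elif any(s in stem for s in CONTEXT_STEMS):
            context.append(path)                         # never flags alone
    verdict = "investigate" if strong else "context-only" if context else "clean"
    return {"verdict": verdict, "strong": strong, "context": context}


# Constructed sample inventories (not real hosts).
HOST_A = [
    {"path": r"C:\Program Files\AnyDesk\AnyDesk.exe", "sha256": None},
    {"path": r"C:\Users\dev\AppData\Local\Temp\svc_update.exe",
     "sha256": "D513BD5B54098B4713F323EB8D8BC8D814061A7F042B613311A5C750F8896B2C"},
]
HOST_B = [
    {"path": r"C:\Program Files\TeamViewer\TeamViewer.exe", "sha256": None},
    {"path": r"C:\Program Files (x86)\Astrill\astrill.exe", "sha256": None},
]

if __name__ == "__main__":
    for label, host in (("A", HOST_A), ("B", HOST_B)):
        print(label, triage_host(host))
```

Host A is flagged on the hash even though the binary was renamed; host B carries only the common tools and is reported as context, not as a detection.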

# Conclusion:

We hope that this post has provided you with some unique insight into the operations of North Korean IT Workers. The DPRK's integration of IT Workers into their illicit funding networks poses an incredible threat to global companies — especially as their tactics and techniques become increasingly sophisticated, and their willingness to exploit and steal grows. We would like to reiterate that all of the information in this post was acquired legally and without gaining unauthorized access. If you are a security researcher or company and would like to discuss or provide more information, feel free to contact us at chollima_group@proton.me.

Emails:



Crypto Wallets: Note: These are low confidence. We do not conduct blockchain investigations. These wallets were found in log files originating from IT Worker hosts and do not, in our opinion, indicate maliciousness.



Github:


- github.com/Hiccup19940325
- github.com/neverm25
- github.com/seosigoto
- github.com/JCollinsX
- github.com/mtfuji25
- github.com/supermutexc
- github.com/call-by

Persona Names:


- Seo Kiwon
- Seo Sigoto
- Jenson Collins
- Kazune Takeda
- Joe Hisaishi
- George Takeo
- Kei Nakano
- Steven Chen
- Lucas Steve Moore
- Jason Kwon
- Joshua Charles Palmer
- Naoki Murano

IPs:


50.7.159.34
                    

Hashes:


CallRT.exe: d513bd5b54098b4713f323eb8d8bc8d814061a7f042b613311a5c750f8896b2c