It’s about not standing out…
The Email
Recently, I got an email from LinkedIn.
It was your boilerplate connection request, from a guy I’d never heard of, named “James Canary”, who claims to work at Garmin[1].
This in itself is nothing I would be surprised by. Garmin is a large company with a heavy level of separation between segments, even on the same campus. I frequently get requests from people who don’t work in my segment and just want to grow their network of Software Engineers around the Kansas City metro (it’s not that big!).
I’m always curious when somebody reaches out to me, and I like to see if we have anything in common that I can strike up a conversation about. So, I accepted James’ invitation and opened his profile[2]:
At first, I’m a little impressed. There’s a more traditional view of levels tied to “tenure” at Garmin, and the same experience timeline applies to new hires. This means James must have come in with a good degree of education and career history. And while not uncommon, it’s a bit rarer to have SWEs with an EE background, especially in embedded software.
But something’s weird. Why are James’ descriptions across his tenured career all so sparse? And not only are they sparse… they’re completely devoid of meaning. It’s as if you had asked an ML model to generate a few keywords related to {company} and then strung them into a sentence. Not only that, but he was working in a part-time position, which is extremely rare within Garmin.
Typically at this point, I would have removed James as a connection and moved on with my life. If James is just some LinkedIn scraper bot, staying connected won’t benefit me. But that’s when I remembered an article I had seen from last year. To quote from the article:
Nearly all executives who spoke to The Register in recent months have seen a flood of [North Korean] applicants applying for open positions, most of them in engineering and software development, and all of them remote work. There are many disconnects… Chief among these disconnects were “shallow” LinkedIn profiles paired with “beefy resumes,” she explained, citing job-seeker claims of working at Meta, attending Ivy League schools, developing major tech companies’ flagship products … but then only having 25 LinkedIn connections.
While of course I can’t jump to connections… James sure can. When I investigated his nearly 100 connections (update: now over 100), a pattern emerged. His oldest connections were seemingly random people working in disparate white collar jobs, mostly within the US. Then, he shifted to making connections with employees at Nvidia, mostly selecting employees located in India, which would be an odd choice for someone who claims to work in Santa Clara. This was followed by a string of connections to students, mostly at his alma maters of UT Austin and UMich. Finally, his most recent connections were all employees at Garmin, with most being very recent new grad hires (within the last 6 months) or interns. Notably, the vast majority of James’ connections were “LinkedIn verified”, while James was not.
The Investigation
First, I ran some simple checks. Has James’ name shown up anywhere in our corporate wiki? No… how about our org chart? Microsoft LDAP directory? Nope. Okay, well, I might as well confront James directly. I shot off a message:
In the meantime, let’s check on his public internet presence. Googling the name “James Canary” fills the first page of Google with results from a Chemistry Professor at NYU. A pretty clever strategy if your intention is to hide the fact that you don’t exist online. Next, I checked the email he listed in his LinkedIn “contact info”. From the article I mentioned earlier:
In all cases [of fake North Korean applicants], they noted a number of oddities: new-ish email addresses…
Does his email show up anywhere on Google? Sadly, no results came up from a direct quote search. Nothing relevant from the username, either. I plugged it into a public OSINT tool to check for other accounts that might suggest this email belongs to a real person:
And… Nothing.
Okay, well, seeing as this is a Gmail account, let’s just check to see if he’s created a profile picture:
With all signs pointing to James not being a real person, I want to give him the benefit of the doubt. Maybe he’s a LinkedIn scraper bot? After all, LinkedIn is notorious for being difficult to scrape anonymously. But then, a reply:
That’s a convenient reply, and it sidesteps a lot of the red flags I had raised earlier about his employment. And who knows, maybe he just moved to New York, so he isn’t really replying to me at 4 in the morning? I decided to come back to him with a couple of softball questions. If James could answer a few things that aren’t known to the internet, maybe he was employed after all…
How disappointing. But… he does have a point. I don’t know enough about corporate legal policy to know what’s on the table to discuss after you’ve left the company, and I certainly don’t want to get him in trouble for disclosing information that could be enumerated by an attacker. But, come on James, the mascot?[3]
The Fallout
I’d like to say there is a fallout from all of this, but sadly there isn’t. These kinds of schemes are, as I’ve shown, very difficult to prove beyond a shadow of a doubt. And on LinkedIn’s part, they have little incentive to remove these fake accounts. I reached out to several of James’ connections, and heard from all of them that they did not know who James was. Despite our multiple combined account reports, James’ account is not only still live, but is continuing to amass a large number of connections. I’ve looped in, I’ll say, other entities who might have more power than I do to address James’ account. But even if this one account is shut down, the formula is simply too easy to replicate. Create a plausible background, connect with the low-hanging fruit to gain verisimilitude, then start interviewing!
Conclusion
If you’re looking to hire a software engineer for a really cool job, make sure they’re legit. This is basic due diligence: checking whether the person exists online, comparing their LinkedIn profile picture with their real visage, and ideally meeting with them at least once in person (for example, require that they pick up their laptop in person, all travel expenses paid). If you’ve got some pretty cool work you’re doing, might I recommend someone with a slightly more Google-able name? While I can’t guarantee they’re a better software engineer than James, I can guarantee that their salary won’t be dipped into by a nation-state with a massive scary nuclear weapons program. Wait, maybe scratch that…[4]
Footnotes
1. NB: I’m employed by Garmin at time of publication. These views are all my own, of course.
2. Link: https://www.linkedin.com/in/james-canary-b2354431b/.
3. Just between you and me, the mascot is a shark. It’s very cute.
4. Well okay, they can uh… be a cool fun guy who hangs out with the team in person! And they’re okay moving to New York too. James is just here for the paycheck.