DPRK IT Workers in Open Source and Freelance Platforms

2025-04-16 Ketman

https://www.ketman.org/dprk-it-workers-in-freelance-platform-onlyDust.html

Ketman links multiple suspicious GitHub and Web3 freelance personas to DPRK IT worker activity on open source and pay-for-PR platforms, with onlyDust payments observed for accounts including 0xExp-po, bestselection18, and aidenwong812/cryptogru812. The investigation cites account-age and commit-history manipulation, spam issues used for credibility building, stolen repository histories, toxic follower networks, frequent identity rotations, AI-generated profile imagery, and shared emails or private repositories across personas. bestselection18 is described as connected to several other DPRK IT worker accounts and to an automation repository apparently used to manage multiple fake identities. The report also says an engagement with motokimasuo/kirbyAttack helped confirm coordination with bestselection18 when the actor failed a Japanese-language verification prompt during a video call. The findings matter because these personas gained paid access and reputation inside blockchain/open source ecosystems, creating risk that code, secrets, or files exchanged with them could be exposed to a DPRK-linked team.

Indicators of Compromise

