DPRK IT Workers threat in Open Source Organizations

2025-03-01 Ketman

https://ketman.org/dprk-it-workers-risks.html

Ketman frames DPRK IT worker risk around remote-first open source, DAO, crypto, and grant-funded organizations that hire through public channels or accept outside pull requests. The article distinguishes these workers from intrusion operators but warns that their employment can still create fraud, sanctions, credential-sharing, extortion, and future intrusion risks. It cites February operations where suspected workers used shared accounts, leaked wallet keys, GitHub tokens, private RPC endpoints, and AWS keys in public repositories, sometimes from prior gigs. The main defensive point is to treat contributor identity, payroll controls, repository permissions, and code-review boundaries as security controls, not only HR checks.
