Ketman expands the Nick L Franklin investigation into a broader DPRK IT worker cluster centered on Aqua Protocol and related GitHub personas. The source says Aqua Protocol was a fake Web3 lending application built around Aave V3 code, seeded with nearly $800,000 in liquidity, and connected to accounts including NickLFranklin, SonataM, CrazyDream000, and jewelas. Ketman links the cluster to several threat types: AppleJeus-style payload delivery against security researchers, WageMole-style employment attempts, fake Web3 protocol credibility building, memecoin phishing pages, rug-pull activity, and a possible connection to the suspicious difx.com exchange. The article argues that DPRK-linked operators are mixing IT worker placement, malware delivery, phishing, and direct Web3 scams within the same network.