Ketman's February 2025 activity statement reports seven Web3 companies or projects directly affected by confirmed DPRK IT workers. The group counted ten confirmed IT workers for the month and estimated that affected projects transferred about $50,000 in cryptocurrency to those workers, while all observed engagements lasted at least three months. Ketman says no malicious code implant was detected in the February cases, but access had to be revoked and post-exploitation services were used in at least one incident. The statement also criticizes slow incident response in Web3 and notes that Ketman added 28 high-confidence DPRK IT worker accounts to its internal database for future investigations.