Ketman's Guide to Identifying a Suspicious GitHub Account Associated with DPRK
2024-11-01 • Ketman
Ketman's guide describes how suspicious GitHub accounts associated with DPRK activity can be mapped through follower and following networks, profile context, repository behavior, and repeated identity patterns. It flags clusters of accounts created around similar periods, generic full-stack or blockchain developer bios, broken or low-activity social profiles, excessive forking or starring, copied projects, and mismatched personal details. The report also notes a recurring "SuperStar" pattern in handles, profile images, and text, while cautioning that image style alone is not proof of DPRK linkage. The value for defenders is the network-analysis approach: examine accounts two or three degrees out, compare repositories and commit history, and treat clusters of fake developer identities as part of broader Lazarus/DPRK IT worker tradecraft.
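The network-analysis approach summarised above, as an added example that is not part of Ketman's guide: a small Python script over constructed, hypothetical profile records that walks follow edges two hops out from a seed handle and scores every account in that neighbourhood on the guide's weak signals (creation dates clustered within a window, generic full-stack/blockchain bio, mostly forked repositories, broken linked social profile). The handles, profile fields and scoring thresholds are assumptions; real data would come from the GitHub API.

```python
from collections import deque
from datetime import date
# Constructed sample data for this example: hypothetical handles and profile
# fields, NOT real GitHub accounts. "following" lists who the account follows;
# follower edges are derived by reversing them.
PROFILES = {
    "seed-dev": {"created": date(2023, 3, 2), "bio": "Full stack & blockchain developer",
                 "following": ["star-dev-01", "star-dev-02", "old-maintainer"], "repos": 40, "forks": 36, "social_ok": False},
    "star-dev-01": {"created": date(2023, 3, 9), "bio": "Senior full-stack developer | Web3",
                    "following": ["seed-dev", "star-dev-02"], "repos": 25, "forks": 22, "social_ok": False},
    "star-dev-02": {"created": date(2023, 3, 15), "bio": "Blockchain engineer, full stack",
                    "following": ["seed-dev", "star-dev-01", "third-hop"], "repos": 18, "forks": 15, "social_ok": True},
    "old-maintainer": {"created": date(2015, 6, 1), "bio": "Maintainer of a parsing library",
                       "following": ["third-hop"], "repos": 60, "forks": 5, "social_ok": True},
    "third-hop": {"created": date(2019, 1, 20), "bio": "Rust, compilers",
                  "following": [], "repos": 12, "forks": 1, "social_ok": True},
}
GENERIC_TERMS = ("full stack", "full-stack", "blockchain", "web3")  # assumed bio keywords

def neighbourhood(seed, depth=2):
    """Handles reachable within `depth` hops over follow edges in either direction (BFS)."""
    edges = {h: set(p["following"]) for h, p in PROFILES.items()}
    for h, p in PROFILES.items():
        for target in p["following"]:
            edges.setdefault(target, set()).add(h)  # reverse edge: followed -> follower
    seen, queue = {seed}, deque([(seed, 0)])
    while queue:
        handle, d = queue.popleft()
        if d == depth:
            continue
        for nxt in edges.get(handle, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, d + 1))
    return seen

def score(handle, cluster, window_days=30):
    """Count the weak signals (0-4) an account shows; a high count is a lead, not proof."""
    p = PROFILES[handle]
    peers_same_period = sum(1 for other in cluster if other != handle and
                            abs((PROFILES[other]["created"] - p["created"]).days) <= window_days)
    return sum([
        peers_same_period >= 2,                             # created alongside others in the cluster
        any(t in p["bio"].lower() for t in GENERIC_TERMS),  # generic full-stack / blockchain bio
        p["repos"] > 0 and p["forks"] / p["repos"] >= 0.7,  # repositories are mostly forks
        not p["social_ok"],                                 # linked social profile broken or dead
    ])

def flag_cluster(seed, depth=2, threshold=3):
    """Handles in the seed's neighbourhood that reach the (assumed) signal threshold."""
    cluster = neighbourhood(seed, depth)
    return sorted(h for h in cluster if score(h, cluster) >= threshold)
```

Flagged handles are candidates for the manual comparison the guide recommends (repository contents, commit history, personal details), not a verdict on their own.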