Ketman describes GitHub organizations allegedly established and maintained by DPRK IT workers as hubs for credibility building, codebase management, recruitment fronts, malware-spreading opportunities, and crypto scams. The report focuses on organizations such as m8s-lab and HyperbuildX, which are described as fake outsourcing agencies around Solana, Web3, AI, crypto trading bots, and casino or lottery dApps. It details tactics including copied code presented as original work, inflated stars and followers, job-begging on social platforms, frequent identity changes, facilitator recruitment, and coordinated boosting between accounts. The source names multiple personas, emails, GitHub profiles, social accounts, and one on-chain address, giving defenders and hiring teams concrete identity-linkage signals for DPRK IT worker screening.