Understanding DPRK IT Worker Activity - Conversations and Insights

2025-06-24 Ketman

https://www.ketman.org/understanding-dprk-it-workers-conversations-and-insight.html


Ketman analyzes DPRK IT worker activity across GitHub, Telegram, freelance job boards, open-source communities, and Web3 projects, where actors build fabricated developer personas to obtain work and evade sanctions controls. The investigation centers on the “Motoki Masuo” persona, linking interviews and Telegram engagement to GitHub accounts including motokimasuo, bestselection18, and kirbyAttack, as well as activity around the private AssetX-dex-frontend repository. Observed tradecraft includes persona cultivation, social-graph manipulation, repository activity used for credibility and reconnaissance, KYC and interview evasion, and proxy or remote-access infrastructure. Video-interview mistakes exposed identity artifacts including [email protected] and [email protected], while language and behavioral inconsistencies undermined the claimed Japanese identity. The report matters for DPRK-focused tracking because it shows how GitHub and freelance ecosystems can support both revenue generation and operational coordination by sanctioned IT workers.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | calendly.com | 2024-10-29 | 2026-03-02 |
| URL | https://calendly.com/7codewizar… | 2025-06-24 | 2025-12-04 |
| EMAIL | [email protected] | 2025-06-24 | 2025-06-24 |
| EMAIL | [email protected] | 2025-06-24 | 2025-06-24 |
| URL | https://calendly.com/davidcolma… | 2025-06-24 | 2025-06-24 |
| EMAIL | [email protected] | 2025-04-16 | 2025-06-24 |
