

Ethereum Foundation-Backed Project Exposes 100 North Korean Operatives in Web3

Caroline Bishop   Apr 17, 2026 05:47


A six-month investigation funded by the Ethereum Foundation has unmasked 100 North Korean IT workers who infiltrated Web3 companies using fake identities, marking one of the most comprehensive efforts to combat state-sponsored infiltration in the crypto industry.

The Ketman Project, backed by the foundation's ETH Rangers program, identified the operatives and directly contacted approximately 53 projects to warn them they may have unknowingly hired DPRK personnel.

How They Caught Them

The investigation uncovered a pattern of sloppy operational security that gave the operatives away. Technical red flags included reusing avatars and profile metadata across multiple GitHub accounts—a rookie mistake for supposedly sophisticated actors.

Other tells were more revealing. During accidental screen shares, some workers exposed unlinked email addresses. Others had default language settings like Russian that didn't match their claimed nationalities. These small inconsistencies, when aggregated, painted a clear picture.
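The aggregation described above, sketched as an added example (not the Ketman Project's tool and not code from this article): accounts are linked when they share an avatar hash or profile text, and weak signals are collected per account for human review. The records, field names and the country-to-language table are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records; field names are hypothetical, not a GitHub API schema.
ACCOUNTS = [
    {"login": "dev-a", "avatar_hash": "h1", "bio": "Full-stack blockchain dev", "claimed_country": "JP", "ui_lang": "ru"},
    {"login": "dev-b", "avatar_hash": "h1", "bio": "Senior Solidity engineer", "claimed_country": "US", "ui_lang": "en"},
    {"login": "dev-c", "avatar_hash": "h2", "bio": "Senior Solidity engineer", "claimed_country": "CA", "ui_lang": "en"},
    {"login": "dev-d", "avatar_hash": "h3", "bio": "Rust and ZK tinkerer", "claimed_country": "DE", "ui_lang": "de"},
]
# Assumed mapping of claimed country to plausible interface languages.
EXPECTED_LANGS = {"JP": {"ja", "en"}, "US": {"en"}, "CA": {"en", "fr"}, "DE": {"de", "en"}}

def linked_clusters(accounts, keys=("avatar_hash", "bio")):
    """Group accounts connected, directly or transitively, by a shared attribute value."""
    parent = {a["login"]: a["login"] for a in accounts}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for key in keys:
        seen = {}  # attribute value -> first login that used it
        for a in accounts:
            if a.get(key):
                first = seen.setdefault(a[key], a["login"])
                parent[find(a["login"])] = find(first)
    groups = defaultdict(set)
    for login in parent:
        groups[find(login)].add(login)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def signals(accounts):
    """Return {login: [signal, ...]} so individually weak indicators are reviewed together."""
    out = defaultdict(list)
    for key in ("avatar_hash", "bio"):
        counts = defaultdict(int)
        for a in accounts:
            counts[a[key]] += 1
        for a in accounts:
            if counts[a[key]] > 1:
                out[a["login"]].append(f"shared_{key}")
    for a in accounts:
        # Unknown countries are skipped rather than treated as a mismatch.
        if a["ui_lang"] not in EXPECTED_LANGS.get(a["claimed_country"], {a["ui_lang"]}):
            out[a["login"]].append("language_mismatch")
    return dict(out)
```

No single signal is conclusive here; the cluster of three accounts only appears because avatar reuse and profile-text reuse are joined transitively.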

"This work directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today," the Ethereum Foundation stated in its recap of the ETH Rangers program, which launched in late 2024 to fund public goods security work.

The Bigger Picture

North Korean operatives, most notably the Lazarus Group, have stolen billions in crypto over the years. But while high-profile hacks grab headlines, the quieter threat of embedded workers has received less attention—until now.

These aren't just hackers trying to break in from outside. They're getting hired, sitting in Slack channels, reviewing code, and accessing internal systems. The damage potential extends far beyond simple theft.

Beyond identifying individuals, the Ketman Project built an open-source detection tool for flagging suspicious GitHub activity. They also partnered with the Security Alliance, a blockchain-focused nonprofit, to create an industry-standard framework for identifying DPRK IT workers.

What Comes Next

The 53 warned projects now face difficult decisions about how to verify their existing teams and what due diligence looks like going forward. The Ketman Project's detection tools and framework offer a starting point, but the cat-and-mouse game won't end here.

North Korean operatives will adapt their tactics. The question for Web3 companies: will their hiring practices adapt faster?

