• An Ethereum Foundation funded program identified 100 North Korean IT workers operating inside Web3 organizations
• The investigation alerted 53 crypto projects that may have unknowingly hired them
• The initiative developed tools to detect suspicious developer activity across GitHub

Ethereum Foundation Program Identifies 100 North Korean Workers in Web3 Ecosystem

A security initiative funded by the Ethereum Foundation has uncovered a significant infiltration attempt involving North Korean IT workers embedded within Web3 companies.

The investigation, conducted through the foundation’s ETH Rangers program, identified 100 developers linked to the Democratic People’s Republic of Korea (DPRK) operating under false identities across multiple blockchain organizations.

The findings highlight growing cybersecurity risks facing the Ethereum ecosystem and the broader crypto industry.

ETH Rangers Program Uncovers Hidden Web3 Operatives

The six month investigation was funded through the ETH Rangers initiative, a program launched in late 2024 by the Ethereum Foundation to support security researchers and public goods contributors working within the blockchain ecosystem.

One stipend recipient used the funding to create the Ketman Project, an investigative initiative designed to track fraudulent developers operating inside Web3 companies.

During the program period, the project identified 100 DPRK linked IT workers who were reportedly working inside crypto organizations using fabricated identities.

Researchers also alerted approximately 53 Web3 projects that may have unknowingly hired these individuals.

The Ethereum Foundation described the work as addressing “one of the most pressing operational security threats facing the Ethereum ecosystem today.”

How Investigators Identified Suspicious Activity

Although the full methodology was not publicly disclosed, the Ketman Project documented several behavioral and technical indicators used to identify suspected operatives.

Key red flags included:

• Reusing avatars and profile metadata across multiple GitHub accounts
• Accidentally revealing hidden email addresses during screen sharing
• Device language settings that contradicted claimed nationalities
• Repeated behavioral patterns across developer profiles

These signals helped researchers detect coordinated activity across developer communities.

The project also introduced an open source detection tool capable of identifying suspicious GitHub activity patterns that could indicate fraudulent developer accounts.

Collaboration With Security Alliance

In addition to the investigative work, the Ketman Project collaborated with Security Alliance to develop an industry standard identification framework aimed at improving security practices across Web3 organizations.

The framework helps crypto companies identify potential infiltration attempts before sensitive access is granted to developers.

Such tools are becoming increasingly important as Web3 teams often rely on global remote talent, making identity verification more difficult.

DPRK’s Ongoing Crypto Operations

North Korea has long been associated with large scale cryptocurrency theft operations, frequently attributed to state linked hacking groups such as Lazarus Group.

These groups have been connected to billions of dollars in crypto exploits and hacks targeting exchanges, DeFi protocols, and blockchain infrastructure.

The newly revealed infiltration efforts represent a different layer of the threat, where operatives attempt to secure legitimate roles within crypto companies before exploiting internal access.

Security analysts say such infiltration strategies can precede major cyberattacks or financial theft within blockchain ecosystems.

Rising Security Concerns Across Web3

The findings highlight the growing need for stronger identity verification, developer vetting, and operational security practices across the Web3 industry.

As blockchain projects increasingly operate with distributed teams and open source development environments, security experts warn that insider risks may become as critical as external hacking attempts.

With initiatives like ETH Rangers and investigations such as the Ketman Project, the Ethereum Foundation aims to strengthen the resilience of the Web3 ecosystem against emerging threats.