Key Points
- Ethereum-backed program exposed 100 DPRK-linked operatives.
- Over 50 crypto projects were alerted to potential infiltration.
- Highlights growing cybersecurity risks in Web3 development.
The Ethereum Foundation has revealed that a grant-backed initiative successfully identified 100 North Korean operatives working within Web3 companies under false identities. The effort was part of its ETH Rangers program, launched to support public-good security work across the Ethereum ecosystem.
Ketman Project Targets Fake Developers
A key recipient of the program funding developed the Ketman Project, an initiative focused on uncovering “fake developers” embedded in crypto organizations. Over a six-month period, the project tracked and identified individuals linked to the Democratic People’s Republic of Korea operating across multiple blockchain projects.
Dozens of Crypto Firms Alerted
The investigation extended beyond identification. The Ketman Project contacted approximately 53 Web3 projects to warn them that they may have unknowingly employed North Korean operatives. This proactive outreach underscores the scale of infiltration and the operational risks facing decentralized organizations.
Tactics Used by DPRK Operatives
The project outlined several behavioral and technical patterns used by these operatives. These included reused avatars and profile metadata across platforms like GitHub, accidental exposure of unrelated email addresses, and inconsistencies such as mismatched language settings compared to claimed identities. These signals helped build a framework for detecting suspicious developer activity.
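The signals described above can be combined into a simple triage check. The following is an added example, not the Ketman Project's tool or code from the Ethereum Foundation; the record fields, the sample accounts, the language table and the two-signal threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records; field names are hypothetical, not a real API schema.
ACCOUNTS = [
    {"login": "dev-alpha", "avatar_hash": "a1f3", "claimed_country": "JP",
     "ui_lang": "ja", "profile_email": "alpha@example.com",
     "commit_emails": ["alpha@example.com"]},
    {"login": "dev-bravo", "avatar_hash": "9c7e", "claimed_country": "US",
     "ui_lang": "ko", "profile_email": "bravo@example.com",
     "commit_emails": ["bravo@example.com", "shared.box@example.net"]},
    {"login": "dev-charlie", "avatar_hash": "9c7e", "claimed_country": "CA",
     "ui_lang": "en", "profile_email": "charlie@example.com",
     "commit_emails": ["12345+dev-charlie@users.noreply.github.com",
                       "shared.box@example.net"]},
]
# Assumed mapping of claimed country to languages that would not be surprising.
EXPECTED_LANGS = {"JP": {"ja", "en"}, "US": {"en", "es"}, "CA": {"en", "fr"}}
NOREPLY = "@users.noreply.github.com"  # GitHub privacy addresses are not a signal

def unrelated_emails(acct):
    """Commit emails that match neither the profile email nor a noreply address."""
    own = acct["profile_email"].lower()
    return {e.lower() for e in acct["commit_emails"]
            if e.lower() != own and not e.lower().endswith(NOREPLY)}

def score_accounts(accounts):
    """Return {login: [signals]} for the three patterns named in the article."""
    by_avatar, by_email = defaultdict(set), defaultdict(set)
    for a in accounts:
        by_avatar[a["avatar_hash"]].add(a["login"])
        for e in unrelated_emails(a):
            by_email[e].add(a["login"])
    report = {}
    for a in accounts:
        signals = []
        peers = by_avatar[a["avatar_hash"]] - {a["login"]}
        if peers:  # same avatar image used by other accounts
            signals.append(("avatar_reused", sorted(peers)))
        for e in sorted(unrelated_emails(a)):  # also note who else exposed it
            signals.append(("unrelated_email", e, sorted(by_email[e] - {a["login"]})))
        # An unknown country yields no mismatch rather than a false positive.
        if a["ui_lang"] not in EXPECTED_LANGS.get(a["claimed_country"], {a["ui_lang"]}):
            signals.append(("language_mismatch", a["ui_lang"], a["claimed_country"]))
        report[a["login"]] = signals
    return report

def review_queue(accounts, threshold=2):
    """Logins with at least `threshold` corroborating signals, for human review."""
    return sorted(l for l, s in score_accounts(accounts).items() if len(s) >= threshold)
```

Any single signal has innocent explanations, so the threshold only queues an account for manual review and does not attribute it.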
Broader Threat to Crypto Ecosystem
North Korean-linked cyber groups, including the well-known Lazarus Group, have been associated with billions of dollars in crypto theft over recent years. Their increasing focus on infiltrating development teams marks a shift from external attacks to internal compromise.
Open-Source Tools and Industry Collaboration
Beyond identifying threats, the Ketman Project also contributed to the ecosystem by developing an open-source detection tool for suspicious GitHub behavior. It further collaborated with Security Alliance to create a standardized framework for identifying and mitigating DPRK-linked risks.
Rising Need for Developer-Level Security
The findings highlight a critical shift in crypto security challenges. As Web3 continues to grow, safeguarding not just infrastructure but also human access points—such as developers and contributors—has become essential for maintaining trust and system integrity.