The Ethereum Foundation is drawing attention to a quieter threat inside crypto, one that begins long before any wallet is drained.
In a recap of its ETH Rangers program published on Thursday, the foundation highlighted the work of the Ketman Project, a stipend-backed initiative focused on identifying fake developers embedded in Web3 firms. Over a six-month period, the project says it identified 100 suspected DPRK IT workers and contacted 53 crypto projects to warn that they may have employed active North Korean operatives.
That detail matters because the crypto industry still tends to frame North Korea mainly as an external hacking problem. The Ketman findings point to something more operational and, in some ways, more difficult to detect. Malicious actors do not always arrive through an exploit. Sometimes they arrive through a hiring process.
According to the Ethereum Foundation, the project focused on “fake developers” working inside Web3 organizations, particularly individuals believed to be tied to North Korea. A developer embedded in a team can gain access to internal tooling, code repositories, deployment habits and security workflows well before any theft becomes visible onchain.
The foundation described this as one of the most pressing security risks facing the Ethereum ecosystem today. That is probably not an exaggeration.
North Korean-linked operatives have been tied to some of the industry’s largest losses over the years, with billions of dollars in digital assets stolen across multiple campaigns. The most widely known name remains the Lazarus Group, but the broader DPRK-linked ecosystem extends well beyond a single label.
What stands out here is that the response did not come from a private intelligence firm alone, but from a public-goods security effort funded through the Ethereum ecosystem itself. ETH Rangers, launched in late 2024, was designed to provide stipends for individuals working on ecosystem security.
In this case, the result was not another audit or bug fix. It was a reminder that crypto security is not only about defending smart contracts. It is also about knowing who is being trusted to build them.

