Ethereum Foundation-funded program exposes 100 DPRK workers in crypto

The Ethereum Foundation said it funded a six-month project that exposed 100 North Korean operatives who had infiltrated Web3 companies under fake identities.

The foundation on Thursday shared a recap of its ETH Rangers program, which was launched in late 2024 to provide “stipends for individuals doing public goods security work” within the ecosystem.

One of the recipients used the capital to build the Ketman Project to focus on investigating “fake developers” embedded within crypto, particularly operatives from the People's Republic of Korea.

During the six-month stipend period, the Ketman Project identified “100 different DPRK IT workers operating within Web3 organizations” and reached out to about 53 projects to alert them about having potentially employed active DPRK operatives.

“This work directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today,” the Ethereum Foundation said.

North Korean operatives have been plaguing the crypto sector, leading to billions worth of crypto stolen over the years. One of the highest-profile hacking groups from North Korea is known as the Lazarus Group.

Ketman Project website articles on DPRK operatives. Source: Ketman Project

The Ethereum Foundation did not go into detail about how the Ketman Project was able to identify the DPRK operatives. However, the project's website has an extensive range of articles explaining the types of “tactics, behaviors and operational patterns” the operatives deploy.

Related: CIA to integrate AI ‘co-workers’ to process intelligence, catch spies

They include technical red flags such as reusing avatars and profile metadata across multiple GitHub accounts, exposing unlinked email addresses during accidental screen sharing, and displaying default language settings, such as Russian, that contradict their claimed nationality.

Alongside identifying North Korean operatives, the Ketman Project also developed an open-source detection tool to identify suspicious GitHub activity and co-authored an industry-standard framework for identifying DPRK IT workers in partnership with blockchain-focused nonprofit organization the Security Alliance.