
The Ketman Project, which operates under the Ethereum Foundation’s ETH Rangers security program, has identified nearly 100 North Korean crypto IT operatives embedded inside Web3 companies under fabricated identities. The finding is the result of a six-month investigation that concluded with one of the most detailed sets of public statistics on DPRK insider infiltration in the sector’s history.
The threat model has changed. Where North Korea’s state-level crypto operations once focused on remote exploits and exchange hacks, the 2025 pattern is one of coordinated workforce infiltration: operatives passing HR checks, gaining access to internal repositories, and sitting inside product teams for months before being discovered.
- Operatives identified: About 100 DPRK IT workers were found using fake identities within Web3 companies
- Investigation duration: Six months, conducted by the Ketman Project with support from ETH Rangers
- Program scope: ETH Rangers funded 17 independent researchers, recovered or frozen $5.8 million in exploit funds, tracked more than 785 vulnerabilities, and handled 36 incident responses
- DPRK theft scale: $2.02 billion was stolen in 2025 alone – a 51% increase from 2024 – bringing the cumulative amount to $6.75 billion.
- Drift Protocol Hack: DPRK-linked attackers executed a $285 million exploit on April 1, 2026, the largest DeFi hack of the year.
- Real world case: Exchange Stable has issued a withdrawal alert after a DPRK IT employee infiltrated its leadership team
- What to watch: Investigators are actively tracking the proceeds of the Drift exploit; regulatory scrutiny of DeFi hiring screening is expected to intensify
Ethereum News: How the ETH Rangers Cryptocurrency Investigation Actually Succeeded – and What Having 100 North Korean Operatives Really Means
Launched in late 2024 through a partnership between the Ethereum Foundation, Secureum, The Red Guild, and the Security Alliance (SEAL), ETH Rangers deployed 17 independent security researchers over a six-month mandate to bolster the defenses of the Ethereum ecosystem.
The Ketman Project was one of those funded efforts, and its results went beyond the scope of a typical audit or bug bounty.

Identifying the 100 operatives meant matching fabricated identities to known DPRK tradecraft patterns: inconsistent work histories, contact behaviors indicating time zone masking, payment routing through specific intermediaries, and technical fingerprints repeated across unrelated applicants. This is intelligence work, not just security research.
It requires constant monitoring across job boards, GitHub activity, hiring pipelines, and behavioral signals within existing teams.
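The signals named above can be screened for mechanically before an analyst reviews a candidate. The following Python is an added illustration, not code from the Ketman Project or ETH Rangers; the record fields, the sample applicants and the 08:00-22:00 daytime window are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: every id, field name and value below is hypothetical.
APPLICANTS = [
    {"id": "cand-01", "claimed_utc_offset": -5, "payout": "intermediary-A",
     "fingerprint": "fp-1111", "activity_utc_hours": [0, 1, 2, 3, 4, 5, 6, 7, 8]},
    {"id": "cand-02", "claimed_utc_offset": 1, "payout": "intermediary-A",
     "fingerprint": "fp-1111", "activity_utc_hours": [0, 1, 2, 3, 4, 5, 6, 7, 8]},
    {"id": "cand-03", "claimed_utc_offset": -8, "payout": "bank-B",
     "fingerprint": "fp-2222", "activity_utc_hours": [16, 17, 18, 19, 20, 21, 22, 23, 0]},
    {"id": "cand-04", "claimed_utc_offset": 2, "payout": "bank-C",
     "fingerprint": "fp-3333", "activity_utc_hours": [7, 8, 9, 10, 11, 12, 13, 14, 15]},
]
DAY_START, DAY_END = 8, 22  # assumed local waking/working window, in hours


def shared_values(applicants, key):
    """Map each value of `key` seen on 2+ applicants to the sorted applicant ids."""
    seen = defaultdict(list)
    for a in applicants:
        seen[a[key]].append(a["id"])
    return {v: sorted(ids) for v, ids in seen.items() if len(ids) > 1}


def daytime_fraction(applicant):
    """Share of observed activity that is daytime at the claimed UTC offset."""
    hours = applicant["activity_utc_hours"]
    if not hours:
        return 1.0  # no observations, so no time zone signal either way
    local = [(h + applicant["claimed_utc_offset"]) % 24 for h in hours]
    return sum(DAY_START <= h < DAY_END for h in local) / len(hours)


def review_queue(applicants, min_daytime=0.5):
    """Return {applicant id: [reasons]} for records that merit manual review."""
    reasons = defaultdict(list)
    for key in ("fingerprint", "payout"):
        for value, ids in shared_values(applicants, key).items():
            for i in ids:
                reasons[i].append(f"shared {key} {value} with {len(ids) - 1} other(s)")
    for a in applicants:
        if daytime_fraction(a) < min_daytime:
            reasons[a["id"]].append("activity hours inconsistent with claimed time zone")
    return dict(reasons)


if __name__ == "__main__":
    for cand, why in review_queue(APPLICANTS).items():
        print(cand, why)
```

Each hit is a reason to look closer, not a verdict: shared payment processors and night-shift schedules have innocent explanations, which is why the output is a review queue with reasons attached.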
The broader ETH Rangers program has achieved material results beyond Ketman’s work: participants have recovered or frozen more than $5.8 million in exploit funds, tracked more than 785 vulnerabilities and proofs of concept, managed 36 incident responses, and delivered more than 80 security training sessions.
The open source deliverables included a DeFi incident analysis platform, a suspicious account detector on GitHub, and a client-side DoS testing framework.
The GitHub tool is relevant here. Detecting suspicious accounts is precisely the capability needed to detect DPRK-linked developers operating under cover – accounts with manufactured contribution histories, coordinated patterns of activity, or abnormal access to the repository. It is likely that Ketman’s findings were based on exactly these tools.
What “100 agents” does not mean is that these individuals were necessarily executing exploits in real time. The infiltration of DPRK IT workers serves multiple functions: generating revenue for the regime through legitimate salaries, gathering intelligence on protocols and code bases, and prepositioning for future attacks.
Immediate financial damage may be limited; long-term exposure is structural.




