Eth Foundation-funded program flags 100 North Korean crypto workers


The Ethereum ecosystem has expanded its security toolkit with a six-month initiative funded through its ETH Rangers program. The Ketman Project, described as a public‑goods security effort, identified a network of North Korean operatives embedded in Web3 companies, pinpointing 100 DPRK IT workers and alerting about 53 projects that could be employing such operatives. The Ethereum Foundation summarized the findings in a recent recap, underscoring the importance of the project for the broader ecosystem.

According to the Ethereum Foundation, the Ketman Project was built during a six‑month period under the ETH Rangers program, which launched in late 2024 to fund individuals performing security work for the ecosystem. One recipient used the stipend to tackle the Ketman initiative, focusing on exposing fake developers and other actors impersonating legitimate crypto engineers.

During the stipend period, Ketman identified 100 DPRK IT workers operating within Web3 organizations and reached out to about 53 projects to alert them to potential DPRK involvement. The Foundation framed the effort as a direct response to a pressing operational security threat facing the Ethereum ecosystem today.

The Ketman Project’s own materials outline the tactics, behaviors, and patterns used by DPRK-linked actors. The project describes several red flags used to spot impersonators and suspicious activity, including the reuse of avatars and profile metadata across multiple GitHub accounts, exposure of unlinked email addresses during screen sharing, and default language settings—such as Russian—that contradict the operators’ claimed nationality.

Beyond identification, Ketman co‑developed an open‑source detection tool to flag suspicious GitHub activity and helped author an industry-standard framework for identifying DPRK IT workers in partnership with the blockchain‑focused nonprofit Security Alliance. The Ketman site provides deeper dives into the operational methods employed by DPRK operatives and how attackers blend into crypto teams.

Key takeaways

  • Ethereum Foundation funded the Ketman Project through the ETH Rangers program for six months, revealing a DPRK‑linked presence in Web3 and alerting dozens of projects.
  • The effort identified 100 North Korean IT workers and prompted alerts to roughly 53 projects over the course of the program.
  • Ketman developed an open‑source detection tool and co-authored an industry‑standard framework for identifying DPRK IT workers with the Security Alliance.
  • Red flags highlighted by Ketman include reused avatars across GitHub accounts, exposed emails from screen sharing, and default language settings that conflict with stated nationality.
  • The work illustrates a broader push to harden the crypto economy against state‑backed threat actors, leveraging community‑driven intelligence alongside formal governance bodies.

Operational security gains and investor implications

The Ethereum Foundation’s recap frames Ketman as a pragmatic response to a persistent risk: state‑backed actors tied to DPRK have repeatedly targeted the crypto sector, contributing to significant losses over the years. By mapping specific operational patterns and distributing defensive signals to projects, the initiative helps reduce the attack surface for startups and established protocols alike. For investors and builders, the development signals a maturing security culture where threat intel is disseminated more quickly and translated into concrete protections rather than remaining in isolated analysis.

From a risk management perspective, the Ketman project embodies a shift toward proactive defense in public ecosystems. The combination of detection tooling and a formal framework provides participants with repeatable methods to vet contributors and contractors, potentially lowering the likelihood of insider risks or compromised open‑source projects slipping through governance gaps. While it is not a silver bullet, the approach adds a data‑driven layer to ongoing security work in the space where rapid innovation often clashes with evolving threat models.

Context: DPRK actors, Lazarus, and the crypto threat landscape

Threat actors associated with North Korea have long loomed over crypto infrastructure, with high‑profile breaches attributed to groups such as Lazarus. Analysts note that as the market grows, so does the fingerprint of these actors—ranging from social engineering and fake personas to sophisticated supply‑chain compromises. The Ketman Project’s findings fit within this larger pattern of state‑linked crypto threats, reinforcing the case for heightened due diligence, better attribution signals, and more transparent security collaborations among projects and communities.

That context matters for investors and practitioners alike. Enhanced threat intelligence—especially when backed by open‑source tools and cross‑organizational collaboration—can help teams prioritize security spend and adopt stronger onboarding and verification practices. It also raises questions about how to balance openness with security in open ecosystems where contributors span the globe and operate under varying regulatory regimes.

What to watch next

Several questions remain as the Ketman initiative wraps its six‑month window. How widely will the open‑source detection tool be adopted by projects and exchanges? Will the Security Alliance and Ketman publish ongoing, standardized benchmarks to measure the effectiveness of the DPRK‑identification framework? And how will platforms translate these threat signals into concrete changes—such as enhanced contributor vetting, more robust identity checks, or stricter code‑review processes?

The Ethereum Foundation’s involvement signals continued institutional support for security tooling that is broadly usable across the ecosystem. If Ketman’s tools and methodologies gain traction, we could see a shift from ad hoc security reviews to more coordinated, sector‑wide threat intelligence sharing. That development would be a meaningful catalyst for ecosystem resilience, especially as decentralized finance, layer‑2 scaling, and new Web3 use cases proliferate.

In the near term, what remains uncertain is the scalability and sustainability of such programs. Will funding through ETH Rangers translate into a larger, repeatable budget for security research? How will other ecosystems—ranging from alternative smart contract platforms to fiat‑onramp operators—adopt similar threat intelligence frameworks? The coming months will reveal whether Ketman’s approach can be generalized into a standard practice for securing crypto projects against sophisticated, state‑backed adversaries.

Readers should monitor announcements from the Ketman Project and the Security Alliance for updates on the framework, as well as any new threat alerts tied to DPRK‑linked actors. The effort underscores a broader industry trend: security is increasingly a collaborative, community‑driven discipline that complements technical development with actionable intelligence and governance‑level responses.

For those evaluating risk in personal or institutional deployments, this development offers a reminder to emphasize transparency, contributor verification, and proactive security monitoring as core components of any long‑term crypto strategy. The fight against sophisticated threat actors is ongoing, but initiatives like Ketman mark a tangible step toward a safer, more resilient ecosystem.

This article was originally published as Eth Foundation-funded program flags 100 North Korean crypto workers on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.
