Saturday, April 18, 2026

100 North Korean agents exposed within Web3 companies via Ethereum initiative


Project Ketman, which operates under the Ethereum Foundation’s ETH Rangers security program, identified nearly 100 North Korean tech workers who had infiltrated Web3 companies using fake identities. The discovery is the result of a six-month investigation that produced one of the most detailed public tallies of insider infiltration by the Democratic People’s Republic of Korea in the industry’s history.

The threat model has changed radically. While the North Korean government’s crypto operations previously focused on remote exploits and platform hacking, the 2025 model relies on coordinated workforce infiltration. These agents pass HR screening, gain access to internal code repositories, and work on product development teams for months before being discovered.

Key points:

  • Agent identification: Around 100 North Korean tech workers were observed using fake identities at Web3 companies.
  • Duration of the investigation: Six months, led by Project Ketman with support from the ETH Rangers program.
  • Program scope: The ETH Rangers program has funded approximately 17 independent researchers, recovered or frozen $5.8 million in exploited funds, tracked more than 785 vulnerabilities, and processed 36 incident responses.
  • Scale of North Korean thefts: $2.02 billion was stolen in 2025 alone, a 51% increase from 2024, bringing the total amount stolen to $6.75 billion.
  • Drift Protocol hack: Attackers linked to North Korea completed a $285 million exploit on April 1, 2026, the largest decentralized finance (DeFi) hack this year.
  • Real-world case: Trading platform Stabble has issued a takedown alert after a North Korean technician infiltrated its management team.
  • Follow-up: Investigators are actively monitoring the results of the Drift hack. Regulatory oversight of employee selection in the DeFi sector is expected to intensify.

Ethereum News: How the ETH Rangers crypto investigation is going – and what 100 North Korean agents mean

The ETH Rangers program launched in late 2024 through a partnership between the Ethereum Foundation, Secureum, The Red Guild and the Security Alliance (SEAL), deploying 17 independent security researchers on six-month missions to strengthen the defenses of the Ethereum ecosystem.

Project Ketman was one such funded effort, and its results went beyond the scope of traditional audits or bug bounty programs.

Identifying the 100 agents involved matching fake identities against known North Korean operating patterns: inconsistent work histories, communication behavior suggesting a concealed time zone, payments routed through specific intermediaries, and technical fingerprints repeated across supposedly unrelated candidates. This is intelligence work par excellence, not just security research.

This requires constant monitoring across job boards, GitHub activity, hiring funnels, and behavioral signals within existing teams.
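As an added illustration (not Project Ketman's tooling and not code from the article), the sketch below shows how two of the signals named above, fingerprints repeated across supposedly unrelated candidates and activity that does not fit the claimed time zone, can be turned into a review queue for a hiring team. All field names, thresholds and sample records are hypothetical and constructed for the example.

```python
from collections import defaultdict

# Constructed sample records; every field name and value here is hypothetical.
CANDIDATES = [
    {"id": "cand-a", "utc_offset": -5, "hours_utc": [0, 1, 2, 3, 4, 5, 6, 7], "payout": "interm-1", "device": "fp-111"},
    {"id": "cand-b", "utc_offset": 1, "hours_utc": [1, 2, 3, 4, 5, 6], "payout": "interm-1", "device": "fp-222"},
    {"id": "cand-c", "utc_offset": 0, "hours_utc": [9, 10, 11, 14, 15, 16], "payout": "interm-7", "device": "fp-333"},
    {"id": "cand-d", "utc_offset": -8, "hours_utc": [16, 17, 18, 19, 22, 23], "payout": "interm-9", "device": "fp-222"},
]

def linked_clusters(candidates, keys=("payout", "device")):
    """Group candidates that share any value for the given keys (union-find)."""
    parent = {c["id"]: c["id"] for c in candidates}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    first_seen = {}
    for c in candidates:
        for k in keys:
            owner = first_seen.setdefault((k, c[k]), c["id"])
            parent[find(c["id"])] = find(owner)
    groups = defaultdict(set)
    for c in candidates:
        groups[find(c["id"])].add(c["id"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def off_hours_ratio(c, day_start=8, day_end=22):
    """Share of observed activity that falls outside the claimed local daytime."""
    local = [(h + c["utc_offset"]) % 24 for h in c["hours_utc"]]
    return sum(1 for h in local if not day_start <= h < day_end) / len(local)

def review_queue(candidates, max_off_hours=0.5):
    """Candidates with at least one signal, queued for human review (not a verdict)."""
    clustered = {i for g in linked_clusters(candidates) for i in g}
    out = {}
    for c in candidates:
        signals = []
        if c["id"] in clustered:
            signals.append("shared-fingerprint")
        if off_hours_ratio(c) > max_off_hours:
            signals.append("timezone-mismatch")
        if signals:
            out[c["id"]] = signals
    return out
```

Linkage is transitive: cand-a and cand-d share nothing directly, but both share a value with cand-b, so all three land in one cluster.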

The broader ETH Rangers program has achieved tangible results beyond Ketman’s work. Participants recovered or froze more than $5.8 million in exploited funds, traced more than 785 vulnerabilities and proof-of-breach patterns, managed 36 incident responses, and delivered more than 80 security training sessions.

Open source deliverables included a DeFi incident analysis platform, a tool for detecting suspicious GitHub accounts, and a framework for client-side denial of service (DoS) testing.

This GitHub tool is very relevant here. The ability to detect suspicious accounts is exactly what is needed to reveal North Korea-linked developers operating undercover: accounts with artificial contribution records, coordinated activity patterns, or anomalous access to repositories. It is likely that Ketman’s results relied particularly on these tools.

What “100 agents” does not mean is that these individuals were necessarily carrying out hacks in real time. The infiltration of North Korean technicians serves multiple functions: generating revenue for the regime through salaries, gathering intelligence on protocols and code bases, and positioning themselves in advance for future attacks.

Immediate financial damage may be limited, but long-term exposure represents a structural risk.
