Ethereum Foundation-Supported Initiative Reveals 100 North Korean Agents Penetrating Cryptocurrency Companies
The Ketman Project, operating under the Ethereum Foundation’s ETH Rangers security initiative, has reported that it uncovered around 100 North Korean IT operatives embedded within Web3 companies under false identities. The finding is the result of a six-month investigation and is one of the most comprehensive public accounts of DPRK infiltration in the industry’s history.
The threat landscape has evolved. Previously, North Korea’s state-sponsored crypto activities focused on remote exploits and exchange hacks; however, the 2025 trend indicates a coordinated infiltration of workforces, with operatives successfully passing HR screenings, gaining access to internal resources, and integrating into product teams for extended periods before being detected.
Key Takeaways:
- Operatives identified: Approximately 100 DPRK IT personnel discovered using fake identities within Web3 companies
- Investigation duration: Six months, carried out by the Ketman Project with support from ETH Rangers
- Program scope: ETH Rangers financed 17 independent researchers, recovered or froze $5.8 million in exploited assets, identified over 785 vulnerabilities, and managed 36 incident responses
- DPRK theft scale: $2.02 billion stolen in 2025 alone – a 51% increase compared to 2024 – bringing the total to $6.75 billion
- Drift Protocol hack: DPRK-affiliated attackers executed a $285 million exploit on April 1, 2026, marking the largest DeFi hack of the year
- Real-world case: Exchange Stabble issued a withdrawal alert following the infiltration of its leadership team by a DPRK IT worker
- Watch: Investigators are actively monitoring the proceeds from the Drift exploit; regulatory scrutiny regarding employment vetting in DeFi is anticipated to increase
Ethereum News: How the ETH Rangers Crypto Investigation Actually Worked – and What 100 North Korea Operatives Really Means
ETH Rangers was established in late 2024 through a collaboration between the Ethereum Foundation, Secureum, The Red Guild, and the Security Alliance (SEAL), deploying 17 independent security researchers over a six-month period to enhance the defenses of the Ethereum ecosystem.
The Ketman Project was among those funded initiatives, and its outcomes extended well beyond the standard audit or bug bounty scope.
Identifying 100 operatives involves correlating fabricated identities with known DPRK tradecraft patterns: inconsistent employment histories, communication behaviors indicative of time-zone masking, payment routing through specific intermediaries, and recurring technical fingerprints across unrelated applicants. This represents intelligence work rather than mere security research.
It necessitates ongoing monitoring of job boards, GitHub activities, hiring processes, and behavioral indicators within existing teams.
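The correlation described above can be sketched as a small triage script. This is an added example, not code from the Ketman Project or ETH Rangers; it covers two of the listed signals (indicators recurring across supposedly unrelated applicants, and activity hours that contradict a claimed time zone). The records are constructed, and every field name and threshold is an assumption.

```python
from collections import defaultdict

# Constructed sample records, not real applicants. All field names are assumptions.
APPLICANTS = [
    {"id": "A1", "utc_offset": -5, "payout": "wallet-X", "ssh_fp": "fp-1", "hours_utc": list(range(0, 9))},
    {"id": "A2", "utc_offset": 1, "payout": "wallet-X", "ssh_fp": "fp-2", "hours_utc": list(range(8, 17))},
    {"id": "A3", "utc_offset": -8, "payout": "wallet-Y", "ssh_fp": "fp-2", "hours_utc": list(range(1, 10))},
    {"id": "A4", "utc_offset": 0, "payout": "wallet-Z", "ssh_fp": "fp-4", "hours_utc": list(range(9, 18))},
]

def shared_indicator_clusters(applicants, fields=("payout", "ssh_fp")):
    """Link applicants that share any indicator value, transitively (union-find)."""
    parent = {a["id"]: a["id"] for a in applicants}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    first_seen = {}
    for a in applicants:
        for f in fields:
            if not a.get(f):
                continue  # a missing value must never link two people
            owner = first_seen.setdefault((f, a[f]), a["id"])
            parent[find(a["id"])] = find(owner)
    groups = defaultdict(list)
    for a in applicants:
        groups[find(a["id"])].append(a["id"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def timezone_mismatch(applicant, workday=(8, 20), min_ratio=0.5):
    """True when most observed activity falls outside the claimed local workday."""
    hours = applicant["hours_utc"]
    if not hours:
        return False  # no evidence either way
    local = [(h + applicant["utc_offset"]) % 24 for h in hours]
    inside = sum(workday[0] <= h < workday[1] for h in local)
    return inside / len(hours) < min_ratio

def review_queue(applicants):
    """Map applicant id -> reasons for manual review (heuristics, not verdicts)."""
    reasons = defaultdict(list)
    for cluster in shared_indicator_clusters(applicants):
        for aid in cluster:
            reasons[aid].append("shares indicator with " + ",".join(i for i in cluster if i != aid))
    for a in applicants:
        if timezone_mismatch(a):
            reasons[a["id"]].append("activity outside claimed time zone")
    return dict(reasons)
```

A shared payout address can also be a legitimate payroll intermediary, and night-shift contributors exist, so the output is a queue for human review rather than an attribution.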
The broader ETH Rangers program yielded significant results beyond the Ketman efforts: participants recovered or froze over $5.8 million in exploited funds, traced more than 785 vulnerabilities and proof-of-concept exploits, conducted 36 incident responses, and provided over 80 security training sessions.
The ETH Rangers Program has concluded, and the results are evident: over $5.8 million recovered, more than 785 vulnerabilities reported, over 100 DPRK operatives identified, and much more.
A decentralized defense for a decentralized network.
Read the full recap
— EF Ecosystem Support Program (@EF_ESP), April 16, 2026
Open-source outputs included a DeFi incident analysis platform, a GitHub suspicious account detector, and a client-side DoS testing framework.
This GitHub tool is particularly relevant. The capability for suspicious account detection is essential for identifying DPRK-linked developers operating covertly – accounts with fabricated contribution histories, coordinated activity patterns, or unusual repository access. The findings from Ketman likely utilized this specific tool.
What “100 operatives” does not imply: that these individuals were necessarily executing exploits in real time. The infiltration of DPRK IT workers serves various purposes: generating revenue for the regime through legitimate salaries, gathering intelligence on protocols and codebases, and preparing for future attacks.
The immediate financial impact may be limited; however, the long-term exposure is structural.
The post Ethereum Foundation-Backed Program Exposes 100 North Korea Operatives Infiltrating Crypto Firms appeared first on Cryptonews.
