Ketman Project Backed by Ethereum Foundation Uncovers 100 North Korean Agents in Crypto Companies
The Ketman research project, funded through the ETH Rangers program, identified over 100 DPRK IT operatives embedded in Web3 organizations under fabricated identities over six months.
A research initiative called Ketman, funded through the Ethereum Foundation's ETH Rangers stipend program, has identified over 100 North Korean IT operatives covertly employed by crypto companies under fabricated identities. The findings were published as part of the foundation's program wrap-up report.
ETH Rangers Program and Its Results
The Ethereum Foundation released the results of its ETH Rangers program — an initiative launched in late 2024 to fund independent security researchers working to protect the ecosystem. The program supported 17 fellows in total, with work spanning vulnerability research, security tooling, threat analysis, education, and incident response.
"The ETH Rangers Program has wrapped up and the results speak for themselves: $5.8M+ recovered, 785+ vulnerabilities reported, 100+ DPRK operatives identified, and so much more. A decentralized defence for a decentralized network." — EF Ecosystem Support Program (@EF_ESP), original post
The aggregate outcomes are striking: over $5.8 million recovered, more than 785 vulnerabilities reported, and 100+ DPRK operatives identified across the ecosystem.
How Ketman Tracked Pyongyang's Operatives
One of the fellows used their grant to build Ketman, a project focused specifically on uncovering "fictitious developers" in the crypto industry. The team concentrated on operations backed by North Korea. DPRK IT workers have spent years infiltrating Web3 companies using forged identities, earning salaries while simultaneously conducting reconnaissance and gaining potential access to project infrastructure. The Lazarus Group is linked to the most high-profile operations of this kind.
Over six months, the Ketman team documented 100 DPRK operatives actively working inside Web3 organizations and notified 53 projects that they likely had active agents on their payrolls.
According to materials published on the Ketman website, the researchers relied on distinctive "tactics, behaviors, and operational patterns" characteristic of North Korean IT operators. Key indicators included:
- Reuse of avatars and profile metadata across multiple GitHub accounts registered under different names;
- Accidental exposure of unrelated email addresses during screen-sharing in video calls;
- Default system language settings (such as Russian) contradicting the claimed nationality;
- Unusual communication patterns and working hours inconsistent with the stated time zone.
Neither Ketman nor the Ethereum Foundation disclosed the full detection methodology publicly.
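The indicators listed above lend themselves to an automated first-pass screen that a hiring or security team can run over the GitHub accounts and onboarding notes of candidates. The following is an added illustration written for this article; it is not Ketman's open-source tool and does not reproduce their methodology. All account records are constructed, and the field names (avatar_sha256, claimed_utc_offset, commit_hours_utc, os_locale) and the thresholds are assumptions about what such a pipeline would collect.

```python
"""Screening heuristics for the four indicators discussed above.

Added example with constructed data; not Ketman's tooling. Every record is
fabricated, and the record fields and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed candidate/GitHub-account records (all values fabricated).
ACCOUNTS = [
    {"login": "jdoe-dev", "name": "John Doe", "avatar_sha256": "a1b2",
     "bio": "Full-stack Solidity engineer | 8 yrs", "claimed_country": "US",
     "claimed_utc_offset": -5, "os_locale": "en_US",
     "commit_hours_utc": [14, 15, 16, 17, 18, 19, 20, 21, 14, 16]},
    {"login": "mikechen88", "name": "Mike Chen", "avatar_sha256": "a1b2",
     "bio": "Full-stack Solidity engineer | 8 yrs", "claimed_country": "CA",
     "claimed_utc_offset": -8, "os_locale": "ru_RU",
     "commit_hours_utc": [1, 2, 3, 4, 5, 6, 7, 8, 2, 3]},
    {"login": "anna-k", "name": "Anna K", "avatar_sha256": "c3d4",
     "bio": "Rust / zk", "claimed_country": "DE",
     "claimed_utc_offset": 1, "os_locale": "de_DE",
     "commit_hours_utc": [8, 9, 10, 11, 13, 14, 15, 16, 9, 10]},
]

# Toy table of locale languages plausibly consistent with a claimed country.
EXPECTED_LANGS = {"US": {"en"}, "CA": {"en", "fr"}, "DE": {"de", "en"}}


def shared_artifacts(accounts, field):
    """Map each value of `field` to the distinct display names that use it.

    Only values shared by two or more different names are returned, which is
    the avatar/metadata-reuse indicator.
    """
    by_value = defaultdict(set)
    for a in accounts:
        by_value[a[field]].add(a["name"])
    return {v: names for v, names in by_value.items() if len(names) > 1}


def best_fit_offset(commit_hours_utc, workday=range(9, 19)):
    """UTC offset (-12..+14) under which most commits land in a 9-18 local workday."""
    def in_workday(off):
        return sum(((h + off) % 24) in workday for h in commit_hours_utc)
    return max(range(-12, 15), key=in_workday)


def screen(accounts):
    """Return {login: [indicator strings]} for every account that trips a check."""
    findings = defaultdict(list)
    # Indicator 1: the same avatar hash or bio text behind several names.
    for field, label in (("avatar_sha256", "avatar"), ("bio", "profile bio")):
        for value, names in shared_artifacts(accounts, field).items():
            for a in accounts:
                if a[field] == value:
                    findings[a["login"]].append(f"{label} reused by {len(names)} names")
    for a in accounts:
        # Indicator 2: OS locale language that does not fit the claimed country.
        lang = a["os_locale"].split("_")[0]
        if lang not in EXPECTED_LANGS.get(a["claimed_country"], {lang}):
            findings[a["login"]].append(f"locale {a['os_locale']} vs country {a['claimed_country']}")
        # Indicator 3: commit timestamps that fit a workday in a different zone.
        fit = best_fit_offset(a["commit_hours_utc"])
        if abs(fit - a["claimed_utc_offset"]) >= 4:  # assumed tolerance
            findings[a["login"]].append(
                f"commits fit UTC{fit:+d}, claimed UTC{a['claimed_utc_offset']:+d}")
    return dict(findings)


if __name__ == "__main__":
    for login, hits in screen(ACCOUNTS).items():
        print(login, "->", "; ".join(hits))
```

Each hit is an indicator to hand to a human reviewer, not a verdict: a shared stock avatar or a contractor who genuinely works nights will trip the same checks, so the tolerance values and the country-to-language table should be tuned to the organisation's own hiring population before anything is acted on.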
Why This Matters
The infiltration of North Korean operatives into crypto companies represents one of the most pressing operational security threats facing the blockchain industry. The Ethereum Foundation's ETH Rangers report explicitly states that this work "directly addresses one of the most acute operational security threats facing the Ethereum ecosystem today."
The scale of the problem is underscored by recent events: on April 1, DeFi platform Drift Protocol on Solana suffered a $280 million hack, which the project's team and cybersecurity experts attributed to DPRK-linked hackers.
Tools to Combat the Threat
Beyond the investigative work itself, the Ketman team built an open-source tool for automated detection of suspicious activity on GitHub. They also collaborated with the nonprofit Security Alliance to develop an industry-standard verification framework designed to identify DPRK IT workers during the hiring process.
These tools aim to provide Web3 companies with practical defenses against infiltration — a problem that until recently was addressed mostly on an ad hoc, manual basis. With the threat from state-sponsored actors only growing, systematic approaches like the Ketman framework could become essential for any crypto project's security posture.
Frequently Asked Questions
What is the Ketman project?
Ketman is a research initiative funded through the Ethereum Foundation's ETH Rangers stipend program. It focuses on identifying North Korean IT operatives working undercover in crypto companies. Over six months, the project documented more than 100 DPRK agents embedded in Web3 organizations.
How do North Korean agents infiltrate Web3 companies?
DPRK IT workers use fabricated identities to secure employment at Web3 organizations. They reuse avatars across multiple GitHub accounts, conceal their real locations, and work under false names. While earning legitimate salaries, they simultaneously conduct reconnaissance and gain access to project infrastructure.
What were the results of the ETH Rangers program?
The ETH Rangers program supported 17 fellows and produced significant outcomes: over $5.8 million recovered, more than 785 vulnerabilities reported, and 100+ DPRK operatives identified. Fellows worked across vulnerability research, security tooling, threat analysis, education, and incident response.
What red flags indicate a North Korean IT operative?
Key indicators include reusing avatars and profile metadata across multiple GitHub accounts under different names, system language settings contradicting claimed nationality, and working hours inconsistent with the stated time zone. Accidental exposure of unrelated email addresses during screen-sharing has also been observed.
What tools has Ketman developed to counter DPRK infiltration?
The Ketman team built an open-source tool for automated detection of suspicious GitHub activity. In collaboration with the nonprofit Security Alliance, they also created an industry-standard verification framework designed to identify DPRK IT workers during the hiring process.
