The Ethereum Foundation has issued a critical security warning after its ETH Rangers program identified approximately 100 cryptocurrency workers with direct links to North Korean (DPRK) state-sponsored operations. The findings, stemming from a single researcher's six-month investigation funded by the Foundation, reveal that open-source detection tools and industry-standard identification frameworks successfully uncovered these threats to the broader crypto ecosystem.

One Researcher, One Stipend, 100 Operatives

One of the grant recipients used the funding to build the Ketman Project, an investigation focused on fake developer identities inside crypto companies.

Over six months, the project tracked down 100 North Korean IT workers embedded in Web3 organizations. About 53 projects were contacted and warned that they may have hired active operatives linked to the Democratic People’s Republic of Korea.

The Ethereum Foundation described the threat as “one of the most pressing operational security threats facing the Ethereum ecosystem today.”

A project funded by the #Ethereum Foundation revealed 100 North Korean IT workers who sneaked into #Web3 companies using false identities.#cryptosona $ETH pic.twitter.com/aCDKUV4mGO

— CryptOpus (@ImCryptOpus) April 17, 2026

The Ketman Project’s website lays out the tactics these workers use — behavioral patterns, technical habits, and identity tricks that allow them to pass as legitimate developers.

Some of the red flags are surprisingly basic. Workers were caught reusing the same profile photos and metadata across different GitHub accounts.

During screen-sharing sessions, unlinked email addresses were accidentally exposed. In some cases, device language settings — set to Russian — gave away identities that contradicted the nationalities being claimed.

How Operatives Were Caught

The Ketman Project did not just identify individuals. It built infrastructure. An open-source tool was developed to flag unusual GitHub activity tied to suspicious accounts.

A separate framework for identifying DPRK-linked workers was co-authored with the Security Alliance, a nonprofit focused on blockchain security. Both resources are now available for other organizations to use.

Reports indicate the Ethereum Foundation did not disclose the specific methods used to unmask the operatives beyond what the Ketman Project’s own publications describe. The project’s website, however, offers detailed write-ups on the operational patterns that gave workers away.

North Korea’s presence in crypto is not new. State-linked hacking groups, including the well-known Lazarus Group, have been tied to some of the largest thefts in the industry’s history.

According to reports, billions of dollars in digital assets have been stolen by North Korean actors over the years.

The ETH Rangers program was created specifically to address security gaps through stipend-funded individuals doing public-interest work.

The Ketman Project represents one of its first publicly documented results. Whether other grant recipients have produced similar findings has not been disclosed.

Featured image from Chief Learning Officer, chart from TradingView