Ethereum Foundation-Backed Investigation Exposes 100 North Korean Operatives Infiltrating Crypto Firms

Author: Cryptonews
Release Time: 2026-04-18 14:10:00

A major security alert has been issued to the entire Web3 industry after an Ethereum Foundation-backed investigation uncovered approximately 100 North Korean IT operatives using fabricated identities to infiltrate crypto companies. The six-month probe by the Ketman Project, part of the ETH Rangers security program, reveals a dramatic shift in DPRK's threat model from remote hacks to coordinated, long-term insider infiltration, with operatives passing HR screenings and embedding within product teams for months.

Ethereum News: How the ETH Rangers Crypto Investigation Actually Worked – and What 100 North Korea Operatives Really Means

ETH Rangers launched in late 2024 through a partnership between the Ethereum Foundation, Secureum, The Red Guild, and the Security Alliance (SEAL), deploying 17 independent security researchers across a six-month mandate to strengthen the Ethereum ecosystem's defenses.

The Ketman Project was one of those funded efforts, and its output went well beyond the typical audit or bug bounty scope.

Source: Ketman

Identifying 100 operatives means matching fabricated identities to known DPRK tradecraft patterns: inconsistent work histories, communication behaviors suggesting time-zone masking, payment routing through specific intermediaries, and technical fingerprints that recur across unrelated applicants. That’s intelligence work, not just security research.

It requires sustained monitoring across job boards, GitHub activity, hiring pipelines, and behavioral signals inside existing teams.

The broader ETH Rangers program delivered material results beyond the Ketman work: participants recovered or froze over $5.8 million in exploited funds, traced 785+ vulnerabilities and proof-of-concept exploits, ran 36 incident responses, and delivered more than 80 security training sessions.

The ETH Rangers Program has wrapped up and the results speak for themselves: $5.8M+ recovered, 785+ vulnerabilities reported, 100+ DPRK operatives identified, and so much more.

A decentralized defence for a decentralized network.

Read the full recap👇

— EF Ecosystem Support Program (@EF_ESP) April 16, 2026

Open-source outputs included a DeFi incident analysis platform, a GitHub suspicious account detector, and a client-side DoS testing framework.

That GitHub tool is relevant here. Suspicious account detection is precisely the capability needed to surface DPRK-linked developers operating under cover – accounts with manufactured contribution histories, coordinated activity patterns, or anomalous repository access. The Ketman findings likely drew on exactly this tooling.

What “100 operatives” doesn’t mean: that those individuals were necessarily running exploits in real time. DPRK IT worker infiltration serves multiple functions: revenue generation for the regime through legitimate salaries, intelligence collection on protocols and codebases, and pre-positioning for future attacks.

The immediate financial damage may be limited; the long-term exposure is structural.
