The Ethereum Foundation said it funded a six-month initiative that uncovered 100 North Korean operatives who had infiltrated Web3 companies using fake identities.
In a recap shared Thursday, the foundation detailed its ETH Rangers program, launched in late 2024 to provide stipends for individuals carrying out public-good security work across the ecosystem.
One recipient used the funding to create the Ketman Project, which focuses on identifying “fake developers” embedded in crypto firms—particularly operatives from North Korea.
Over the six-month period, the project identified 100 DPRK-linked IT workers operating within Web3 organizations and contacted around 53 projects to warn them they may have unknowingly employed such individuals.
The Ethereum Foundation said the effort targets one of the most pressing operational security threats facing the ecosystem today.
North Korean actors have long targeted the crypto sector, contributing to billions of dollars in stolen funds over the years, with groups like the Lazarus Group among the most prominent.
The Ethereum Foundation did not detail exactly how the Ketman Project identified the DPRK operatives. However, the project’s website outlines a wide range of tactics, behaviors, and operational patterns used by these actors.
These include technical red flags such as reusing avatars and profile metadata across multiple GitHub accounts, inadvertently revealing unlinked email addresses during screen sharing, and showing default language settings—like Russian—that conflict with their claimed nationality.
In addition to uncovering North Korean operatives, the Ketman Project also developed an open-source detection tool to flag suspicious GitHub activity and co-authored an industry-standard framework for identifying DPRK-linked IT workers, in collaboration with the blockchain-focused nonprofit Security Alliance.
