Ethereum Foundation Scholar Uncovers 100 North Korean IT Agents in Web3 Firms


Ketman project identified 100 North Korean IT specialists in crypto companies.

The Ketman project, funded by the ETH Rangers program, identified a hundred North Korean IT specialists working in crypto companies under false identities over six months.

The Ethereum Foundation has published a report on the ETH Rangers program—an initiative launched at the end of 2024 to fund independent researchers focused on ecosystem security.

One of the scholarship recipients allocated funds to create the Ketman project, specializing in identifying “fake developers” in the crypto industry. Researchers concentrated on operations supported by North Korea.

North Korean IT specialists have been infiltrating Web3 companies under fake identities for years, earning salaries while simultaneously conducting reconnaissance and potentially accessing project infrastructure. The notorious Lazarus Group is behind the most prominent operations.

In six months, the Ketman team documented 100 DPRK operatives actively working within Web3 organizations and notified 53 projects that they likely employ active agents.

According to materials posted on the Ketman website, the experts focused on the “tactics, behavior, and operational models” typical of North Korean IT operatives, including:

  • repeated use of avatars and profile metadata across multiple GitHub accounts under different names;
  • accidental disclosure of unrelated email addresses during screen sharing in calls;
  • system language settings that contradict claimed citizenship—such as Russian or others;
  • specific communication behavior patterns and atypical working hours for the stated time zone.

Neither the project nor the Ethereum Foundation disclosed the methodology for detecting DPRK agents in detail.

In addition to investigative work, Ketman developed an open-source tool for automatically detecting suspicious activity on GitHub. Together with the non-profit Security Alliance, an industry verification standard was created—a framework for identifying North Korean IT workers during hiring.

“This work directly addresses one of the most acute operational security threats facing the Ethereum ecosystem today,” states the Ethereum Foundation report on the ETH Rangers outcomes.

As part of the initiative, the foundation supported 17 scholars in total. Their activities ranged widely, from researching vulnerabilities and security tools to education, threat analysis, and incident response.

Earlier, on April 1, the DeFi platform Drift Protocol on Solana was hacked for $280 million. According to findings by the project team and cybersecurity experts, North Korean hackers were behind the attack.
