{"id":96278,"date":"2026-04-17T18:57:43","date_gmt":"2026-04-17T15:57:43","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=96278"},"modified":"2026-04-17T19:00:19","modified_gmt":"2026-04-17T16:00:19","slug":"ethereum-foundation-scholar-uncovers-100-north-korean-it-agents-in-web3-firms","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/ethereum-foundation-scholar-uncovers-100-north-korean-it-agents-in-web3-firms\/","title":{"rendered":"Ethereum Foundation Scholar Uncovers 100 North Korean IT Agents in Web3 Firms"},"content":{"rendered":"<p>The Ketman project, funded by the ETH Rangers program, identified a hundred North Korean IT specialists working in crypto companies under false identities over six months.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">The ETH Rangers Program has wrapped up and the results speak for themselves: $5.8M+ recovered, 785+ vulnerabilities reported, 100+ DPRK operatives identified, and so much more.<\/p>\n<p>A decentralized defence for a decentralized network.<\/p>\n<p>Read the full recap \ud83d\udc47<\/p>\n<p>\u2014 EF Ecosystem Support Program (@EF_ESP) <a href=\"https:\/\/twitter.com\/EF_ESP\/status\/2044784830412386421?ref_src=twsrc%5Etfw\">April 16, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The Ethereum Foundation has published a report on the ETH Rangers program\u2014an initiative launched at the end of 2024 to fund independent researchers focused on ecosystem security.<\/p>\n<p>One of the scholarship recipients allocated funds to create the Ketman project, specializing in identifying &#8220;fake developers&#8221; in the crypto industry. Researchers concentrated on operations supported by North Korea.<\/p>\n<p>North Korean IT specialists <a href=\"https:\/\/forklog.com\/en\/news\/north-korean-agents-secretly-developed-code-for-leading-defi-projects-for-seven-years\">have been infiltrating<\/a> Web3 companies under fake identities for years, earning salaries while simultaneously conducting reconnaissance and potentially accessing project infrastructure. The notorious Lazarus Group is behind the most prominent operations.<\/p>\n<p>In six months, the Ketman team documented 100 DPRK operatives actively working within Web3 organizations and notified 53 projects that they likely employ active agents.<\/p>\n<p>According to materials posted on the Ketman website, experts focused on identified traits of &#8220;tactics, behavior, and operational models&#8221; typical of North Korean IT operatives, including:<\/p>\n<ul class=\"wp-block-list\">\n<li>repeated use of avatars and profile metadata across multiple GitHub accounts under different names;<\/li>\n<li>accidental disclosure of unrelated email addresses during screen sharing in calls;<\/li>\n<li>system language settings that contradict claimed citizenship\u2014such as Russian or others;<\/li>\n<li>specific communication behavior patterns and atypical working hours for the stated time zone.<\/li>\n<\/ul>\n<p>The methodology for detecting DPRK agents in the project and Ethereum Foundation was not disclosed in detail.<\/p>\n<p>In addition to investigative work, Ketman developed an open-source tool for automatically detecting suspicious activity on GitHub. Together with the non-profit Security Alliance, an industry verification standard was created\u2014a framework for identifying North Korean IT workers during hiring.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThis work directly addresses one of the most acute operational security threats facing the Ethereum ecosystem today,\u201d states the Ethereum Foundation report on the ETH Rangers outcomes.<\/p>\n<\/blockquote>\n<p>As part of the initiative, the foundation supported 17 scholars in total. Their activities ranged widely, from researching vulnerabilities and security tools to education, threat analysis, and incident response.<\/p>\n<p>Earlier, on April 1, the DeFi platform Drift Protocol on Solana <a href=\"https:\/\/forklog.com\/en\/news\/drift-protocol-on-solana-loses-280m\">was hacked<\/a> for $280 million. According to <a href=\"https:\/\/forklog.com\/en\/news\/the-week-a-bleak-quantum-outlook-and-a-280m-drift-protocol-hack\">findings<\/a> by the project team and cybersecurity experts, North Korean hackers were behind the attack.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Ketman project, funded by the ETH Rangers program, identified a hundred North Korean IT specialists working in crypto companies under false identities over six months.<\/p>\n","protected":false},"author":1,"featured_media":96279,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"Ketman project identified 100 North Korean IT specialists in crypto companies.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1111,1323,1202],"class_list":["post-96278","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity","tag-investigations","tag-north-korea-dprk"],"aioseo_notices":[],"amp_enabled":true,"views":"32","promo_type":"1","layout_type":"1","short_excerpt":"Ketman project identified 100 North Korean IT specialists in crypto companies.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=96278"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96278\/revisions"}],"predecessor-version":[{"id":96280,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96278\/revisions\/96280"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/96279"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=96278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=96278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=96278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}