Ethereum Foundation Program Identifies 100 DPRK-Linked Crypto Workers

A project funded through a six-month stipend has produced an open-source detection tool and an identification framework aimed at uncovering fake developer identities inside crypto companies. The work, known as the Ketman Project, focused on tracking North Korean IT workers embedded in Web3 organizations.

Ketman Project findings and scope

Over six months, the project tracked down 100 North Korean IT workers operating within Web3 organizations. It reported that 53 projects were contacted and warned that they may have hired active operatives linked to the Democratic People’s Republic of Korea.

The Ethereum Foundation described the threat as one of the most pressing operational security risks facing the Ethereum ecosystem. The project’s results were shared publicly by CryptOpus on April 17, 2026.

How operatives were identified

The Ketman Project’s website outlines the tactics it says these workers used to appear as legitimate developers, including behavioral patterns, technical habits, and identity techniques. The report highlights several “basic” red flags observed across cases.

• Reusing the same profile photos and metadata across different GitHub accounts.
• Accidentally exposing unlinked email addresses during screen-sharing sessions.
• Using device language settings set to Russian, which in some cases conflicted with the nationalities the workers claimed.

Tools and frameworks released

Beyond identifying individuals, the project also built supporting infrastructure. It developed an open-source tool designed to flag unusual GitHub activity associated with suspicious accounts.

In addition, a separate framework for identifying DPRK-linked workers was co-authored with the Security Alliance, a nonprofit focused on blockchain security. Both resources are described as available for other organizations to use.

Context and reported scale of the broader threat

North Korea’s involvement in crypto has been a recurring concern. State-linked hacking groups, including the Lazarus Group, have been tied to major thefts in the industry’s history.

Reports cited in the article state that billions of dollars in digital assets have been stolen by North Korean actors over the years.

Ethereum Foundation program and disclosure limits

The article notes that the ETH Rangers program was created to address security gaps through stipend-funded individuals performing public-interest work. The Ketman Project is described as one of the first publicly documented outcomes from the program.

It also states that the Ethereum Foundation did not disclose the specific methods used to unmask the operatives beyond what the Ketman Project’s own publications describe. The project’s website, however, is presented as containing detailed write-ups on the operational patterns that reportedly gave the workers away.