Ethereum Foundation Reveals Findings From ETH Rangers Program on DPRK-Linked IT Workers Across Web3 Projects

The Ethereum Foundation says it has identified 100+ Democratic People’s Republic of Korea (DPRK)-linked IT operatives embedded across roughly 53 crypto projects through its ETH Rangers Program, a security initiative aimed at strengthening defenses across the Ethereum ecosystem.

Cause: Targeting DPRK-linked infiltration

In a blog post, the Ethereum Foundation said the program was designed to track and expose DPRK-linked crypto agents before they could harm others, referencing prior incidents including the early-month case involving Drift Protocol.

Development: How the ETH Rangers Program was run

The Ethereum Foundation worked with Secureum, The Red Guild, and Security Alliance (SEAL) to launch the initiative in late 2024. The program provided stipends for public-goods security work across Ethereum, supporting independent security efforts intended to improve the network’s overall robustness.

According to the Foundation, the program also aimed to spotlight and reward contributors with a track record of delivering high-impact security work for the broader network.

Ketman Project focus

The Foundation said the Ketman Project was the main effort focused on discovering and expelling DPRK IT workers infiltrating blockchain projects under fake identities.

Data and findings

Over six months, the Ketman Project reportedly contacted roughly 53 projects and uncovered around 100 DPRK IT operatives embedded within Web3 organizations.

The findings were shared through a series of reports on ketman.org, which the Foundation said drew more than 3,300 active users and 6,200 page views. The reports covered topics including account-takeover techniques, infiltration of freelance platforms, and emerging DPRK–Russia ties.

The team also built and open-sourced gh-fake-analyzer, a GitHub profile analysis tool intended to flag suspicious activity patterns, and made it available via PyPI.

In addition, the project co-authored the DPRK IT Workers Framework with SEAL, and provided data to the Lazarus.group threat-intelligence project, with its work highlighted in a presentation at DEF CON.

Overall results across the program

The Ethereum Foundation said the 17 stipend recipients produced work spanning vulnerability research and security tooling, education, threat intelligence, and hands-on incident response.

• More than $5.8 million in funds recovered or frozen
• 785+ vulnerabilities, client bugs, and proof-of-concept exploits reported or documented
• 100+ DPRK state-sponsored operatives identified as embedded across multiple teams
• 209,000+ viewers and users reached through threat-intelligence and investigative content

Builder engagement and incident response

• 800+ teams participating in sponsored security challenges and investigations
• 80+ workshops, talks, and technical or educational resources
• Responses coordinated for 36+ security incidents
• Creation or improvement of at least 7 open-source tooling repositories, frameworks, and implementations

Impact and ongoing risk

The Foundation said DPRK-linked hacks remain a serious issue in the crypto community. It pointed to continued efforts by threat actors and referenced additional reporting and community measures, including claims that some builders are conducting interview tests to ensure developers are not DPRK agents.

The article also noted that, following attribution of an April 1 $285 million Drift Protocol attack to UNC4736, crypto detective ZachXBT uncovered an internal North Korean payment server tied to 390+ accounts, along with chat logs and transaction histories.