Ethereum Foundation Project Exposes 100 North Korean Operatives in Web3 Firms

Ethereum Foundation funded a project that uncovered ~100 North Korean agents infiltrating Web3 firms, exposing rising state-backed threats exploiting remote hiring.

The Ethereum Foundation has revealed that it funded a six-month security project that found about 100 North Korean agents who had reportedly infiltrated Web3 companies under fake identities. The results underscore the growing scale of state-related threats against the cryptocurrency and blockchain ecosystem, in which remote work arrangements and pseudonymous employment practices can be abused by malicious actors.
This was revealed on Thursday as part of a wider summary of the ETH Rangers program by the foundation, a program initiated in late 2024 to finance public goods security efforts in the Ethereum ecosystem. The program offers stipends to independent researchers and security contributors to work on ecosystem-level threats that are usually hard for individual companies to tackle.
ETH Rangers Program and Its Security Mission
The ETH Rangers program was established to enhance the security of Ethereum and Web3 infrastructure by funding researchers to investigate vulnerabilities, scams, and systemic risks.
The Ethereum Foundation stated that the program was meant to promote work on securing public goods, i.e., work aimed not at individual companies but at the ecosystem at large. This involves detecting bad actors, investigating attack patterns and improving knowledge of new threats.
Among those who benefited from this funding was a recipient who spent their stipend on starting what is now referred to as the Ketman Project, an intensive research effort into the so-called fake developers who operate inside crypto companies. The project put particular emphasis on locating operatives suspected of having connections with North Korea and working under false identities.
The Ketman Project findings
In its six-month investigation, the Ketman Project discovered nearly 100 North Korean tech workers at Web3 organizations. They had been embedded at numerous crypto-related firms, posing as legitimate remote software developers and engineers.
The project claims to have contacted approximately 53 crypto projects to warn them that they could have inadvertently hired people affiliated with a North Korean operation. The project also cited the Ethereum Foundation as saying that the North Korean initiative is evidence of an ongoing, serious operational security issue in the decentralized technology industry: remote employees and pseudonymous identity practices make it difficult to develop appropriate hiring standards for employee verification.
The Ethereum Foundation has indicated that this project has addressed one of the highest-risk security problems facing the Ethereum ecosystem at present.
How North Korean operatives infiltrate crypto companies
Security experts and global leaders have long warned that North Korean-affiliated organizations employ advanced techniques to infiltrate global tech sectors, such as blockchain and cryptocurrency companies.
These agents frequently pose as freelance developers or remote contractors, stealing identities, forging resumes and creating bogus employment histories to gain access to legitimate projects. Once hired, they are able to earn money, access inside information or even introduce vulnerabilities into systems.
Widely used infiltration strategies are:
Obtaining bogus LinkedIn and GitHub accounts.
Hiding location with remote work tools and VPNs.
Passing technical interviews with help from organized support groups.
Using freelance sites under various names.
Focusing on startups that have weaker security vetting procedures.
In other instances, some operatives might switch roles within the same project to avoid detection and continue working under different identities.
Connection To Broader Cyber Operations and Crypto Theft
Cyber activity connected to North Korea has in many instances been linked to massive cryptocurrency losses. International security agencies and blockchain professionals have connected a staggering amount of stolen digital funds (billions) to groups operating within known state-sponsored hacking organizations.
The Lazarus Group, one of the primary organized cyber-groups associated with North Korean cybercrime, has gained notoriety for a number of high-profile attacks on financial institutions, exchanges and blockchain platforms.
These organizations are thought to use stolen cryptocurrency to generate revenue in order to evade international sanctions and finance government programs. Because of their global reach and the fact that transactions using cryptocurrency are irreversible and provide ample liquidity, cryptocurrency networks make prime targets for hackers.
Why Web3 companies are particularly vulnerable
Because Web3 companies operate mostly under remote working models and decentralized team structures, background verification can be an even greater challenge than it is in a traditional corporate environment. Crypto startups frequently hire contributors from all over the world without face-to-face onboarding or defined identity verification processes.
The combination of these two factors means that malicious actors continue to infiltrate legitimate developer teams.
Critical Vulnerabilities:
Pseudonymous hiring common among crypto communities
Fast-paced hiring cycles in early-stage startups
Limited HR and compliance infrastructure
Reliance on contractor-based development work
Global and borderless nature of Web3 ecosystems
These factors create a perfect storm for well-organized infiltration operations, given the lack of appropriate security controls.
Ethereum Foundation Response and Ecosystem Implications
The Ethereum Foundation is working towards improving the ecosystem’s capacity to identify and respond to coordinated threats. One way the foundation hopes to accomplish this is by funding the Ketman Project, a program designed to supply the foundation with a network of supporters that can help collectively identify and respond to suspected threats.
The identification of 100 people as suspected operatives by the Bitcoin Foundation demonstrates the extent of the problem and implies that infiltration efforts may be more common than originally believed.
The foundation’s decision to publicize this problem indicates a growing understanding that security risks exist beyond smart contracts and hacking exploits. The need for security at the human level, such as identity verification and employee screening for honesty, is on the rise.
Security experts state that this type of risk is especially concerning because it plays out silently within organizations and is often not noticed until after the damage has been done.
Industry Response and Growing Security Concerns
The news will probably give Web3 businesses more motivation to put better policies in place for background checks on new employees, notably those building and maintaining sensitive systems (the infrastructure).
Some business members are already trying to develop stronger protections by advocating for:
1) More verified identities for remote developers
2) Better multi-stage background checks for technical positions
3) Decentralized reputation platforms for contributors
4) Mandatory security audits of internal development groups
5) More collaboration with security experts
But balancing openness and decentralization with security enforcement is a continuing issue for the crypto industry.
Conclusion
ETH Rangers, the Ketman Project, and the Ethereum Foundation have all recently recognized that threats to Web3 do not consist solely of technical (code) vulnerabilities; there are also sophisticated human-based infiltrations that are as yet undiscovered.
Reports estimate that around 100 North Korean operatives now work at crypto organisations. The information corroborates the scale of these threats and confirms ongoing worries about foreign government-sponsored cyber threats against the digital (virtual) asset space.
Going forward, as the crypto market matures, the challenge will be to create an open and decentralised system that defends against well-coordinated, long-term adversaries using fake identities, who exist to harm crypto.






