A recent six-month security investigation supported by Ethereum’s ETH Rangers program uncovered around 100 suspected North Korean IT operatives working inside various Web3 and crypto companies. The findings pointed to a shift in cyber infiltration tactics, marking an increased risk of insider threats across the cryptocurrency sector.
Probe reveals widespread infiltration of crypto firms
The Ketman Project, known for its focus on tracking cybercrime in crypto, led the inquiry with backing from ETH Rangers. ETH Rangers is a notable security initiative connected to the Ethereum Foundation that funds expert researchers to assess vulnerabilities across decentralized platforms.
The project’s team identified about 100 individuals with suspected ties to North Korea who gained roles at crypto companies, mainly by presenting fake names and fabricated work histories. Investigators observed that these operatives slipped into organizations through standard hiring processes, making detection challenging for human resources teams.
Investigators noted that the activity appeared coordinated rather than isolated, with many suspects occupying roles at several firms throughout the sector. This pattern indicated a systematic approach to infiltrating the crypto workspace instead of targeting single entities.
The broader initiative has backed 17 independent researchers, helped identify more than 785 vulnerabilities, and handled 36 incident response operations so far, according to ETH Rangers. The program has also assisted with recovering or blocking $5.8 million in compromised crypto funds, underscoring its central role in ongoing digital asset security efforts.
Insider risk and hiring become new focal points
Traditionally, North Korean cyberattacks focused on hacking exchanges and technical exploits from the outside. Recent evidence, however, shows that perpetrators are increasingly aiming for internal access through employment.
Once inside, these workers acquire access to critical systems, code repositories, and workflow tools, often remaining undetected for extended periods. The evolving tactics mean conventional perimeter security, such as firewalls and wallet guards, is less effective against internal abuse.
These developments have raised concern about the effectiveness of standard recruiting protocols. Security experts emphasized that rigorous identity checks are now essential, following instances such as the one at the Stabble crypto exchange, where an individual linked to the DPRK joined the company’s management, resulting in a withdrawal alert.
Cases like these have highlighted how access to sensitive information can extend to senior company positions, putting user assets and operational integrity at additional risk.
Sector faces renewed pressure after record thefts
Financial losses attributed to North Korea-linked crypto crime remain substantial. In 2025, $2.02 billion was reportedly stolen by associated actors, reflecting a 51% surge compared to the previous year. Total losses tied to these incidents have now reached $6.75 billion.
In April 2026, the Drift Protocol platform suffered an exploit valued at $285 million, described as the largest decentralized finance (DeFi) hack of the year. Investigations into these stolen assets are ongoing, as highlighted by the security probe’s findings.
Rising cases of infiltration and theft have led crypto firms to strengthen internal monitoring and tighten access to wallets and sensitive systems. Industry observers anticipate that regulators may also escalate scrutiny over remote hiring and employee verification procedures as the threat landscape evolves.




