A major security probe backed by the Ethereum Foundation has identified 100 individuals with links to North Korea secretly working within a range of cryptocurrency companies. The six-month initiative revealed persistent infiltration of Web3 developer teams by operatives deploying false identities, raising serious concerns over operational security across decentralized networks.
Covert developer network spans global Web3 organizations
The Ethereum Foundation, a non-profit supporting development and research on the Ethereum blockchain since its founding in 2014, launched the ETH Rangers program in late 2024. This program channels funds to independent security experts focused on defending Ethereum’s infrastructure. One such initiative, the Ketman Project, began a detailed investigation to track suspect developer activity.
The Ketman Project centered on identifying individuals adopting multiple fabricated identities in order to embed themselves within Web3 organizations. Over six months, the team traced 100 North Korea-connected contributors, distributed throughout crypto projects worldwide. The research team alerted 53 blockchain projects believed to have unwittingly hired these individuals.
To help the sector counteract such threats, researchers created an open-source platform able to flag unusual contributor patterns across GitHub and project repositories. This tool is part of ongoing efforts to bolster Web3’s resilience to coordinated security breaches.
Long-term threat linked to Lazarus Group and billion-dollar thefts
Investigators mapped North Korean activity in the crypto sector back several years, with evidence tying many developers to the Lazarus Group—an infamous state-backed cybercrime organization. Their operations frequently involve embedding into core project teams while using convincing credentials and technical skills.
Since 2017, cyberattacks attributed to these DPRK-linked agents have resulted in a total haul of around $7 billion from cryptocurrency platforms. Major incidents included the Ronin Bridge breach and the WazirX hack, highlighting how these tactics have led to substantial financial losses.
Security experts have observed that these operatives are often technically proficient, enabling them to build trust and take on key developer responsibilities within critical DeFi and blockchain ecosystems. This issue poses not just isolated risks but a systemic vulnerability across the cryptocurrency sector.
Simple deception fuels extended infiltration
The investigation found that the operatives largely relied on common remote work tactics, such as submitting standard job applications, building professional online profiles, and navigating video interviews. These straightforward methods enabled them to gain credibility and access within development teams.
Red flags identified by researchers included reuse of stock or recycled profile photos, mismatched language preferences across accounts, and accidental reveals of unrelated email addresses. Clues occasionally surfaced during code reviews or online collaboration sessions, offering subtle hints about true identities.
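One of the red flags above, an unrelated email address surfacing under a contributor's account, can be checked against commit metadata. The following is an added example, not the Ketman Project's tool or code from the article; the record layout, account names and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real accounts):
# (hosting-account login, commit author name, commit author email)
COMMITS = [
    ("dev-kenji", "Kenji Sato", "kenji.sato@example.com"),
    ("dev-kenji", "Kenji Sato", "kenji.sato@example.com"),
    ("dev-kenji", "Kenji Sato", "M.Petrov@example.net"),  # unrelated address appears once
    ("mpetrov-eth", "Mikhail Petrov", "m.petrov@example.net"),
    ("alice-w", "Alice Wong", "alice@example.org"),
    ("alice-w", "Alice Wong", "12345+alice-w@users.noreply.github.com"),
]


def is_noreply(email):
    """GitHub privacy addresses are expected on any account, so skip them."""
    return email.endswith("@users.noreply.github.com")


def find_identity_overlaps(commits):
    """Return two kinds of leads for manual review:
    - one email address committing under several accounts
    - one account committing with several distinct addresses
    """
    logins_by_email = defaultdict(set)
    emails_by_login = defaultdict(set)
    for login, _name, email in commits:
        email = email.strip().lower()  # addresses differ only by case in practice
        if is_noreply(email):
            continue
        logins_by_email[email].add(login)
        emails_by_login[login].add(email)
    return {
        "email_shared_by_accounts": {
            e: sorted(l) for e, l in logins_by_email.items() if len(l) > 1
        },
        "account_with_several_emails": {
            l: sorted(e) for l, e in emails_by_login.items() if len(e) > 1
        },
    }


if __name__ == "__main__":
    for kind, hits in find_identity_overlaps(COMMITS).items():
        for key, values in hits.items():
            print(f"{kind}: {key} -> {values}")
```

Hits are leads for human review rather than proof: legitimate developers also commit from more than one address, so a match should be weighed alongside the other signals the researchers list.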
To address the threat, the Ketman Project teamed up with the Security Alliance—a cybersecurity coalition serving the Web3 industry—to develop guidelines and share detection strategies. The collaboration has improved the ability of blockchain organizations to identify and respond to potential security breaches linked to covert state-sponsored actors.



