Ethereum Targets North Korea’s Secret Workforce — Are Your Favorite DeFi Protocols Compromised?

The Ethereum Foundation exposed 100 Democratic People’s Republic of Korea (DPRK)‑linked IT workers embedded across roughly 53 crypto projects.

The ETH Rangers Program has wrapped up and the results speak for themselves: $5.8M+ recovered, 785+ vulnerabilities reported, 100+ DPRK operatives identified, and so much more.

A decentralized defence for a decentralized network.

Read the full recap

According to the blog post, the Ethereum Foundation teamed up with Secureum, The Red Guild, and Security Alliance (SEAL) in late 2024 to roll out said program. The initiative offered stipends to people carrying out public‑goods security work across the Ethereum ecosystem.

The program’s mission consisted in backing independent security initiatives that strengthen Ethereum’s overall robustness, while spotlighting and rewarding contributors with a proven history of delivering high‑impact security work for the broader network.

After six months, the results of the program speak for itself.

The ETH Rangers Program funded multiple crypto-security projects, but the Ketman Project was the one “focused on discovering and expelling North Korean (DPRK) IT workers who have infiltrated blockchain projects under fake identities”, per the blog post.

Over the six months of the investigation, they contacted roughly 53 different projects and uncovered around 100 DPRK IT operatives embedded inside Web3 organizations.

Their findings were shared in a series of detailed reports on ketman.org, which drew more than 3,300 active users and 6,200 page views, and explored themes such as account‑takeover techniques, the infiltration of freelance platforms, and emerging DPRK‑Russia ties. They also built and open‑sourced gh‑fake‑analyzer, a GitHub profile analysis tool designed to flag suspicious activity patterns, which is now available via PyPI.

In addition, they co‑authored the DPRK IT Workers Framework with SEAL, a document that has quickly become a go‑to reference for the industry, and supplied crucial data to the Lazarus.group threat‑intel project, with their work highlighted in a presentation at DEF CON.

The work produced by the 17 stipend recipients cover everything from vulnerability research and security tooling to education, threat intelligence, and hands‑on incident response.

According to the Ethereum Foundation, more than $5.8 million in funds have been recovered or frozen, while over 785 vulnerabilities, client bugs, and proof‑of‑concept exploits have been reported or documented. The Program has also helped identify around 100 DPRK state‑sponsored operatives embedded across multiple teams, and its threat‑intelligence and investigative content has reached over 209,000 viewers and users.

On the builder side, more than 800 teams have taken part in sponsored security challenges and investigations, supported by over 80 workshops, talks, and technical or educational resources. The initiative has coordinated responses to more than 36 security incidents and driven the creation or improvement of at least seven open‑source tooling repositories, frameworks, and implementations that further harden the ecosystem.

The DPRK-linked hacks continue to be a serious issue amongst the crypto community. Recently, key actors have been less lenient and more active in trying to uncover and stop their threat.

Investing in visible, transparent security collaborations (like EF’s backing of ETH Rangers/Ketman/SEAL) may deserve a premium in risk models, while protocols with opaque teams and loose hiring are increasingly “headline risk” candidates.

Cover image from Perplexity. ETHUSD chart from Tradingview.