The Ethereum Foundation-backed initiative has identified 100 individuals linked to North Korea operating within crypto firms, exposing a persistent security risk across the industry. The findings point to infiltration at the workforce level rather than through code exploits alone.
The ETH Rangers program funded a six-month investigation known as the Ketman Project, launched in late 2024. The effort flagged suspected Democratic People’s Republic of Korea (DPRK) developers and contacted 53 crypto projects that may have unknowingly hired them. The initiative was structured as a public goods grant supporting independent security research.
blackbigswan
How Deep Does DPRK Infiltration Run In Crypto?
Evidence suggests these operations are not recent or isolated. Security researchers have traced DPRK-linked developer activity back to early decentralized finance (DeFi) cycles, with contributions to widely used protocols over several years. Estimates from R3ACH analysts place total funds stolen by associated groups at roughly $7 billion since 2017.
“This work directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today,” the Ethereum Foundation said.
Researcher Taylor Monahan added that many DPRK developers have legitimate experience, noting their years of blockchain work “is not a lie.”
But the methods used often rely on persistence rather than technical sophistication. Investigators report that operatives build credibility through job applications, GitHub activity, and remote interviews, gradually embedding themselves within teams before exploiting access or facilitating attacks.
Still, the scale of impact continues to grow, with groups such as Lazarus linked to major incidents including the $625 million Ronin Bridge exploit and the $1.4 billion Bybit breach. The Ketman Project has released detection tools and frameworks, with the next phase focused on whether industry-wide adoption can reduce infiltration risk before further large-scale exploits emerge.
