A six‑month research effort funded through an Ethereum Foundation stipend program uncovered 100 North Korean IT workers posing as developers inside Web3 organizations. The stipend program, ETH Rangers, launched in late 2024 to support public-goods security work; one recipient used the funds to create the Ketman Project with the goal of investigating “fake developers,” with particular focus on DPRK operatives.
During the stipend period Ketman identified 100 distinct DPRK-linked IT profiles operating in the Web3 space and alerted roughly 53 projects that may have employed active North Korean operatives. The Ethereum Foundation characterized the work as tackling a significant operational security threat to the Ethereum ecosystem.
Ketman’s public writeups describe the tactics and operational patterns the researchers observed. Technical and behavioral red flags include reuse of avatars and profile metadata across multiple GitHub accounts, accidentally revealing unlinked email addresses while screen sharing, and default language settings (for example, Russian) that conflict with a claimed nationality. The project also places these findings in the broader context of DPRK-linked groups such as the Lazarus Group, which have been tied to high‑value cryptocurrency thefts.
To help the industry respond, Ketman produced an open-source detection tool for suspicious GitHub activity and co-authored an identification framework in partnership with the blockchain nonprofit Security Alliance. The project’s reporting and tooling are intended to help Web3 projects detect embedded operatives in their supply chains and reduce the operational risk posed by covert contributors.