The Ethereum Foundation funded a six-month effort that exposed 100 North Korean operatives posing as developers within Web3 companies. The stipend program, ETH Rangers, launched in late 2024 to support public-goods security work; one recipient used the funds to create the Ketman Project, which investigates “fake developers,” especially DPRK operatives.
Over the stipend period, Ketman identified 100 different DPRK IT workers operating inside Web3 organizations and notified about 53 projects that may have employed active North Korean operatives. The Ethereum Foundation described the work as addressing a major operational security threat to the Ethereum ecosystem.
North Korean-linked groups, such as the Lazarus Group, have been implicated in high-profile crypto thefts worth billions. Ketman’s website outlines the tactics, behaviors, and operational patterns used by DPRK IT workers. Technical red flags include reusing avatars and profile metadata across multiple GitHub accounts, accidentally exposing unlinked email addresses during screen sharing, and showing default language settings (for example, Russian) inconsistent with claimed nationalities.
Ketman also developed an open-source detection tool to spot suspicious GitHub activity and co-authored an industry-standard framework for identifying DPRK IT workers in partnership with the blockchain nonprofit Security Alliance. The project’s reporting and tooling aim to help projects detect and mitigate the risk of embedded operatives in the Web3 supply chain.
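The red flags listed above (avatars and profile metadata reused across accounts, a default language that does not match the claimed nationality) can be turned into a simple review queue. The sketch below is an added example, not Ketman's tool or the Security Alliance framework; the record fields, the locale table and all sample accounts are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real accounts). "observed_locale" stands for
# a default language seen during a screen share; all field names are assumptions.
ACCOUNTS = [
    {"login": "dev-alpha", "avatar_sha256": "a3f1", "bio": "Full-stack blockchain dev, 8 yrs",
     "claimed_country": "JP", "observed_locale": "ru"},
    {"login": "dev-bravo", "avatar_sha256": "a3f1", "bio": "Full-Stack  Blockchain Dev, 8 yrs",
     "claimed_country": "CA", "observed_locale": "en"},
    {"login": "dev-charlie", "avatar_sha256": "77c0", "bio": "Rust and ZK circuits",
     "claimed_country": "DE", "observed_locale": "de"},
    {"login": "dev-delta", "avatar_sha256": "19be", "bio": "Frontend, React",
     "claimed_country": "US", "observed_locale": "en"},
]

# Assumed mapping of claimed country to plausible default UI languages.
EXPECTED_LOCALES = {"JP": {"ja", "en"}, "CA": {"en", "fr"}, "DE": {"de", "en"}, "US": {"en"}}

def normalize(text):
    """Lower-case and collapse whitespace so trivially edited copies still match."""
    return " ".join(text.lower().split())

def reuse_clusters(accounts, field):
    """Return {normalized value: [logins]} for values shared by more than one account."""
    groups = defaultdict(list)
    for acct in accounts:
        if acct.get(field):
            groups[normalize(acct[field])].append(acct["login"])
    return {v: sorted(logins) for v, logins in groups.items() if len(logins) > 1}

def locale_mismatch(acct):
    """True when the observed default language is implausible for the claimed country."""
    expected = EXPECTED_LOCALES.get(acct["claimed_country"])
    return expected is not None and acct["observed_locale"] not in expected

def review_queue(accounts):
    """Collect per-account signals for manual review, most signals first."""
    flags = defaultdict(list)
    for field in ("avatar_sha256", "bio"):
        for logins in reuse_clusters(accounts, field).values():
            for login in logins:
                others = ", ".join(l for l in logins if l != login)
                flags[login].append(f"{field} shared with {others}")
    for acct in accounts:
        if locale_mismatch(acct):
            flags[acct["login"]].append(
                f"locale {acct['observed_locale']} vs claimed {acct['claimed_country']}")
    return dict(sorted(flags.items(), key=lambda kv: (-len(kv[1]), kv[0])))

if __name__ == "__main__":
    for login, reasons in review_queue(ACCOUNTS).items():
        print(login, reasons)
```

Each signal is weak on its own; accounts that accumulate several are the ones worth a human look.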