The Ethereum Foundation on Thursday published results of its ETH Rangers program. Over six months, a funded project called Ketman tracked down 100 North Korean IT agents operating inside Web3 companies under fake identities. The team warned 53 organizations they may have hired DPRK operatives without knowing it.
Where the Ketman Project came from
ETH Rangers launched in late 2024 to fund public-goods security work in the ecosystem. One recipient went a different direction: instead of building code, they started tracking fake developer profiles. That work became the Ketman Project.
The Lazarus Group has used this playbook for years. Agents get hired as freelance developers and route salaries back to Pyongyang. What Ketman found is that the problem runs deeper than most people realized.
100 agents, 53 projects warned
Over six months, Ketman identified 100 distinct DPRK IT workers active inside Web3 organizations. The team reached out to roughly 53 projects with a single message: you may be paying someone who reports to North Korean intelligence.
These "developers" have repository access and can plant vulnerabilities or leak private keys from crypto wallets. The Ethereum Foundation did not share Ketman's methodology, but the project website is public and lists a detailed catalogue of detection signals.
An open framework for hiring teams
Beyond the investigation, Ketman built an open-source tool to flag suspicious GitHub activity. Working with the Security Alliance nonprofit, the team turned the findings into an industry-standard framework any crypto company can use when screening new hires.
The cost goes well beyond salaries
The threat from DPRK agents in crypto is not limited to salaries flowing back to Pyongyang. A person with repository access can do the same damage as an external attacker, except from the inside. Drift Protocol, hit for $285 million in April, is a reminder of what one overlooked hire can cost.
ETH Rangers showed that fighting this threat does not require waiting on regulators. The community is self-funding intelligence, publishing findings openly, and building tools anyone can use. The next step is making these checks standard practice at hiring, not an afterthought.



