The Ketman project, funded through the ETH Rangers program, has identified a hundred North Korean IT specialists working in crypto companies under fake identities over the past six months.
The ETH Rangers Program has wrapped up and the results speak for themselves: $5.8M+ recovered, 785+ vulnerabilities reported, 100+ DPRK operatives identified, and so much more.
ā EF Ecosystem Support Program (@EF_ESP) April 16, 2026
A decentralized defense for a decentralized network.
Read the full recap š
The Ethereum Foundation has released a report on the ETH Rangers program, an initiative launched in late 2024 to fund independent researchers focused on ecosystem security.
One of the scholarship recipients allocated funds to create the Ketman project, which specializes in identifying "fake developers" in the crypto industry. The researchers concentrated on operations supported by North Korea.
North Korean IT specialists have been working in Web3 companies for years under false identities, receiving salaries while simultaneously conducting intelligence operations and potentially gaining access to project infrastructures. The notorious Lazarus Group is behind many of these high-profile operations.
In six months, the Ketman team documented 100 DPRK operatives actively working within Web3 organizations and alerted 53 projects that they likely employed active agents.
According to materials published on the Ketman website, experts focused on identifying specific "tactics, behaviors, and operational patterns" typical of North Korean IT operators, including:
- reusing avatars and profile metadata across multiple GitHub accounts under different names;
- accidental disclosure of unrelated email addresses during screen-sharing on calls;
- setting the system language to Russian or another language contrary to the claimed nationality;
- specific behavioral patterns in communication and atypical working hours for the stated time zone.
The methodology for detecting DPRK agents in the project has not been fully disclosed by Ketman or the Ethereum Foundation.
In addition to investigative work, Ketman developed an open-source tool for automatically detecting suspicious activity on GitHub. They also collaborated with the nonprofit Security Alliance to create an industry verification standard ā a framework for identifying North Korean IT workers during hiring.
"This work directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today," the Ethereum Foundation report stated regarding the ETH Rangers initiative.
As part of the initiative, the foundation supported a total of 17 scholars. Their activities spanned a wide range, from vulnerability research and security tools to education, threat analysis, and incident response.
It is worth noting that on April 1, the DeFi platform Drift Protocol, built on Solana, suffered a hack amounting to $280 million. According to findings from the project team and cybersecurity experts, the attack was carried out by North Korean hackers.