    Ethereum Foundation-funded project exposes 100 DPRK developers operating in crypto

    April 17, 2026

    A six-month investigation backed by the Ethereum Foundation has uncovered how North Korean operatives quietly embedded themselves inside dozens of Web3 teams under false identities.

    Summary

    • Ethereum Foundation backed a six-month probe that identified 100 North Korean operatives inside Web3 firms.
    • Ketman Project alerted 53 crypto teams after tracing fake developer identities and suspicious GitHub activity.
    • Investigators linked the pattern to long-running DPRK infiltration tied to major exploits involving the Lazarus Group.

    The Ethereum Foundation said Thursday that its ETH Rangers initiative funded a security-focused effort that identified 100 individuals linked to the Democratic People’s Republic of Korea operating within crypto companies. The program, launched in late 2024, was designed to support public goods work through stipends for independent researchers.

    One of those recipients used the funding to launch the Ketman Project, which focused on tracking “fake developers” working inside Web3 organizations. Over the six-month period, the project flagged 100 suspected DPRK IT workers and reached out to 53 crypto projects that may have unknowingly employed them.

    “This work directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today,” the foundation said.

    The findings add to a growing body of evidence showing that North Korean-linked developers have spent years embedding themselves across the crypto industry, often blending into teams through credible technical contributions and fabricated professional identities.

    Security researcher and MetaMask developer Taylor Monahan has previously said such activity dates back to the early DeFi era, with DPRK-linked developers contributing to widely used protocols.

    “Lots of DPRK IT workers built the protocols you know and love, all the way back to DeFi summer,” she said, noting that more than 40 platforms have relied on such contributors at different points. Claims of extensive experience are not always fabricated, she added, saying their “seven years of blockchain dev experience” is “not a lie.”

    Investigators have consistently tied these operations to the Lazarus Group, a state-backed collective linked to some of the largest crypto thefts in recent years. Estimates from R3ACH analysts put total stolen funds at around $7 billion since 2017, including attacks such as the $625 million Ronin Bridge exploit, the $235 million WazirX breach, and the $1.4 billion Bybit incident.

    Simple tactics, persistent execution

    Despite the scale of damage, many infiltration attempts rely on relatively basic methods rather than advanced exploits. Analysts say persistence, social engineering, and identity layering often prove more effective than technical sophistication.

    Independent blockchain investigator ZachXBT noted that many of these operations are “basic and in no way sophisticated,” adding that “the only thing about it is they’re relentless.” Outreach typically happens through job applications, LinkedIn profiles, email exchanges, and remote interviews, allowing operatives to gradually build trust within teams.

    Recent incidents have shown how far such tactics can go. Drift Protocol’s $280 million exploit was linked to a North Korean-affiliated group, with attackers using intermediaries and fully constructed professional identities to establish credibility before executing the breach.

    Red flags and detection efforts expand

    Details from the Ketman Project shed light on how these operatives maintain cover inside development teams. Common indicators include reusing avatars or profile metadata across multiple GitHub accounts, unintentionally exposing unrelated email addresses during screen sharing, and using system language settings that contradict claimed nationalities.
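
    The indicators listed above can be turned into a simple triage pass over contributor records. This is an added example, not the Ketman Project's tool or code from the article; the record fields, the sample accounts and the country-to-language table are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records; field names are hypothetical, not a GitHub API schema.
ACCOUNTS = [
    {"login": "dev-alpha", "avatar_sha256": "aa" * 32, "profile_website": "https://portfolio.example/a", "claimed_country": "JP", "system_locale": "ja-JP"},
    {"login": "dev-bravo", "avatar_sha256": "aa" * 32, "profile_website": "", "claimed_country": "CA", "system_locale": "ko_KR"},
    {"login": "dev-charlie", "avatar_sha256": "cc" * 32, "profile_website": "https://portfolio.example/a", "claimed_country": "PL", "system_locale": "pl-PL"},
    {"login": "dev-delta", "avatar_sha256": "dd" * 32, "profile_website": "", "claimed_country": "CA", "system_locale": "en-CA"},
]

# Assumed table: UI languages treated as consistent with a claimed country.
EXPECTED_LANGS = {"JP": {"ja", "en"}, "CA": {"en", "fr"}, "PL": {"pl", "en"}}

def shared_values(accounts, field):
    """Return {value: sorted logins} for values of `field` seen on 2+ accounts."""
    seen = defaultdict(set)
    for acct in accounts:
        value = acct.get(field)
        if value:  # empty fields are skipped so blank profiles do not cluster
            seen[value].add(acct["login"])
    return {v: sorted(logins) for v, logins in seen.items() if len(logins) > 1}

def locale_mismatches(accounts):
    """Logins whose system language is not in the set expected for the claimed country."""
    flagged = []
    for acct in accounts:
        lang = acct["system_locale"].replace("_", "-").split("-")[0].lower()
        expected = EXPECTED_LANGS.get(acct["claimed_country"])
        if expected is not None and lang not in expected:
            flagged.append(acct["login"])
    return sorted(flagged)

def review_queue(accounts):
    """Collect per-login reasons; these are leads for a human reviewer, not verdicts."""
    reasons = defaultdict(list)
    for field in ("avatar_sha256", "profile_website"):
        for logins in shared_values(accounts, field).values():
            for login in logins:
                others = ", ".join(l for l in logins if l != login)
                reasons[login].append(f"{field} shared with {others}")
    for login in locale_mismatches(accounts):
        reasons[login].append("system locale contradicts claimed country")
    return dict(reasons)

if __name__ == "__main__":
    for login, why in sorted(review_queue(ACCOUNTS).items()):
        print(login, "->", "; ".join(why))
```
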

    Alongside its investigative work, the project developed an open-source tool designed to flag suspicious GitHub activity. It also co-authored an industry framework for identifying DPRK-linked IT workers in collaboration with the Security Alliance.
