The Ethereum Foundation has disclosed that its ETH Rangers Program, a six-month security initiative launched in late 2024, identified approximately 100 IT workers linked to North Korea embedded across 53 crypto projects. The program also recovered roughly $5.8 million in funds and surfaced more than 785 security vulnerabilities across the Ethereum ecosystem. The Foundation published its findings in a blog post on April 16, the same week the U.S. Department of Justice sentenced two American nationals to at least seven years in prison for helping DPRK operatives pose as U.S.-based developers to infiltrate roughly 100 domestic companies.
The Ketman Project: Hunting Fake Developers
The core detection work was led by the Ketman Project, a research initiative funded through an ETH Rangers stipend. Ketman partnered with the Security Alliance (SEAL) to develop a framework for identifying DPRK-linked personnel within crypto organizations. The framework targets behavioral, technical, and identity-based red flags rather than relying solely on on-chain analysis.
According to Ketman’s published research, common indicators of DPRK operatives include reusing avatars and profile metadata across multiple GitHub accounts, accidentally exposing unlinked email addresses during screen sharing sessions, and displaying default language settings (such as Russian or Korean) that contradict their claimed nationality. The operatives typically enter through normal hiring channels, presenting fabricated professional identities and sometimes making credible technical contributions to build trust before exploiting their access.
Ketman also developed and open-sourced gh-fake-analyzer, a GitHub profile analysis tool designed to detect suspicious activity patterns. The tool is available on PyPI and has already been adopted by multiple project teams for screening developer applicants.
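The indicators listed above, encoded as screening checks over applicant records. This is an added example, not code from Ketman or gh-fake-analyzer; the record fields, the sample accounts and the country-to-language table are constructed assumptions.

```python
from collections import defaultdict

# Assumption: languages a reviewer would expect for a claimed country.
EXPECTED_LANGS = {"US": {"en", "es"}, "CA": {"en", "fr"}, "JP": {"ja", "en"}}

# Constructed applicant records; no real accounts. "observed_*" fields are
# what an interviewer noted during a screen-sharing session.
APPLICANTS = [
    {"login": "dev-alpha", "avatar": "hash-01", "bio": "Solidity, Rust, 8 yrs",
     "country": "US", "observed_lang": "en",
     "emails": {"alpha@example.com"}, "observed_emails": {"alpha@example.com"}},
    {"login": "dev-bravo", "avatar": "hash-02", "bio": "Senior blockchain engineer",
     "country": "US", "observed_lang": "ko",
     "emails": {"bravo@example.com"}, "observed_emails": {"other@example.net"}},
    {"login": "dev-charlie", "avatar": "hash-02", "bio": "Senior blockchain engineer",
     "country": "CA", "observed_lang": "fr",
     "emails": {"charlie@example.com"}, "observed_emails": set()},
    {"login": "dev-delta", "avatar": "hash-02", "bio": "Go and TypeScript",
     "country": "JP", "observed_lang": "ru",
     "emails": {"delta@example.com"}, "observed_emails": set()},
]

def reuse_clusters(applicants, field):
    """Map each value of `field` shared by 2+ accounts to the logins using it."""
    groups = defaultdict(list)
    for a in applicants:
        groups[a[field]].append(a["login"])
    return {v: sorted(logins) for v, logins in groups.items() if len(logins) > 1}

def screen(applicants):
    """Return {login: [reasons]} for accounts that need manual review."""
    flags = defaultdict(list)
    for field in ("avatar", "bio"):  # reused avatar / profile metadata
        for logins in reuse_clusters(applicants, field).values():
            for login in logins:
                others = ", ".join(x for x in logins if x != login)
                flags[login].append(f"{field} shared with {others}")
    for a in applicants:
        expected = EXPECTED_LANGS.get(a["country"])
        if expected and a["observed_lang"] not in expected:  # locale contradicts claim
            flags[a["login"]].append(f"language {a['observed_lang']} vs claimed {a['country']}")
        extra = a["observed_emails"] - a["emails"]  # email not linked to the profile
        if extra:
            flags[a["login"]].append(f"unlinked email seen: {', '.join(sorted(extra))}")
    return dict(flags)

if __name__ == "__main__":
    for login, reasons in sorted(screen(APPLICANTS).items()):
        print(login, "->", "; ".join(reasons))
```

Each flag is a prompt for manual review rather than a verdict; a single shared bio or an unexpected locale has innocent explanations, while several flags on one account narrow the field.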
ETH Rangers by the Numbers
The Ethereum Foundation described the program’s combined output as evidence that securing a decentralized network requires a decentralized defense.
| Metric | Result |
|---|---|
| DPRK operatives identified | ~100 |
| Crypto projects alerted | 53 |
| Funds recovered | $5.8 million |
| Vulnerabilities reported | 785+ |
| Teams engaged in security challenges | 800+ |
| Views and users reached | 209,000+ |
| Program duration | 6 months (late 2024 – mid 2025) |
Blockchain investigator Nick Bax played a parallel role outside the formal program structure, independently identifying and notifying more than 30 project teams that DPRK-linked workers were on their active payrolls. He helped freeze hundreds of thousands of dollars in crypto already received by those operatives.
Not Just Ethereum: A Sector-Wide Infiltration Problem
The ETH Rangers findings add to a growing body of evidence about the scale of DPRK infiltration across the crypto industry. Chainalysis reported that North Korean hackers stole approximately $2 billion in cryptocurrency in 2025, a 51% increase from the previous year. The Drift Protocol exploit earlier this month, which drained $285 million from the Solana-based decentralized exchange, was linked to a DPRK-affiliated group tracked as UNC4736 (Citrine Sleet), the same actors behind the 2024 Radiant Capital hack.
MetaMask developer Taylor Monahan has previously noted that DPRK-linked developers have been contributing to widely used protocols since the early DeFi era. “Lots of DPRK IT workers built the protocols you know and love, all the way back to DeFi summer,” she said, adding that more than 40 platforms have relied on such contributors at various points.
DOJ Sentences Two Americans Who Helped DPRK Workers
The Ethereum Foundation’s disclosure coincided with a U.S. criminal enforcement action targeting the support infrastructure behind DPRK infiltration. The Department of Justice reported that two U.S. nationals pleaded guilty to wire fraud and money-laundering conspiracy charges for helping DPRK workers pose as Americans to gain access to roughly 100 U.S. companies. Each received a sentence of at least seven years in prison. The pair received $700,000 for their roles in routing millions in proceeds from victimized companies to DPRK-controlled accounts. Eight additional defendants indicted in connection with the same scheme remain at large.
Security Is No Longer Just About Code
The ETH Rangers results underscore a shift in how the crypto industry must think about security. The threat is no longer limited to smart contract bugs and oracle manipulation. It now includes who writes the code and who operates the infrastructure. Investigators recommend stronger KYC and background screening for remote technical hires, monitoring of contributor payment patterns, and active collaboration with blockchain analytics firms when wallet behavior appears suspicious. The Ethereum Foundation described the program’s conclusion as a structural milestone, but the underlying threat remains active and requires ongoing investment in detection infrastructure.