So, it turns out that while we were all busy trying to figure out if our NFTs were worth more than a slightly damp biscuit, a bunch of North Korean operatives were quietly infiltrating Web3 teams like a herd of digital ninjas. The Ethereum Foundation, in a move that can only be described as “finally noticing the elephant in the blockchain,” funded a six-month investigation that uncovered this rather unsettling truth.
- The Ethereum Foundation’s ETH Rangers (yes, that’s a real thing) backed a probe that found 100 North Korean operatives playing hide-and-seek in Web3 firms.
- The Ketman Project, which sounds like a rejected Bond villain’s side hustle, alerted 53 crypto teams after sniffing out fake GitHub accounts and suspicious coding habits.
- Turns out, this isn’t just a one-off prank; it’s part of a long-running DPRK infiltration scheme tied to the Lazarus Group, who are basically the Ocean’s Eleven of crypto theft.
The Ethereum Foundation announced on a Thursday (because why not?) that their ETH Rangers initiative (which sounds like a blockchain-themed boy band) funded a security effort that identified 100 individuals linked to the Democratic People’s Republic of Korea (DPRK) lurking in crypto companies. Launched in late 2024, the program was designed to support public goods by giving stipends to independent researchers, because nothing says “public good” like uncovering state-sponsored hackers.
One of these researchers used the funding to start the Ketman Project, which focused on hunting down “fake developers” in Web3 organizations. Over six months, they flagged 100 suspected DPRK IT workers and reached out to 53 crypto projects that may have accidentally hired them. Because nothing says “trustless system” like trusting the wrong people.
“This work directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today,” the foundation said, probably while nervously checking their own GitHub accounts.
Infiltration runs deeper than a black hole’s gravity
Turns out, North Korean developers have been playing the long game, embedding themselves in the crypto industry like a particularly persistent weed in a blockchain garden. They’ve been blending in with credible technical contributions and fake LinkedIn profiles, making them the ultimate crypto chameleons.
Security researcher and MetaMask developer Taylor Monahan pointed out that this activity dates back to the early DeFi era, with DPRK-linked developers contributing to widely used protocols. “Lots of DPRK IT workers built the protocols you know and love, all the way back to DeFi summer,” she said, adding that more than 40 platforms have relied on these contributors. And no, their “seven years of blockchain dev experience” isn’t a lie; they’ve just been practicing their hacking skills for that long.
Investigators have consistently linked these operations to the Lazarus Group, a state-backed collective responsible for some of the largest crypto heists in recent history. R3ACH analysts estimate they’ve stolen around $7 billion since 2017, including the $625 million Ronin Bridge exploit, the $235 million WazirX breach, and the $1.4 billion Bybit incident. Because when you’re stealing crypto, why stop at a few million?
Simple tactics, relentless execution
Despite the massive damage, many of these infiltration attempts rely on tactics that are about as sophisticated as a rubber chicken. Analysts say persistence, social engineering, and identity layering are their go-to methods, proving that sometimes the simplest tricks are the most effective.
Independent blockchain investigator ZachXBT noted that these operations are “basic and in no way sophisticated,” adding that “the only thing about it is they’re relentless.” They typically reach out through job applications, LinkedIn profiles, and remote interviews, gradually building trust before striking. It’s like a digital version of the Trojan Horse, but with more GitHub repos.
Take the Drift Protocol’s $280 million exploit, for example. It was linked to a North Korean-affiliated group that used intermediaries and fully constructed professional identities to establish credibility before executing the breach. Because nothing says “professional” like stealing hundreds of millions of dollars.
Red flags and detection efforts expand
The Ketman Project shed some light on how these operatives maintain their cover. Common red flags include reusing avatars across multiple GitHub accounts, accidentally exposing unrelated email addresses during screen sharing, and using system language settings that don’t match their claimed nationality. It’s like they’re trying to fail a digital background check.
Alongside their investigative work, the project developed an open-source tool to flag suspicious GitHub activity. They also co-authored an industry framework for identifying DPRK-linked IT workers with the Security Alliance. Because if you can’t beat them, at least make it harder for them to blend in.
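To make the red flags above concrete, here is an added screening example (not the Ketman Project’s tool, and not code from the article) that runs the three checks the article lists over constructed candidate records: avatars reused across accounts, system locales inconsistent with the claimed nationality, and stray e-mail identities surfacing in commit metadata. The `EXPECTED_LOCALES` table and the sample accounts are assumptions invented for the demo.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    login: str                  # GitHub handle the candidate applied under
    claimed_country: str        # nationality stated on the application
    avatar: bytes               # raw avatar image bytes as fetched
    system_locales: list[str]   # locales seen during screen share / in commit metadata
    commit_emails: list[str]    # author e-mails observed in the candidate's commits


# Hypothetical mapping for the language-vs-nationality check (assumption, not a standard).
EXPECTED_LOCALES = {"US": {"en-US"}, "UK": {"en-GB"}, "DE": {"de-DE", "en-US"}}


def avatar_fingerprint(data: bytes) -> str:
    """Stable fingerprint so identical avatars match regardless of account."""
    return hashlib.sha256(data).hexdigest()[:16]


def shared_avatars(accounts):
    """Return {fingerprint: [logins]} for avatars used by more than one account."""
    by_fp = defaultdict(list)
    for acct in accounts:
        by_fp[avatar_fingerprint(acct.avatar)].append(acct.login)
    return {fp: logins for fp, logins in by_fp.items() if len(logins) > 1}


def locale_mismatch(acct):
    """Locales observed on the candidate's system that the claimed country would not explain."""
    return [loc for loc in acct.system_locales if loc not in EXPECTED_LOCALES.get(acct.claimed_country, set())]


def stray_emails(acct):
    """Simple heuristic: commit e-mails whose local part does not contain the applied-under login."""
    return [e for e in acct.commit_emails if acct.login.lower() not in e.split("@")[0].lower()]


def screen(accounts):
    """Return {login: [flag, ...]} listing every red flag raised per account; clean accounts are absent."""
    flags = defaultdict(list)
    for fp, logins in shared_avatars(accounts).items():
        for login in logins:
            flags[login].append(f"avatar {fp} shared with {sorted(set(logins) - {login})}")
    for acct in accounts:
        for loc in locale_mismatch(acct):
            flags[acct.login].append(f"locale {loc} inconsistent with claimed {acct.claimed_country}")
        for email in stray_emails(acct):
            flags[acct.login].append(f"unrelated e-mail exposed: {email}")
    return dict(flags)


# Constructed sample candidates (no real accounts); two share one avatar image.
SAMPLE = [
    Account("alice-dev", "US", b"PNG-avatar-A", ["en-US"], ["alice-dev@example.com"]),
    Account("bob-codes", "US", b"PNG-avatar-B", ["en-US", "ko-KR"], ["bob-codes@example.com", "other.person@example.net"]),
    Account("bobby-c", "UK", b"PNG-avatar-B", ["en-GB"], ["bobby-c@example.com"]),
]
```

Each flag is a lead for a human reviewer, not a verdict: a shared avatar or a stray locale warrants a follow-up identity check, nothing more.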
2026-04-17 11:16