100 North Korean agents exposed inside Web3 companies via Ethereum


Latest updates:

Project Ketman, which operates under the umbrella of the Ethereum Foundation’s ETH Rangers security program, has identified nearly 100 North Korean tech workers who infiltrated Web3 companies using fake credentials. The discovery, the latest news on Ethereum, is the result of a six-month investigation that ended with the largest number of Democratic People’s Republic of Korea insider infiltrations uncovered in the history of the sector.

The threat model has changed dramatically. Where North Korea’s government-backed crypto operations previously focused on remote exploitation and platform hacking, the 2025 model relies on the coordinated placement of workers. These operatives pass HR screenings, access internal databases, and work inside teams for months before being recognized.

Key points:

  • Operatives identified: About 100 North Korean tech workers have been seen using false information within Web3 companies.
  • Investigation period: Six months, managed by the Ketman Project with the support of the ETH Rangers Program.
  • Program scope: The ETH Rangers program funded approximately 17 independent investigators, recovered or blocked $5.8 million in stolen funds, tracked more than 785 threats, and responded to 36 incidents.
  • Scale of North Korean theft: $2.02 billion was stolen in 2025 alone, a 51% increase from 2024, bringing the total amount stolen to $6.75 billion.
  • Drift Protocol hack: North Korean-linked criminals stole $285 million on April 1, 2026, the largest decentralized finance (DeFi) hack of that year.
  • Real-world incident: Trading platform Stabble issued a takedown warning after a North Korean tech worker joined its leadership team.
  • Current status: Researchers are actively monitoring recovery efforts after the Drift hack; monitoring of operators in the DeFi sector is expected to increase.

Ethereum News: How the ETH Rangers Crypto Investigation Works – and What 100 North Korean Operatives Mean

The ETH Rangers program was launched at the end of 2024 through a partnership between the Ethereum Foundation, Secureum, The Red Guild, and the Security Alliance (SEAL), deploying 17 independent researchers over six months to strengthen the security of the Ethereum ecosystem.

Ketman’s work was one of the activities supported by the funding, and its contributions went beyond the scope of regular research or grant programs.

Identifying 100 operatives means matching false information against known North Korean operating patterns: inconsistent work histories, communication patterns showing time-zone anomalies, payments routed through intermediaries, and technical fingerprints duplicated across registrants. This is a rigorous practice, not just a security check.

This requires constant monitoring of project groups, GitHub activity, hiring pipelines, and behavioral indicators in existing teams.
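The indicator matching described above can be sketched as a triage pass over onboarding records. This is an added example, not Project Ketman's or ETH Rangers' tooling; the record fields, sample values and thresholds are assumptions, and it covers three of the listed indicators (duplicated fingerprints, time-zone mismatch, intermediary payouts).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; all field names and values are hypothetical.
APPLICANTS = [
    {"id": "a1", "claimed_utc_offset": -5, "fingerprint": "fp-01",
     "payout_owner_matches": True,
     "activity_utc": ["2025-03-03T14:10:00", "2025-03-03T19:40:00",
                      "2025-03-04T15:05:00"]},
    {"id": "a2", "claimed_utc_offset": -8, "fingerprint": "fp-02",
     "payout_owner_matches": False,
     "activity_utc": ["2025-03-03T09:00:00", "2025-03-03T11:30:00",
                      "2025-03-04T13:00:00"]},
    {"id": "a3", "claimed_utc_offset": 1, "fingerprint": "fp-02",
     "payout_owner_matches": True,
     "activity_utc": ["2025-03-03T08:00:00", "2025-03-03T10:00:00",
                      "2025-03-03T23:00:00"]},
]

def off_hours_ratio(rec, start=8, end=20):
    """Share of activity outside start..end in the claimed local time zone."""
    shift = timedelta(hours=rec["claimed_utc_offset"])
    hours = [(datetime.fromisoformat(t) + shift).hour for t in rec["activity_utc"]]
    if not hours:
        return 0.0
    return sum(1 for h in hours if not start <= h < end) / len(hours)

def shared_fingerprints(records):
    """Map each fingerprint seen on more than one identity to those ids."""
    by_fp = defaultdict(set)
    for rec in records:
        by_fp[rec["fingerprint"]].add(rec["id"])
    return {fp: ids for fp, ids in by_fp.items() if len(ids) > 1}

def review_queue(records, ratio_threshold=0.7):
    """Return {id: [reasons]} for records that warrant manual review."""
    shared = shared_fingerprints(records)
    queue = {}
    for rec in records:
        reasons = []
        if rec["fingerprint"] in shared:
            reasons.append("shared_fingerprint")
        if off_hours_ratio(rec) >= ratio_threshold:
            reasons.append("timezone_mismatch")
        if not rec["payout_owner_matches"]:
            reasons.append("intermediary_payout")
        if reasons:
            queue[rec["id"]] = reasons
    return queue
```

Each flag is a reason for a human to look closer, not a verdict; a single indicator such as night-shift activity has many innocent explanations.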

The main ETH Rangers program has achieved more visible results than Ketman’s work: participants recovered or stopped more than $5.8 million in funds, tracked more than 785 vulnerabilities and evidence of breaches, responded to 36 incidents, and delivered more than 80 security training courses.

Publicly released outputs include a DeFi activity monitoring platform, a tool to detect suspicious GitHub accounts, and a denial-of-service (DoS) testing system.

The GitHub tool is especially important here. The ability to identify suspicious accounts is what is needed to identify North Korean-affiliated developers operating under cover: accounts with contribution histories, linked behavior, or access to repositories. It seems that Ketman’s results depended mainly on these tools.

What “100 contributors” doesn’t mean is that these people only spend real time. The infiltration of technical personnel from North Korea serves several functions: obtaining funds for the government through legitimate pay, gathering information on protocols and codebases, and positioning operatives in advance for future attacks.

Long-term financial losses may be small, but long-term exposure represents structural risk.


