Latest News | April 17, 2026

ETH Rangers Program Exposes 100 DPRK Crypto Workers

The Ethereum Foundation ETH Rangers program funded a six-month hunt that found 100 North Korean IT workers inside Web3 firms in April 2026.

What to Know

  • 100 DPRK IT workers were identified inside Web3 organizations by the Ketman Project, funded through the Ethereum Foundation's ETH Rangers stipend
  • 53 crypto projects were contacted and warned that they may have unknowingly employed active North Korean operatives
  • The Ketman Project also built an open-source detection tool and co-authored an industry framework with the Security Alliance to help Web3 teams spot DPRK infiltrators

The Ethereum Foundation ETH Rangers program has uncovered a sprawling North Korean infiltration campaign inside Web3, with a stipend-funded investigator tracking down 100 DPRK IT workers who had burrowed into crypto projects under false identities. The foundation shared a recap of the effort on April 16, 2026, marking one of the most concrete public tallies yet of state-sponsored operatives inside the decentralized ecosystem.

How the ETH Rangers Program Funded This Hunt

The Ethereum Foundation ETH Rangers program launched in late 2024 with a simple premise: hand out stipends to people doing unglamorous but necessary security work for the Ethereum ecosystem. No bounties, no publicity stunts. Just funding for researchers willing to dig into the problems nobody else wanted to touch.

One of those researchers built the Ketman Project. Over six months, they focused entirely on fake developer infiltration, specifically operatives from the Democratic People's Republic of Korea running under fabricated professional identities inside crypto teams. What they found was not a handful of edge cases. It was a systematic, coordinated presence inside Web3 organizations across the board.

The Ethereum Foundation put it bluntly: this work directly addresses one of the most pressing operational security threats facing the ecosystem today. That framing matters. This is not a niche concern for a few hiring managers. This is a threat the Foundation itself is now treating as ecosystem-wide.

This work directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today.

— Ethereum Foundation, April 2026 ETH Rangers recap

What Did the Ketman Project Actually Find?

One hundred confirmed DPRK IT workers, operating inside active Web3 projects. That is the headline number from the Ketman Project's six-month investigation. The researchers did not stop at identifying individuals. They went further, reaching out to roughly 53 crypto projects to warn them that their teams may have included North Korean operatives on payroll.

Think about that for a second. Fifty-three separate crypto companies received a cold message telling them someone on their team might be a state-sponsored actor with North Korean ties. For some of those teams, that conversation probably came as a total shock. For others, it may have confirmed suspicions they had already been quietly sitting on.

The Ethereum Foundation was careful not to detail exactly how the Ketman Project built its identification process. The project's own website fills some of that gap, publishing a detailed breakdown of the tactics, behavioral signatures, and operational patterns these workers typically deploy when embedding themselves inside crypto organizations.

How Do You Spot a North Korean Developer?

What technical red flags does the Ketman Project use to identify DPRK IT workers?

The Ketman Project's detection methodology leans heavily on patterns that sound mundane on their own but become damning in combination. According to the project's published research, common red flags include:

  • Reusing avatars and profile metadata across multiple GitHub accounts
  • Accidentally exposing unlinked email addresses during screen sharing sessions
  • Default device language settings, such as Russian, that contradict the worker's claimed nationality or location
  • Behavioral inconsistencies in claimed technical backgrounds versus actual coding output

These are not sophisticated nation-state hacking tells. They are the kinds of slip-ups that happen when someone is managing multiple fake identities at once, across multiple projects, under constant operational pressure. The volume of the operation creates the mistakes.

Beyond manual investigation, the Ketman Project also released an open-source tool specifically designed to flag suspicious GitHub activity. Pair that with the industry framework they co-authored with the Security Alliance, a blockchain-focused nonprofit, and you have the beginning of what could become a standardized vetting layer for crypto hiring. That framework is now available to any project that wants it.
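The first red flag in the list above, avatars and profile metadata reused across accounts, is the one a hiring or security team can check mechanically against its own contributor list. The sketch below is an added example, not the Ketman Project's tool or code from the article; the record layout (`avatar_sha256`, `bio`, `site`), the account names and all sample values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (assumption): in practice these would come from a
# contributor export, with avatar_sha256 a digest of the downloaded avatar bytes.
ACCOUNTS = [
    {"login": "dev-alpha", "avatar_sha256": "a1" * 32, "bio": "Senior Solidity Engineer | 8y exp", "site": "alpha.example"},
    {"login": "dev-bravo", "avatar_sha256": "a1" * 32, "bio": "Full-stack dev", "site": ""},
    {"login": "dev-charlie", "avatar_sha256": "c3" * 32, "bio": "senior solidity engineer |  8Y exp ", "site": ""},
    {"login": "dev-delta", "avatar_sha256": "d4" * 32, "bio": "Rust and ZK", "site": "delta.example"},
    {"login": "dev-echo", "avatar_sha256": "e5" * 32, "bio": "", "site": ""},
]

def normalize(value):
    """Case-fold and collapse whitespace so trivial edits do not hide reuse."""
    return " ".join(value.lower().split())

def find_reuse_clusters(accounts, fields=("avatar_sha256", "bio", "site")):
    """Group accounts linked, directly or transitively, by an identical field."""
    parent = {a["login"]: a["login"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    seen = {}                    # (field, value) -> first login seen with it
    reasons = defaultdict(set)   # (field, value) -> logins sharing that value
    for acct in accounts:
        for field in fields:
            value = normalize(acct.get(field, ""))
            if not value:        # an empty field is not evidence of reuse
                continue
            key = (field, value)
            if key in seen:
                parent[find(acct["login"])] = find(seen[key])
                reasons[key].update({seen[key], acct["login"]})
            else:
                seen[key] = acct["login"]

    clusters = defaultdict(set)
    for login in parent:
        clusters[find(login)].add(login)
    result = []
    for members in clusters.values():
        if len(members) > 1:
            shared = sorted({f for (f, _), who in reasons.items() if who & members})
            result.append({"accounts": sorted(members), "shared_fields": shared})
    return sorted(result, key=lambda c: c["accounts"])
```

A cluster is a lead for manual review rather than a finding: stock images and templated bios produce matches between unrelated people, which is why the article stresses that these signals matter in combination.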

Why Does the DPRK Keep Targeting Crypto?

North Korea's crypto operations are not new. The Lazarus Group, one of the most prolific state-sponsored hacking outfits on the planet, has been tied to billions of dollars in stolen cryptocurrency across multiple years and multiple chains. But the IT worker infiltration campaign is a different beast from the typical hack-and-drain playbook.

Instead of breaking in, these operatives get hired. They sit inside projects, collect salaries that flow back to the DPRK state, and potentially exfiltrate code, keys, or intelligence over time. The risk is not just a single exploit. It is sustained, quiet access to the inner workings of active protocols.

$3 billion is a commonly cited floor for DPRK crypto theft over the past several years, according to various blockchain analytics firms. The IT worker campaign represents a softer, harder-to-detect extension of that same financial pipeline, just without the dramatic on-chain forensics that typically follow a major hack.

The fact that the Ethereum Foundation is now funding proactive countermeasures says something about how seriously the industry is finally taking this. Reactive forensics after a theft is one thing. Stipend-funded infiltration hunting before the damage is done is a different posture entirely.

What Should Crypto Projects Do Now?

Practically speaking, any Web3 project with remote developers should be looking at the Security Alliance framework and the Ketman Project's published research right now. Not because every remote developer is suspect, but because the cost of one embedded DPRK operative is catastrophically higher than the cost of a more rigorous hiring review.

The open-source GitHub detection tool is a start. Cross-referencing contributor metadata, verifying communication patterns, and building better onboarding verification processes all belong in the same toolkit. The Ketman Project's work gives teams something concrete to act on, not just a vague threat advisory.

The harder question is whether 53 projects being quietly warned is the beginning of a broader disclosure conversation or a one-time intervention that gets absorbed quietly and forgotten by next month. The DPRK did not stop after previous exposure cycles. They adapted.

Frequently Asked Questions

What is the Ethereum Foundation ETH Rangers program?

The ETH Rangers program, launched by the Ethereum Foundation in late 2024, provides stipends to individuals doing public goods security work within the Ethereum ecosystem. Recipients use the funding to investigate and address security threats, such as the DPRK IT worker infiltration campaign exposed by the Ketman Project.

What is the Ketman Project?

The Ketman Project is an Ethereum Foundation-funded investigation effort focused on identifying North Korean IT workers who infiltrate Web3 companies under fake identities. During a six-month stipend period, it identified 100 DPRK IT workers and alerted approximately 53 crypto projects about potential operatives on their teams.

How do DPRK IT workers get hired by crypto companies?

North Korean operatives build convincing fake developer identities, often reusing avatars and metadata across GitHub accounts, misrepresenting nationality through default language settings, and presenting fabricated professional histories. They apply for remote positions and collect salaries that are funneled back to the North Korean state.

Where can crypto projects find tools to detect DPRK IT workers?

The Ketman Project published an open-source GitHub activity detection tool and co-authored a detection framework with the Security Alliance, a blockchain-focused nonprofit. The framework is publicly available and designed to give crypto hiring teams a standardized process for identifying DPRK IT worker red flags.
