A security effort backed by the Ethereum Foundation has uncovered something the crypto industry has been quietly worried about for a while.
The Ketman Project, working under the ETH Rangers program, says it identified around 100 suspected North Korean IT operatives working inside Web3 companies—often under fake names and identities. The findings come after a six-month investigation and represent one of the most detailed looks yet at how deep this kind of infiltration might go.
What’s changing here is the strategy.
In the past, North Korea-linked activity in crypto was mostly about hacking exchanges or exploiting smart contracts from the outside. Now, the approach appears more subtle—and potentially more dangerous. Instead of breaking in, operatives are getting hired. They’re passing interviews, joining teams, and gaining access to internal systems, sometimes staying undetected for months.
What the Investigation Found
The numbers alone are striking:
Roughly 100 suspected DPRK-linked IT workers identified across Web3 firms
A six-month investigation led by the Ketman Project
The broader ETH Rangers initiative involved 17 independent researchers
Over $5.8 million in stolen funds recovered or frozen
More than 785 vulnerabilities tracked and 36 incidents handled
At the same time, the scale of crypto-related theft tied to North Korea continues to grow. Estimates suggest over $2 billion was stolen in 2025 alone—pushing the cumulative total to nearly $7 billion.
One recent example often cited is the major exploit involving Drift Protocol, where attackers linked to these networks reportedly carried out a $285 million hack earlier this year.
There have also been real-world infiltration cases. One exchange, Stabble, reportedly had to issue an alert after discovering that someone with suspected links had made their way into a leadership role.
How Did They Identify These Operatives?
This wasn’t a simple checklist or automated scan. It looked more like intelligence work than traditional cybersecurity.
Investigators pieced things together from patterns: inconsistent job histories, odd communication habits, or activity that didn’t match the claimed location. Payment trails and technical fingerprints also played a role, especially when the same patterns showed up across multiple identities.
They were essentially tracking behavior across platforms—job applications, GitHub activity, internal workflows—looking for signals that didn’t quite add up.
Tools developed within the ETH Rangers program helped with this. For example, systems designed to flag suspicious GitHub accounts made it easier to spot profiles with fabricated contribution histories or coordinated activity patterns.
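As an added illustration of the signal-based screening described above (example code, not the Ketman Project's or ETH Rangers' own tooling), the following Python scores constructed, invented account records against three of the signals this section names: commit activity that falls outside working hours for the claimed location, a contribution history dumped in bulk rather than accrued over time, and one technical fingerprint (here an author e-mail) reused across several identities. The thresholds, account names, e-mails and timestamps are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_HOURS = range(8, 21)        # 08:00-20:00 local is treated as a plausible working window
MISMATCH_RATIO = 0.6             # share of commits outside that window before the signal fires
BULK_RATIO, BULK_MIN = 0.8, 5    # most commits landing on a single day looks like a backfilled history

# Constructed sample records for illustration; names, e-mails and timestamps are invented.
ACCOUNTS = {
    "dev-alpha": {  # claims US East Coast, but commits at 00:00-02:00 local, nearly all on one day
        "claimed_utc_offset": -5,
        "commit_times": ["2025-03-03T05:10:00Z", "2025-03-03T05:14:00Z", "2025-03-03T06:02:00Z",
                         "2025-03-03T06:40:00Z", "2025-03-03T07:05:00Z", "2025-03-04T05:30:00Z"],
        "author_emails": ["shared.mailbox@example.invalid"],
    },
    "dev-beta": {   # claims UTC+9, working hours look normal, but reuses dev-alpha's e-mail
        "claimed_utc_offset": 9,
        "commit_times": ["2025-03-03T05:00:00Z", "2025-03-05T06:30:00Z", "2025-03-07T04:45:00Z"],
        "author_emails": ["shared.mailbox@example.invalid"],
    },
    "dev-gamma": {  # claims UTC+1, consistent daytime activity, unique identity
        "claimed_utc_offset": 1,
        "commit_times": ["2025-03-03T09:00:00Z", "2025-03-04T13:20:00Z", "2025-03-05T16:10:00Z",
                         "2025-03-06T10:45:00Z"],
        "author_emails": ["gamma.dev@example.invalid"],
    },
}

def score_account(name, accounts=ACCOUNTS):
    """Return the sorted list of signals that fire for one account."""
    rec = accounts[name]
    tz = timezone(timedelta(hours=rec["claimed_utc_offset"]))
    stamps = [datetime.fromisoformat(t.replace("Z", "+00:00")) for t in rec["commit_times"]]
    flags = []
    # Signal 1: activity that does not match the claimed location (hours converted to claimed zone).
    outside = sum(1 for s in stamps if s.astimezone(tz).hour not in WORK_HOURS)
    if stamps and outside / len(stamps) > MISMATCH_RATIO:
        flags.append("timezone_mismatch")
    # Signal 2: a contribution history dumped in bulk rather than accrued over time.
    per_day = Counter(s.date() for s in stamps)
    if len(stamps) >= BULK_MIN and max(per_day.values()) / len(stamps) >= BULK_RATIO:
        flags.append("backfilled_history")
    # Signal 3: the same technical fingerprint (author e-mail) behind more than one identity.
    others = {e for n, r in accounts.items() if n != name for e in r["author_emails"]}
    if others & set(rec["author_emails"]):
        flags.append("shared_fingerprint")
    return sorted(flags)

def flag_all(accounts=ACCOUNTS):
    return {n: score_account(n, accounts) for n in accounts}
```

Any single signal is only a prompt for a human to look closer; in practice the value comes from correlating several of them across platforms, as the investigators did.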
What This Actually Means
It’s important not to misunderstand the headline number.
“100 operatives” doesn’t necessarily mean 100 active hackers launching attacks from inside companies. In many cases, the role is more gradual and strategic.
Some are there to earn income, which can be funneled back to the state. Others may be gathering information—learning how systems work, identifying weak points, or positioning themselves for future actions.
That shift—from external attacks to internal access—changes the risk entirely. It’s not just about defending code anymore; it’s about who’s writing it, reviewing it, and quietly sitting inside the system.