
Ethereum Foundation-funded project reveals 100 DPRK developers working on crypto

A six-month investigation supported by the Ethereum Foundation has revealed how North Korean operatives quietly installed themselves inside many Web3 groups under false identities.

Summary

  • The Ethereum Foundation supported a six-month investigation that identified 100 North Korean employees within Web3 firms.
  • The Ketman Project notified 53 crypto groups after tracking fake developer identities and suspicious GitHub activity.
  • Investigators linked the pattern to the DPRK’s long-standing involvement in large-scale operations involving the Lazarus Group.

The Ethereum Foundation said Thursday that its ETH Rangers program sponsored a security-focused effort that identified 100 people with ties to the Democratic People’s Republic of Korea working inside crypto companies. The program, which began in late 2024, was designed to support public goods work through grants for private researchers.

One of those recipients used the funding to launch the Ketman Project, which focuses on tracking down “fake developers” working within Web3 organizations. Over a six-month period, the project flagged 100 suspected DPRK IT workers and reached out to 53 crypto projects that may have unknowingly employed them.

“This project directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today,” the foundation said.

The findings add to a growing body of evidence showing that North Korean-linked developers have spent years embedding themselves throughout the crypto industry, often operating in groups that build trust through technical contributions while working under fabricated identities.

Security researcher and MetaMask developer Taylor Monahan has previously stated that such activity dates back to the early days of DeFi, with DPRK-affiliated developers contributing to widely used protocols.

“Most of the DPRK IT staff have created protocols that you know and love, from back in the summer of DeFi,” he said, noting that more than 40 platforms rely on such donors in different areas. Claims of extensive experience don’t happen often, he added, saying that “seven years of blockchain dev experience” is “not a lie.”

Investigators have been tying these activities to the Lazarus Group, a state-sponsored group linked to some of the biggest crypto thefts in recent years. Estimates from R3ACH analysts put stolen funds at around $7 billion since 2017, including attacks like the $625 million Ronin Bridge exploit, the $235 million WazirX breach, and the $1.4 billion Bybit incident.

Simple tricks, continuous practice

Despite the magnitude of the damage, most penetration attempts rely on basic methods rather than advanced exploits. Analysts say persistence, social engineering, and identity theft are often more effective than sophisticated technology.

Independent blockchain researcher ZachXBT noted that many of these operations are “basic and not advanced in any way,” adding that “the only thing about them is that they are uncompromising.” Access usually occurs through job applications, LinkedIn profiles, email exchanges, and remote conversations, allowing operatives to gradually build trust in teams.

Recent incidents have shown how far such tactics can go. The $280 billion Drift Protocol exploit has been attributed to a North Korea-linked group, with attackers using intermediaries and fully constructed identities to gain credibility before carrying out the breach.

Red flags and detection efforts are increasing

Insights from the Ketman Project shed light on how these operatives maintain cover within development teams. Common indicators include reusing avatars or profile metadata across multiple GitHub accounts, unintentionally revealing unrelated email addresses during screen sharing, and using system language settings that conflict with their claimed nationalities.

Along with its investigative work, the project has developed an open source tool designed to flag suspicious GitHub activity. It also co-authored an industry framework for identifying DPRK-linked IT personnel in collaboration with the Security Alliance.
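The indicators above lend themselves to a simple correlation check. The following is an added illustration, not the Ketman Project's tool: it runs over a constructed set of profile records (the logins, avatar hashes, e-mail addresses and locales are all made up) and flags accounts that share an avatar hash or e-mail address, or whose observed system locale contradicts the country they claim.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample profiles (not real accounts). The fields mirror the
# indicators named in the article: shared avatar/metadata across accounts,
# a stray e-mail address, and a system locale at odds with the claimed country.
@dataclass(frozen=True)
class Profile:
    login: str
    avatar_sha256: str    # hash of the downloaded avatar image (hypothetical values)
    commit_email: str     # e-mail seen in commit metadata or during screen sharing
    claimed_country: str  # country stated on the resume / job application
    system_locale: str    # locale observed from the OS, editor or git config

SAMPLE_PROFILES = [
    Profile("dev-alpha", "aa11", "alpha@example.com", "US", "en_US"),
    Profile("dev-beta",  "aa11", "beta@example.com",  "CA", "en_US"),
    Profile("dev-gamma", "cc33", "beta@example.com",  "US", "ko_KR"),
    Profile("dev-delta", "dd44", "delta@example.com", "UK", "en_GB"),
]

# Locales that are plausible for a claimed country (assumed, illustrative table).
EXPECTED_LOCALES = {"US": {"en_US"}, "CA": {"en_CA", "fr_CA", "en_US"}, "UK": {"en_GB"}}

def shared_attribute_clusters(profiles, attr):
    """Group logins that reuse the same value of `attr` (avatar hash, e-mail)."""
    groups = defaultdict(set)
    for p in profiles:
        groups[getattr(p, attr)].add(p.login)
    return {v: sorted(logins) for v, logins in groups.items() if len(logins) > 1}

def locale_mismatches(profiles):
    """Logins whose observed locale is not expected for their claimed country."""
    return sorted(p.login for p in profiles
                  if p.system_locale not in EXPECTED_LOCALES.get(p.claimed_country, set()))

def flag_profiles(profiles):
    """Return {login: [reasons]} for every profile that hits at least one indicator."""
    reasons = defaultdict(list)
    for attr in ("avatar_sha256", "commit_email"):
        for value, logins in shared_attribute_clusters(profiles, attr).items():
            for login in logins:
                others = [x for x in logins if x != login]
                reasons[login].append(f"shared {attr} {value} with {others}")
    for login in locale_mismatches(profiles):
        reasons[login].append("system locale contradicts claimed country")
    return dict(reasons)

if __name__ == "__main__":
    for login, why in flag_profiles(SAMPLE_PROFILES).items():
        print(login, why)
```

A hit on one indicator is a prompt for a closer identity check, not proof of anything; the value is in correlating several weak signals across accounts.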
