Ethereum-Funded Initiative Unmasks North Korean Infiltrators in Web3

A security initiative funded by the Ethereum Foundation has successfully exposed a network of North Korean IT workers operating under false identities within the Web3 sector. The Ketman Project, which received support through the foundation's ETH Rangers program, identified 100 operatives and alerted 53 different projects regarding the presence of DPRK personnel. The ETH Rangers program was established in late 2024 to provide stipends for public goods security work. The Ketman Project specifically targeted 'fake developers,' a known vector for state-sponsored actors from the Democratic People's Republic of Korea (DPRK) to gain access to sensitive infrastructure and corporate environments. Operatives were identified through a combination of behavioral patterns and technical red flags. These included the reuse of avatars and metadata across multiple GitHub accounts, accidental exposure of unlinked emails during screen shares, and language settings—such as Russian—that contradicted the workers' claimed nationalities. Beyond identifying individuals, the project developed an open-source detection tool for suspicious GitHub activity and co-authored a standardized framework for identifying DPRK workers in collaboration with the Security Alliance. This effort addresses a critical vulnerability, as North Korean hacking groups, including the Lazarus Group, have historically stolen billions in digital assets from the crypto ecosystem.