Ethereum Foundation-Backed ETH Rangers Uncover 100 North Korean Crypto Hackers Embedded in Web3 Firms
In a groundbreaking revelation shaking the blockchain community, the Ketman Project, operating under the Ethereum Foundation’s ETH Rangers security initiative, has exposed approximately 100 North Korean operatives covertly embedded within Web3 companies. This discovery marks one of the most detailed public accounts of Democratic People’s Republic of Korea (DPRK) infiltration in the crypto sector, following a rigorous six-month investigation.
A New Tactic in North Korean Crypto Operations
Historically, North Korea’s state-sponsored cyber activities in the crypto realm primarily focused on remote exploits and large-scale exchange hacks. However, the ETH Rangers’ findings indicate a significant shift in tactics throughout 2025. The adversary’s strategy now emphasizes coordinated workforce infiltration — deploying operatives who successfully pass human resources screenings, gain trusted access to internal repositories, and embed themselves within product teams for extended periods before being detected.
One notable incident involves the exchange Stabble, which issued a withdrawal alert after identifying a DPRK affiliate within its leadership, an example of the real-world risk posed by such insider threats.
Key Findings from the ETH Rangers Investigation
- Operative Identification: Around 100 DPRK IT personnel were discovered working under fabricated identities within various Web3 firms.
- Investigation Scope: A six-month endeavor powered by the Ketman Project with support from ETH Rangers.
- ETH Rangers Program Impact: The program funded 17 independent security researchers who collectively recovered or froze over $5.8 million in stolen funds, traced upwards of 785 vulnerabilities, and managed 36 incident response operations.
- Scale of DPRK Crypto Theft: North Korean hackers illicitly extracted approximately $2.02 billion in 2025 alone, a staggering 51% increase compared to 2024, bringing their cumulative crypto theft to around $6.75 billion.
- Noteworthy Exploit: On April 1, 2026, DPRK-linked actors carried out a massive DeFi hack on the Drift Protocol, siphoning $285 million — the largest decentralized finance exploit recorded so far this year.
The ETH Rangers Program: A Decentralized Defense Force
Launched in late 2024, the ETH Rangers program was an ambitious collaboration among the Ethereum Foundation, Secureum, The Red Guild, and the Security Alliance (SEAL). This coalition deployed 17 independent researchers on a mission to reinforce Ethereum’s security posture.
The Ketman Project distinguished itself by going beyond traditional audits and bounty programs, employing intelligence-grade techniques to detect operatives. This included matching suspicious digital identities to DPRK tradecraft signatures such as inconsistent employment histories, communication indicative of time-zone obfuscation, payment pathways through known intermediaries, and recurring technical fingerprints across multiple accounts.
Tools and Techniques Behind the Discovery
The program developed open-source tools such as a DeFi incident analysis platform, a GitHub suspicious account detector, and a client-side denial-of-service testing framework. These technologies proved invaluable for identifying covert DPRK operatives by flagging accounts with artificially constructed contribution histories and unusual activity patterns.
The investigation’s success underscores the necessity for continuous monitoring across hiring channels, developer repositories, and behavioral signals inside organizations — blending cybersecurity with traditional intelligence methodologies.
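The kinds of signals described above, as an added example that is not the Ketman Project's or ETH Rangers' code: a triage pass over account records that flags commit history predating the account, activity concentrated in the small hours of the claimed time zone, and a technical fingerprint shared across accounts. The record fields, thresholds and sample data are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data: logins, dates and fingerprints are invented.
ACCOUNTS = [
    {"login": "dev-alpha", "created": "2024-06-01", "claimed_utc_offset": -5,
     "fingerprint": "fp-01",
     "commits": ["2023-01-10T18:00:00+00:00", "2024-07-02T07:30:00+00:00",
                 "2024-07-03T08:10:00+00:00", "2024-07-04T09:00:00+00:00"]},
    {"login": "dev-beta", "created": "2024-05-15", "claimed_utc_offset": 1,
     "fingerprint": "fp-01",
     "commits": ["2024-06-01T09:00:00+00:00", "2024-06-02T13:00:00+00:00"]},
    {"login": "dev-gamma", "created": "2022-03-01", "claimed_utc_offset": 0,
     "fingerprint": "fp-02",
     "commits": ["2024-06-01T10:00:00+00:00", "2024-06-03T15:00:00+00:00"]},
]

NIGHT_HOURS = range(0, 6)  # assumed: 00:00-05:59 in the claimed local time
NIGHT_RATIO = 0.5          # assumed: flag when most commits fall in that window


def flags_for(account, fingerprint_counts):
    """Return triage flags for one account. Flags are leads for human review,
    not proof: imported history and night-shift work also trigger them."""
    flags = []
    created = datetime.fromisoformat(account["created"]).replace(tzinfo=timezone.utc)
    local = timezone(timedelta(hours=account["claimed_utc_offset"]))
    commits = [datetime.fromisoformat(c) for c in account["commits"]]

    # Contribution history older than the account itself (author dates are
    # client-set, so a padded history often shows up this way).
    if any(c < created for c in commits):
        flags.append("backdated_history")
    # Working hours that do not fit the time zone the person claims to be in.
    night = sum(c.astimezone(local).hour in NIGHT_HOURS for c in commits)
    if commits and night / len(commits) > NIGHT_RATIO:
        flags.append("night_activity")
    # Same device or key fingerprint seen under more than one identity.
    if fingerprint_counts[account["fingerprint"]] > 1:
        flags.append("shared_fingerprint")
    return flags


def triage(accounts):
    counts = Counter(a["fingerprint"] for a in accounts)
    return {a["login"]: flags_for(a, counts) for a in accounts}


if __name__ == "__main__":
    for login, flags in triage(ACCOUNTS).items():
        print(login, flags)
```
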
Implications and Future Outlook
While not all identified operatives were actively engaging in real-time exploits, their presence within key Web3 projects serves multiple purposes for the DPRK regime. These include revenue generation via salaries, intelligence gathering on critical codebases and protocols, and establishing positions for potential future cyberattacks.
The Ethereum Foundation and security community expect increased regulatory scrutiny concerning employment vetting within decentralized finance (DeFi) firms. Tracking illicit proceeds from significant attacks like the Drift Protocol exploit remains a priority for ongoing investigations.
Market Snapshot
As of the latest update, key digital asset prices are trending downward amid ongoing security concerns:
- Bitcoin (BTC): $75,120.36 (-1.60%)
- Ethereum (ETH): $2,316.39 (-1.95%)
- Solana (SOL): $84.81 (-2.79%)
- PEPE: $0.0000037 (-3.42%)
- SHIB: $0.0000059 (-3.06%)
- DOGE: $0.093 (-3.03%)
- XRP: $1.42 (-1.50%)
- Ethereum Gas Price: 0.84 gwei
Conclusion
The ETH Rangers’ discovery of over 100 North Korean infiltrators within the Web3 ecosystem shows how the threat landscape in crypto security is evolving. It highlights the urgent need for robust, intelligence-driven defenses to protect decentralized infrastructures from nation-state adversaries employing sophisticated infiltration methods.
As the Ethereum community digests these revelations, the broader industry is reminded that security in blockchain extends beyond code — it entails vigilance against human threat actors embedded within organizational structures.
Author: Ahmed Barakat
Last updated: April 18, 2026