{"id":82282,"date":"2026-04-17T20:01:33","date_gmt":"2026-04-17T20:01:33","guid":{"rendered":"https:\/\/dogewisperer.com\/?p=82282"},"modified":"2026-04-17T20:01:33","modified_gmt":"2026-04-17T20:01:33","slug":"ethereum-foundation-program-identifies-100-dprk-linked-crypto-workers","status":"publish","type":"post","link":"https:\/\/dogewisperer.com\/?p=82282","title":{"rendered":"Ethereum Foundation Program Identifies 100 DPRK-Linked Crypto Workers"},"content":{"rendered":"
\n

An open-source detection tool and an industry-standard identification framework \u2014 those were among the outputs of a single researcher working on a six-month stipend.<\/p>\n

The findings, published by the Ethereum Foundation, came out of a program called ETH Rangers<\/a>, which was set up in late 2024 to fund security work that benefits the broader crypto ecosystem.<\/p>\n

One Researcher, One Stipend, 100 Operatives<\/h2>\n

One of the grant recipients used the funding to build the Ketman Project<\/a>, an investigation focused on fake developer identities inside crypto companies.<\/p>\n

Over six months, the project tracked down 100 North Korean IT workers embedded in Web3 organizations. About 53 projects were contacted and warned that they may have hired active operatives linked to the Democratic People\u2019s Republic of Korea.<\/p>\n

The Ethereum Foundation described the threat<\/a> as \u201cone of the most pressing operational security threats facing the Ethereum ecosystem today.\u201d<\/p>\n

\n

\"\ud83d\udea8\" A project funded by the #Ethereum<\/a> Foundation revealed 100 North Korean IT workers who sneaked into #Web3<\/a> companies using false identities. \"\ud83d\udc9b\"#cryptosona<\/a> $ETH<\/a> pic.twitter.com\/aCDKUV4mGO<\/a><\/p>\n

\u2014 CryptOpus (@ImCryptOpus) April 17, 2026<\/a><\/p>\n<\/blockquote>\n

The Ketman Project\u2019s website lays out the tactics these workers use \u2014 behavioral patterns, technical habits, and identity tricks that allow them to pass as legitimate developers.<\/p>\n

Some of the red flags are surprisingly basic. Workers were caught reusing the same profile photos and metadata across different GitHub accounts.<\/p>\n

During screen-sharing sessions, unlinked email addresses were accidentally exposed. In some cases, device language settings \u2014 set to Russian \u2014 gave away identities that contradicted the nationalities being claimed.<\/p>\n

<\/p>\n

How Operatives Were Caught<\/h2>\n

The Ketman Project did not just identify individuals. It built infrastructure. An open-source tool was developed to flag unusual GitHub<\/a> activity tied to suspicious accounts.<\/p>\n

A separate framework for identifying DPRK-linked workers was co-authored with the Security Alliance, a nonprofit focused on blockchain security. Both resources are now available for other organizations to use.<\/p>\n

Reports indicate the Ethereum Foundation<\/a> did not disclose the specific methods used to unmask the operatives beyond what the Ketman Project\u2019s own publications describe. The project\u2019s website, however, offers detailed write-ups on the operational patterns that gave workers away.<\/p>\n

A Threat Measured In Billions<\/p>\n

North Korea\u2019s presence in crypto is not new. State-linked hacking groups, including the well-known Lazarus Group, have been tied to some of the largest thefts in the industry\u2019s history.<\/p>\n

According to reports, billions of dollars in digital assets have been stolen by North Korean actors over the years.<\/p>\n

The ETH Rangers program was created specifically to address security gaps through stipend-funded individuals doing public-interest work.<\/p>\n

The Ketman Project represents one of its first publicly documented results. Whether other grant recipients have produced similar findings has not been disclosed.<\/p>\n

Featured image from Chief Learning Officer, chart from TradingView<\/em><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

An open-source detection tool and an industry-standard identification framework \u2014 those were among the outputs of a single researcher working on a six-month stipend. The findings, published by the Ethereum Foundation, came out of a program called ETH Rangers, which was set up in late 2024 to fund security work that benefits the broader crypto […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":0,"footnotes":""},"categories":[2],"tags":[3,4,5],"class_list":["post-82282","post","type-post","status-publish","format-standard","hentry","category-news","tag-crypto","tag-doge","tag-news"],"_links":{"self":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/82282","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=82282"}],"version-history":[{"count":0,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/82282\/revisions"}],"wp:attachment":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=82282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=82282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=82282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}