What did the Ketman project discover about North Korean IT workers in crypto?

The Ethereum-funded Ketman project identified around 100 suspected North Korean (DPRK) IT workers across 53 crypto projects. These individuals infiltrated Web3 teams using fake identities. The findings highlight a growing security threat within the crypto development ecosystem.

Who funded the Ketman investigation?

The project was funded by the Ethereum Foundation through its ETH Rangers Program. This initiative supports security research and ecosystem protection. It shows increasing institutional focus on internal threats in crypto.

How did North Korean operatives get hired by crypto projects?

The operatives posed as Japanese developers using fake names, AI-generated profile photos, and forged identity documents. They passed KYC checks and secured roles on platforms like OnlyDust. This allowed them to gain access to real development environments.

What evidence confirmed these workers were using fake identities?

In one case, a suspect failed to speak Japanese during a video call and abruptly left when questioned. Investigators also traced suspicious activity across multiple repositories. These inconsistencies exposed the deception.

What risks do these infiltrations pose to crypto projects?

These workers can introduce malicious code, steal sensitive data, or enable larger supply chain attacks. Security researchers warn this is often a first step in coordinated hacking campaigns. The risk extends beyond individual projects to the wider ecosystem.

How widespread was the infiltration across crypto projects?

Ketman identified DPRK-linked activity across 53 projects and traced three main actor clusters. These groups contributed to at least 11 repositories, with 62 pull requests merged before detection. This shows how deeply embedded they became.

What tools did the Ketman project develop to combat this threat?

The team created an open-source tool called gh-fake-analyser to detect suspicious GitHub profiles. It is available on PyPI for public use. This helps projects identify fake contributors earlier in the hiring process.

What is the DPRK IT Workers Framework?

The framework, co-developed with the Security Alliance (SEAL), provides guidelines to detect and prevent infiltration by North Korean operatives. It is becoming a standard reference in the industry. This reflects growing coordination on security best practices.

Ethereum project flags 100 North Korean crypto operatives

Written by Brie CarterPublished Apr. 19 2026Last Updated Apr. 19 2026

An Ethereum Foundation-funded initiative has identified around 100 suspected North Korean IT workers embedded across 53 crypto projects.

The six-month Ketman Project, supported by the ETH Rangers Programme, focused on detecting and removing DPRK-linked operatives infiltrating Web3 firms using fabricated identities.

Investigators found workers posing as Japanese developers with forged KYC documents and AI-generated profiles to secure roles within crypto teams.

The report detailed cases where fake identities such as “Hiroto Iwaki” were used, with one suspect abandoning a video call after failing to speak Japanese when prompted.

Ketman also identified coordinated activity clusters across multiple repositories, where dozens of code contributions were merged before detection, raising supply chain security concerns.

The project developed an open-source GitHub analysis tool and contributed to an industry framework alongside the Security Alliance to standardise detection methods.

The ETH Rangers Programme, launched with partners including Secureum and The Red Guild, reported outcomes such as $5.8 million in recovered funds, 785 vulnerabilities identified, and 36 incident responses handled.

At the time of reporting, Ethereum price was $2,326.04.