The Ethereum Foundation exposed 100 Democratic People’s Republic of Korea (DPRK)‐linked IT workers embedded across roughly 53 crypto projects.
Ethereum Foundation Levels Up Its Security With A Detective Program
The North Korean secret crypto-agents don’t rest, so the Ethereum Foundation decided it was time they put on the detective’s hat to track them before they too fell victims to them, just as Drift Protocol was at the beginning of the month. And so, yesterday afternoon the Foundation announced on an official blog post the starking results yielded by the ETH Rangers Program (and yes, everything related to North Korean hackers inevitably sounds straight out of an RPG or action movie).
The ETH Rangers Program has wrapped up and the results speak for themselves: $5.8M+ recovered, 785+ vulnerabilities reported, 100+ DPRK operatives identified, and so much more.
A decentralized defence for a decentralized network.
Read the full recap 👇
— EF Ecosystem Support Program (@EF_ESP) April 16, 2026
According to the blog post, the Ethereum Foundation teamed up with Secureum, The Red Guild, and Security Alliance (SEAL) in late 2024 to roll out said program. The initiative offered stipends to people carrying out public‐goods security work across the Ethereum ecosystem.
Related Reading: Blockchain Is South Korea’s New Fiscal Weapon — A Blow To Privacy?
The program’s mission consisted in backing independent security initiatives that strengthen Ethereum’s overall robustness, while spotlighting and rewarding contributors with a proven history of delivering high‐impact security work for the broader network.
After six months, the results of the program speak for itself.
The DPRK Crypto-Infiltration Saga, Parth Who-Is-Even-Counting-At-This-Point
The ETH Rangers Program funded multiple crypto-security projects, but the Ketman Project was the one “focused on discovering and expelling North Korean (DPRK) IT workers who have infiltrated blockchain projects under fake identities”, per the blog post.
Over the six months of the investigation, they contacted roughly 53 different projects and uncovered around 100 DPRK IT operatives embedded inside Web3 organizations.
Their findings were shared in a series of detailed reports on ketman.org, which drew more than 3,300 active users and 6,200 page views, and explored themes such as account‐takeover techniques, the infiltration of freelance platforms, and emerging DPRK‐Russia ties. They also built and open‐sourced gh‐fake‐analyzer, a GitHub profile analysis tool designed to flag suspicious activity patterns, which is now available via PyPI.
In addition, they co‐authored the DPRK IT Workers Framework with SEAL, a document that has quickly become a go‐to reference for the industry, and supplied crucial data to the Lazarus.group threat‐intel project, with their work highlighted in a presentation at DEF CON.
Overall Results Of The Ethereum Program
The work produced by the 17 stipend recipients cover everything from vulnerability research and security tooling to education, threat intelligence, and hands‐on incident response.
According to the Ethereum Foundation, more than $5.8 million in funds have been recovered or frozen, while over 785 vulnerabilities, client bugs, and proof‐of‐concept exploits have been reported or documented. The Program has also helped identify around 100 DPRK state‐sponsored operatives embedded across multiple teams, and its threat‐intelligence and investigative content has reached over 209,000 viewers and users.
On the builder side, more than 800 teams have taken part in sponsored security challenges and investigations, supported by over 80 workshops, talks, and technical or educational resources. The initiative has coordinated responses to more than 36 security incidents and driven the creation or improvement of at least seven open‐source tooling repositories, frameworks, and implementations that further harden the ecosystem.
The Saga Continues
The DPRK-linked hacks continue to be a serious issue amongst the crypto community. Recently, key actors have been less lenient and more active in trying to uncover and stop their threat.
Let’s remember that, following the the attribution of the April 1st $285 million attack on Drift Protocol to UNC4736, a North Korea–aligned, state‐sponsored hacking group, crypto detective ZachXBT uncovered an internal North Korean payment server tied to 390+ accounts, chat logs, and transaction histories.
A few weeks ago, some crypto builders confessed on the social network X that they are passing tests during interviews to developers to make sure they are not North Korean agents.
Investing in visible, transparent security collaborations (like EF’s backing of ETH Rangers/Ketman/SEAL) may deserve a premium in risk models, while protocols with opaque teams and loose hiring are increasingly “headline risk” candidates.
At the moment of writing, ETH trades for around $2,300 on the daily chart. Source: ETHUSD on Tradingview.
Cover image from Perplexity. ETHUSD chart from Tradingview.
