April 17, 2026 ChainGPT

Ethereum Foundation Probe Finds 100 Suspected DPRK Developers Embedded in Web3 Teams

Ethereum Foundation-backed probe uncovers 100 suspected DPRK developers quietly embedded in Web3 teams

The Ethereum Foundation says a six-month, security-focused investigation it funded has exposed roughly 100 suspected Democratic People’s Republic of Korea (DPRK) IT operatives embedded in Web3 projects under fabricated identities. The effort was financed through the ETH Rangers initiative, launched in late 2024 to support public-goods security research via stipends for independent investigators. One stipend recipient used the funds to create the Ketman Project, a focused campaign to identify “fake developers” inside crypto organizations. Over six months the project flagged 100 suspected DPRK-linked developers and contacted 53 crypto teams that may have unknowingly employed them.

“This work directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today,” the Ethereum Foundation said.

Longstanding infiltration, linked to Lazarus Group

The findings add to mounting evidence that DPRK-linked developers have been embedding themselves across the crypto industry for years. Security researcher and MetaMask developer Taylor Monahan previously noted that these activities date back to the early DeFi era, saying “Lots of DPRK IT workers built the protocols you know and love, all the way back to DeFi summer.” Monahan also cautioned that many claimed resumes are partly true (“seven years of blockchain dev experience” can be accurate), which makes detection harder.

Investigators and analysts frequently tie these operations to the Lazarus Group, a state-linked collective blamed for some of the largest crypto thefts in recent years. R3ACH analysts estimate DPRK-attributed thefts have totaled roughly $7 billion since 2017, pointing to high-profile incidents such as the $625 million Ronin Bridge exploit, the $235 million WazirX breach, and a $1.4 billion compromise involving Bybit.
Low-tech persistence over high-tech exploits

Despite the massive sums involved, researchers say many infiltration campaigns rely less on cutting-edge hacking and more on persistence, social engineering, and layered fake identities. Independent investigator ZachXBT called the tactics “basic and in no way sophisticated,” adding that “the only thing about it is they’re relentless.” Typical outreach vectors include job applications, LinkedIn profiles, email exchanges and remote interviews, methods that let operatives gradually build trust within teams.

Recent attacks show how far this social approach can go. Drift Protocol’s $280 million exploit, for example, has been linked to a North Korean-affiliated group that used intermediaries and carefully constructed professional identities to gain credibility before striking.

How the Ketman Project detects false identities

Ketman’s reporting lays out common indicators used to spot potential DPRK operatives inside development teams. Red flags include:

- Reused avatars or profile metadata across multiple GitHub accounts
- Unrelated email addresses accidentally exposed during screen sharing
- System language settings or other metadata that contradict the claimed nationality

Beyond the investigation, Ketman built an open-source tool to flag suspicious GitHub activity and co-authored an industry framework for identifying DPRK-linked IT workers in partnership with the Security Alliance.

Why it matters

The disclosure underscores an operational security challenge for crypto projects: talent can be weaponized, and legitimate technical contributions can mask state-backed objectives. The ETH Rangers-backed work and the tools it produced aim to give teams concrete ways to spot and address this threat, while reminding the industry that vigilance, robust due diligence, and layered onboarding security remain essential.
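The indicators listed under “How the Ketman Project detects false identities” above lend themselves to a mechanical first pass before any human review. The script below is an added example written for this page; it is not the Ketman Project’s open-source tool, and every account record in it is constructed. It assumes two inputs a team could collect for each applicant’s public GitHub presence: a hash of the avatar image plus the e-mail addresses on the profile and in commit metadata (to catch the cross-account reuse Ketman describes), and the UTC offsets git stores in each commit’s author timestamp, used here as a stand-in for the locale and system-language metadata the article mentions. The country-to-offset table and the 50% threshold are assumptions. As Monahan’s point about partly true resumes implies, a hit is a prompt for closer verification, not a verdict: a genuinely relocated or travelling developer will also show offsets that do not match a claimed home country.

```python
"""Cross-account indicator check over constructed GitHub-style data.

Added example for this article; it is not the Ketman Project's tool and the
sample records below are made up. It checks two of the red flags the article
lists: profile artifacts (avatar hash, e-mail) reused across accounts, and
metadata that contradicts a claimed location (here the UTC offset that git
records in every commit's author timestamp).
"""
from collections import defaultdict

# Constructed sample. avatar_sha256 stands for a hash of the downloaded avatar
# image (shortened for readability); emails combines the profile e-mail with
# author e-mails seen in the account's public commits; commit_tz_offsets are
# the author-timestamp UTC offsets, in minutes, from those commits.
SAMPLE_ACCOUNTS = [
    {"login": "alice-dev", "avatar_sha256": "a1f3c0de", "claimed_country": "DE",
     "emails": ["alice@example.org"], "commit_tz_offsets": [60, 60, 120]},
    {"login": "bob-builds", "avatar_sha256": "7c2e9b11", "claimed_country": "US",
     "emails": ["bob@example.org", "ops-shared@example.net"],
     "commit_tz_offsets": [-300, -240, 540, 540, 540]},
    {"login": "carol-codes", "avatar_sha256": "7c2e9b11", "claimed_country": "GB",
     "emails": ["carol@example.com", "OPS-Shared@example.net"],
     "commit_tz_offsets": [540, 540, 480, 0]},
    {"login": "dan-dev", "avatar_sha256": "b9e04477", "claimed_country": "CA",
     "emails": ["dan@example.org"], "commit_tz_offsets": [-300, -300, -240]},
]

# Plausible UTC offsets (minutes) per claimed country, standard and daylight
# time. Assumption: a small hand-built table standing in for a tz database.
COUNTRY_UTC_OFFSETS = {
    "DE": {60, 120},
    "GB": {0, 60},
    "US": {-600, -540, -480, -420, -360, -300, -240},
    "CA": {-480, -420, -360, -300, -240, -210, -180},
}

# Flag when more than this fraction of commits come from an implausible offset.
MISMATCH_THRESHOLD = 0.5


def shared_artifacts(accounts):
    """Map each (kind, value) artifact seen on more than one account to the
    sorted logins sharing it. E-mails are compared case-insensitively."""
    owners = defaultdict(set)
    for acct in accounts:
        owners[("avatar", acct["avatar_sha256"])].add(acct["login"])
        for email in acct["emails"]:
            owners[("email", email.lower())].add(acct["login"])
    return {key: sorted(logins) for key, logins in owners.items() if len(logins) > 1}


def tz_mismatch_ratio(account):
    """Fraction of commits whose UTC offset is implausible for the claimed
    country; None when the country is unknown or there are no commits."""
    allowed = COUNTRY_UTC_OFFSETS.get(account["claimed_country"])
    offsets = account["commit_tz_offsets"]
    if allowed is None or not offsets:
        return None
    return sum(1 for o in offsets if o not in allowed) / len(offsets)


def flag_accounts(accounts):
    """Return {login: [reason, ...]} for every account that trips an indicator.
    Accounts with no findings are absent from the result."""
    reasons = defaultdict(list)
    for (kind, value), logins in shared_artifacts(accounts).items():
        for login in logins:
            others = ", ".join(other for other in logins if other != login)
            reasons[login].append(f"shares {kind} {value} with {others}")
    for acct in accounts:
        ratio = tz_mismatch_ratio(acct)
        if ratio is not None and ratio > MISMATCH_THRESHOLD:
            reasons[acct["login"]].append(
                f"{ratio:.0%} of commits carry UTC offsets implausible for "
                f"claimed country {acct['claimed_country']}"
            )
    return dict(reasons)


if __name__ == "__main__":
    for login, findings in flag_accounts(SAMPLE_ACCOUNTS).items():
        print(login)
        for finding in findings:
            print("  -", finding)
```

Run as a script, it reports only bob-builds and carol-codes: the two share an avatar hash and a commit e-mail (matched case-insensitively), and most of their commits carry UTC+9 offsets that fit neither a claimed US nor a claimed GB location. Those shared artifacts are the cheap, reliable signal; the offset ratio is deliberately a threshold rather than a single-commit trigger so that one commit from a hotel does not flag an honest developer.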