Ethereum Foundation Exposes 100 DPRK Web3 IT Workers


Ethereum Foundation Uncovers 100 DPRK IT Agents in Web3 Firms Apr 2026

The Ethereum Foundation said on April 16, 2026 that its ETH Rangers program identified approximately 100 Democratic People's Republic of Korea IT workers operating inside Web3 organizations over six months. The Ketman Project, funded by an ETH Rangers stipend, reached around 53 crypto teams to flag the suspected operatives before they could cause further damage.


Context

North Korea has run an industrial-scale remote IT worker scheme for years, placing operatives inside Western companies to collect salaries and siphon sensitive access. The crypto sector has taken the brunt of it. Chainalysis estimated DPRK-linked actors stole roughly $2 billion in digital assets during 2025, with the Lazarus Group tied to the largest hits.

The Ethereum Foundation launched ETH Rangers in late 2024 alongside Secureum, The Red Guild, and Security Alliance. The six-month program distributed stipends to 17 independent researchers working on public goods security, from vulnerability hunting to incident response. One recipient used the funding to build the Ketman Project.

On April 16, 2026, the foundation published a full program recap detailing the results. The DPRK infiltration numbers stood out even among the broader security wins, which included 785+ reported vulnerabilities and $5.8 million in recovered or frozen funds.

Details

The Ketman Project flagged approximately 100 different DPRK IT workers embedded across roughly 53 Web3 organizations. The team built gh-fake-analyzer, an open-source GitHub profile analysis tool now available on PyPI, and co-authored the DPRK IT Workers Framework with Security Alliance, now the industry reference for detecting and removing these actors.

Detection patterns published by Ketman focus on operational tells: reused avatars and metadata across multiple GitHub accounts, accidentally exposed email addresses during screen shares, and system language settings like Russian that conflict with claimed nationalities. "This work directly addresses one of the most pressing operational security threats," the Ethereum Foundation wrote in its April 16 recap.
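The indicators named above can be combined into a simple review queue. The following is an added example, not code from gh-fake-analyzer or the Ketman Project; the record fields, the locale table and the sample accounts are all constructed assumptions, and a hit is a lead for manual review rather than an attribution.

```python
from collections import defaultdict

# Constructed sample records (not real accounts). Field names are assumptions
# for this example, not the schema of any published tool.
PROFILES = [
    {"login": "dev-alpha", "avatar_sha256": "aa" * 32,
     "commit_emails": {"alpha@example.com"}, "claimed_country": "JP", "system_locale": "ja_JP"},
    {"login": "dev-bravo", "avatar_sha256": "aa" * 32,  # same avatar as dev-alpha
     "commit_emails": {"bravo@example.com", "shared@example.com"},
     "claimed_country": "US", "system_locale": "en_US"},
    {"login": "dev-charlie", "avatar_sha256": "cc" * 32,
     "commit_emails": {"shared@example.com"}, "claimed_country": "CA", "system_locale": "ru_RU"},
    {"login": "dev-delta", "avatar_sha256": "dd" * 32,
     "commit_emails": {"delta@example.com"}, "claimed_country": "US", "system_locale": "en_US"},
]

# Assumed table: languages that would be unsurprising for a claimed country.
EXPECTED_LANGS = {"JP": {"ja", "en"}, "US": {"en"}, "CA": {"en", "fr"}}

def shared_values(profiles, field):
    """Return {value: sorted logins} for values of `field` seen on 2+ accounts."""
    seen = defaultdict(set)
    for p in profiles:
        values = p[field] if isinstance(p[field], (set, list)) else [p[field]]
        for v in values:
            seen[v].add(p["login"])
    return {v: sorted(logins) for v, logins in seen.items() if len(logins) > 1}

def locale_mismatch(profile):
    """True when the observed system language conflicts with the claimed country."""
    lang = profile["system_locale"].split("_")[0].lower()
    expected = EXPECTED_LANGS.get(profile["claimed_country"])
    return expected is not None and lang not in expected

def review_queue(profiles):
    """Return {login: [reasons]} for accounts showing at least one indicator."""
    reasons = defaultdict(list)
    for field, label in (("avatar_sha256", "reused avatar"),
                         ("commit_emails", "shared commit email")):
        for logins in shared_values(profiles, field).values():
            for login in logins:
                others = ", ".join(l for l in logins if l != login)
                reasons[login].append(f"{label} with {others}")
    for p in profiles:
        if locale_mismatch(p):
            reasons[p["login"]].append(
                f"locale {p['system_locale']} vs claimed {p['claimed_country']}")
    return dict(reasons)
```
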

Separately, researcher Nick Bax contributed to more than 36 SEAL 911 incident response tickets during the program, including the response to the Loopscale exploit, in which $5.8 million in stolen funds was returned. Bax also helped alert over 30 teams about DPRK contractors on their payrolls and coordinated the freezing of mid-six-figure sums tied to those accounts.

Impact

The scale of the infiltration changes how Web3 firms need to think about hiring. Open-source culture, remote work, and pseudonymous contributions have long been assets for the industry. Those same traits are now the attack surface, with credentials checked against LinkedIn and GitHub profiles instead of through background verification.

"Lots of DPRK IT workers built the protocols you know and love," Taylor Monahan, security researcher at MetaMask, said in comments reported by crypto.news. She noted that more than 40 platforms have relied on such contributors at different points, with activity stretching back to the 2020 DeFi boom.

Legal exposure is the other half of the problem. SEAL's framework warns that paying a sanctioned-jurisdiction worker can trigger US Treasury scrutiny and asset freezes, even when the protocol didn't know who it hired. According to SEAL, the salaries paid to these workers flow directly to the North Korean military ministry rather than to the individuals themselves.

Next Steps

The ETH Rangers program has concluded, but its deliverables are now embedded in the ecosystem. The gh-fake-analyzer tool, the DPRK IT Workers Framework, and the Lazarus.group threat intelligence database remain active and open-source, with Ketman continuing to publish updates at ketman.org.

SEAL operates a 24/7 Telegram tip line (@seal_tips_bot) for immediate assistance with DPRK IT Worker incidents. Web3 hiring teams can cross-reference the framework before onboarding remote contributors, and the Ketman analyzer tool can audit existing GitHub contributor histories for the behavioral indicators flagged during the investigation.

Nick Bax's representation of SEAL at a US Department of Treasury roundtable and at Interpol headquarters in Lyon signals that regulatory coordination will continue. Expect more industry-wide hiring protocols and potentially further enforcement actions against facilitators of the DPRK IT worker pipeline in the coming months.
