
Ethereum Project Uncovers 100 North Korean IT Workers in Crypto Projects
A project funded by the Ethereum Foundation has identified around 100 suspected North Korean IT workers embedded in 53 crypto projects. This revelation highlights sophisticated infiltration tactics using fake identities and forged documents, posing a significant security risk to the Web3 ecosystem.
The Ketman Project, supported by the Ethereum Foundation's ETH Rangers Program, has successfully identified approximately 100 individuals suspected of being North Korean IT workers operating within 53 different cryptocurrency projects. This six-month initiative focused on uncovering and removing operatives from the Democratic People's Republic of Korea (DPRK) who had infiltrated Web3 organizations using fabricated identities.
These operatives employed advanced deception techniques, including AI-generated profile photos, fake Japanese developer personas with names like "Hiroto Iwaki," and forged identity documents. Investigations revealed that these actors would often abandon video calls when pressed to back up their claimed identity, for example by speaking Japanese. The project traced at least three distinct clusters of these operatives across 11 repositories, where they had 62 pull requests merged before being detected.
Beyond individual investigations, Ketman has developed and released gh-fake-analyzer, an open-source tool for analyzing GitHub profiles, and co-authored the DPRK IT Workers Framework with the Security Alliance (SEAL), which is now an industry standard. The broader ETH Rangers Program, which funded 17 recipients, has reported significant outcomes including the recovery of over $5.8 million in funds, the reporting of 785 vulnerabilities, and the handling of 36 incident responses.
This discovery is particularly concerning given North Korea's history of stealing billions in crypto assets. Security experts warn that the infiltration of IT workers often serves as a precursor to larger supply chain attacks orchestrated by state-sponsored DPRK hacking groups. For P2P merchants, this underscores the importance of robust KYC/AML procedures and vigilance against sophisticated scams that could impact platform integrity and user funds.