Recent investigations have demonstrated flaws in the cryptocurrency industry, with North Korean state-sponsored operatives breaching various Web3 projects. Multiple independent sources confirm that this is not an isolated incident, but the result of a structured initiative on the Ethereum ecosystem.
The findings originate from the ETH Rangers Program, established by the Ethereum Foundation in 2024 to support independent security research. The Ketman Project, a primary outcome of this initiative, dedicated six months to investigating suspicious developer behavior across various crypto organizations.
According to the Ethereum Foundation’s official recap, the project identified around 100 North Korean IT workers embedded within Web3 companies and alerted approximately 53 projects that they may have unknowingly hired these operatives.
The large-scale infiltration that took place shows an organized activity, with multiple attackers working across numerous projects — some of which have even been listed on the crypto heatmap.
What makes this situation particularly significant is how the infiltrations are made. These actors use legitimate hiring methods to gain access to organizational systems instead of directly attacking technical security flaws. They create fake identities and forge certificates to secure employment as developers or contributors.
After infiltrating an organization, these operatives establish themselves as trustworthy members, eventually gaining access to confidential information. This strategy changes the threat model from external hacking attempts to internal system breaches.
Researchers have documented specific behavioral and technical patterns used to execute these infiltrations: like account duplication through profile image reuse, language and system settings discrepancies, and unusual GitHub activity.
In response to this, the Ketman Project developed open-source tools designed to detect suspicious developer platform activity and protect the industry from emerging security threats.
The broader context explains why such operations are occurring. North Korean entities have targeted the cryptocurrency industry since its inception, reportedly accumulating more than 13,500 BTC. Based on the current Bitcoin price chart, this treasury is valued in excess of $1 billion. Analysts believe that these operations are meant to create income streams that could help the country bypass international sanctions.
State-backed organizations have carried out major cryptocurrency theft operations that were later made public due to their association with the Lazarus Group. The current strategy takes a new direction. Instead of relying on usual hacking, the agents now combine legitimate employment, insider access, and long-term positioning to maximize impact.
This new development will certainly bring major changes to the crypto field. Web3 projects depend on a global, remote contributor base that often prioritizes anonymity. While this openness facilitates rapid growth, it undermines the efficacy of standard identity verification methods.
Decentralized systems maintain many technical strengths, yet their security has become less effective against human-centric attacks. The Ethereum Foundation itself has described this as one of the “most pressing operational security threats” facing the ecosystem. The future will tell how effective the mitigation strategies adopted by the industry will be.