Ethereum Foundation's Ketman Project Exposes 100 North Korean IT Workers in Web3 Firms

Here's what it means for you.
If you work in the Web3 space, this investigation highlights the urgent need for enhanced security protocols to protect your projects from insider threats.
Why it matters
The infiltration of Web3 firms by North Korean operatives underscores significant vulnerabilities in the cybersecurity landscape, impacting trust and operational integrity.
What happened (in 30 seconds)
- On April 16, 2026, the Ethereum Foundation revealed that its Ketman Project identified around 100 North Korean IT workers infiltrating 53 Web3 organizations.
- Operatives used forged identities, including fake KYC documents and AI-generated profiles, to operate undetected on freelance platforms.
- A detection tool was developed to help projects mitigate insider threats and expel the identified operatives.
The context you actually need
- North Korea has a history of cybercrime, utilizing overseas IT workers and cryptocurrency theft to bypass international sanctions, with over $6.75 billion stolen since 2015.
- The ETH Rangers program, initiated in late 2024, aimed to bolster security in the Web3 ecosystem by funding independent researchers to investigate potential threats.
- The Ketman Project's findings included 62 merged pull requests from suspect repositories, indicating a systematic approach to infiltrating Web3 projects.
What's really happening
The Ethereum Foundation's ETH Rangers program was launched in response to escalating cybersecurity threats within the Web3 ecosystem. As the decentralized finance (DeFi) landscape grows, so does the risk of infiltration by malicious actors, particularly from nations like North Korea, which have been known to leverage cyber capabilities for financial gain. The Ketman Project's six-month investigation revealed a sophisticated network of approximately 100 North Korean IT workers posing as Japanese freelancers. This operation involved the use of forged identities and fake documentation, allowing these operatives to blend seamlessly into the global freelance market.
The investigation identified patterns that raised red flags, such as inconsistent work histories, timezone discrepancies, and unique technical fingerprints that deviated from typical developer profiles. By analyzing these indicators, researchers were able to pinpoint the infiltrators and alert the affected organizations. The release of the gh-fake-analyzer tool and the DPRK IT Workers Framework represents a proactive step towards mitigating insider threats, providing a framework for other projects to adopt similar security measures.
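One way to check for the timezone discrepancies mentioned above, as an added example that is not code from the Ketman Project or gh-fake-analyzer: it compares the UTC offsets and working hours in commit metadata against the location a contributor claims. The sample log, the `CLAIMED_OFFSET` records, the function name and the thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in `git log --format='%ae|%aI'` form: author email | author date.
SAMPLE_LOG = """\
dev-a@example.com|2026-01-12T10:15:00+09:00
dev-a@example.com|2026-01-13T14:40:00+09:00
dev-a@example.com|2026-01-14T19:05:00+09:00
dev-b@example.com|2026-01-12T21:30:00+03:00
dev-b@example.com|2026-01-13T22:10:00+03:00
dev-b@example.com|2026-01-14T20:45:00+09:00
"""

# Hypothetical onboarding records: claimed UTC offset in hours (Japan is UTC+9, no DST).
CLAIMED_OFFSET = {"dev-a@example.com": 9, "dev-b@example.com": 9}


def timezone_discrepancies(log_text, claimed, night=(1, 6), night_ratio=0.5):
    """Return {author: [reasons]} where commit metadata contradicts the claimed offset."""
    commits = defaultdict(list)
    for line in log_text.splitlines():
        author, sep, stamp = line.partition("|")
        if not sep:
            continue  # blank or malformed line
        when = datetime.fromisoformat(stamp.strip())
        if when.tzinfo is not None:  # ignore timestamps that carry no offset
            commits[author.strip()].append(when)

    findings = {}
    for author, stamps in commits.items():
        if author not in claimed:
            continue  # no claimed location on file to compare against
        claimed_delta = timedelta(hours=claimed[author])
        reasons = []
        # Check 1: UTC offsets recorded by the author's machine versus the claim.
        foreign = sorted({s.utcoffset().total_seconds() / 3600 for s in stamps
                          if s.utcoffset() != claimed_delta})
        if foreign:
            reasons.append(f"commit offsets differ from claim: {foreign}")
        # Check 2: share of commits made during night hours at the claimed location.
        hours = [s.astimezone(timezone(claimed_delta)).hour for s in stamps]
        asleep = sum(night[0] <= h < night[1] for h in hours) / len(hours)
        if asleep >= night_ratio:
            reasons.append(f"{asleep:.0%} of commits fall in claimed-local night hours")
        if reasons:
            findings[author] = reasons
    return findings
```

Commit offsets are written by the author's own machine, so a hit here is a prompt for closer review alongside the other indicators, not proof on its own.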
The implications of this infiltration extend beyond immediate security concerns. As Web3 projects increasingly rely on decentralized teams and remote work, the potential for insider threats grows. The Ethereum Foundation's findings have prompted a reevaluation of hiring practices within the industry, emphasizing the need for rigorous vetting processes to ensure that personnel are not only technically qualified but also trustworthy. The industry is now at a crossroads, where the balance between innovation and security must be carefully managed to maintain user trust and project integrity.
Moreover, the financial impact of these infiltrations cannot be overlooked. With the Ethereum Foundation reporting recoveries of $5.8 million and tracing 785 vulnerabilities, the economic stakes are high. Projects that fail to implement robust security measures risk not only financial loss but also reputational damage, which can have long-lasting effects on user confidence and market stability.
Who feels it first (and how)
- Web3 developers: Increased scrutiny on hiring practices and potential delays in project timelines due to enhanced vetting.
- Freelancers in the tech space: Heightened competition and potential barriers to entry as projects implement stricter security measures.
- Investors in crypto projects: Increased risk awareness may lead to more cautious investment strategies and a focus on security protocols.
What to watch next
- Adoption of security frameworks: Monitor how quickly and widely the gh-fake-analyzer tool and DPRK IT Workers Framework are adopted across the Web3 ecosystem, as this will indicate the industry's response to insider threats.
- Regulatory changes: Watch for potential regulatory responses aimed at enhancing cybersecurity standards within the crypto and Web3 sectors, which could reshape operational practices.
- Emergence of new security technologies: Keep an eye on innovations in cybersecurity tools designed specifically for the decentralized finance space, as these may become critical in preventing future infiltrations.
Approximately 100 North Korean IT workers were identified infiltrating Web3 firms.
Increased security measures and hiring vetting processes will be adopted across the industry.
The long-term impact on user trust and investment in Web3 projects remains to be seen.