The Ethereum Foundation-funded Ketman Project has identified approximately 100 suspected North Korean IT workers operating across 53 crypto projects, according to an ETH Rangers Program recap published on April 16.
The six-month initiative, backed through stipends from the Ethereum Foundation’s ETH Rangers Program, focused specifically on detecting and expelling DPRK operatives who had infiltrated Web3 organizations under fabricated identities.
How North Koreans Use Forged Identities and Fake KYC Documents
A recent Ketman investigation detailed how DPRK-linked actors posed as Japanese developers on the Web3 freelance platform OnlyDust.
The operatives used AI-generated profile photos, fabricated names such as “Hiroto Iwaki” and “Motoki Masuo,” and submitted forged Japanese identity documents during verification.
Investigators confirmed the deception during a video call when one suspect, asked to introduce himself in Japanese, removed his headset and left the call.
The team traced at least three actor clusters across 11 repositories, where 62 pull requests were merged before detection.
Open-Source Tools and Industry Framework
Beyond individual investigations, Ketman developed gh-fake-analyzer, an open-source GitHub profile analysis tool now available on PyPI.
The project also co-authored the DPRK IT Workers Framework with the Security Alliance (SEAL), which has become a standard industry reference.
The ETH Rangers Program, launched in late 2024 alongside Secureum, The Red Guild, and SEAL, funded 17 stipend recipients in total.
Consolidated outcomes included over $5.8 million in recovered funds, 785 reported vulnerabilities, and 36 incident responses handled.
North Korean operatives have stolen billions in crypto assets in recent years. Security researchers warn that IT worker infiltration often serves as a stepping stone for larger supply chain attacks coordinated by DPRK hacking teams.
The post Ethereum-Funded Project Exposes 100 North Korean IT Workers in Crypto appeared first on BeInCrypto.
