A recent investigation tied to the Ethereum Foundation’s ETH Rangers initiative has uncovered a major security concern within the Web3 sector. The Ketman Project, one of several efforts funded under the program, reports that roughly 100 individuals linked to North Korea have secured roles inside blockchain companies by using false identities.
The findings come after six months of analysis and represent one of the most detailed public accounts of insider activity connected to the country in this space. They also point to a shift in tactics. In previous years, cyber operations associated with Pyongyang largely focused on breaching exchanges or exploiting external vulnerabilities.
Investigators now describe a coordinated effort to place operatives inside organizations, where they move through hiring processes, gain access to internal systems, and remain embedded within teams for extended periods without raising suspicion.
ETH Rangers was launched toward the end of 2024 as a joint effort involving the Security Alliance, the Ethereum Foundation, The Red Guild, and Secureum. Seventeen independent researchers were assigned to examine risks across the Ethereum ecosystem, with a mandate to strengthen defenses. The Ketman Project emerged as one of the more in-depth undertakings, extending beyond standard code reviews or vulnerability hunting.
Researchers linked fabricated personas to known behavioral patterns tied to North Korean operations. These included irregular employment records, communication habits that suggested concealed locations, and financial arrangements routed through specific intermediaries. Recurring technical markers across otherwise unrelated job applicants also played a role in identifying connections.
The broader ETH Rangers initiative reported additional outcomes. Participants helped recover more than $5.8 million connected to past exploits, identified close to 800 vulnerabilities, and responded to dozens of incidents. Over 80 training sessions were also conducted to improve awareness across the ecosystem.
Among the tools developed was a system designed to flag suspicious GitHub accounts. Such technology is particularly relevant in cases like this, where individuals may attempt to build credible profiles through fabricated contribution histories or coordinated activity. The Ketman findings are believed to have drawn on similar capabilities to detect anomalies.
Researchers caution that identifying around 100 operatives does not necessarily mean each was actively conducting attacks at the time. Instead, these placements appear to serve multiple purposes.
Salaries earned through legitimate employment can provide financial support, while access to codebases and internal discussions offers valuable insight. In some cases, positions may also allow preparation for future operations.
While immediate losses linked to these individuals may be limited, the longer-term risks are harder to measure. Access from within can expose structural weaknesses, making organizations more vulnerable over time.
The uncovering of these embedded operatives raises serious concerns, and entities like Canaan Inc. (NASDAQ: CAN) may need to do thorough background checks to ensure that all their employees are who they say they are.
CryptoCurrencyWire
New York, NY
www.CryptoCurrencyWire.com