A security effort funded by the Ethereum Foundation has identified about 100 suspected North Korean IT workers operating within Web3 projects. The six‑month project, often described as part of the ETH Rangers security effort, focused on tracking wallet activity, developer accounts, and hiring trends across the ecosystem.
Researchers say the agents used fictitious identities and posed as remote engineers and developers. Instead of relying on direct hacks, they allegedly entered through normal hiring channels and ended up inside about 53 Web3 and crypto projects.
How Investigators Linked Operatives to North Korea
The program combined on‑chain analysis with off‑chain intelligence. Investigators traced payment flows on Ethereum and other networks, then matched them with reused GitHub handles, LinkedIn‑style profiles, and resume templates seen in earlier DPRK cases.
In several instances, the team flagged suspicious GitHub contributors who pushed code to multiple projects using similar patterns. The Ketman Project, funded under the same umbrella, built an open‑source tool to detect abnormal GitHub activity tied to these worker networks.
According to summaries shared with media and ecosystem partners, the program then privately alerted affected teams. Some projects responded by cutting access, rotating keys, and, in a few cases, freezing funds that investigators linked to the operatives.
Why North Korea Targets Crypto Jobs
The results match broader research on North Korea’s remote IT worker programs, which authorities say generate hundreds of millions of dollars a year. These schemes place developers in overseas companies, where they gain technical access, earn salaries, and sometimes help move or launder stolen crypto.
Facilitators convert client payments into cryptocurrency and return them to North Korea, according to a recent Chainalysis investigation and a separate U.S. Treasury sanctions action. According to officials, the money supports ransomware and other hacks in addition to missile and weapons projects.
Unlike direct exploits, this method hides behind normal business processes. Operatives use stolen or rented identities, conduct remote interviews, and then blend into global engineering teams until an investigation uncovers them.
The Ethereum‑backed program underscores a shift in how Web3 must think about security. It is no longer just about smart contract bugs and protocol exploits. It is also about who writes the code and runs the infrastructure.
Investigators recommend stronger KYC and background checks for remote technical hires in sensitive roles. They also urge projects to monitor contributor patterns, track unusual payment routes, and work with analytics firms when wallet behavior looks suspicious.