The Ethereum Foundation exposed 100 IT workers associated with the Democratic People’s Republic of Korea (DPRK) who were embedded in approximately 53 cryptographic projects.
Ethereum Foundation strengthens security with detective program
North Korea’s secret crypto agents never rest, so the Ethereum Foundation decided it was time to put on its detective hat and track down North Korea’s secret crypto agents before they fall victim to them, just like Drift Protocol did at the beginning of the month. And yesterday afternoon, the Foundation announced the surprising results produced by the ETH Ranger program in an official blog post (yes, anything involving North Korean hackers inevitably sounds like something straight out of an RPG or action movie).
The ETH Rangers program has concluded and the results speak for themselves. Over $5.8 million was recovered, over 785 vulnerabilities were reported, and over 100 North Korean operatives were identified.
Distributed defense for distributed networks.
Read the full summary 👇
— EF Ecosystem Support Program (@EF_ESP) April 16, 2026
According to a blog post, the Ethereum Foundation rolled out the program in collaboration with Securelum, Red Guild, and Security Alliance (SEAL) in late 2024. The initiative provided incentives to those performing public goods security activities across the Ethereum ecosystem.
Related article: Blockchain is South Korea’s new financial weapon — a blow to privacy?
The program’s mission consisted of supporting independent security initiatives that strengthen the overall robustness of Ethereum, while spotlighting and rewarding contributors with a proven track record of delivering high-impact security work to the broader network.
After 6 months, the results of the program will speak for themselves.
North Korea’s crypto intrusion saga, who’s counting at this point?
The ETH Rangers program funded multiple crypto security projects, but the Ketman project was a project “focused on finding and expelling North Korean (DPRK) IT workers who infiltrated blockchain projects under false identities,” according to a blog post.
Over a six-month investigation, they contacted approximately 53 different projects and discovered approximately 100 North Korean IT operatives hiding within the Web3 organization.
Their findings were shared in a series of in-depth reports on ketman.org, attracting more than 3,300 active users and 6,200 page views, exploring topics such as account takeover techniques, freelance platform infiltration, and emerging North Korea-Russia ties. We also built and open sourced gh-fake-analyzer, a GitHub profile analysis tool designed to flag suspicious activity patterns. This is currently available via PyPI.
In addition, they co-authored the SEAL and DPRK IT Workers Framework. This document quickly became the industry’s go-to reference and provided critical data for Lazarus.group’s Threat Intel project. The results were highlighted in a presentation at DEF CON.
Overall results of the Ethereum program
The work produced by the 17 scholarship recipients spans everything from vulnerability research and security tools to education, threat intelligence, and practical incident response.
According to the Ethereum Foundation, more than $5.8 million in funds have been recalled or frozen, and more than 785 vulnerabilities, client bugs, and proof-of-concept exploits have been reported or documented. The program also helped identify approximately 100 North Korean state-sponsored operatives across multiple teams, and its threat intelligence and investigative content reached more than 209,000 viewers and users.
On the builder side, over 800 teams are participating in sponsored security challenges and research, supported by over 80 workshops, talks, and technical and educational resources. This effort has coordinated responses to more than 36 security incidents and driven the creation or improvement of at least seven open source tool repositories, frameworks, and implementations that further strengthen the ecosystem.
story continues
North Korea-related hacking remains a serious issue within the crypto community. These days, major threat actors are less lenient and more proactive in uncovering and thwarting threats.
Recall that after the April 1st $285 million attack on Drift Protocol was attributed to UNC4736, a state-sponsored hacker group aligned with North Korea, crypto detective ZachXBT discovered a payment server inside North Korea associated with over 390 accounts, chat logs, and transaction histories.
A few weeks ago, some cryptocurrency builders confessed on the social network X that they had passed a test during developer interviews to ensure they were not North Korean agents.
While investments in visible and transparent security cooperation (such as EF’s support of ETH Rangers/Ketman/SEALs) may merit a premium in the risk model, protocols with opaque teams and slow hiring are increasingly candidates for “headline risk.”
At the moment of writing, ETH trades for around $2,300 on the daily chart. Source: ETHUSD on Tradingview.
Perplexity cover image. ETHUSD chart on Tradingview.
editing process for is focused on providing thoroughly researched, accurate, and unbiased content. We adhere to strict sourcing standards, and each page is carefully reviewed by our team of top technology experts and experienced editors. This process ensures the integrity, relevance, and value of your content to your readers.
