Author
Ahmed Barakat
Author
Share it
The work of Ketman, who works under the protection program of the Ethereum Foundation of ETH Rangers, is in the recent news of Ethereum, which has been known about 100 North Korean Crypto IT operatives included within the companies Web3 of the identity of the fiction, the result of a six-month investigation that ended with one of the most public records of the DPRK entering the history of the sector.
The method of intimidation has changed. There in North Korea crypto level functions Once a staple of remote operations and exchange hacks, the 2025 feature is linked to employee onboarding, employees who pass HR checks, enter internal storage, and stay in sales teams for months before being identified.
- Operations are recognized: ~ 100 DPRK IT employees were found using false information within the company’s Web3
- Search period: Six months, managed by the Ketman Project with the support of ETH Rangers
- Program scope: ETH Rangers funded 17 independent researchers, recovered or blocked $5.8M in leverage, tracked 785+ vulnerabilities, responded to 36 solutions.
- The kidnapping of the DPRK: $2.02 billion was stolen in 2025 alone – a 51% increase from 2024 – pushing it to $6.75 billion
- Drift Protocol hack: Attackers linked to the DPRK spent $285 million on April 1, 2026, the largest DeFi fraud of the year.
- Actual events: Exchange Stabble issued a takedown warning after a DPRK IT employee joined its leadership team
- Watch: Researchers are actively tracking Drift’s exploits; Regulatory scrutiny of DeFi service monitoring should increase
Note: The best crypto to change your profile
Ethereum News: How ETH Rangers Crypto Investigation Really Works – and What 100 North Korean Operatives Really Mean
ETH Rangers was launched at the end of 2024 through a partnership between the Ethereum Foundation, Secureum, The Red Guild, and the Security Alliance (SEAL), sending 17 independent researchers over six months to strengthen the security of Ethereum.
Ketman’s work was one of the projects supported by the fund, and its results exceeded the usual research rate or bug rate.
Identifying the 100 workers means comparing the fabricated information with the known practices of the DPRK: inconsistent work history, communication patterns that show the concealment of time, payment methods through specific places, and technical stamps that are repeated to applicants who do not match them. It is an intelligence exercise, not a security investigation.
It requires continuous monitoring of all job boards, GitHub events, rental pipelines, and code of conduct within existing teams.
The massive ETH Rangers program delivered results beyond Ketman’s work: participants secured or froze more than $5.8 million, tracked 785+ vulnerabilities and testimonials, responded to 36 responses, and provided more than 80 security trainings.
Open source products include a DeFi activity monitoring platform, a suspicious GitHub account monitor, and a client-side DoS testing system.
The GitHub tool is useful here. Suspicious account detection is a key capability to identify DPRK-linked developers who are operating undercover – accounts with fabricated profiles, associated behavior, or access to suspicious assets. Ketman’s results must have been based on this tool.
What the “working 100s” does not mean: that those people were doing well in real time. The input of DPRK IT personnel serves several functions: generating government revenue through official payments, collecting information on protocols and codebases, and installing future displays.
The economic damage in the near future may be minimal; long-term exposure is designed.
Note: The best deals before the sale starts
