An Ethereum Foundation-funded investigation has unmasked 100 North Korean IT workers embedded across the crypto industry, exposing a systematic infiltration campaign that spans at least 53 blockchain projects.
The Ketman Project: How DPRK Operatives Were Exposed
The Ketman Project, operating on a stipend from the Ethereum Foundation, spent months compiling intelligence on North Korean nationals using false identities to obtain remote employment at cryptocurrency and blockchain companies worldwide. The project’s researchers identified approximately 100 individual DPRK-linked workers and proactively notified 53 projects believed to be unknowingly employing them.
The operation takes its name from a concept describing the practice of concealing one’s true beliefs under authoritarian pressure — a fitting label for an effort to surface hidden identities inside an industry that prizes pseudonymity. Researchers cross-referenced GitHub activity, on-chain wallet patterns, communication metadata, and known DPRK infrastructure signatures to build profiles on each worker.
The scale of the findings is significant. The presence of one hundred confirmed operatives across 53 projects suggests this is not an opportunistic side operation — it is an organized state-sponsored workforce deployed specifically to harvest salaries, steal intellectual property, and potentially insert backdoors into protocol-level code.
Why North Korea Targets Crypto
The DPRK’s reliance on cryptocurrency as a sanctions-evasion mechanism is well-documented. The United Nations has linked North Korean hacking groups — primarily the Lazarus Group and affiliated clusters — to over $3 billion in crypto theft since 2017. In 2024 alone, blockchain analytics firm Chainalysis attributed roughly $1.3 billion in stolen crypto assets to North Korean actors, representing nearly half of all funds stolen from the industry that year.
Remote IT work represents a lower-risk, steadier income stream compared to high-profile exchange hacks. A skilled developer earning $5,000–$10,000 per month across multiple pseudonymous contracts can funnel tens of thousands of dollars annually back to Pyongyang with minimal exposure. Multiply that across 100 workers and the aggregate becomes a meaningful revenue line for a sanctioned state.
Beyond the financial motive, embedded developers have access. They can review internal codebases, observe security architectures, and in some cases push commits directly to production repositories. The 2023 Euler Finance hack and several DeFi protocol exploits have been linked, at least partially, to insider knowledge suggesting advance familiarity with contract logic.
The Ketman Project’s work is notable precisely because the threat is often invisible until damage is done. Most affected projects likely had no reason to suspect their remote contractors — many DPRK operatives present convincing LinkedIn histories, communicate professionally in English, and deliver competent work product.
What This Means for Traders
For retail traders and DeFi users, the implications are concrete and immediate. If even one of the 53 flagged projects contains a developer who inserted a subtle vulnerability — a malformed access control, a misconfigured oracle dependency — funds in associated protocols could be at risk.
Traders should treat this news as a prompt to review exposure to smaller or newer DeFi protocols where due diligence on the development team may be limited. Larger, audited, and institutionally backed platforms maintain more rigorous contributor vetting processes, making insider compromise harder to execute at scale.
The disclosure also raises longer-term questions for the industry around identity verification for open-source contributors and DAO-employed contractors. Several crypto projects operate with fully pseudonymous teams as a philosophical stance — a posture the Ketman Project findings suggest carries measurable security risk.
For centralized exchanges and regulated platforms, the risk profile is different but not zero. KYC processes reduce but do not eliminate the possibility of DPRK-linked individuals operating in support roles.
The Ethereum Foundation’s decision to fund this kind of adversarial intelligence work signals a maturing security posture for the broader ecosystem. Identifying and disclosing threats before exploitation occurs is a qualitatively different mode of defense than post-mortem analysis after funds are lost.