
Ketman Project Uncovers Roughly 100 Alleged DPRK IT Workers Lurking in 53 Crypto Projects

CATEGORY: Industry News

The Ethereum Foundation-backed Ketman Project has flagged approximately 100 suspected North Korean IT workers shilling their skills across 53 cryptocurrency projects, according to an ETH Rangers Program recap published on April 16. The six-month operation, funded through stipends from the ETH Rangers Program, was laser-focused on sniffing out and booting DPRK operatives who'd slipped into Web3 organizations behind elaborate fake personas. Think of it as on-chain Know Your Customer—except these customers definitely didn't pass KYC.
One Ketman deep-dive exposed how DPRK-linked actors masqueraded as Japanese developers on the Web3 freelance platform OnlyDust, armed with AI-generated profile pics, invented monikers like "Hiroto Iwaki" and "Motoki Masuo," and forged Japanese identity documents during verification. The plot thickened when investigators caught one suspect red-handed during a video call: asked to introduce himself in Japanese, he yanked off his headset and rage-quit the call. The team traced at least three actor clusters across 11 repositories, where 62 pull requests had already been merged before the reckoning arrived.
Beyond individual investigations, Ketman cooked up gh-fake-analyzer, an open-source GitHub profile analysis tool now live on PyPI. The project also teamed up with the Security Alliance (SEAL) to pen the DPRK IT Workers Framework, which has since become the industry's go-to handbook for spotting and handling suspected North Korean operatives in the crypto space.
The ETH Rangers Program, which launched in late 2024 alongside Secureum, The Red Guild, and SEAL, handed out stipends to 17 recipients total. When the community tallied up the results, the consolidated wins included over $5.8 million in recovered funds, 785 reported vulnerabilities, and 36 incident responses handled. Not bad for a six-month degen detox program.
Security researchers keep sounding the alarm that these IT worker infiltrations aren't just annoying—they're often reconnaissance missions for larger supply chain attacks orchestrated by DPRK hacking crews. So while these fake developers were busy reviewing code, they might have been planting backdoors that make your DeFi protocol's TVL look like a farewell gift to bad actors.