Ethereum Foundation Security Project Exposes a Hundred North Korean IT Personnel Infiltrating Web3 Companies

BroadChain, 04/19/2026, 05:00 AM
This content has been translated by AI
Summary

BroadChain learned at 05:00 on April 19, via CryptoNews, that the Ketman Project, supported by the Ethereum Foundation's security project ETH Rangers, has, after a six-month investigation, identified approximately 100 North Korean IT personnel who have infiltrated Web3 companies using forged identities. This is one of the most detailed public statistics on North Korean internal infiltration in this field to date. The threat pattern has shifted: North Korea's state-level crypto operations have moved from remote attacks and exchange hacks to the 2025 model of coordinated human infiltration, where personnel pass through HR screening, access internal codebases, and remain dormant within product teams for months.

According to BroadChain, at 05:00 on April 19, CryptoNews reported that the Ketman Project, supported by the Ethereum Foundation's security initiative ETH Rangers, has, after a six-month investigation, identified approximately 100 North Korean IT personnel who have infiltrated Web3 companies using forged identities. This is one of the most detailed public accounts of North Korean infiltration in the field to date.

The threat model has shifted: North Korea's state-level crypto operations have moved from remote attacks and exchange hacks to the 2025 model of coordinated human infiltration, where personnel pass through HR screenings, access internal codebases, and remain embedded in product teams for months before detection.

Key data:

- Approximately 100 North Korean IT personnel have been identified.
- The investigation was conducted by the Ketman Project with support from ETH Rangers.
- The ETH Rangers project has funded 17 independent researchers, recovered or frozen $5.8 million in stolen funds, tracked over 785 vulnerabilities, and handled 36 security incidents.
- North Korea stole $2.02 billion in 2025, a 51% increase from 2024, with cumulative thefts reaching $6.75 billion.
- On April 1, 2026, North Korea-linked attackers executed a $285 million exploit on Drift Protocol, the largest DeFi hack of the year.
- Exchange Stabble issued a withdrawal alert after its leadership team was infiltrated by North Korean IT personnel.

The ETH Rangers project launched in late 2024, with open-source outcomes including a DeFi incident analysis platform, a GitHub suspicious account detector, and a client-side DoS testing framework. Identifying the hundred personnel involves matching forged identities with known North Korean operational patterns, which falls under intelligence work.

North Korean IT personnel infiltration serves multiple purposes: generating revenue for the regime through legitimate salaries, collecting intelligence on protocols and codebases, and pre-positioning for future attacks.