Ethereum Foundation-funded Ketman Project IDs 100 DPRK IT workers

A project funded through the Ethereum Foundation’s ETH Rangers stipend program has uncovered roughly 100 North Korean (DPRK) IT workers operating within Web3 organizations and notified about 53 projects of potential DPRK operatives. The foundation published a recap of the six‑month program on April 16, 2026, summarizing outputs from 17 stipend recipients.

According to the Ethereum Foundation’s recap, the ETH Rangers cohort collectively helped recover or freeze more than $5.8 million, reported or cataloged over 785 vulnerabilities and proof‑of‑concepts, and handled 36+ incident responses. The Ketman Project specifically reached out to approximately 53 projects, identified around 100 DPRK IT workers, published investigative pieces that attracted over 3,300 active users and 6,200 page views, and open‑sourced a GitHub profile analysis tool (gh‑fake‑analyzer). Ketman also co‑authored a DPRK IT Workers Framework with the Security Alliance (SEAL) and contributed data to broader threat intelligence efforts.

The foundation highlighted individual contributions as well: security researcher Nick Bax assisted with SEAL 911 incident responses, helped notify more than 30 teams of suspected DPRK hires, coordinated freezing of mid‑six‑figure sums, and played a role in returning roughly $5.8 million in the Loopscale incident. These operational outcomes illustrate that grant‑funded public‑goods security work produced measurable recoveries and mitigations during the program period.

Contextual data from blockchain analytics firms underlines the scale of the threat. Chainalysis reported that DPRK‑linked actors were responsible for roughly $2.02 billion in crypto theft in 2025, making state‑linked cyber activity a dominant driver of yearly losses. The Ethereum Foundation’s findings reinforce that the risk landscape extends beyond code vulnerabilities to include human‑facing attack surfaces such as fake developer personas, recruitment channels and repository account behavior.

For the market and security community, the ETH Rangers recap demonstrates the value of coordinated, grant‑backed security initiatives: open‑source detection tools, community incident response, and industry frameworks can multiply defensive effects across many teams. Continued investment in operational security and adoption of standardized screening frameworks may reduce exploit windows and support long‑term resilience in the Ethereum ecosystem and wider crypto markets.