The Ethereum Foundation exposed 100 IT workers linked to the Democratic People’s Republic of Korea (DPRK) and embedded in approximately 53 crypto projects.
Ethereum Foundation Improves Its Security With Detective Program
North Korean crypto secret agents aren’t resting, so the Ethereum Foundation decided it was time to put on the detective hat to hunt them down before they too become victims of them, just like Drift Protocol was earlier this month. So, yesterday afternoon, the Foundation announced on an official blog the breathtaking results obtained by the ETH Rangers program (and yes, everything about North Korean hackers inevitably sounds straight out of an RPG or an action movie).
The ETH Rangers program is complete and the results speak for themselves: over $5.8 million recovered, over 785 vulnerabilities reported, over 100 DPRK agents identified, and much more.
A decentralized defense for a decentralized network.
Read the full recap 👇
– EF Ecosystem Support Program (@EF_ESP) April 16, 2026
According to the blog post, the Ethereum Foundation has partnered with Secureum, The Red Guild and Security Alliance (SEAL) in late 2024 to roll out the said program. The initiative offered stipends to individuals performing public asset security work in the Ethereum ecosystem.
Related reading: Is blockchain South Korea’s new tax weapon – a blow to privacy?
The program’s mission was to support independent security initiatives that strengthen the overall robustness of Ethereum, while highlighting and rewarding contributors with a proven track record of high-impact security work for the broader network.
After six months, the results of the program speak for themselves.
The DPRK crypto-infiltration saga, Parth who even matters at this point
The ETH Rangers program has funded several crypto-security projects, but Project Ketman was the one “focused on discovering and expelling North Korean (DPRK) computer scientists who infiltrated blockchain projects under false identities,” according to the blog.
During the six-month investigation, they contacted approximately 53 different projects and discovered approximately 100 DPRK IT officers embedded within Web3 organizations.
Their findings were shared in a series of detailed reports on ketman.org, which attracted more than 3,300 active users and 6,200 page views, and explored themes such as account takeover techniques, infiltration of independent platforms, and emerging ties between the DPRK and Russia. They also created and open sourced gh‑fake‑analyzer, a GitHub profile analysis tool designed to flag suspicious activity patterns, now available through PyPI.
Additionally, they co-authored the DPRK IT Workers Framework with SEAL, a document that quickly became a go-to reference for the industry, and contributed crucial data to the Lazarus.group threat intelligence project, with their work highlighted in a presentation at DEF CON.
Overall results of the Ethereum program
The work produced by the 17 grant recipients covers everything from vulnerability research and security tools to education, threat intelligence and practical incident response.
According to the Ethereum Foundation, more than $5.8 million in funds have been recovered or frozen, while more than 785 vulnerabilities, client bugs, and proof-of-concept exploits have been reported or documented. The program also identified approximately 100 DPRK state-sponsored agents embedded in multiple teams, and its threat intelligence and investigative content reached more than 209,000 viewers and users.
On the manufacturer side, more than 800 teams participated in sponsored safety challenges and surveys, supported by more than 80 workshops, conferences and technical or educational resources. The initiative has coordinated responses to more than 36 security incidents and led to the creation or enhancement of at least seven open source repositories, frameworks, and tool implementations that further strengthen the ecosystem.
The saga continues
DPRK-related hacks continue to be a serious problem within the crypto community. Recently, major actors have been less lenient and more active in trying to uncover and stop their threat.
Recall that after the April 1 $285 million attack on Drift Protocol was attributed to UNC4736, a North Korea-aligned and state-sponsored hacking group, crypto detective ZachXBT discovered an internal North Korean payment server linked to more than 390 accounts, chat logs, and transaction histories.
A few weeks ago, some crypto builders admitted on the social network
Investing in visible and transparent security collaborations (like EF’s support of ETH Rangers/Ketman/SEAL) may merit a premium in risk models, while protocols with opaque teams and loose recruiting are increasingly “major risk” candidates.
At the moment of writing, ETH trades for around $2,300 on the daily chart. Source: ETHUSD on Tradingview.
Cover image of Perplexity. ETHUSD chart from Tradingview.
Editorial process as Bitcoinist focuses on providing thoroughly researched, accurate and unbiased content. We follow strict sourcing standards and every page undergoes careful review by our team of top technology experts and seasoned editors. This process ensures the integrity, relevance and value of our content to our readers.
