North Korea has been quietly planting IT workers inside crypto companies. Now, one Ethereum-backed investigation just blew their cover wide open.
The Ketman Project, funded through the Ethereum Foundation’s ETH Rangers Program, identified about 100 suspected North Korean operatives working across 53 crypto projects. The findings came from a six-month investigation specifically designed to find and remove DPRK agents who had slipped into Web3 organizations using fake identities.
The scale of the infiltration is genuinely alarming.
Fake Japanese Developers and Forged KYC Documents
Here’s how the scheme worked. North Korean operatives posed as Japanese developers on OnlyDust, a Web3 freelance platform. They built convincing cover stories using AI-generated profile photos, invented Japanese names like “Hiroto Iwaki” and “Motoki Masuo,” and submitted forged identity documents to pass verification checks.
The deception unraveled during a video call. When investigators asked one suspect to introduce himself in Japanese, he quietly removed his headset and ended the call. That moment confirmed what the team had suspected.
Ketman traced at least three distinct actor clusters across 11 code repositories. Before anyone noticed, 62 pull requests had already been merged into live projects. That means North Korean-written code was sitting inside real crypto products, potentially for weeks or months.
Why Supply Chain Access Is the Real Danger
Getting hired as a developer isn’t the end goal. It’s the starting point.
Security researchers consistently warn that DPRK IT worker infiltration often serves as reconnaissance for larger supply chain attacks. Once an operative gains trusted access to a codebase, coordinated hacking teams can exploit that foothold to inject malicious code, steal private keys, or drain funds at scale. North Korean hackers have stolen billions in crypto assets using exactly these kinds of tactics over recent years.
So the real risk isn’t just one bad developer on a team. It’s the access that developer quietly accumulates over time.
Open-Source Tools Built to Fight Back
Ketman didn’t just expose operatives. The project built tools and frameworks other teams can use right now.
One standout contribution is gh-fake-analyzer, an open-source GitHub profile analysis tool now available on PyPI. It helps teams spot suspicious patterns in developer profiles before granting repository access. Think of it as a background check for your codebase contributors.
The project also co-authored the DPRK IT Workers Framework alongside the Security Alliance, known as SEAL. That document has quickly become a standard industry reference for crypto security teams trying to screen for state-sponsored infiltration.
Both resources are freely available, which matters a lot. Smaller Web3 projects with limited security budgets can use the same detection methods that flagged about 100 suspected operatives during this investigation.
What the ETH Rangers Program Delivered
The ETH Rangers Program launched in late 2024 alongside Secureum, The Red Guild, and SEAL. It funded 17 stipend recipients in total, and Ketman was one of the most impactful.
The combined results across the program are worth noting. Participants recovered over $5.8 million in funds, reported 785 vulnerabilities, and handled 36 separate incident responses. That’s a meaningful return on what amounts to a relatively modest research funding commitment.
Ketman’s piece of that picture, identifying about 100 suspected operatives across 53 projects, represents one of the most concrete and publicly documented wins against DPRK infiltration in the crypto space.
Fake Identities Are Getting Harder to Spot
The methods these operatives used weren’t sloppy. AI-generated photos are increasingly convincing. Forged identity documents passed initial KYC checks. Fabricated developer histories looked legitimate at first glance.
That’s what makes this threat particularly tricky for hiring teams. Traditional vetting processes weren’t built to catch state-sponsored actors with sophisticated cover stories. A video call conducted in the language the candidate claims to speak natively, it turns out, still catches people off guard.
For Web3 projects that rely heavily on remote freelance contributors, this investigation should prompt a serious review of how candidates get verified and how repository access gets managed. The gh-fake-analyzer tool gives teams a practical starting point.
The crypto industry has spent years hardening smart contracts and auditing protocols. Now it’s becoming clear that the humans writing the code need just as much scrutiny as the code itself.