Ethereum Foundation-backed initiative uncovers 100 North Korean operatives in cryptocurrency sector
Through funding from the Ethereum Foundation, the Ketman Project successfully tracked down 100 IT workers from North Korea and notified approximately 53 cryptocurrency projects about DPRK agents in their workforce.

According to the Ethereum Foundation, it provided financial support for a half-year initiative that successfully uncovered 100 operatives from North Korea who had penetrated Web3 organizations using fabricated identities.
In a Thursday announcement, the foundation published an overview of its ETH Rangers program, which commenced in the latter part of 2024 to offer "stipends for individuals doing public goods security work" across the ecosystem.
One beneficiary used the funding to establish the Ketman Project, which focuses on investigating "fake developers" who had embedded themselves in the cryptocurrency space, with particular emphasis on agents from the Democratic People's Republic of Korea (DPRK).
Over the six-month funding period, the Ketman Project pinpointed "100 different DPRK IT workers operating within Web3 organizations" and contacted approximately 53 projects to warn them that they may be employing active DPRK operatives.
"This work directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today," the Ethereum Foundation said.
Operatives from North Korea have been a persistent problem for the cryptocurrency industry, resulting in the theft of billions of dollars worth of digital assets throughout recent years. Among the most notorious hacking collectives originating from North Korea is the entity identified as the Lazarus Group.
The Ethereum Foundation did not provide specific details on how the Ketman Project identified the DPRK operatives. That said, the project's official website features a comprehensive collection of articles outlining the "tactics, behaviors and operational patterns" these operatives commonly use.
These indicators include technical warning signs such as reusing avatars and profile metadata across numerous GitHub accounts, exposing unlinked email addresses while accidentally sharing screens, and showing default language settings, like Russian, that are inconsistent with their purported nationality.
In addition to uncovering North Korean operatives, the Ketman Project has also created an open-source detection tool designed to identify suspicious GitHub activity and collaborated on authoring an industry-standard framework for identifying DPRK IT workers in partnership with blockchain-focused nonprofit organization the Security Alliance.