Ethereum-Backed Ketman Flags Widespread North Korean Infiltration Across Crypto Hiring

A new investigation backed by the Ethereum Foundation has put fresh attention on a long-running security problem in crypto: North Korean operatives posing as legitimate remote developers. In a recent Ethereum Foundation ETH Rangers recap, the organization said one funded recipient used the stipend to build and scale Ketman, a threat-intelligence project focused on uncovering DPRK IT workers inside blockchain projects. The recap said the team reached out to roughly 53 projects and identified around 100 different DPRK IT workers operating within Web3 organizations.

The findings surfaced after crypto commentator Colin Wu highlighted the report on X, saying the review showed Ketman had uncovered about 100 North Korean hackers infiltrating crypto projects. Wu’s post also pointed to reporting that said the operatives commonly used forged Japanese identification to secure remote Web3 jobs, a detail that fits the pattern described in Ketman’s own report on freelance-platform infiltration.

Ketman’s public report, published on April 16, 2025, describes how the investigation began with a suspicious actor in a legitimate developer’s repository and expanded into a wider cluster tied to the OnlyDust freelance ecosystem. The researchers wrote that they first noticed account-history manipulation, spam activity, suspicious identity changes, and several other red flags, then traced those accounts to a broader network of contributors working across multiple repositories. In the report, Ketman says it discovered actors using multiple aliases, fake identities, and even fabricated documents as part of the hiring process.

One of the most striking parts of the Ketman write-up is the claim that some of the suspected actors presented themselves as Japanese, even though the researchers ultimately concluded they were connected to DPRK-linked activity. The report says one subject used multiple names and claimed to be Japanese, while the team also referenced a fake Japanese document used during its verification process. Ketman says this kind of identity laundering can help suspicious contributors build credibility, collect payments, and later use that experience to move into more sensitive roles.

The Ethereum Foundation’s recap framed this work as part of a broader security effort rather than a one-off investigation. Alongside the Ketman findings, the ETH Rangers summary said the overall program recovered or froze more than $5.8 million, documented more than 785 vulnerabilities, and identified approximately 100 state-sponsored operatives across the ecosystem. That context helps explain why the Foundation is treating this class of threat as a serious operational issue for Web3 teams, not just a niche research problem.

Ketman has also argued publicly that teams should verify remote workers more aggressively, including through video calls and closer scrutiny of inconsistencies in behavior or identity claims. In its report, the project says KYC documents alone are not enough and recommends verification steps that go beyond static paperwork. The warning lands in a year when U.S. authorities have continued to flag North Korean IT worker activity as an evolving threat, including data extortion and other forms of abuse tied to remote employment scams.

For crypto startups, the takeaway is uncomfortable but clear. North Korean-linked infiltration is no longer just a hacking problem at the network edge. It is also a hiring problem, a contractor-screening problem, and a trust problem inside teams that rely on remote collaboration. Ketman’s findings suggest that fake resumes, polished GitHub histories, and convincing interview personas can still slip through unless projects tighten the way they vet developers before giving them access to code, funds, or internal communications.
