Ethereum Foundation Exposes 100 Crypto Companies Hacked by North Korean Operators
Key takeaways
- Six-month investigation identifies 100 North Korean agents working in cryptocurrency companies
- Ethereum Foundation-backed research exposes a clandestine developer network in the blockchain industry
- DPRK-linked hackers found working under false identities in Web3 development teams
- Blockchain firms face high security risks from state-backed crypto operators
- A strategic, long-term North Korean presence in the sector is exposed
A comprehensive security investigation sponsored by the Ethereum Foundation found a major breach involving undercover agents embedded in Web3 organizations. The extensive six-month investigation successfully identified 100 individuals with ties to North Korea working in cryptocurrency development groups. These revelations highlight the growing challenge of operational security across the Ethereum network.
Systematic research uncovers the pervasive network of Web3 intrusions.
The Ethereum Foundation supported this comprehensive security review through the ETH Rangers program, which began in late 2024. This initiative provides funding to independent security researchers dedicated to enhancing ecosystem protection through targeted public infrastructure projects. One grant recipient established the Ketman Project to monitor suspicious developer behavior.
The Ketman Project focuses its efforts on exposing rogue developers who use multiple layers of fake identities to embed themselves within Web3 companies. During a six-month investigation, researchers identified 100 North Korean-linked individuals currently working in cryptocurrency organizations. The investigative team found 53 different blockchain projects that may unwittingly employ these hidden operators.
The foundation said these findings reveal significant operational security vulnerabilities affecting Ethereum-based development infrastructure. Researchers have developed an open source detection platform designed to identify suspicious patterns in GitHub contributor activity. This program represents an extended commitment to strengthen security measures across the wider ecosystem.
Extended North Korean operations have been linked to massive cryptocurrency thefts.
Investigative evidence shows that North Korean-linked developers have held active roles in cryptocurrency development groups spanning several years. These operators take part in project development and hide their true identity behind credible technical contributions. Security analysts have linked several operations to the Lazarus Group, a state-sponsored cybercriminal organization.
Industry reports estimate that North Korean-linked entities have stolen nearly $7 billion from cryptocurrency platforms since 2017. These thefts include major security breaches such as the Ronin Bridge hack and the WazirX security incident. The scale of financial damage reflects coordinated and sustained cyber warfare operations.
Cybersecurity professionals note that these embedded developers often demonstrate legitimate blockchain development expertise, even though they work under fictitious identities. Many decentralized finance protocols in the ecosystem have historically relied on such contributions. The infiltration problem therefore extends beyond isolated individual cases to underlying infrastructure vulnerabilities.
Simple deception techniques enable long-term infiltration.
Researchers have discovered that many infiltration strategies rely on unsophisticated but highly effective deception techniques. These approaches include formal job applications, professional LinkedIn networking, and remote interview processes designed to establish credibility within development teams. With these methods, operators successfully integrate themselves into regular development activities.
The Ketman Project documented frequent red flags in developer accounts and system interactions. These warning indicators include reused profile pictures, conflicting language configuration settings, and the inadvertent exposure of unrelated email accounts. Such slips often surface during screen sharing sessions or when examining code repository activity histories.
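As an added example (not code from the Ketman Project or the Ethereum Foundation), the following Python script runs one of the repository-history checks described above over a constructed `git log` extract: it flags contributors whose commit history exposes email accounts other than the address they declared when joining the team. The names, addresses and the DECLARED onboarding record are made-up assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `git log --format='%an|%ae|%ad' --date=iso-strict` output.
# Every name and address here is invented for illustration.
SAMPLE_LOG = """\
Alice Chen|alice@examplecorp.io|2025-03-01T09:12:44+01:00
Alice Chen|alice@examplecorp.io|2025-03-02T10:03:10+01:00
Bob Park|bob@examplecorp.io|2025-03-02T11:40:00+01:00
Bob Park|devwork8842@mail.example|2025-03-02T23:55:12+09:00
Bob Park|bob@examplecorp.io|2025-03-03T08:17:31+01:00
Bob Park|frontend.ninja.77@mail.example|2025-03-04T02:05:48+09:00
"""

# Hypothetical onboarding record: the one email each contributor declared.
DECLARED = {"Alice Chen": "alice@examplecorp.io", "Bob Park": "bob@examplecorp.io"}

LINE_RE = re.compile(r"^(?P<name>[^|]+)\|(?P<email>[^|]+)\|(?P<date>\S+)$")


def parse_log(text):
    """Return a list of (author name, lowercased email, UTC offset) per commit."""
    commits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        commits.append((m["name"], m["email"].lower(), m["date"][-6:]))
    return commits


def find_identity_leaks(commits, declared):
    """Map each contributor to the undeclared email addresses found in their commits.

    A contributor is listed only when at least one commit carries an address
    that differs from the declared one; clean contributors are omitted."""
    seen = defaultdict(set)
    for name, email, _offset in commits:
        seen[name].add(email)
    leaks = {}
    for name, emails in seen.items():
        extra = emails - {declared.get(name, "").lower()}
        if extra:
            leaks[name] = sorted(extra)
    return leaks


if __name__ == "__main__":
    for name, extra in find_identity_leaks(parse_log(SAMPLE_LOG), DECLARED).items():
        print(f"review: {name} committed under undeclared addresses {extra}")
```

The UTC offset is parsed alongside each address so a reviewer can see whether the undeclared identity also appears at different hours than the declared one.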
The research initiative partnered with the Security Alliance to establish a comprehensive framework for identifying suspected infiltrators among developers. This collaborative effort has improved threat detection capabilities through integrated information sharing across the cryptocurrency industry. Blockchain organizations now have enhanced resources to reduce their exposure to hidden security threats.