Ethereum-backed probe found 100 DPRK operatives in crypto firms after a six-month ETH Rangers-supported investigation.
Investigators working with an Ethereum-supported security program have identified about 100 suspected North Korean operatives inside crypto firms.
The six-month inquiry was carried out by the Ketman Project under ETH Rangers. Analysts said the workers used false identities and moved through normal hiring processes.
The findings have raised new concerns about insider access across the Web3 sector.
ETH-Backed Probe Finds Wide Infiltration Across Web3
The Ketman Project said it spent six months tracking suspected DPRK-linked IT workers.
During that period, researchers identified about 100 people inside Web3 firms.
They were said to use fake names and altered work histories. This made them harder to detect during hiring.
At the same time, the probe showed that the method was organized and sustained. These workers were not tied to one firm alone.
Instead, they appeared across different crypto companies and teams. That gave the findings wider weight.
Ethereum Foundation-Backed Program Exposes 100 North Korea Operatives Infiltrating Crypto Firms
The Ketman Project, operating under the Ethereum Foundation’s ETH Rangers security program, has in the latest Ethereum news, identified approximately 100 North Korea Crypto IT…
— MartyParty (@martypartymusic) April 18, 2026
The research was backed by ETH Rangers, a security program linked to the Ethereum Foundation.
The broader program funded 17 independent researchers. It also traced more than 785 vulnerabilities across the sector. In addition, it handled 36 incident responses.
ETH Rangers also said it helped recover or freeze $5.8 million in exploited funds. Those figures placed the latest probe within a larger security effort.
Because of that, the findings drew attention beyond one investigation. They also added pressure on firms to review internal risks.
Hiring Channels Become A New Risk Area for Crypto Firms
In earlier years, North Korea-linked crypto activity often focused on outside attacks. Exchange hacks and technical exploits were common methods.
Now, the pattern appears to be changing. More actors are seeking jobs inside firms.
Once hired, workers can gain access to internal tools and shared systems. They may also reach code repositories and product workflows.
As a result, they can stay inside a company for months. That can make detection slower and more difficult.
This shift creates a different problem for security teams. Firewalls and wallet controls may block outside attacks, but not insider misuse.
Because of that, hiring checks now matter more. Access controls also become more important after onboarding.
One public example involved crypto exchange Stabble. The company issued a withdrawal alert after a DPRK IT worker entered its leadership team.
That case showed that the risk may reach senior roles. It also showed how trust inside a firm can be misused.
Read Also:
Ethereum NFT Platform Shutdown Sparks “Art Will Disappear” Fears
Larger Theft Figures Add Pressure Across The Sector
The data tied to DPRK-linked crypto crime remains large. According to the provided figures, $2.02 billion was stolen in 2025 alone.
That was a 51% rise from 2024. It also pushed the total to $6.75 billion.
Another case added to those concerns in 2026. DPRK-linked attackers were said to have executed a $285 million exploit on Drift Protocol on April 1.
The stolen funds are still being tracked, according to the provided material. The attack was described as the largest DeFi hack of the year.
Because of these cases, crypto firms may face more scrutiny. Hiring standards, identity checks, and remote work reviews are likely to get closer attention.
Firms may also tighten access to wallets and code systems. At the same time, regulators may watch employment practices more closely.
Source: https://www.livebitcoinnews.com/ethereum-backed-probe-uncovers-100-dprk-operatives-in-crypto-firms/