The Ketman Project, funded by the Ethereum Foundation, has identified 100 North Korean IT workers who infiltrated Web3 companies. The project alerted approximately 53 projects employing these operatives.
The Ethereum Foundation's ETH Rangers program, launched in late 2024, provided stipends for public goods security work. One recipient used these funds to establish the Ketman Project, focusing on identifying "fake developers" and operatives from North Korea within the cryptocurrency space.
During its six-month operation, the Ketman Project discovered 100 North Korean IT workers operating within Web3 organizations. This effort is described by the Ethereum Foundation as addressing a critical operational security threat to the Ethereum ecosystem.
While details on identification methods were not fully disclosed, the Ketman Project's website outlines tactics used by operatives. These include technical red flags like reusing avatars and profile metadata across multiple GitHub accounts, revealing unlinked emails, and using default language settings that contradict their claimed nationality.
The Ketman Project also developed an open-source tool for detecting suspicious GitHub activity and collaborated on a framework for identifying DPRK IT workers with the Security Alliance.