Ethereum-Backed ETH Rangers Program Exposes 100 DPRK Operatives in Web3

Highlights:

• ETH Rangers researchers found around 100 DPRK-linked operatives working inside Web3 teams under fake identities.
• The program helped recover or freeze $5.8 million and supported more than 36 incident responses.
• Ethereum said decentralized security efforts also exposed hiring risks many crypto teams had overlooked.

The Ethereum Foundation-backed ETH Rangers Program has uncovered a serious security threat inside the crypto industry. Over a six-month investigation, independent security researchers identified around 100 North Korean state-backed operatives, also known as DPRK agents, working inside Web3 companies under false identities. The findings, published on Thursday, show how coordinated, decentralized security efforts can help defend the Ethereum ecosystem against increasingly sophisticated threats.

The ETH Rangers Program has wrapped up and the results speak for themselves: $5.8M+ recovered, 785+ vulnerabilities reported, 100+ DPRK operatives identified, and so much more.

A decentralized defence for a decentralized network.

Read the full recap 👇

— EF Ecosystem Support Program (@EF_ESP) April 16, 2026

The program began two years ago with support from Secureum, The Red Guild, and the Security Alliance (SEAL). It gave stipends to 17 independent researchers working on public goods security. Over time, their work helped recover or freeze more than $5.8 million in funds. 

The program also reported or recorded over 785 vulnerabilities and client bugs. In addition, it helped identify about 100 state-sponsored operatives. Its threat awareness content received more than 209,000 views. More than 800 teams joined security challenges and investigations. It also supported over 36 incident responses.

ETH Rangers Program Uncovers DPRK Workers in Crypto Teams

The DPRK-linked cases came from one funded initiative called the Ketman Project. According to Ethereum, the project focused on finding and removing North Korean IT workers who had entered blockchain teams using fake identities. During the stipend period, the team contacted about 53 crypto projects and identified around 100 DPRK-linked IT workers active across Web3 organizations.

The group also published reports on ketman.org about fake freelancer tactics, account takeovers, and DPRK-Russia links. The Ethereum Foundation said these reports brought in more than 3,300 active users and 6,200 page views. The team also built and open-sourced gh-fake-analyzer, a tool that scans GitHub profiles for suspicious patterns.

The project also helped write the DPRK IT Workers Framework with the Security Alliance. The foundation said the industry now uses this framework as a key reference. It also said the team shared data with the Lazarus.group threat intelligence effort, and researchers later presented that work at DEF CON.

Another recipient, Nick Bax, also worked on DPRK-related cases through SEAL 911 incident response and threat intelligence efforts. Ethereum said he helped identify and alert more than 30 teams that they had hired DPRK IT workers. The foundation also said these efforts helped coordinate the freezing of mid-six-figure funds paid to those workers.

In addition, Bax supported more than 36 SEAL 911 incident tickets. This included work linked to the Loopscale exploit response, which later helped recover $5.8 million.

Program Covered Far More Than One Threat

The ETH Rangers Program did not focus only on DPRK-related investigations. Other recipients also worked on smart contract security research, workshops, open-source tools, bug education, and incident reviews. For example, DeFiHackLabs expanded its incident explorer to include more than 620 proof-of-concept exploits.

At the same time, Guild Audits trained researchers who later reported more than 110 vulnerabilities across major audit contest platforms.

Ethereum said the full results show that decentralized systems need decentralized defense. This idea appears throughout the recap. Instead of depending only on core developers or large firms, the foundation supported independent researchers, investigators, and educators across the ecosystem. In this case, that approach seems to have helped expose a hiring threat that many crypto teams may not have fully understood before.