
According to an ETH Rangers project recap report published by the Ethereum Foundation on April 17, 2026 (Thursday), within its six-month funding period the Ketman project funded by the Ethereum Foundation identified 100 North Korean IT workers using false identities to infiltrate Web3 organizations, and contacted roughly 53 crypto projects to warn them they may have hired active North Korean agents.

(Source: Ketman Project)
According to the Ethereum Foundation’s recap report, the ETH Rangers project launched in late 2024, aiming to provide funding for individuals working on public goods security within the ecosystem. One of the grant recipients used the funding to create the Ketman project, focusing on investigating “fake developers” in the cryptocurrency space, with an emphasis on identifying the identities of North Korean IT workers.
Within its six-month funding period, the Ketman project identified 100 North Korean IT workers working in Web3 organizations, and proactively contacted about 53 projects to warn them they may have already hired North Korean agents. The Ethereum Foundation's report did not detail the specific methods used to identify the North Korean agents.
According to the Ketman project website, the project records the “strategies, behaviors, and patterns of action” adopted by North Korean agents. Specific technical red flags include:
· Repeatedly using the same avatar and profile metadata across multiple GitHub accounts
· Exposing email addresses that do not match the claimed identity when accidentally sharing a screen
· Default language settings (e.g., Russian) contradicting the claimed nationality
Developing open-source tools and cooperating with Security Alliance on an industry framework
According to the Ethereum Foundation’s Thursday recap report, within its six-month funding period the Ketman project simultaneously developed an open-source detection tool to identify suspicious activity on the GitHub platform. The Ketman project also collaborated with the blockchain-focused nonprofit organization Security Alliance to jointly develop an industry standards framework for identifying North Korean IT workers.
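The first red flag listed above (the same avatar and profile metadata reused across GitHub accounts) can be checked by linking accounts that share either signal. The following is an added example, not the Ketman project's tool or method; the profile fields, sample records and function names are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def normalize(text):
    """Lower-case and collapse whitespace so trivial edits do not hide reuse."""
    return " ".join((text or "").lower().split())

def signals(profile):
    """Yield (name, value) pairs that would normally be unique to one person."""
    if profile.get("avatar"):
        # Exact hash only: a re-encoded or resized copy needs a perceptual hash.
        yield "avatar", hashlib.sha256(profile["avatar"]).hexdigest()
    meta = tuple(normalize(profile.get(k)) for k in ("bio", "location", "blog"))
    if any(meta):  # accounts with entirely empty metadata carry no signal
        yield "metadata", meta

def linked_accounts(profiles):
    """Return groups of logins connected by any shared signal (union-find)."""
    parent = {p["login"]: p["login"] for p in profiles}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    owners = defaultdict(list)
    for p in profiles:
        for sig in signals(p):
            owners[sig].append(p["login"])
    for logins in owners.values():
        for other in logins[1:]:
            parent[find(other)] = find(logins[0])
    groups = defaultdict(set)
    for login in parent:
        groups[find(login)].add(login)
    # A group is a lead for manual review, not proof of a shared operator.
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample profiles; avatar bytes stand in for downloaded image files.
SAMPLE = [
    {"login": "dev-alpha", "avatar": b"IMG-1", "bio": "Full-stack Web3 engineer", "location": "Tokyo", "blog": ""},
    {"login": "dev-bravo", "avatar": b"IMG-1", "bio": "Solidity dev", "location": "Toronto", "blog": ""},
    {"login": "dev-charlie", "avatar": b"IMG-2", "bio": "solidity  Dev", "location": "toronto", "blog": ""},
    {"login": "dev-delta", "avatar": b"IMG-3", "bio": "", "location": "", "blog": ""},
    {"login": "dev-echo", "avatar": b"IMG-4", "bio": "Rust and ZK", "location": "Berlin", "blog": ""},
]

if __name__ == "__main__":
    for group in linked_accounts(SAMPLE):
        print("review together:", ", ".join(group))
```

In the sample, dev-alpha and dev-bravo share an avatar while dev-bravo and dev-charlie share normalized metadata, so all three land in one review group even though dev-alpha and dev-charlie have nothing directly in common.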
According to a Cointelegraph report, the Ethereum Foundation published an ETH Rangers project recap on April 17, 2026 (Thursday), disclosing the specific results of the Ketman project in identifying 100 North Korean IT workers within its six-month funding period.
According to the Ethereum Foundation’s recap report, the Ketman project identified 100 North Korean IT workers working in Web3 organizations and contacted about 53 affected projects. It also developed an open-source GitHub detection tool and, together with Security Alliance, formulated an industry identification framework.
According to the Ketman project website, identification criteria include: repeatedly using avatars and metadata across multiple GitHub accounts; exposing email addresses that do not match when a screen is accidentally shared; and default language settings contradicting the claimed nationality. The Ethereum Foundation did not provide further details on the specific methods.