Ethereum Foundation-Backed Program Reveals 100 North Korea

An Ethereum Foundation-backed security initiative disclosed on April 16, 2026 that a stipend-funded project identified about 100 North Korean IT workers embedded in Web3 organizations and warned roughly 53 affected projects, according to the Ethereum Foundation’s ETH Rangers recap. The disclosure matters beyond Ethereum. It gives the crypto industry a rare quantified look at infiltration risk just as U.S. authorities and blockchain investigators keep tying DPRK-linked operators to remote-worker fraud, data theft, sanctions evasion, and multibillion-dollar crypto crime.

ETH Rangers Crosses From Grant Program to Counterintelligence Case

The headline number is stark. Around 100 suspected DPRK IT workers. About 53 projects contacted. All of it was published by the Ethereum Foundation on April 16, 2026, in its recap of the ETH Rangers program launched in late 2024 with Secureum, The Red Guild, and Security Alliance, or SEAL, to fund public-goods security work in the Ethereum ecosystem. One recipient used that stipend to build the Ketman Project, which the foundation said focused on discovering and expelling North Korean IT workers operating under fake identities. That is not a vague warning. It is a measured operational result with a count, a time window, and a remediation trail.

What competitors mostly emphasized was the raw “100 operatives” figure. The more important angle is the conversion rate. If Ketman identified around 100 workers and reached out to approximately 53 projects during a six-month period, that implies a project-alert ratio of 0.53 and an average of 16.7 identified operatives per month. Put differently, the program surfaced roughly one potentially compromised project every 3.4 days over six months. That cadence suggests industrialized infiltration, not isolated fraud. It also lines up with U.S. government warnings that North Korean remote IT workers use fraudulent identities, U.S.-based facilitators, device farms, and remote-access tooling to bypass hiring controls.

I’ve covered enough crypto security cycles to know when a number changes the frame. This one does. Security stories usually arrive after a hack, after funds move, after mixers light up. Here, the useful signal appears earlier in the kill chain: hiring. That is where the Ketman result stands out. It turns infiltration into a measurable pre-breach indicator, something many firms still treat as an HR issue instead of a treasury and protocol-security risk.

Why Hiring Fraud Became a Direct Crypto Security Threat

The FBI said in its 2025 alert that North Korean IT workers pose a threat to U.S. businesses and use U.S.-based individuals to receive company devices, helping them evade geographic and identity controls. The Justice Department went further, saying these workers have posed as legitimate remote staff, exfiltrated sensitive company data, and in some cases earned up to $300,000 annually per worker, generating hundreds of millions of dollars collectively for the regime and entities tied to weapons programs. That matters because crypto firms often combine remote engineering, privileged infrastructure access, and fast-moving treasury operations in the same workflow. One bad hire can become an access broker.

Chainalysis gives the financial backdrop. North Korea-linked hackers stole $1.34 billion across 47 incidents in 2024, up from about $660.5 million across 20 incidents in 2023, a 102.88% increase in value. Chainalysis also said 2024 total crypto theft reached roughly $2.2 billion, which means DPRK-linked actors accounted for about 60.9% of all stolen value that year. In a separate 2026 report, the firm said North Korean hackers stole at least $2.02 billion in 2025, up another 51% year over year, and noted that expanded reliance on IT worker infiltration likely helped accelerate initial access and lateral movement at exchanges, custodians, and Web3 firms. That’s the bridge between fake resumes and nine-figure losses.

100 Workers Identified While the State-Backed Theft Machine Keeps Scaling

There is a second divergence here. Public discussion still focuses on Lazarus-style smash-and-grab hacks, while the data points to a blended model: insider access, social engineering, and then theft. CoinDesk reported in October 2024 that U.S. authorities had already intensified warnings about DPRK IT workers infiltrating crypto employers, and that in some cases reporting linked heists directly to suspected DPRK workers on payrolls. The Block had earlier cited U.N. Security Council figures saying more than 4,000 North Koreans had been hired by Western technology firms. The Ethereum Foundation disclosure does not prove every identified worker led to a theft event, but it does show the pipeline is active inside Web3 right now.

Another undercovered point: sanctions and law enforcement are moving closer to the crypto rails used by these networks. Chainalysis said OFAC’s March 2026 action designated 21 cryptocurrency addresses across multiple blockchains tied to DPRK IT worker schemes. The FBI’s wanted notice says the State Department’s Rewards for Justice program is offering up to $5 million for information that disrupts financial mechanisms supporting North Korea, including worker exportation and cyber activity. That raises the compliance cost for any firm that misses these red flags. It is no longer just a security failure. It can become a sanctions exposure problem too.

Can Crypto Firms Contain the Threat Before It Becomes the Next Breach?

The answer depends on whether firms treat identity verification, endpoint control, and privilege segmentation as core security infrastructure. The Ethereum Foundation’s recap did not detail Ketman’s detection methods, and that omission is understandable. Publishing tradecraft would reduce its usefulness. But the disclosed output is enough to support one conclusion: the industry has a measurable insider-risk problem. Data verification is strong on the central claim. Cointelegraph’s April 2026 report matches the Ethereum Foundation’s figures of around 100 DPRK IT workers and roughly 53 projects contacted, with the foundation blog serving as the primary source. Variance: effectively zero on the headline numbers.

The broader significance is bigger than Ethereum. If one foundation-backed stipend project can surface 100 suspected operatives in six months, the true addressable problem across exchanges, infrastructure providers, market makers, and protocol teams is likely larger. That is an inference, not a disclosed total. Still, it is a reasonable one when placed beside FBI alerts, DOJ enforcement, OFAC sanctions, and Chainalysis estimates showing DPRK-linked actors remain the dominant nation-state threat in crypto. The industry keeps talking about smart-contract risk. Fair enough. But the more uncomfortable truth is that some of the next breaches may start in the interview process.