TL;DR
- Ethereum Foundation-backed program uncovered ~100 suspected DPRK-affiliated operatives in 53 crypto projects
- The program also mapped over 785 vulnerabilities and security flaws across the Web3 ecosystem
- North Korean IT workers use fake identities to infiltrate crypto companies and finance the regime's weapons of mass destruction program
- Findings from the program confirm a growing pattern of state-sponsored infiltration via ordinary hiring channels
Hundreds of DPRK Agents Discovered in Crypto Industry
A security program linked to the Ethereum Foundation has uncovered a significant extent of North Korean infiltration in the crypto industry. According to Decrypt, the so-called ETH Rangers Program identified approximately 100 suspected operatives with ties to the Democratic People's Republic of Korea (DPRK), spread across 53 different Web3 projects over a six-month period.
The program is described as an Ethereum-backed security initiative, and its findings represent one of the most extensive documented cases of state-sponsored infiltration in the crypto sector through ordinary employment channels.
How the Infiltration Occurs
North Korean IT workers use fake identities, forged credentials, and sophisticated digital aliases to secure positions in crypto companies globally. The motive is well-documented: the proceeds are channeled back to the North Korean regime and used, among other things, to finance the country's nuclear weapons program, according to U.S. authorities.
The hacker group Lazarus Group, linked to the DPRK, is already well-known in the crypto community for spectacular theft operations. However, the IT worker scheme represents a more low-profile, but potentially equally damaging approach — where agents work their way into projects from within over time.
Ethereum Foundation with Previous DPRK Exposure
This is not the first time the Ethereum world has come under scrutiny in connection with North Korea. In 2019, Virgil Griffith — then special projects director at the Ethereum Foundation — traveled to Pyongyang to give a lecture on blockchain technology. U.S. authorities believed the information he shared could help the regime circumvent sanctions and launder money.
In April 2022, Griffith was sentenced to 63 months in prison and fined $100,000. The FBI stated at the time that no one can be allowed to circumvent sanctions, as the consequences of North Korea gaining access to funding and technology pose a global threat.
Ethereum co-founder Vitalik Buterin defended Griffith, arguing that the intention was not to help the regime circumvent sanctions, but to educate about Ethereum in general. The Ethereum Foundation clarified that they had not funded the trip.
Vulnerabilities and Funds Recovered
Beyond identifying the suspected North Korean actors, the ETH Rangers Program, according to Decrypt, cataloged over 785 security vulnerabilities, including client errors and proof-of-concept exploits. Additionally, it is stated that the program helped recover or freeze funds totaling over $5.8 million.
The findings underscore a broader concern: state-sponsored threat actors are no longer just targeting crypto exchanges and protocols with technical attacks, but are actively working to embed their own personnel within projects.
Industry Response and the Way Forward
Security experts and industry players have long warned that hiring processes in the crypto sector are an underestimated attack surface. Many Web3 projects operate with distributed teams and hire freelancers globally, making background checks challenging.
The Ethereum Foundation's Privacy and Scaling Explorations (PSE) team has been working on over 50 open-source projects in privacy and scalability since 2018. The ETH Rangers initiative shows that the security focus extends beyond technical code — it is now also about who is actually building the protocols.
It is worth noting that the extent of the revelations is currently based on the Ethereum Foundation's own reports and Decrypt as a source. Independent verification of all individual cases is not publicly available as of today.
