
Ketman Project: How 100 North Korean Operatives Slipped Inside Web3

Dora Noda
Software Engineer

One hundred North Korean operatives. Fifty-three crypto projects. Six months of patient intelligence work — and the uncomfortable conclusion that the most dangerous DPRK attack on Web3 is not the next exploit, but the engineer who already merged code to your main branch last quarter.

That is the headline finding from the Ketman Project, an Ethereum Foundation-backed initiative running under the ETH Rangers security program. Its April 2026 disclosure does not describe a hack. It describes a workforce — a long-horizon labor pipeline that has been quietly funneling DPRK revenue out of crypto payrolls while planting the kind of insider access that makes events like the $1.5 billion Bybit heist possible in the first place.

For an industry conditioned to think of DPRK risk as something that happens at the multisig, this is a category shift. The threat is no longer just "they will break in." It is "they are already inside, and they wrote the build script."

From Smash-and-Grab to Salary

For years, the public face of North Korean crypto crime was the exploit: Ronin, Atomic Wallet, WazirX, and a long tail of bridge drains attributed to Lazarus Group. The numbers are staggering — Chainalysis tallied roughly $2.02 billion stolen by DPRK-linked actors in 2025 alone, a 51% year-over-year jump that pushed cumulative theft past $6.75 billion despite 74% fewer known attacks. Bigger payouts, fewer swings.

The Bybit incident in February 2025 — $1.5 billion in ETH, drained through a compromised Safe Wallet UI fed malicious JavaScript from a developer machine — was the clearest demonstration of where this is heading. It was not a smart contract bug. It was a supply chain compromise. Somebody, somewhere upstream, had access they were not supposed to have.

The Ketman Project's contribution is to map the labor side of that economy. Across a six-month investigation, it identified approximately 100 distinct DPRK IT workers operating inside Web3 organizations and notified about 53 affected projects. Many of these operatives had been embedded for months, in some cases years, holding positions that ranged from contractor engineering seats to community leads with elevated repository access.

If you assume a conservative $150,000 annual salary per operative, the wage flow alone is on the order of $15 million per year — a modest line item next to a single Lazarus heist, but a structurally different revenue stream. It is recurring. It is pre-funded by victim companies. And it pays for the access that makes the heists possible.

What Makes Ketman Different

Prior DPRK exposures in Web3 — Munchables ($62 million in 2024), Sushi-adjacent contractor incidents, the Axie Infinity / Ronin compromise — were largely reactive. A protocol got hit. Investigators followed the thread. A pattern emerged.

Ketman inverts the workflow. Rather than mapping a single incident back to one operative, the project mapped the operatives themselves and then walked forward to the projects they had touched. The methodology, while not fully public, draws from a stack of techniques the on-chain forensic community has been refining since the 2024 CrowdStrike DPRK report:

  • Linked wallet clustering. Salaries paid in stablecoins eventually consolidate. Once you find one wallet in a DPRK earnings cluster, you find the rest.
  • Commit-time-zone analysis. A developer claiming to live in Lisbon who only ever commits during Pyongyang business hours is, statistically speaking, not in Lisbon.
  • OPSEC pattern matching. Reused avatars across GitHub accounts, default Russian language settings on a "Japanese" engineer's IDE, accidental email leaks during screen shares — small slips that aggregate into high-confidence identification.
  • Identity document forensics. Ketman flagged forged Japanese IDs as a particularly common vector for remote engineering hires at crypto firms.
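
The commit-time-zone check above is the easiest of these to reproduce in-house. The script below is an added example, not Ketman's tooling and not code from the post: it takes lines shaped like `git log --format='%ae %aI'`, converts every author timestamp to UTC (so a spoofed author offset does not matter, only the instant does), and scores what fraction of each author's commits fall inside a 09:00-18:00 working day under the claimed location versus a candidate one. The sample log, the e-mail addresses and the fixed UTC offsets (Lisbon in January as UTC+0, Pyongyang as UTC+9) are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Local-time window scored as "business hours" (half-open: 09:00 <= hour < 18:00).
WORK_START, WORK_END = 9, 18

# Constructed sample shaped like `git log --format='%ae %aI'` output; not real commits
# or people. dev-a and dev-b both claim Lisbon; dev-c has too little history to score.
SAMPLE_LOG = """\
dev-a@example.com 2026-01-12T01:14:09+00:00
dev-a@example.com 2026-01-13T02:40:51+00:00
dev-a@example.com 2026-01-14T00:05:33+00:00
dev-a@example.com 2026-01-15T03:22:10+00:00
dev-a@example.com 2026-01-16T07:58:44+00:00
dev-a@example.com 2026-01-19T04:31:02+00:00
dev-a@example.com 2026-01-20T02:12:27+00:00
dev-a@example.com 2026-01-21T05:47:19+00:00
dev-b@example.com 2026-01-12T10:03:00+00:00
dev-b@example.com 2026-01-13T14:27:41+00:00
dev-b@example.com 2026-01-14T16:52:08+00:00
dev-b@example.com 2026-01-15T09:15:36+00:00
dev-b@example.com 2026-01-16T13:08:55+00:00
dev-b@example.com 2026-01-19T11:44:12+00:00
dev-b@example.com 2026-01-20T15:30:47+00:00
dev-b@example.com 2026-01-21T17:21:03+00:00
dev-c@example.com 2026-01-12T03:10:00+00:00
dev-c@example.com 2026-01-13T04:20:00+00:00
dev-c@example.com 2026-01-14T02:30:00+00:00
"""


def parse_log(text):
    """Group commit instants (normalised to UTC) by author e-mail."""
    by_author = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        email, stamp = line.split()
        by_author[email].append(datetime.fromisoformat(stamp).astimezone(timezone.utc))
    return by_author


def business_hours_share(instants, utc_offset_hours):
    """Fraction of commits that land inside the working day at the given UTC offset.

    Fixed offsets keep the example dependency-free; production code should use
    zoneinfo so daylight-saving transitions are handled for the claimed location.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = sum(1 for t in instants if WORK_START <= t.astimezone(tz).hour < WORK_END)
    return hits / len(instants)


def assess_author(instants, claimed_offset, candidate_offset, min_commits=8, threshold=0.75):
    """Flag an author whose commits fit the candidate zone's working day far better
    than the claimed zone's. The flag is a lead for human follow-up, not proof:
    night-owl developers and shared accounts produce the same signal."""
    if len(instants) < min_commits:
        return {"claimed_share": None, "candidate_share": None,
                "flag": False, "reason": "too few commits"}
    claimed = business_hours_share(instants, claimed_offset)
    candidate = business_hours_share(instants, candidate_offset)
    flag = claimed <= 1 - threshold and candidate >= threshold
    return {"claimed_share": round(claimed, 2), "candidate_share": round(candidate, 2),
            "flag": flag,
            "reason": "activity fits candidate zone, not claimed zone" if flag
            else "consistent with claim"}


def report(log_text, claimed_offset, candidate_offset):
    """Run the assessment for every author in the log."""
    return {email: assess_author(instants, claimed_offset, candidate_offset)
            for email, instants in parse_log(log_text).items()}


if __name__ == "__main__":
    for email, verdict in report(SAMPLE_LOG, claimed_offset=0, candidate_offset=9).items():
        print(email, verdict)
```

Two practical notes. Author and committer dates are set by the committer's machine and can be edited freely, so the stronger signal comes from server-side timestamps (push events, pull-request activity) that the account holder cannot backdate; the scoring logic is the same, only the input changes. And the output is a lead, not a verdict: it is one of several weak signals the post describes that only become high-confidence in aggregate.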

The result is something the FBI's 2024 IT-worker advisory and OFAC's March 2026 sanctions actions could not produce on their own: a list of people, currently employed, currently shipping code, who should not be.

The Supply Chain Is Now the Attack Surface

Here is the part that should keep CTOs awake. An operative on a payroll for nine months does not need to hack anything. They need to wait, and then merge.

The vectors are unspectacular and well-known to anyone who has read a post-mortem in the last three years:

  • An npm package quietly republished with a malicious post-install script.
  • A GitHub Action with permissions broader than anyone reviewed.
  • A Docker base image bumped to a version with one extra layer.
  • A "harmless" UI dependency that watches for a particular transaction shape and rewrites it.

The Bybit attack was the proof-of-concept at scale: a compromised developer environment, an injected payload in a wallet UI, signers approving what looked like a legitimate transaction. Whether that specific compromise originated with a DPRK insider or an externally phished contractor is debated, but the architecture of the attack — patient, upstream, and triggered only at the moment of maximum value — is the playbook Ketman's findings imply at industry scale.

When you employ an operative for a year, you are not paying them $150K. You are paying them for one click, six months from now, on a transaction worth ten thousand times that.

Why the Ethereum Foundation Funded Offense

The most striking institutional signal in the Ketman disclosure is not the headcount. It is the funder.

The Ethereum Foundation has historically directed grant money toward protocol research, client diversity, public goods, and developer tooling. Bankrolling what is effectively an offensive intelligence operation — funded researchers identifying named individuals tied to a sanctioned state, then warning private companies — is a notable widening of the "public good" definition.

ETH Rangers, the broader program Ketman sits inside, reports the kind of metrics you would expect from a security firm rather than a foundation: 17 funded researchers, $5.8 million in exploited funds recovered or frozen, 785+ vulnerabilities traced, 36 incident responses. That is a security operations center disguised as a grant program.

The implication is that the foundation now treats defensive infosec as analogous to client diversity — a coordination problem that no individual protocol can solve, and one that the broader ecosystem has to fund whether or not it shows up in a roadmap. Given that DPRK actors have stolen more than $6.75 billion cumulatively and continue to compound, that framing is hard to argue with.

What Protocols Should Operationalize Now

If you run, fund, or contribute to a Web3 project, the Ketman disclosure converts a vague threat into an immediate operational checklist. None of these are exotic. The scandal is that they are not already universal.

Know Your Employee, not just Know Your Customer. Sanctions screening at the wallet layer is table stakes. Sanctions screening at the payroll layer — running every contractor payment address through OFAC-clustered lists — is not, and should be. The 45-day post-theft laundering cycle DPRK consistently uses means that even after-the-fact wallet matches have value.
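
What payroll-layer screening looks like in practice, combined with the wallet-clustering idea from the methodology section (salaries consolidate, and one known address exposes the rest): the script below is an added example, not the post's or the Ketman Project's code. It links sender and receiver of every observed transfer into connected components, deliberately skipping edges that touch the employer's own treasury and known exchange deposit addresses (otherwise every payee would collapse into one cluster), then checks each contractor payout address both directly against a flagged list and through its cluster. All addresses, the transfer list and the flagged list are placeholders constructed for the example; a real deployment feeds in an OFAC-derived or vendor cluster list and on-chain transfer data.

```python
from collections import defaultdict


def norm(addr):
    """Normalise an address for comparison (EVM addresses are case-insensitive hex)."""
    return addr.strip().lower()


class UnionFind:
    """Minimal disjoint-set structure for connected components."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_clusters(transfers, exclude):
    """Link sender and receiver of each transfer, except edges touching excluded addresses.

    This is the consolidation heuristic from the text in its simplest form. Real
    clustering adds stronger heuristics (timing, amounts, co-spending); the
    exclusion list is what keeps an employer treasury or an exchange hot wallet
    from gluing unrelated payees into one component.
    """
    uf = UnionFind()
    ex = {norm(a) for a in exclude}
    for src, dst, _amount in transfers:
        s, d = norm(src), norm(dst)
        if s in ex or d in ex:
            continue
        uf.union(s, d)
    return uf


def screen_payroll(payees, transfers, flagged, exclude):
    """Return {payee: (status, matched_flagged_address_or_None)}.

    status is 'direct-hit' (the payout address itself is listed), 'cluster-hit'
    (it shares a component with a listed address) or 'clear'.
    """
    uf = build_clusters(transfers, exclude)
    flagged_n = {norm(a) for a in flagged}
    flagged_by_root = defaultdict(set)
    for a in flagged_n:
        flagged_by_root[uf.find(a)].add(a)
    results = {}
    for name, addr in payees.items():
        a = norm(addr)
        if a in flagged_n:
            results[name] = ("direct-hit", a)
            continue
        hits = flagged_by_root.get(uf.find(a), set())
        results[name] = ("cluster-hit", sorted(hits)[0]) if hits else ("clear", None)
    return results


# Constructed placeholders; none of these are real addresses or a real list.
TREASURY = "0xTREASURY"
EXCHANGE = "0xEXCHANGEDEPOSIT"
FLAGGED = ["0xFLAGGED1"]
PAYEES = {
    "contractor-1": "0xPAYEE1",
    "contractor-2": "0xPAYEE2",
    "contractor-3": "0xPAYEE3",
    "contractor-4": "0xPAYEE4",
    "contractor-5": "0xFLAGGED1",
}
TRANSFERS = [
    (TREASURY, "0xPAYEE1", 6000), (TREASURY, "0xPAYEE2", 6000),
    (TREASURY, "0xPAYEE3", 6000), (TREASURY, "0xPAYEE4", 6000),
    ("0xPAYEE1", "0xCONSOL", 5900), ("0xPAYEE2", "0xCONSOL", 5950),  # consolidation
    ("0xCONSOL", "0xFLAGGED1", 11800),                                  # onward to listed address
    ("0xPAYEE3", EXCHANGE, 6000),                                       # excluded edge
]

if __name__ == "__main__":
    for payee, verdict in screen_payroll(PAYEES, TRANSFERS, FLAGGED, [TREASURY, EXCHANGE]).items():
        print(payee, verdict)
```

The exclusion list is the part to get right: shared exchange deposit addresses are the most common source of false links, and the employer's own treasury would otherwise connect every contractor to every other. Cluster hits are leads for an analyst, not grounds for action on their own.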

Verify identity with friction, especially for remote hires. Live video interviews using multiple communication channels. Document scrutiny that assumes Japanese, Korean, and Eastern European IDs are the most likely targets for forgery. Active probing for AI-enabled deepfake artifacts during calls. The "Kim Jong Un test" — asking direct questions about the DPRK regime that an actual operative will visibly struggle to answer on camera — has a higher hit rate than it should.

Treat your CI/CD pipeline like your treasury. Code-signing for releases. Reproducible builds. Mandatory two-person review for any change to GitHub Actions, deploy scripts, or dependency manifests. Pin versions. Audit transitive dependencies. The Bybit attack happened because somebody, somewhere, had write access to a UI that signers trusted.
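
A minimal pipeline audit covering three items from this list and from the vector list earlier in the post (unpinned dependency manifests, GitHub Actions referenced by mutable tags, and workflow tokens with broader permissions than anyone reviewed), shown against a weak configuration and its hardened counterpart. This is an added example, not the post's own tooling; the `package.json` and workflow snippets are constructed, the 40-hex action SHA is a placeholder rather than a real commit, and the workflow is scanned line by line with regular expressions so the script needs no YAML library.

```python
import json
import re

# npm semver: only an exact "x.y.z" (optionally with pre-release/build suffix) counts as pinned.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
# A `uses:` step reference in a GitHub Actions workflow, with any trailing comment dropped.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Pinned to a full commit SHA; tags such as @v4 are mutable and can be re-pointed.
PINNED_SHA = re.compile(r"@[0-9a-f]{40}$")


def check_manifest(package_json_text):
    """Flag dependency specs that are ranges, tags or wildcards instead of exact versions."""
    findings = []
    manifest = json.loads(package_json_text)
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_VERSION.match(spec):
                findings.append(("unpinned-dependency", f"{section}: {name} {spec}"))
    return findings


def check_workflow(workflow_text):
    """Flag actions not pinned to a SHA and token permissions that are broad or unset."""
    findings = []
    has_permissions = False
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("permissions:"):
            has_permissions = True
            if "write-all" in stripped:
                findings.append(("broad-permissions", f"line {lineno}: {stripped}"))
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./") or ref.startswith("docker://"):
                continue  # local or image-based actions are out of scope for SHA pinning
            if not PINNED_SHA.search(ref):
                findings.append(("unpinned-action", f"line {lineno}: {ref}"))
    if not has_permissions:
        findings.append(("no-permissions-block",
                         "workflow inherits the repository's default token scope"))
    return findings


def audit(package_json_text, workflow_text):
    """Combined findings as (kind, detail) tuples; an empty list means nothing flagged."""
    return check_manifest(package_json_text) + check_workflow(workflow_text)


# Constructed inputs: a weak configuration and its hardened version.
WEAK_MANIFEST = """{
  "name": "wallet-ui",
  "dependencies": {"ethers": "6.13.0", "lodash": "^4.17.21"},
  "devDependencies": {"vite": "latest"}
}"""
HARDENED_MANIFEST = """{
  "name": "wallet-ui",
  "dependencies": {"ethers": "6.13.0", "lodash": "4.17.21"},
  "devDependencies": {"vite": "5.4.0"}
}"""
WEAK_WORKFLOW = """\
name: release
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: npm ci
"""
HARDENED_WORKFLOW = """\
name: release
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: npm ci --ignore-scripts
"""

if __name__ == "__main__":
    for kind, detail in audit(WEAK_MANIFEST, WEAK_WORKFLOW):
        print(f"{kind}: {detail}")
    print("hardened findings:", audit(HARDENED_MANIFEST, HARDENED_WORKFLOW))
```

Exact versions in `package.json` only pin direct dependencies; transitive ones are pinned by the committed lockfile and honoured only if CI installs with `npm ci` rather than `npm install`. The `--ignore-scripts` flag in the hardened workflow is what blocks the republished-package-with-a-post-install-script vector at install time, at the cost of having to run any genuinely needed build steps explicitly. The script reads one workflow; in practice, point it at everything under `.github/workflows/` and treat any change to those files as requiring the two-person review the post recommends.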

Air-gap administrative key operations. If a single compromised developer laptop can produce a $1.5 billion loss, the threat model is wrong. Hardware-isolated signing flows, blind-signing detection, and pre-signing transaction simulation are not paranoia — they are the cost of doing business at scale.

Assume the bad actor is already inside. The Ketman finding is that for at least 53 projects, this was true. Defense in depth means designing as if every commit could be hostile and every contractor could be a front, then making that assumption survivable rather than catastrophic.

The Quiet War Is the Real War

Sanctions enforcement chases the loud events. OFAC's March 2026 designations of six individuals and two entities tied to DPRK IT-worker fraud — schemes that generated nearly $800 million for the regime in 2024 alone — were a meaningful step. So were the $5.8 million in funds ETH Rangers helped recover. Both are necessary.

But the Ketman Project's contribution is to insist that the louder events — the Bybits, the Ronins, the Munchables — are downstream of a quieter one. The infiltration is the campaign. The exploit is just when it pays out.

For Web3, that means the security perimeter has moved. It is no longer at the contract boundary or the wallet UI. It is at the job application, the GitHub commit, the npm publish. And the cost of pretending otherwise is now denominated in billions per year.

The protocols that survive the next decade will be the ones that internalize a hard truth: in an industry where code is money and remote work is the default, your hiring funnel is your attack surface.


BlockEden.xyz operates production-grade RPC and indexing infrastructure for Sui, Aptos, Ethereum, Solana, and a dozen other chains — the kind of infrastructure where supply-chain integrity, signed releases, and isolated key operations are not optional. Explore our API marketplace to build on infrastructure designed for the threat model the industry actually faces.