Ethereum Foundation's Security Program Exposes North Korean IT Worker Infiltration Across 53 Crypto Projects


Key takeaways:

  • Ethereum's proactive security measures may enhance institutional confidence in ETH's long-term viability.
  • North Korea's escalating crypto theft highlights systemic DeFi vulnerabilities requiring ongoing investor vigilance.
  • The $2B DPRK theft figure underscores a structural market risk that could pressure altcoin sentiment.

The Ethereum Foundation has revealed the results of a six-month security initiative that uncovered a significant infiltration of North Korean IT workers into the cryptocurrency ecosystem. The foundation's ETH Rangers Program identified approximately 100 IT workers with connections to the Democratic People's Republic of Korea (DPRK) operating within 53 different cryptocurrency projects.

The program, which concluded recently, was established to address emerging threats within the Ethereum ecosystem. Beyond exposing the DPRK operatives, the initiative led to the detection of over 785 vulnerabilities and prompted dozens of incident responses. The foundation reported that these efforts resulted in the recovery of more than $5.8 million in cryptocurrency that had been obtained by bad actors.

The investigation was spearheaded by the Ketman Project, which collaborated with the Security Alliance (SEAL) to co-author a framework for identifying DPRK workers. Blockchain sleuth Nick Bax, who benefited from the program, identified and notified more than 30 teams that had DPRK workers on their payroll, helping to freeze hundreds of thousands of dollars in crypto.

This discovery comes amid a record-breaking period for North Korean crypto theft. According to blockchain security firm Chainalysis, North Korean hackers stole approximately $2 billion worth of cryptocurrency in 2025, marking a 51% increase from the previous year. A United Nations report from 2023 estimated that the DPRK has dispatched between 3,000 and 10,000 IT workers overseas. Recent U.S. State Department numbers indicate that as many as 1,500 were located in China, with plans to send more to Russia.

The Ethereum Foundation stated that "this work directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today." The revelations follow recent high-profile hacks, including the $285 million theft from Solana-based Drift Protocol this month, which was determined to be a months-long social engineering operation masterminded by North Korean hackers.

In a related development, the U.S. Justice Department reported that two U.S. nationals who helped DPRK workers pose as Americans to gain access to 100 companies were sentenced to at least seven years in prison each after pleading guilty to wire fraud and money-laundering conspiracy charges. The individuals received $700,000 for their roles in funneling millions of dollars overseas from victimized U.S. companies. Eight other defendants indicted in connection with the scheme remain at large.

Disclaimer

The content on this website is provided for information purposes only and does not constitute investment advice, an offer, or professional consultation. Crypto assets are high-risk and volatile — you may lose all funds. Some materials may include summaries and links to third-party sources; we are not responsible for their content or accuracy. Any decisions you make are at your own risk. Coinalertnews recommends independently verifying information and consulting with a professional before making any financial decisions based on this content.