Ketman Project Identifies 100 North Korean IT Workers Embedded in Crypto Infrastructure

The Ethereum Foundation-funded Ketman Project has identified 100 suspected North Korean IT workers embedded across 53 crypto projects, raising urgent security concerns regarding developer vetting and supply chain integrity.
The Ethereum Foundation-funded Ketman Project has identified approximately 100 suspected North Korean IT workers operating across 53 distinct crypto projects. This discovery, detailed in an ETH Rangers Program recap published on April 16, highlights a significant security vulnerability within the decentralized development ecosystem. These workers have successfully integrated themselves into various project teams by utilizing falsified identities and credentials to bypass standard hiring protocols.
Infiltration Tactics and Project Exposure
The investigation reveals that these individuals are not merely passive participants but are actively embedded in the technical pipelines of the affected protocols. By securing roles as developers or contributors, these workers gain access to sensitive codebases and administrative privileges. This level of access creates a direct path for the insertion of malicious code or the exfiltration of project funds. The scale of the infiltration, spanning 53 projects, suggests a coordinated effort to compromise the integrity of decentralized infrastructure from within.
This development raises immediate concerns regarding the vetting processes employed by decentralized autonomous organizations and open-source foundations. When developers are hired based on pseudonymous contributions or remote-only verification, the risk of state-sponsored actors infiltrating the supply chain increases. The Ketman Project findings indicate that these workers often maintain high levels of technical proficiency, allowing them to blend into legitimate development cycles without triggering standard security alerts.
Liquidity and Operational Risks for Protocols
The presence of state-sponsored IT workers within crypto projects poses a severe threat to both liquidity and operational stability. If these individuals hold administrative keys or influence over smart contract upgrades, they possess the capability to initiate unauthorized withdrawals or drain treasury assets. The broader context, in which crypto asset thefts reached $3.4 billion in 2025 as state-sponsored activity dominates, underscores the financial stakes involved in these security breaches. Projects that unknowingly employ these workers face potential regulatory scrutiny and the risk of catastrophic loss of user funds.
For the broader ecosystem, this exposure necessitates a fundamental shift in how project teams verify the identities of their contributors. Reliance on decentralized reputation systems has proven insufficient against actors capable of fabricating long-term employment histories and technical portfolios. The immediate impact is heightened audit requirements for any project that has recently onboarded remote developers without rigorous, multi-factor identity verification.
As the industry grapples with these findings, the next concrete marker will be the disclosure of the specific projects affected by this infiltration. Affected teams must now decide whether to perform emergency code audits or initiate full-scale migrations to new smart contract instances to purge potential backdoors. The industry will also look for updated guidance from major foundations on how to standardize identity verification for remote contributors without compromising the ethos of open-source development. Investors should monitor project-specific announcements regarding security audits and personnel changes in the coming weeks.
AI-drafted from named sources and checked against AlphaScala publishing rules before release. Direct quotes must match source text, low-information tables are removed, and thinner or higher-risk stories can be held for manual review.