Ethereum Foundation uncovers 100 DPRK IT workers in crypto
The Ethereum Foundation’s six-month ETH Rangers program identified over 100 DPRK IT workers across 53 crypto projects, recovered about $5.8M and reported 785+ vulnerabilities.
The Ethereum Foundation said a six-month program known as ETH Rangers identified more than 100 Democratic People’s Republic of Korea (DPRK) IT workers embedded in 53 separate crypto projects, recovered roughly $5.8 million in stolen funds and reported more than 785 security vulnerabilities.
The Swiss nonprofit published a blog post on April 16, 2026, describing the effort and saying it triggered dozens of incident responses and helped freeze assets linked to malicious accounts. The program partnered with blockchain security groups and ran coordinated research and disclosures across the ecosystem.
Research financed by the foundation and led in part by the Ketman Project found DPRK-linked personnel working on or contracted to about 53 distinct crypto projects. The Ketman Project and an organization called the Security Alliance (SEAL) developed a framework to identify suspected operatives and notify affected teams.
Independent blockchain investigator Nick Bax reported that he alerted more than 30 teams about suspected DPRK workers on their payrolls and assisted in freezing hundreds of thousands of dollars tied to those accounts. The foundation said multiple projects mounted incident responses to remediate exposed weaknesses after being notified.
The ETH Rangers tally included about $5.8 million recovered, more than 785 reported vulnerabilities and identification of over 100 DPRK operatives. The foundation said the program has concluded and published a recap of its methods and outcomes, along with vulnerability reports and remediation guidance for affected projects.
The findings follow wider activity attributed to DPRK cyber actors. Security firm Chainalysis reported North Korean hackers stole about $2 billion in cryptocurrency in 2025. This year, a Solana-based decentralized exchange disclosed a $285 million theft that investigators linked to a months-long social engineering operation attributed to DPRK actors.
U.S. law enforcement has pursued networks that helped DPRK operatives pose as Americans to win jobs and contractor roles. The Justice Department said two U.S. nationals pleaded guilty to wire fraud and money-laundering conspiracy charges for helping DPRK workers infiltrate roughly 100 companies; each received a prison sentence of at least seven years. Authorities said the pair received about $700,000 for their roles and noted eight other defendants indicted in the scheme remain at large.
United Nations and U.S. government reporting has documented North Korea’s overseas IT deployments. A 2023 U.N. report estimated the DPRK had sent between 3,000 and 10,000 IT workers abroad, and a more recent count tied to the State Department placed as many as 1,500 in China with plans for additional placements in Russia.
Project teams and security researchers involved in ETH Rangers said the work exposed both technical flaws and personnel-based risks inside decentralized software projects and that coordinated disclosures and freezing actions enabled several recoveries and remediation efforts.