- An Ethereum Foundation program which funded the work of independent security investigators has resulted in over 100 North Korean operatives being identified and removed from Web3 organisations.
- The program, known as the ETH Rangers Program, ran for 6 months and was a partnership between the Ethereum Foundation and other security organisations including The Red Guild and Security Alliance.
- Other notable outcomes of the program include over US$5.8 million in assets being returned or frozen and the publication of a framework to help organisations deal with the threat of North Korean operatives.
Security sleuthing funded through the Ethereum Foundation has led to the recovery or freezing of over US$5.8 million (AU$8.08 million) in stolen assets, uncovered almost 800 security vulnerabilities, and identified over 100 North Korean operatives working inside Web3 organisations.
The program, known as the ETH Rangers Program, ran for 6 months and funded the work of 17 independent investigators in a partnership between the Ethereum Foundation, Secureum, The Red Guild and Security Alliance (SEAL).
During the 6-month program, one of the funded investigators built and scaled a system, known as the Ketman Project, designed to identify and expel North Korean IT workers who had infiltrated blockchain projects under fake identities.
The Ketman Project identified over 100 North Korean IT workers working inside approximately 53 projects within Web3 organisations. The project published its findings on a public website, ketman.org.
The project also developed and open-sourced a GitHub profile analyser, known as gh-fake-analyzer, designed to aid in identifying suspicious activity associated with North Korean operatives. It also co-authored the DPRK IT Workers Framework with SEAL, which is now widely used across the Web3 industry.
Another participant in the program, Nick Bax, logged more than 36 SEAL 911 tickets, one of which involved assisting with the Loopscale exploit, resulting in the return of US$5.8 million. He was also part of a security team which identified and notified over 30 organisations employing North Korean IT workers and aided in freezing funds received by those workers, in the range of several hundred thousand dollars.
Another notable outcome of the ETH Rangers Program was the creation of an incident explorer built by SunSec and the DeFiHackLabs community, which allows users to search for and analyse over 620 DeFi security incidents with proof-of-concept (PoC) exploits and root cause analysis.
Fake North Korean IT Workers a Significant Issue
North Korean IT workers assuming fake identities and securing work inside organisations has been a problem for several years.
In 2023, a report from the United Nations found that somewhere between 3,000 and 10,000 North Korean IT operatives were working overseas. Research published by the US Department of State in January suggests this problem is continuing to spread, finding that up to 1,500 North Korean IT workers are currently located in China. It also uncovered North Korean plans to send up to 40,000 workers, including many IT workers, to Russia, and found that North Korean IT workers are active in a number of other countries, including Laos, Cambodia and Nigeria.
Meanwhile, blockchain security firm Chainalysis published findings in December that North Korean hackers had stolen US$2.02 billion (AUD$2.83 billion) in cryptocurrency throughout 2025, a 51% increase over the previous year. This brought the total amount of crypto stolen by North Korea to US$6.75 billion (AUD$9.45 billion).
Chainalysis also found that North Korea is now “achieving larger thefts with fewer incidents” by focussing on embedding IT workers inside crypto projects, or using sophisticated social engineering operations to breach security, rather than attacking a large number of individual wallets.
