North Korean Agents Infiltrate Cryptocurrency Companies Without a Sound, Here’s What It Means for the Industry » The Merkle News


The Ketman project operates as part of the Ethereum Foundation’s ETH Rangers security initiative, where it has identified around 100 North Korean information technology agents working inside Web3.

They are not outside hackers breaking in. They are insiders, employees working from within the organization’s infrastructure.

These findings, which emerged from a six-month investigation, changed the discourse. In the past, North Korea’s involvement in cryptocurrencies was seen simply as a matter of cyberattacks: attacking exchanges through breaches, phishing campaigns, and exploitation. The report describes a more covert and calculated type of threat, one that is potentially more dangerous in the long term.

These agents are hired through normal hiring procedures rather than by breaking in. Candidates undergo interviews, join teams, and receive appropriate access to internal systems. This changes the threat considerably.

From hacking to human infiltration

The evolution in tactics is striking. North Korea’s cyber operations previously focused on rapid, large-scale attacks: dramatic hacks and instant money theft. The new approach is a quieter, more systematic way of working.

Agents appear to be using false identities to take jobs at Web3 organizations. Once hired, they take a passive stance, observing process flows, mapping the system architecture, and learning internal processes. They delay their actions until the timing is right. Sometimes, agents remain in place for months without being detected.

This method works around legacy security controls. There are no immediate incidents or unusual actions to set off alarms; the activity looks familiar and ordinary.

Therefore, the problem goes beyond cybersecurity. This includes employment policies, internal trust mechanisms, and robust employment verification processes. This trend is expected to grow through 2025 and into 2026, as coordinated attacks directly targeting the workforce become more common than traditional external cyberattacks.

The size of the problem

This is a huge operation. The identification of approximately 100 agents points to a very high degree of coordinated activity. More broadly, the effects of North Korea-related activity on the cryptocurrency ecosystem are dire.

North Korea-linked schemes allegedly stole about $2.02 billion from the cryptocurrency industry in 2025, a 51% increase over 2024, bringing the total to nearly $6.75 billion.

It’s not just a matter of a data breach; it’s a systemic security vulnerability.

This was followed up with significant actions from the ETH Rangers Initiative. It said it supported 17 independent researchers, recovered or froze approximately $5.8 million in illicit funds, identified more than 785 vulnerabilities and handled 36 incident response cases.

These efforts show that the Treasury Department is also aware of the enormous amount of anti-financial activity that continues even as surveillance continues.

Recent cases and real life impact

This threat is tangible. The depth of this matter is evident in some recent events.

Among the most notable cases is the exchange Stabble, which issued a withdrawal warning after discovering a North Korea-linked agent in its senior leadership. This was not only a technical breach; it also reached into strategic and political decision-making on sensitive financial operations.

This also includes the Drift Protocol exploit on April 1, 2026, where North Korean threat actors carried out a $285 million hack, the largest DeFi exploit in 2026 so far. Investigations are still ongoing into what happened with the money after that.

Together, these events highlight a pattern of illicit activity: inside-out exploitation.

Because these agents are real employees, the line between friend and foe becomes blurred, making preventative and reactive action more difficult.

What this means for cryptocurrency companies

This has forced cryptocurrency companies to re-evaluate aspects of their internal operations. Security now extends beyond code and digital assets to the people who operate them.

Hiring practices will be scrutinized now more than ever. More comprehensive background checks, more stringent identity verification, and ongoing behavioral analysis could become the norm, not as rigid policy for its own sake, but as a reaction to creeping threats.

Trust dynamics also face challenges. While Web3 is built on the basic principles of openness and decentralization, this infiltration brings with it some contradictions. As we move into a more complex field, balancing transparency with protective controls becomes more difficult.

Regulatory bodies may intensify oversight. The involvement of state-linked individuals in cryptocurrency companies may increase compliance requirements, including with respect to employment practices and internal governance. At the same time, security teams must adapt. Against adversaries holding valid credentials, regular perimeter defenses are no longer enough. The emphasis shifts to anomaly detection, in-depth internal auditing, and multi-layered security architectures.

An inflection point for the industry

This moment represents a major inflection point, not because insider threats are new, but because of the unprecedented clarity and scale now visible.

Cryptocurrency companies can no longer treat insider threats as niche issues. They now lie at the core of risk management strategy.

But this does not mean a complete collapse of the system. Instead, it points to the growing importance of the cryptocurrency sector and the increasing level of interest it is attracting from distinct nation-state players.

But it is clear that the threat has risen somewhat.

The industry will continue to face challenges in balancing openness and security. Companies that succeed in achieving this balance are in a position to emerge stronger. Those that fail may discover weaknesses that were not previously considered.

One fact cannot be denied at the moment: the biggest risks in the cryptocurrency space are no longer at the perimeter. They reside more and more inside, silent, devastating, and waiting.

Disclosure: This is not trading or investment advice. Always do your research before purchasing any cryptocurrency or investing in any services.
