Ethereum Foundation-Backed Ketman Project Identifies 100 Suspected DPRK Operatives in Web3

• An Ethereum Foundation-backed security project says it identified around 100 suspected DPRK IT workers embedded across crypto companies.
• The Ketman team said it contacted roughly 53 projects and is now helping firms use interview-stage honeypots to detect bad actors earlier.

The Ethereum Foundation is putting a spotlight on one of crypto’s less visible security risks: hostile actors getting hired before they ever need to hack anything.

According to information shared by @_FORAB, a recent Ethereum Foundation grant review highlighted Ketman, a project focused on identifying North Korean operatives infiltrating the crypto industry through fake developer identities. During its work, the team said it reached out to roughly 53 projects and uncovered around 100 active DPRK IT workers operating inside Web3 organizations.

The threat starts at hiring, not at the exploit

That is what makes this story more unsettling than a routine breach report. The issue is not only stolen keys or compromised smart contracts. It is recruitment.

Ketman says these operatives often use forged Japanese identification documents to secure remote engineering roles at crypto firms. Once inside, they can gain access to internal tooling, repositories, workflows and security procedures long before any attack becomes visible onchain.

For an industry built on distributed teams and fast hiring, that creates a different kind of vulnerability. Crypto companies tend to think about defense in terms of code audits and wallet security. Ketman’s work suggests the first line of defense may need to be much earlier, at the interview stage.

Honeypots move into the recruitment process

The project is now helping crypto teams build honeypots into hiring workflows to identify suspicious applicants before they are onboarded. That is a notable shift. It means some firms are starting to treat recruiting itself as an operational security layer, not just an HR function.

The broader message is fairly plain. North Korean-linked threats in crypto are no longer limited to external attacks. They are increasingly tied to infiltration, patience and access from within.

For the Ethereum Foundation, backing a project like Ketman also signals a wider understanding of ecosystem security. Protecting Web3 is not only about patching contracts after the fact. It is about knowing who is trying to get inside the company before the code is ever shipped.