The threat is no longer theoretical. The Ethereum Foundation claims to have helped identify about 100 IT workers linked to North Korea in 53 crypto projects in just six months, through its ETH Rangers program. This figure is striking because it shows that infiltration is no longer limited to spectacular hacks. It also involves operatives who are hired, integrated into teams, then positioned as close as possible to sensitive access.
The signal sent by the Ethereum Foundation is clear: the risk also comes from within. In its report published on April 16, it explains that the Ketman Project, supported by the ETH Rangers program, contacted about 53 projects and identified around 100 active DPRK operators in Web3 organizations. This is no longer a blind spot. It is an ecosystem problem.
This detail changes how the subject should be read. For a long time, the crypto industry mainly looked at smart contract flaws, compromised keys, and unsecured bridges. But here, the entry point is human. An operator infiltrates a team, gains its trust, then moves closer to critical permissions. The front line shifts from pure code toward recruitment, operations, and governance.
This is the most troubling part for the sector. The mechanism seems banal at first: a credible freelancer, a competent developer, a fake recruiter, a well-polished identity. Then the matter scales up. Chainalysis also notes that North Korea now achieves larger thefts with fewer incidents, notably by embedding IT workers in crypto companies or by using sophisticated impersonations.
The 2025 figures set the scene. According to Chainalysis, over 3.4 billion dollars were stolen in the crypto ecosystem over the year, including 2.02 billion attributed to North Korean actors, up 51% year-over-year. More importantly, these groups reportedly accounted for 76% of recorded service compromises. We are no longer talking about just one actor among others. We are talking about the sector’s main state risk.
The model is known, but growing more refined. The U.S. Treasury explains that these teams rely on fake documents, stolen identities, and fabricated personas to obtain real positions, while the regime collects most of the generated revenues. Some operations go further and also introduce malware or serve to exfiltrate sensitive data. The pay slip then becomes an access lever.
The Drift case revived this fear at a bad time. Chainalysis estimates that the 285 million dollar hack suffered by the Solana crypto protocol on April 1, 2026, shows signals consistent with DPRK actors, after an operation prepared for months and supported by social engineering. Even with attribution still ongoing, the message is brutal: human compromise can precede financial damage by a long time.