Ethereum Rallies: North Korea’s Cryptocurrency Hacking Network Undergoes Significant Crackdown

by admin

Summary of the ETH Rangers Program and Its Impact on Web3 Security

The Ethereum Foundation has launched an initiative called the ETH Rangers Program, which has significantly bolstered security within Web3 organisations by identifying and removing over 100 North Korean operatives. This six-month programme, in collaboration with security firms such as Secureum, The Red Guild, and Security Alliance (SEAL), has also recovered or frozen assets amounting to over US$5.8 million (approximately AU$8.08 million) while uncovering nearly 800 security vulnerabilities.

Key Achievements of the ETH Rangers Program

  • Asset Recovery: The programme successfully facilitated the return or freezing of more than US$5.8 million, safeguarding assets that were likely part of illicit activities.
  • Vulnerability Identification: A total of 785 security vulnerabilities were reported, highlighting the systemic risks within the Web3 ecosystem.
  • Identification of Threat Actors: Through collaborations, 100 North Korean operatives were identified working under false identities across roughly 53 blockchain projects.

One of the most notable outcomes was the establishment of the Ketman Project, which enabled the detection of North Korean IT personnel infiltrating blockchain projects. This initiative is publicly accessible through its dedicated website, ketman.org, which provides details and transparency about the identified operatives. Additionally, a GitHub tool named gh-fake-analyzer was developed to help recognise suspicious activities attributable to North Korean operatives.

Participants in the programme, like Nick Bax, made significant contributions, logging over 36 SEAL 911 tickets. Notably, one of these cases helped retrieve US$5.8 million from a security breach linked to Loopscale.

Another significant feature of the programme was the creation of an incident explorer by SunSec and the DeFiHackLabs community, where users can examine and analyse more than 620 DeFi security incidents, complete with proof-of-concept exploits and root cause analyses.

Ongoing Threat from North Korean IT Workers

Despite these advancements, the issue of North Korean IT operatives infiltrating global markets under false pretences remains prevalent. A 2023 United Nations report estimated that between 3,000 and 10,000 North Korean IT personnel were operating overseas, underscoring the ongoing risks associated with these clandestine activities. Additional research from the US Department of State indicated that around 1,500 North Korean IT workers are currently based in China, with plans for an alarming expansion involving up to 40,000 workers heading to Russia.

Notably, Chainalysis has reported a sharp uptick in cryptocurrency thefts attributed to North Korea, totalling US$2.02 billion (AU$2.83 billion) in 2025—a 51% increase from the previous year. This brings the total stolen cryptocurrency to roughly US$6.75 billion (AU$9.45 billion). Analysts have noted a shift in tactics, with North Korean hackers focusing on embedding agents within crypto projects and leveraging social engineering to execute successful breaches, rather than simply targeting numerous individual wallets.

Conclusion

The Ethereum Foundation’s ETH Rangers Program marks a significant leap forward in mitigating threats from North Korean operatives within the Web3 sphere. By recovering substantial sums, exposing vulnerabilities, and assisting organisations in navigating these challenges, the initiative promises to enhance security measures in an industry increasingly under threat from sophisticated cybercriminals. As the landscape evolves, ongoing vigilance and innovative security strategies will be crucial to safeguarding the integrity of the blockchain ecosystem.
