Ethereum Foundation program identifies DPRK-linked workers, recovers $5.8 million

Six-month ETH Rangers effort tied insider-threat findings to fund freezes and security reports
TL;DR
- Ethereum Foundation-backed ETH Rangers Program said it recovered or froze more than $5.8 million, reported more than 785 vulnerabilities, and identified more than 100 suspected DPRK-linked operatives.
- The effort ran for six months and linked suspected DPRK-linked IT workers to about 53 crypto projects, while supporting more than 36 incident responses.
- The reporting also covered broader U.S. enforcement and North Korea-linked crypto crime figures, including about $2 billion stolen in 2025 and prison sentences for two U.S. nationals.
The Ethereum Foundation-backed ETH Rangers Program said on April 16, 2026, that a six-month security effort had recovered or frozen more than $5.8 million, reported more than 785 vulnerabilities, and identified more than 100 suspected DPRK-linked operatives working across crypto teams, according to details cited in the reporting.

The program was described as a partnership-backed security initiative focused on funding independent security research, incident response, and broader ecosystem defense across Ethereum and related Web3 projects. The work went beyond static audits and included live threat detection, coordinated mitigation, open-source tool development, and research frameworks aimed at improving security operations across Ethereum-based applications.
The Ethereum Foundation summarized the results in a statement quoted in the reporting: “The ETH Rangers Program has wrapped up and the results speak for themselves: $5.8M+ recovered, 785+ vulnerabilities reported, 100+ DPRK operatives identified, and so much more,” followed by the line, “A decentralized defence for a decentralized network.”
Insider threat findings became a central part of the operation
One of the program’s most significant findings involved suspected DPRK-linked IT workers embedded in crypto teams under false identities. Those detections were tied to roughly 53 crypto projects, and some investigations led directly to frozen funds, showing that the operation produced not only security intelligence but also concrete disruption of suspected illicit activity inside active Web3 environments.
The Ketman Project was described as a key contributor to those detections and as a co-author, with the Security Alliance, of a framework for identifying DPRK workers. The Ethereum Foundation said of that work, “This work directly addresses one of the most pressing operational security threats facing the Ethereum ecosystem today.”
Nick Bax was also cited in the reporting as a contributor to the effort. According to reports, Bax identified and notified more than 30 teams that DPRK workers were on their payroll and helped freeze hundreds of thousands of dollars in crypto paid to those workers.
The threat is an insider-access problem as much as a hacking problem, with state-linked actors seeking positions inside Web3 firms through hiring channels rather than relying only on conventional exploits. That finding sat alongside the program’s broader technical work, which included vulnerability discovery, incident response, and security tooling.
Wider enforcement and North Korea-linked crypto activity
North Korean-linked hackers were reported to have stolen about $2 billion worth of crypto in 2025, a figure described as a record and a 51% increase from the previous year.
According to a 2023 United Nations report, North Korea had sent between 3,000 and 10,000 IT workers overseas. More recent figures published alongside the U.S. State Department indicate that as many as 1,500 were in China, with plans to send more to Russia.
The concern around social engineering is also linked to the theft of $285 million from Drift Protocol, with the reporting saying that the Solana-based exchange concluded it had been hit by a months-long social engineering operation orchestrated by North Korean hackers.
U.S. enforcement developments were reported alongside those findings. The Justice Department said two U.S. nationals who helped DPRK workers pose as Americans to gain access to 100 companies were sentenced to at least seven years in prison after pleading guilty to wire fraud and money-laundering conspiracy charges. Authorities also said the two received $700,000 for helping funnel millions of dollars from victimized U.S. companies overseas, while eight defendants indicted in connection with the same scheme remained at large.
FAQ
What did the ETH Rangers Program say it achieved?
It said it recovered or froze over $5.8 million and reported over 785 vulnerabilities.
How many suspected DPRK-linked operatives were identified?
More than 100, according to the figures cited in the reporting.
How many crypto projects were linked to those findings?
About 53 crypto projects were cited.
What did the Justice Department say about the U.S. case?
Two U.S. nationals were sentenced, and eight indicted defendants remained at large.
This article has been refined and enhanced by ChatGPT.