Ethereum Foundation flags about 100 suspected state-backed hackers, including North Korean operators

The Ethereum Foundation has published a recap of its ETH Rangers security initiative, saying researchers involved in a six-month funding program identified roughly 100 suspected state-sponsored cyber actors, including North Korean operatives active across multiple Web3 projects. According to the report, work was accelerated through efforts such as the "Ketman Project." Researchers sent warnings to about 53 blockchain projects after uncovering tactics that relied on fabricated identities to enter development teams and take on roles tied to technical work and fund transfers. The Foundation said associated funds totaling hundreds of thousands of dollars have been frozen. The security team has incorporated the findings into its Lazarus Group threat analysis framework and presented the intelligence at industry forums including DEF CON, underscoring that state-backed cyberattacks continue to reach into cryptocurrency infrastructure. Overall, the program led to the freezing or recovery of more than $5.8 million, the reporting or documentation of over 785 vulnerabilities, and responses to 36 security incidents. The Foundation said the results point to Ethereum's security challenge shifting from isolated exploit events to broader, system-level risks involving state actors. The report also highlights North Korea-linked activity that allegedly uses "remote IT workers" to infiltrate projects, with attack paths ranging from account takeovers and freelancing-platform penetration to fund-movement operations. The Foundation called these groups a top defense priority and said protecting decentralized networks requires "decentralized defense," pledging continued support for security research, threat intelligence, and talent development amid intensifying state-sponsored threats.