The Summary

The Ethereum Foundation just proved that decentralized infrastructure needs centralized vetting, and the results are uglier than anyone expected.

The Signal

The Ketman Project ran for six months on Ethereum Foundation funding and surfaced a problem the industry has been quietly ignoring: remote-first hiring in crypto created the perfect attack surface for sanctioned regimes. The numbers tell the story. 100 operatives across 53 projects means nearly two DPRK workers per compromised company on average. That's not random penetration. That's systematic infiltration.

The mechanics here matter. North Korean IT workers don't show up to Zoom calls waving flags. They use stolen identities, VPNs routing through China or Southeast Asia, and fabricated work histories. The Ketman Project alerted the 53 projects directly, which means most of these companies had no idea they were paying developers whose salaries fund missile programs.

"53 projects employing DPRK operatives means the hiring surface area in Web3 is orders of magnitude larger than traditional tech's."

This isn't a crypto-specific vulnerability, but crypto made it worse. The industry's obsession with pseudonymity, remote work, and "code is law" created an environment where asking too many questions about who's building your protocol feels ideologically suspect. Traditional tech companies have compliance teams, background checks, and physical offices. Web3 has GitHub handles and Discord usernames.

The timing matters too. Six months of detective work to find 100 people suggests the real number is higher. The Ketman Project caught the operatives they could verify. How many more are still embedded? How many projects didn't get the call?

Key operational details:

  • Average of 1.9 DPRK workers per compromised project
  • Detection required six months of dedicated investigation
  • Projects were notified directly, not publicly named
  • Funding came from an Ethereum Foundation stipend, not a formal security initiative

The regulatory implications are immediate. Crypto firms already operate in a compliance gray zone. This discovery hands regulators a ready-made argument for Know Your Developer frameworks. Expect calls for contractor verification systems, mandatory identity checks for GitHub contributors, and background screening requirements that would make traditional tech's HR departments look loose by comparison.

The Implication

If you're hiring developers for a Web3 project right now, assume your applicant pool includes at least one person you can't legally pay. The era of "permissionless building" is colliding with the reality of nation-state actors using your job postings as funding mechanisms. The Ketman Project just made vetting non-negotiable.

Watch for two second-order effects. First, decentralized projects will start centralizing hiring practices, complete with compliance infrastructure that looks identical to Web2. Second, the tools that caught these 100 operatives will become table stakes. If you're launching a protocol and you don't have a process for verifying who's writing your smart contracts, you're the next case study.

Sources

Crypto Briefing | RWA Times | CoinTelegraph | Decrypt