How Are North Korean IT Workers Infiltrating Web3 Organizations?
Ketman — a project backed by the Ethereum Foundation — identified 100 North Korean IT workers embedded within Web3 organizations over a six-month period, issuing security alerts to approximately 53 affected projects. The scale of this finding points to a systematic, long-term infiltration strategy: North Korean operatives fabricate identities and credentials to join crypto projects as developers or external contributors, gaining access to codebases, treasury operations, and sensitive internal data.
How Does Ketman Detect Concealed North Korean Developers?
A core output of the Ketman project is an open-source toolset designed to identify suspicious GitHub activity. By analyzing code commit patterns, account behavioral signatures, and contributor network relationships, the tool flags accounts whose activity closely matches known behavioral profiles associated with North Korean IT personnel. A flag is a lead for human review rather than a verdict: behavioral matching produces false positives, so a flagged contributor should be checked against independent evidence (identity verification, the account's history, and the people who vouched for it) before access is revoked. Used this way, the tool lets project teams detect and address insider threats before they translate into tangible security or financial losses.
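To make the three signal families concrete, the script below scores contributors from git metadata. It is an added illustration, not Ketman's toolset or its heuristics: the commit lines are constructed, the thresholds are assumptions, and the output is a review queue, not an attribution. It reads commit patterns (the UTC offsets and hours a commit was authored in), account signatures (how many e-mail identities one author name uses), and contributor network links (Co-authored-by trailers), then raises an account's score when it co-authors with an account that already looks anomalous.

```python
"""Illustrative contributor-anomaly scorer over git metadata.

Added example; not Ketman's code or its detection rules. All sample
commits below are constructed, and every threshold is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample mimicking `git log --format='%an|%ae|%aI|%s'`, with any
# Co-authored-by trailers appended to the subject, separated by ';'.
SAMPLE_LOG = """\
alice|alice@example.org|2024-03-04T10:12:00+01:00|fix: rounding in vault math
alice|alice@example.org|2024-03-05T14:40:00+01:00|test: add vault edge cases
alice|alice@example.org|2024-03-06T09:05:00+01:00|docs: update README
bob|bob@example.org|2024-03-04T03:10:00-05:00|feat: new bridge adapter
bob|bob@example.org|2024-03-04T03:55:00-05:00|chore: bump deps
bob|bob-dev@mail.example|2024-03-05T02:30:00+09:00|feat: add relayer keys
bob|bob@example.org|2024-03-06T04:01:00+00:00|fix: relayer retry;Co-authored-by: carol <carol@example.org>
carol|carol@example.org|2024-03-06T03:15:00+00:00|feat: treasury script;Co-authored-by: bob <bob@example.org>
carol|carol@example.org|2024-03-07T02:45:00+00:00|chore: rotate deploy key;Co-authored-by: bob <bob-dev@mail.example>
"""

OFF_HOURS_END = 6        # assumption: commits before 06:00 in the commit's own offset count as off-hours
TRAILER_RE = re.compile(r"\s*Co-authored-by:\s*([^<]+?)\s*<([^>]+)>")


def parse_log(text):
    """Turn the constructed log lines into commit records."""
    commits = []
    for line in text.strip().splitlines():
        name, email, date, rest = line.split("|", 3)
        subject, *trailers = rest.split(";")
        coauthors = [m.group(1) for t in trailers if (m := TRAILER_RE.match(t))]
        commits.append({
            "author": name,
            "email": email,
            "when": datetime.fromisoformat(date),   # aware datetime; .hour is local to the commit's offset
            "subject": subject,
            "coauthors": coauthors,
        })
    return commits


def account_signals(commits):
    """Per-author features: distinct offsets, distinct e-mails, off-hours ratio, co-author partners."""
    by_author = defaultdict(list)
    for c in commits:
        by_author[c["author"]].append(c)
    signals = {}
    for author, cs in by_author.items():
        signals[author] = {
            "offsets": len({c["when"].utcoffset() for c in cs}),
            "emails": len({c["email"] for c in cs}),
            "off_hours_ratio": sum(c["when"].hour < OFF_HOURS_END for c in cs) / len(cs),
            "partners": {p for c in cs for p in c["coauthors"]},
        }
    return signals


def score_accounts(commits, flag_threshold=2):
    """Score each author; a second pass adds one point per co-author partner that already scored >= 2."""
    signals = account_signals(commits)
    base = {}
    for author, s in signals.items():
        score = 0
        score += s["offsets"] > 1            # commit pattern: author hops between UTC offsets
        score += s["emails"] > 1             # account signature: several identities under one name
        score += s["off_hours_ratio"] >= 0.5  # commit pattern: mostly working at odd local hours
        base[author] = score
    final = {}
    for author, s in signals.items():
        network = sum(1 for p in s["partners"] if base.get(p, 0) >= 2)  # contributor-network propagation
        final[author] = base[author] + network
    flagged = sorted(a for a, sc in final.items() if sc >= flag_threshold)
    return final, flagged


if __name__ == "__main__":
    scores, review_queue = score_accounts(parse_log(SAMPLE_LOG))
    for author, score in sorted(scores.items()):
        print(f"{author:8} score={score}")
    print("review queue:", review_queue)
```

On the constructed data, bob scores 3 (three offsets, two e-mails, all commits before 06:00) and carol reaches 2 only through the network step, which is the point: a quiet account is worth a look when its only collaborator is an anomalous one. Both go to a human reviewer; nothing here proves who sits behind an account.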
Building an Industry Framework With Security Alliance
Beyond tooling, Ketman has collaborated with Security Alliance to develop an industry-wide identification framework, giving Web3 organizations a reusable methodology for personnel security assessment. The release of this framework represents a meaningful shift in how the crypto industry approaches insider threats — elevating personnel vetting from an afterthought to a structured, repeatable security discipline.
Why Are Web3 Projects Particularly Vulnerable to This Type of Infiltration?
The structural characteristics of Web3 development — remote collaboration, pseudonymous contribution, and rapid onboarding — create conditions that are highly favorable for identity fabrication. Unlike traditional financial institutions with rigorous KYC processes, many crypto projects apply minimal identity verification to contributors. North Korea has systematically exploited this gap, placing technical personnel across global Web3 projects to generate income for the regime and lay the groundwork for future exploits or code-level compromises.
On-Chain Monitoring as a Complementary Layer of Defense
Personnel infiltration and on-chain financial risk are closely linked: once an insider holds a signer key, an admin role, or deploy access, anomalous fund movements tend to follow. For Web3 projects, real-time monitoring of on-chain transaction anomalies, permission changes (new signers, role grants, ownership transfers), and large or unusually fast outflows from treasury and protocol contracts is a necessary complement to personnel security controls, because a contributor check that missed an operative still leaves the chain as the place where the activity becomes visible. Trustformer KYT delivers professional on-chain transaction risk monitoring, detecting interactions with high-risk addresses and flagging abnormal operations in real time, helping project teams respond before insider threats become material losses and building a more complete Web3 security posture.
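The rules a monitor of this kind runs are simple to state, so here is a small rule set over a constructed event stream. This is an added example and not Trustformer KYT's logic or any product's rule set; the treasury address, the high-risk list, the thresholds and the events are all assumptions. It covers the four signals the paragraph names, plus the insider sequence it describes: a role grant followed shortly by an outflow to the newly granted account.

```python
"""Illustrative KYT-style rules over on-chain events.

Added example; not Trustformer KYT or any vendor's rules. Addresses,
thresholds and the event stream are constructed for the demonstration.
"""
from datetime import datetime, timedelta

TREASURY = "0xaaaa000000000000000000000000000000000001"      # assumed treasury address
RISK_LIST = {"0xbad0000000000000000000000000000000000bad"}  # constructed high-risk list
LARGE_TRANSFER = 250_000                                     # assumed single-transfer threshold (token units)
VELOCITY_LIMIT = 400_000                                     # assumed total outflow allowed per window
WINDOW = timedelta(hours=1)                                  # assumed trailing window
PRIVILEGED_EVENTS = {"OwnershipTransferred", "RoleGranted", "SignerAdded"}

# Constructed event stream, already ordered by timestamp.
EVENTS = [
    {"ts": "2024-03-07T01:00:00", "type": "Transfer", "from": TREASURY, "to": "0x1111", "value": 50_000},
    {"ts": "2024-03-07T01:20:00", "type": "RoleGranted", "account": "0x2222", "role": "EXECUTOR_ROLE"},
    {"ts": "2024-03-07T01:30:00", "type": "Transfer", "from": TREASURY, "to": "0x2222", "value": 300_000},
    {"ts": "2024-03-07T01:45:00", "type": "Transfer", "from": TREASURY,
     "to": "0xbad0000000000000000000000000000000000bad", "value": 120_000},
    {"ts": "2024-03-07T05:00:00", "type": "Transfer", "from": "0x3333", "to": TREASURY, "value": 10_000},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def outflow_in_window(events, end_idx):
    """Sum treasury outflows in the trailing window ending at events[end_idx]."""
    end = parse_ts(events[end_idx]["ts"])
    start = end - WINDOW
    return sum(
        e["value"] for e in events[: end_idx + 1]
        if e["type"] == "Transfer" and e["from"] == TREASURY and start < parse_ts(e["ts"]) <= end
    )


def scan(events):
    """Return alerts in event order; one event may raise several rules."""
    alerts = []
    granted = {}  # account -> time it received a privileged role/signer slot
    for i, e in enumerate(events):
        ts = parse_ts(e["ts"])
        if e["type"] in PRIVILEGED_EVENTS:
            # Permission changes are always surfaced; they are the precursor to insider outflows.
            granted[e.get("account")] = ts
            alerts.append({"ts": e["ts"], "rule": "privileged_change", "detail": f"{e['type']} {e.get('account')}"})
            continue
        if e["type"] != "Transfer":
            continue
        if e["from"] == TREASURY and e["value"] >= LARGE_TRANSFER:
            alerts.append({"ts": e["ts"], "rule": "large_transfer", "detail": f"{e['value']} to {e['to']}"})
        if e["from"] == TREASURY and e["to"] in granted and ts - granted[e["to"]] <= WINDOW:
            # The insider pattern: access granted, then funds move to the same account soon after.
            alerts.append({"ts": e["ts"], "rule": "post_grant_outflow", "detail": f"{e['value']} to {e['to']}"})
        if e["to"] in RISK_LIST or e["from"] in RISK_LIST:
            alerts.append({"ts": e["ts"], "rule": "risk_counterparty", "detail": f"{e['from']} -> {e['to']}"})
        if e["from"] == TREASURY and outflow_in_window(events, i) >= VELOCITY_LIMIT:
            # Fires on every outflow while the window total stays above the cap; dedupe upstream if needed.
            alerts.append({"ts": e["ts"], "rule": "velocity", "detail": f"{outflow_in_window(events, i)} in window"})
    return alerts


if __name__ == "__main__":
    for a in scan(EVENTS):
        print(a["ts"], a["rule"], a["detail"])
```

On the constructed stream the role grant at 01:20 is surfaced on its own, the 300,000 transfer ten minutes later trips both the size rule and the post-grant rule, and the 120,000 transfer at 01:45 hits the risk list and pushes the hour's outflow to 470,000, over the velocity cap. The inbound transfer at 05:00 raises nothing. A real deployment would feed these from an indexer and route alerts to a pause-or-page decision rather than printing them.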