The Ethereum Foundation and its partners have published the closing report for ETH Rangers, a six-month security program that backed independent researchers working across the Ethereum ecosystem.
The report, published on Thursday, said the program launched in late 2024 with Secureum, The Red Guild, and the Security Alliance, or SEAL. It aimed to fund public security work and support people already helping improve Ethereum’s safety. The report said 17 stipend recipients took part in the effort.
The report put one figure at the center of its release. Across recipient initiatives, ETH Rangers said it identified about 100 state-backed operatives across Web3 teams.
In the Ketman Project section, the report said one recipient reached about 53 projects and found around 100 DPRK IT workers operating under fake identities inside blockchain organizations. The report tied that work to one of the main operational risks facing the Ethereum ecosystem.
Report centers on DPRK worker cases
The DPRK section of the recap focused on the Ketman Project, which used its stipend to investigate North Korean IT workers posing as legitimate contributors. According to the report, the team published research on account takeovers, freelance platform infiltration, and DPRK-Russia links.
It also built an open-source GitHub profile analysis tool and helped produce a framework with SEAL that the report described as a standard reference for the wider industry.
The ETH Rangers recap did not frame that work as a one-off effort. It said the recipient also contributed data to the Lazarus.group threat intelligence project and that some of the work was presented at DEF CON.
In a separate section, the report said Nick Bax worked on DPRK threat mitigation, helped notify more than 30 teams that they had employed DPRK IT workers, and assisted in freezing mid-six-figure sums tied to those workers.
Funds recovered and bugs reported
Beyond the DPRK findings, the report described a broad set of security results across the Ethereum ecosystem.
ETH Rangers helped recover or freeze more than $5.8 million, documented or reported more than 785 vulnerabilities, client bugs, and proof-of-concept exploits, handled more than 36 incident responses, and produced more than seven open-source tools, frameworks, or implementations.
It also said the work reached more than 209,000 users through threat awareness and investigative content.
Some of the detail came from direct incident work. The report said Nick Bax supported more than 36 SEAL 911 tickets, including help on the Loopscale exploit response that led to the return of $5.8 million.
It also said he disclosed a homoglyph attack used by the “ELUSIVE COMET” group to bypass Zoom’s suspicious name detection, which was later patched.
In the foundation’s wording, the program showed that “securing a decentralized network requires a decentralized defense.”
Education and tooling remained part of the program
The report also showed that ETH Rangers was not only about threat hunting. It said DeFiHackLabs built an incident explorer covering more than 620 proof-of-concept exploits and ran a summer contest for new submissions.
Moreover, the group also worked with the wider community on training sessions, talks, and a Web3 security challenge linked to HITCON CTF, which involved 717 teams. The foundation said that work turned one stipend into education that reached hundreds of researchers.
Other recipients focused on training and technical tools. Guild Audits ran bootcamps across Africa, Asia, Europe, and the Americas, and the report said students later reported more than 110 vulnerabilities across major audit contest platforms.
The report also said Guild Audits hosted Africa’s first Web3 Security Summit in November 2025. In another track, Runtime Verification’s Palina Tolmach improved the Kontrol formal verification tool, while a separate research team tested all five major Ethereum execution clients and found 14 bugs tied to message-flooding denial-of-service attacks.
Related Ethereum Foundation moves
The ETH Rangers report lands during a busy stretch for the Ethereum Foundation. On April 14, the foundation launched a $1 million audit subsidy initiative for Ethereum builders. The program, run with Areta and supported by more than 20 audit firms, can cover part of audit costs for selected projects.
The foundation has also made other changes in 2026. In February, it said it had begun staking about 70,000 ETH from its treasury, with rewards going back to the treasury.
On April 9, it also said it would convert 5,000 ETH into stablecoins through CoW Swap’s TWAP feature to fund research and development, grants, and donations.
At the organizational level, the foundation said in February that Tomasz Stańczak would step down as co-executive director and that Bastian Aue would take the interim role alongside Hsiao-Wei Wang.
On April 16, Josh Stark also said he would leave the foundation at the end of April after five years, writing that he had decided in early March to “pass the torch.”