Summary

ETH Rangers is a 6-month Ethereum security program run jointly by the Ethereum Foundation (EF), Secureum, Red Guild, and SEAL (Security Alliance). Seventeen recipients were selected for the inaugural cohort. Aggregate outcomes: $5.8M in user funds recovered or frozen, 785 vulnerabilities identified, ~100 DPRK IT worker infiltrations identified, 209,000 media views, and 800+ teams engaged. The program represents the EF’s shift toward proactive security infrastructure investment rather than reactive incident response.

Program Structure

  • Duration: 6 months
  • Partners: Ethereum Foundation (funding + coordination), Secureum (audit education), Red Guild (red-team), SEAL (Security Alliance, incident response)
  • Recipients: 17 security researchers and teams
  • Scope: protocol security, DeFi security, supply chain threats, and community education

Key Projects and Outcomes

DeFiHackLabs

  • Maintained and expanded the DeFiHackLabs repository: 620+ proof-of-concept (PoC) exploits for historical DeFi hacks, each a runnable reproduction of the attack against forked chain state
  • Launched Incident Explorer: a web platform indexing all historical DeFi incidents with searchable technical breakdowns, enabling faster incident response and security research
  • Impact: security researchers can now reproduce and study any of 620+ historical attacks in a standardized environment, dramatically lowering the barrier to DeFi security research

Ketman Project (DPRK IT Worker Infiltration)

  • Identified roughly 100 DPRK (North Korean) IT workers who had infiltrated blockchain companies while posing as legitimate developers
  • Created gh-fake-analyzer: an open-source tool that analyzes GitHub profiles for indicators of DPRK IT worker activity (commit patterns, account age, language anomalies, infrastructure associations)
  • Published the DPRK IT Workers Framework: a detection and response playbook for companies to identify and remove infiltrators
  • Impact: DPRK IT workers represent a significant supply chain security threat — compromised developers with commit access can insert malicious code into protocols, wallets, and infrastructure

Nick Bax (SEAL 911 + Incident Response)

  • Led the Loopscale recovery: coordinated the on-chain negotiation after the Loopscale protocol exploit; the full $5.8M was recovered or frozen (this single case is the $5.8M in the aggregate statistics)
  • Active member of SEAL 911: the 24/7 emergency response hotline for DeFi protocols under active attack
  • Produced a high-visibility educational video on fake VC scams targeting crypto founders: 200,000+ views
  • Ongoing DPRK-specific research for SEAL: documenting North Korean state actor tactics in crypto

Guild Audits (Africa Web3 Security)

  • Conducted audits identifying 110+ vulnerabilities across multiple protocols
  • Organized the first Africa-specific Web3 Security Summit, establishing a regional security community
  • Partnership with local developer education programs to build regional security talent

Aggregate Statistics

Metric                          Value
Funds recovered / frozen        $5.8M
Vulnerabilities identified      785
DPRK IT workers identified      ~100
Media views                     209,000
Teams engaged                   800+
PoC exploits in DeFiHackLabs    620+

DPRK IT Worker Threat

The DPRK IT worker infiltration emerged as the most novel and systemic threat documented by the program:

Nature of threat: North Korean state-sponsored IT workers apply for development jobs at blockchain companies with fabricated identities. Once hired, they:

  • Insert supply chain backdoors in protocol code
  • Exfiltrate intellectual property and architectural diagrams
  • Position themselves for larger attacks (waiting for a high-value opportunity)
  • Send income back to North Korea’s weapons program

Detection tools:

  • gh-fake-analyzer: automated GitHub profile analysis that flags the indicators listed above (commit timing, account age, language anomalies, infrastructure associations)
  • DPRK IT Workers Framework: organizational playbook with interview red flags, background check procedures, and technical indicators

Scale: the ~100 identified workers are the known sample; the actual scale is likely larger. Multiple major blockchain protocols confirmed DPRK IT worker presence after the framework was published.
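The indicator classes attributed to gh-fake-analyzer (commit patterns, account age, language anomalies, infrastructure associations) are easiest to reason about as scoring rules over a profile. The following is an added example written for this page, not the Ketman project's tool: the thresholds, the claimed-timezone check, the blocklist input and both sample profiles are constructed assumptions, and the "language" rule uses boilerplate commit messages as a stand-in proxy.

```python
"""Heuristic profile scoring for the indicator classes the page attributes to
gh-fake-analyzer (commit patterns, account age, language anomalies,
infrastructure associations). Added example; not the Ketman project's tool.
Thresholds, the timezone check and the sample profiles are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2026, 4, 1, tzinfo=UTC)          # fixed "now" so results are reproducible


@dataclass
class Profile:
    login: str
    created_at: datetime                         # account creation (UTC)
    claimed_utc_offset: int                      # hours, derived from profile location (assumed input)
    commit_times: list                           # UTC datetimes of authored commits
    commit_messages: list
    commit_emails: set                           # author emails seen in commit metadata
    blocklist: set = field(default_factory=set)  # org's own known-bad emails (assumed input)


def busiest_window(times, width=8):
    """Start hour and share of commits of the densest `width`-hour UTC window."""
    hours = Counter(t.hour for t in times)
    best_start, best = 0, 0
    for start in range(24):
        n = sum(hours[(start + i) % 24] for i in range(width))
        if n > best:
            best_start, best = start, n
    return best_start, (best / len(times) if times else 0.0)


def score(p, now=NOW):
    """Return a list of (indicator, detail) findings; an empty list is a clean profile."""
    findings = []
    age_days = (now - p.created_at).days
    # Account age: young account with heavy activity (fresh identity, bulk-seeded history)
    if age_days < 90 and len(p.commit_times) > 200:
        findings.append(("account_age", f"{age_days} days old, {len(p.commit_times)} commits"))
    # Commit pattern: almost all commits inside one 8-hour UTC window
    start, share = busiest_window(p.commit_times)
    if share > 0.9:
        findings.append(("commit_pattern", f"{share:.0%} of commits in UTC {start:02d}:00-{(start + 8) % 24:02d}:00"))
    # Timezone consistency: the busy window, shifted to the claimed location's clock,
    # should start in the morning; a night-shift pattern contradicts the claimed location
    local_start = (start + p.claimed_utc_offset) % 24
    if p.commit_times and not 6 <= local_start <= 12:
        findings.append(("timezone", f"busy window starts {local_start:02d}:00 local for claimed UTC{p.claimed_utc_offset:+d}"))
    # Language anomaly (proxy): commit messages dominated by one boilerplate string
    if p.commit_messages:
        top, n = Counter(m.strip().lower() for m in p.commit_messages).most_common(1)[0]
        if n / len(p.commit_messages) > 0.5:
            findings.append(("language", f"{n}/{len(p.commit_messages)} messages are '{top}'"))
    # Identity churn: many author emails on one account
    if len(p.commit_emails) > 3:
        findings.append(("identity_churn", f"{len(p.commit_emails)} distinct author emails"))
    # Infrastructure association: overlap with a blocklist of known-bad emails
    overlap = sorted(p.commit_emails & p.blocklist)
    if overlap:
        findings.append(("infrastructure", f"email overlap with blocklist: {overlap}"))
    return findings


def sample_profiles(now=NOW):
    """Constructed profiles (not real accounts): one suspicious, one ordinary."""
    base = datetime(2026, 2, 1, tzinfo=UTC)
    suspicious = Profile(
        login="dev-alpha-2026",
        created_at=now - timedelta(days=60),
        claimed_utc_offset=-5,                      # profile claims US East Coast
        commit_times=[base + timedelta(days=i % 50, hours=i % 8) for i in range(300)],  # UTC 00-07 only
        commit_messages=["update"] * 200 + ["fix"] * 100,
        commit_emails={"a@one.test", "b@two.test", "c@three.test", "d@four.test"},
        blocklist={"c@three.test"},
    )
    ordinary = Profile(
        login="long-time-contributor",
        created_at=now - timedelta(days=5 * 365),
        claimed_utc_offset=-5,
        commit_times=[base + timedelta(days=i, hours=12 + i % 10) for i in range(50)],  # UTC 12-21
        commit_messages=[f"fix issue #{i}" for i in range(50)],
        commit_emails={"alice@example.test"},
    )
    return suspicious, ordinary


if __name__ == "__main__":
    for profile in sample_profiles():
        print(profile.login, score(profile) or "no findings")
```

Each rule on its own is weak (a genuine night-owl contributor trips the timezone check), which is why the output is a list of findings for a human reviewer rather than a verdict; the playbook's interview and background-check steps are what turn several correlated signals into a decision.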

Relationship to MEV and Protocol Security

The ETH Rangers program is primarily a DeFi security initiative, but intersects with the MEV ecosystem:

  • Builder/relay security: builders and relays are high-value targets for supply chain attacks. A compromised builder codebase could extract user funds rather than MEV, or selectively censor transactions
  • Encrypted mempool security: the threshold keyper committee in LUCID is a high-value target; compromised keyholders could decrypt transactions early and front-run
  • Bridge security: bridges are historically the highest-value DeFi hack targets (>$2B lost to bridge hacks 2021-2024); the PoC repository accelerates security research here

Open Questions

❓ Will the ETH Rangers program run a second cohort? (No announcement as of April 2026)

❓ How many of the 785 vulnerabilities were disclosed and patched vs. still unpatched?

❓ What percentage of blockchain companies unknowingly employ DPRK IT workers?

Clear Signing Initiative (1TS, May 2026)

The EF Trillion Dollar Security (1TS) Initiative launched the Clear Signing open standard on 2026-05-12, with a working group spanning wallet vendors, security firms, and the EF. Goal: end “blind signing” — the structural flaw where users approve transactions whose contents they cannot meaningfully read. Cited as the final step in many major exploits (Bybit hack mentioned explicitly), where the bug isn’t in code but in user approval.

Stack

  • ERC-7730 — open format for human-readable, structured transaction descriptors. Originated by Ledger, now multi-party.
  • Registry — descriptors are stored and distributed off-chain, alongside transactions (not embedded), so that existing apps can be retrofitted without contract changes. Independent reviews + attestations verify accuracy; wallets choose which sources to trust.
  • Tooling — Rust + TypeScript libraries funded through 1TS; landing page clearsigning.org.
  • 1TS as credibly neutral steward of the registry infrastructure.
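What a descriptor buys the user is concrete: the wallet decodes the calldata through the ABI the descriptor carries, labels each field, and only falls back to showing raw bytes (blind signing) when no descriptor covers the contract and selector. The following is an added example, not registry code or a real ERC-7730 entry: the descriptor's shape follows the standard's context / metadata / display split, but its field names are an approximation, the addresses and token are constructed, and the address-name lookup stands in for whatever attested source a wallet chooses to trust.

```python
"""Clear signing walk-through: decode ERC-20 calldata through a descriptor whose
shape follows ERC-7730's context / metadata / display split, render the lines a
wallet would show, and fall back to raw calldata ("blind signing") whenever the
descriptor does not cover the call. Added example; descriptor, addresses and
field names are constructed approximations, not a registry entry."""

# keccak256(signature)[:4]; hard-coded because the stdlib has no keccak.
# Both are the well-known ERC-20 selectors.
SELECTORS = {"095ea7b3": "approve(address,uint256)", "a9059cbb": "transfer(address,uint256)"}
UINT256_MAX = 2**256 - 1

TOKEN = "0x" + "aa" * 20      # constructed token contract address
ROUTER = "0x" + "bb" * 20     # constructed spender with a known name
UNKNOWN = "0x" + "cc" * 20    # constructed spender with no known name
NAMES = {ROUTER: "Example DEX Router"}  # assumed address-name source the wallet trusts

DESCRIPTOR = {
    "context": {"contract": {
        "abi": [{"name": "approve", "inputs": [{"name": "spender", "type": "address"},
                                                {"name": "value", "type": "uint256"}]}],
        "deployments": [{"chainId": 1, "address": TOKEN}],
    }},
    "metadata": {"owner": "Example Token", "token": {"symbol": "EXT", "decimals": 18}},
    "display": {"formats": {
        "approve(address,uint256)": {
            "intent": "Approve spending of EXT",
            "fields": [{"path": "spender", "label": "Spender", "format": "addressName"},
                       {"path": "value", "label": "Amount", "format": "tokenAmount"}],
        }
    }},
}


def encode_call(selector_hex, address, value):
    """Build calldata for f(address,uint256): selector + two 32-byte ABI words."""
    addr = bytes.fromhex(address[2:]).rjust(32, b"\x00")
    return "0x" + selector_hex + addr.hex() + value.to_bytes(32, "big").hex()


def decode_args(abi_inputs, data):
    """Static ABI decoding for address/uint256 params; returns {name: value}."""
    if len(data) != 32 * len(abi_inputs):
        raise ValueError("argument length does not match ABI")
    out = {}
    for i, inp in enumerate(abi_inputs):
        word = data[32 * i: 32 * (i + 1)]
        if inp["type"] == "address":
            if any(word[:12]):            # high 12 bytes must be zero for a canonical address
                raise ValueError("non-canonical address word")
            out[inp["name"]] = "0x" + word[12:].hex()
        elif inp["type"] == "uint256":
            out[inp["name"]] = int.from_bytes(word, "big")
        else:
            raise ValueError(f"unsupported type {inp['type']}")
    return out


def fmt_token_amount(value, token):
    """Human-readable amount; the unlimited sentinel is called out instead of printed as digits."""
    if value == UINT256_MAX:
        return f"UNLIMITED {token['symbol']} (allowance never runs out)"
    d = token["decimals"]
    whole, frac = divmod(value, 10 ** d)
    text = f"{whole}.{frac:0{d}d}".rstrip("0").rstrip(".")
    return f"{text} {token['symbol']}"


def render(descriptor, chain_id, to, calldata_hex):
    """Return (mode, lines): 'clear' with labelled fields, or 'blind' with the raw calldata."""
    raw = [f"raw calldata: {calldata_hex}"]
    contract = descriptor["context"]["contract"]
    if not any(d["chainId"] == chain_id and d["address"].lower() == to.lower() for d in contract["deployments"]):
        return "blind", [f"no descriptor for {to} on chain {chain_id}"] + raw
    data = bytes.fromhex(calldata_hex[2:])
    sig = SELECTORS.get(data[:4].hex())
    fmt = descriptor["display"]["formats"].get(sig)
    abi = next((f for f in contract["abi"] if sig and f["name"] == sig.split("(")[0]), None)
    if fmt is None or abi is None:
        return "blind", [f"selector 0x{data[:4].hex()} not covered by descriptor"] + raw
    try:
        args = decode_args(abi["inputs"], data[4:])
    except ValueError as e:
        return "blind", [f"malformed arguments: {e}"] + raw
    lines = [fmt["intent"]]
    for f in fmt["fields"]:
        v = args[f["path"]]
        if f["format"] == "addressName":
            shown = NAMES.get(v.lower(), f"{v} (unverified address)")
        elif f["format"] == "tokenAmount":
            shown = fmt_token_amount(v, descriptor["metadata"]["token"])
        else:
            shown = str(v)
        lines.append(f"{f['label']}: {shown}")
    return "clear", lines


if __name__ == "__main__":
    cases = [
        ("unlimited approval", 1, TOKEN, encode_call("095ea7b3", ROUTER, UINT256_MAX)),
        ("bounded approval, unnamed spender", 1, TOKEN, encode_call("095ea7b3", UNKNOWN, 15 * 10**17)),
        ("transfer has no display format", 1, TOKEN, encode_call("a9059cbb", ROUTER, 10**18)),
        ("same calldata, wrong chain", 10, TOKEN, encode_call("095ea7b3", ROUTER, UINT256_MAX)),
    ]
    for name, chain, to, cd in cases:
        mode, lines = render(DESCRIPTOR, chain, to, cd)
        print(f"[{mode}] {name}")
        for line in lines:
            print("   ", line)
```

The two fall-through paths are the ones that matter for phishing: an approval whose spender has no attested name is still rendered clearly but marked unverified, and a call the descriptor does not cover degrades to blind signing rather than to a guessed label. The deployments check also keeps a descriptor reviewed for one chain from being replayed against a look-alike contract on another.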

Coalition (May 2026 launch)

EF (1TS), Ledger (originator), ZKnox, Sourcify, Cyfrin, Zama, WalletConnect, Fireblocks, Trezor, Keycard, MetaMask, Argot, plus independent contributors.

Why this matters for MEV

  • Wallet-level mitigation of approval-phishing: complements LUCID/encrypted-mempool (which prevents content-based MEV) by attacking the user-side attack surface — drainer scams, malicious approvals, fake-VC phishing (cf. DeFiHackLabs / Bax findings above).
  • Aligns with the same “default-fee” critique driving the wallet priority-fee work: defaults are pricing decisions, and approval UIs are security decisions.

Timeline

  • 2025 — ETH Rangers program begins (6-month cohort)
  • 2026-04-16 — Program recap published by Ethereum Foundation
  • 2026-05-12 — Clear Signing standard (ERC-7730 + registry) launched by EF 1TS

See Also