Key Points
- An operative from North Korea operating under the alias Tyler Knapp gained access to MetaMask’s development environment via a third-party contractor arrangement
- The individual contributed to code for MetaMask’s fiat currency conversion systems over approximately 30 days
- Security teams at Consensys identified suspicious IP patterns and immediately revoked access and halted related deployments
- The company confirmed zero loss of user funds, customer data, or deployment of harmful code
- DPRK-linked hackers compromised Bybit for $1.5 billion in 2025 and accounted for over half of all cryptocurrency theft that year
An individual working on behalf of North Korea successfully embedded themselves within the development team at MetaMask, a leading cryptocurrency wallet platform, for approximately 30 days. Parent company Consensys has confirmed that no user assets or sensitive information were compromised during this period.
🚨METAMASK NEARLY GOT HACKED BY NORTH KOREA
Consensys unknowingly hired a North Korean developer using the alias “Tyler Knapp” who contributed to MetaMask’s core code for nearly a month.
The company detected the threat and revoked all access immediately.
Product releases were… pic.twitter.com/uTEmOFwIJo
— Coin Bureau (@coinbureau) July 19, 2026
Operating under the fabricated identity of Tyler Knapp, the operative did not join Consensys through direct employment channels. Rather, the individual was onboarded via an established third-party staffing agency that provided outsourced development resources, effectively circumventing conventional identity verification protocols.
Records on GitHub show the operative used the username imyugioh. Code commits attributed to this account span from March 9 through early April 2026, at which point Consensys terminated all system privileges.
The operative’s assigned responsibilities included development work on MetaMask’s fiat currency gateway infrastructure — the critical systems enabling users to convert traditional money into digital assets and vice versa. This represents one of the wallet’s most security-sensitive components.
Detection occurred when Consensys’s security infrastructure identified anomalous network traffic patterns and suspicious activity markers associated with the contractor’s account.
Consensys Response Protocol
Following threat confirmation, Consensys immediately terminated all system credentials and access points associated with the compromised contractor account. In April, General Counsel Matt Corva instructed development teams to freeze all feature releases that involved the operative’s contributions.
The organization promptly notified relevant law enforcement agencies and initiated an internal audit of its contractor authentication procedures.
According to Corva’s statement: “We discovered the threat and launched a comprehensive investigation that confirmed there was no misappropriation of assets or data, no malicious code deployed, and no impact to user safety and security.”
Corva initially disclosed the breach internally to Consensys personnel before the information became public through Drop Site News reporting.
Broader North Korean Infiltration Campaign
This incident represents part of an established pattern rather than an isolated occurrence. North Korean operatives consistently masquerade as legitimate remote software developers to secure positions within cryptocurrency companies, subsequently attempting asset exfiltration or installing persistent access mechanisms.
A recent investigation conducted by one Ethereum-backed initiative uncovered approximately 100 individuals suspected of North Korean affiliation distributed across 53 different blockchain and cryptocurrency organizations.
Security research firm TRM Labs indicates that compromising developer credentials has become the primary attack vector for accessing withdrawal authorization systems within cryptocurrency platforms.
United States federal courts have prosecuted and imprisoned American citizens found guilty of facilitating schemes that helped North Korean technology workers falsify their geographic locations.
The financial implications are substantial. Federal investigators revealed that North Korean cyber operations extracted $1.5 billion from the Bybit platform during the previous year. According to TRM Labs analysis, North Korea-attributed attacks represented over half of the total $2.7 billion stolen through cryptocurrency exploits throughout 2025.
Several cryptocurrency organizations have begun establishing collaborative threat intelligence networks designed to identify these operatives during recruitment phases.
With over 30 million active users each month, MetaMask ranks among the cryptocurrency industry’s highest-value targets for malicious actors.
In response to the Tyler Knapp incident, Consensys has announced plans to overhaul its contractor verification and authentication procedures.





