Consensys recently found that a software developer they hired under a false identity was linked to North Korea and had access to the core code of MetaMask, a popular crypto wallet. The developer, operating under the name "Tyler Knapp" and GitHub handle "imyugioh," contributed to key features connecting MetaMask users to third-party fiat payment systems.

The individual started working with Consensys on March 9 and remained inside the company's systems for about a month. Contributions ceased in April after Consensys revoked the consultant's access.

Swift Response and Investigation

Matt Corva, Consensys General Counsel, explained that the developer was introduced through a trusted third-party provider. Once the company identified the threat, they immediately cut off access, launched an internal probe, and paused all product releases until the investigation was complete. Staff were instructed not to communicate with the consultant and to keep the matter confidential.

Despite the breach, Consensys confirmed no user data was compromised, no malicious code was introduced, and user security remained intact. They also informed law enforcement and shared relevant information about the incident.

The company has since tightened hiring practices for engineers brought in via third-party services, applying the same standards used for direct hires. This incident highlights the challenge of detecting sophisticated nation-state threats before any harm reaches users.

North Korean nationals have a history of using fake identities to land remote software jobs at U.S. companies. These efforts help fund their government and give access to sensitive corporate data and systems. According to TRM Labs, groups linked to North Korea were behind approximately 66% of cryptocurrency thefts in the first half of 2026, stealing around $643 million.