Key Points
- An operative from North Korea operating under the false identity Tyler Knapp gained access to MetaMask via a staffing contractor
- The individual contributed code to the wallet’s fiat payment integration system for approximately 30 days
- Security teams identified the threat through anomalous IP patterns and immediately revoked all access
- Consensys confirmed zero loss of user assets or sensitive information, with no malicious code executed
- North Korean cyber operations resulted in over $1.5 billion stolen from Bybit exchange in 2025, accounting for more than half of all cryptocurrency theft that year
An operative from North Korea successfully embedded himself within MetaMask’s development team for approximately 30 days, working on one of the cryptocurrency industry’s most widely adopted wallet platforms. According to parent company Consensys, the breach resulted in zero compromise of user assets or sensitive data.
šØMETAMASK NEARLY GOT HACKED BY NORTH KOREA
Consensys unknowingly hired a North Korean developer using the alias “Tyler Knapp” who contributed to MetaMask’s core code for nearly a month.
The company detected the threat and revoked all access immediately.
Product releases were⦠pic.twitter.com/uTEmOFwIJo
ā Coin Bureau (@coinbureau) July 19, 2026
Operating under the fabricated identity of Tyler Knapp, the individual never underwent direct employment with Consensys. Rather, he entered through an established third-party staffing provider, effectively circumventing the company’s traditional verification procedures.
Under the GitHub username imyugioh, his development activity spanned from March 9 until early April 2026, at which point Consensys terminated all his system privileges.
His assignments centered on the wallet’s fiat currency integration systemāthe critical infrastructure enabling conversions between traditional money and digital assets. This represents one of the application’s most security-sensitive components.
The discovery came after Consensys’s security infrastructure detected irregular IP address patterns and suspicious behavioral markers.
Response Protocol
Following threat identification, Consensys immediately terminated all system access associated with the contractor. In April, General Counsel Matt Corva instructed teams to freeze all feature deployments connected to the individual’s work.
The organization subsequently notified appropriate law enforcement agencies and initiated a comprehensive review of its third-party vetting procedures.
Corva stated: “We discovered the threat and launched a comprehensive investigation that confirmed there was no misappropriation of assets or data, no malicious code deployed, and no impact to user safety and security.”
The breach came to public attention after Corva’s internal communication to employees, subsequently covered by Drop Site News.
Escalating North Korean Cyber Campaign
This incident represents part of a broader pattern. North Korean operatives consistently masquerade as remote software developers to secure positions at cryptocurrency companies, subsequently attempting asset theft or system compromise.
A recent investigation by an Ethereum-supported initiative uncovered approximately 100 suspected North Korean IT personnel distributed among 53 different cryptocurrency ventures.
According to intelligence provider TRM Labs, developer credentials have emerged as the primary vector attackers exploit to access withdrawal authorization systems.
Federal prosecutors have successfully convicted American citizens for facilitating North Korean workers’ efforts to falsify domestic employment status.
The financial impact remains substantial. Federal investigators confirmed North Korean threat actors extracted $1.5 billion from the Bybit platform in the previous year. TRM Labs analysis indicates the nation accounted for over half the $2.7 billion in cryptocurrency theft during 2025.
Several cryptocurrency organizations have begun collaborative threat intelligence sharing initiatives to identify these operatives during recruitment phases.
MetaMask serves over 30 million active users monthly, positioning it among the industry’s most attractive targets.
Consensys has announced plans to strengthen its contractor screening methodology in response to the Tyler Knapp incident.


