MetaMask Code Reached by DPRK-Linked Consultant Before Consensys Cut Access
A North Korea-linked consultant accessed core MetaMask infrastructure for up to six weeks before Consensys terminated access and launched a full security review.
Consensys halted product releases after discovering that a software consultant it had onboarded through a third-party provider was linked to North Korea – a breach of perimeter that lasted roughly one month and reached code central to the MetaMask platform before the company terminated access and launched a full internal investigation.
One Month of Access to Core MetaMask Infrastructure
According to investigative reporting by Drop Site News, the consultant operated under the alias “Tyler Knapp” and used the GitHub handle “imyugioh.” Public GitHub records reviewed by Drop Site show he began contributing code on March 9 before his access was terminated in April – a window of approximately four to six weeks.

The work was not peripheral. Internal messages obtained by Drop Site confirmed that Knapp contributed to core MetaMask platform code, including sections that connect users with third-party fiat payment providers – infrastructure that sits at the intersection of user wallets and real-money flows.
Consensys general counsel Matt Corva told Drop Site that an established third-party service provider introduced Knapp to the company, and that Consensys treated him as a consultant rather than a direct employee.
Corva stated in a formal response: “Very quickly after being introduced, we discovered the threat, followed our security protocols, immediately terminated any access and launched a comprehensive investigation that confirmed there was no misappropriation of assets or data, no malicious code deployed, and no impact to user safety and security.”
The company suspended product releases during the investigation and instructed staff to avoid contact with the consultant, per the Drop Site report. Consensys also notified law enforcement and provided information about the incident, according to internal communications reviewed by Drop Site.
No Losses Confirmed, but the Attack Surface Was Real
The investigation found no evidence of stolen assets, exposed user data, malicious code insertion, or user harm. That outcome matters, but it does not eliminate the structural concern. TRM Labs has documented that developer environments are among the fastest paths to systems holding private keys or controlling crypto withdrawal approvals – access that, in the wrong hands, can translate directly into protocol-level theft.
Consensys did not publicly explain how it established the consultant’s ties to the Democratic People’s Republic of Korea, a gap the primary reporting acknowledges. Even so, the company confirmed it is now reassessing how it outsources engineering and development work – a signal that it regards the screening failure as systemic rather than incidental.
The incident adds pressure to an Ethereum ecosystem already navigating structural trust questions. The Ethereum Foundation’s recent restructuring has itself drawn scrutiny over governance and personnel decisions, and incidents like this one compound the challenge of maintaining confidence in core infrastructure providers across the ecosystem.

Broader DPRK Infiltration Extends Well Beyond Consensys
The Consensys incident is not isolated. A six-month investigation supported by the Ethereum Foundation’s ETH Rangers Program shows that hiring fraud linked to North Korea has extended across crypto and Web3 projects, according to an ETH Rangers recap published in April.
That ETH Rangers recap reports that investigators traced suspected activity across multiple code repositories, including instances where projects had merged pull requests before the activity was detected. The recap also says some applicants used generated profile pictures, forged identity documents and false Japanese identities to pass screening checks.
At Devconnect Buenos Aires in November, Pablo Sabbatella, founder of Opsek and a Security Alliance member, warned that North Korean workers could be embedded in as many as one in five crypto companies. Sabbatella also estimated that North Korean applicants account for roughly 30% to 40% of job applications received by crypto firms.
The financial stakes are commensurate. TRM Labs estimated that North Korea was responsible for 64% of the total value stolen in crypto hacks during 2025, with total losses exceeding $2.7 billion. The single largest event was the February 2025 theft of approximately $1.5 billion from Bybit, attributed by the FBI to North Korea’s TraderTraitor group, which dispersed the stolen assets across thousands of blockchain addresses to obstruct tracing.
Regulatory and Compliance Exposure Remains Open
Even where no user funds were lost, granting system access to a DPRK-linked individual carries potential sanctions exposure under U.S. law – a dimension the primary reporting does not fully resolve. Consensys confirmed it notified law enforcement, which suggests the company is not treating the incident as purely an internal matter, though no enforcement action has been publicly indicated.
The broader pattern – of North Korean operatives using forged credentials to gain salaried access to crypto infrastructure – sits at the intersection of hiring fraud, sanctions compliance, and supply-chain security. For firms operating under U.S. jurisdiction, vendor due diligence for remote engineering contractors is no longer a box-checking exercise. Operational failures in this space, as other firms have discovered, can trigger regulatory scrutiny independent of whether any assets were actually stolen, a dynamic also visible in the compliance failures that have driven exchange shutdowns and frozen withdrawals across the industry.
More than 30 exchanges and decentralized finance protocols now participate in TRM Labs’ Beacon Network, which shares rapid alerts when North Korea-linked funds reach member platforms. Threat-intel sharing of this kind addresses the laundering side of the problem; the hiring-fraud vector requires a parallel investment in pre-access verification that the industry has been slower to standardize.
What Consensys Does Next Will Set a Reference Point
Consensys has committed to reviewing its contractor screening process and its broader approach to outsourcing engineering work. The specifics of that review – whether it extends to video-verified KYC for external contributors, tighter permissioning on repositories accessed by contractors, or mandatory reproducible builds for wallet releases – have not been publicly detailed.
Given that MetaMask is a widely used browser wallet for Ethereum users, the standard Consensys adopts for third-party contributor access will function as a de facto benchmark for the wider ecosystem. Other core infrastructure providers touching wallet code, bridge contracts, or key-management systems face the same exposure profile, and the Ketman Project’s findings suggest many have already been penetrated without detection. Governance and security challenges of this scale require coordination at the ecosystem level, as the ongoing debates over Ethereum validator reward structures also illustrate – individual firm-level responses are necessary but not sufficient.

The market will eventually be forced to price the systemic risk embedded in crypto’s reliance on globally distributed, pseudonymous contractor networks – and the Consensys incident has moved that reckoning meaningfully closer.
Follow CoinNews on X and Telegram for ongoing coverage of crypto security, regulatory developments, and Ethereum ecosystem updates.