Consensys, the creator of MetaMask, revealed that a North Korean developer worked undetected in its team for nearly a month. The developer, using the false identity Tyler Knapp, contributed core code impacting money transfers between cryptocurrency and cash.

Developer's Entry and Activities

The individual gained access through a contractor role, hired as a consultant rather than a full employee. Operating under the GitHub handle imyugioh, his code contributions spanned from March 9 until the company revoked access in April. Consensys confirmed no assets were stolen or user security compromised following a thorough investigation.

Security Measures and Industry Concerns

Upon discovery in April, Consensys instructed staff to pause all product releases and severed ties with the developer. The firm promptly alerted law enforcement and began reassessing its contractor vetting procedures. Intelligence firm TRM Labs highlighted that infiltrations via developer accounts are now the fastest path attackers use to access crypto firms' withdrawal systems.

Broader Context of North Korean Cyber Activity

This incident reflects a recurring tactic by North Korean operatives posing as remote engineers to infiltrate crypto projects, often starting with fake job offers or false recruiters. Recently, an Ethereum-funded project identified about 100 suspected North Korean IT workers embedded across 53 crypto initiatives. The FBI reported that North Korean hackers stole $1.5 billion from Bybit exchange last year, with TRM Labs estimating the country is responsible for over half of the $2.7 billion lost to crypto hacks in 2025.

Some firms have begun collaborating to share threat intelligence in an effort to detect these actors earlier. Consensys managed to identify this developer before any malicious code was deployed or assets misappropriated. The ongoing challenge remains whether other companies can spot such threats before their code reaches users.

Market response remained muted following the announcement.