North Korean Developer Worked On MetaMask Code For 1 Month Undetected

North Korean Developer Worked On MetaMask Code For 1 Month Undetected

A North Korean-linked developer worked on MetaMask code for about a month before Consensys identified the contractor, revoked access and reported no loss of assets or data.

Key Points:

  • The developer used a false identity and entered Consensys through a third-party provider.
  • His work included core wallet code and features connecting crypto with fiat payment services.
  • Consensys halted releases, contacted law enforcement and began reviewing contractor controls.

MetaMask Infiltration

The consultant used the name Tyler Knapp and the GitHub handle “imyugioh” after arriving through a contractor already used by Consensys. His public contributions ran from Mar. 9 until April, giving him about one month inside the wallet’s development environment.

Internal messages showed that Knapp worked on MetaMask’s core platform and parts of its mobile wallet, including code supporting crypto-to-fiat conversions through outside payment providers. When the company detected the threat, general counsel Matt Corva instructed staff to suspend product releases and avoid contact with the consultant. Consensys then terminated his access.

“We discovered the threat … and launched a comprehensive investigation that confirmed there was no misappropriation of assets or data, no malicious code deployed, and no impact to user safety and security,” Corva said. The company notified law enforcement and reviewed its vetting of outsourced engineers.

Also Read: Executives Warn Six Agencies Missed The GENIUS Act's Rule Deadline

Crypto Hiring Risks

The case highlights how developer accounts can expose source code and transaction-signing systems without requiring attackers to breach a company from outside.

TRM Labs has warned that compromised development environments can offer a direct route toward infrastructure used to authorize transfers.

The incident follows a broader campaign in which North Korean workers have used false identities to secure remote technology jobs. An Ethereum (ETH)-funded program said it identified about 100 suspected operatives across 53 crypto projects in six months. U.S. courts have also sentenced Americans who helped such workers appear to be based locally.

The financial risk remains substantial. The FBI attributed the 2025 theft of about $1.5 billion from Bybit to North Korean hackers, while industry estimates linked the country to more than half of global crypto theft losses that year.

North Korean operations have increasingly combined fake recruitment, remote employment and conventional hacking rather than relying on a single entry method. Consensys stopped this contractor before finding damage, but the episode extends a pattern that has pushed crypto firms to tighten identity checks and share threat intelligence.

Read Next: Trezor Rebuts ZachXBT's Claim That Wallets Are Complete Garbage

Disclaimer and Risk Warning: The information provided in this article is for educational and informational purposes only and is based on the author's opinion. It does not constitute financial, investment, legal, or tax advice. Cryptocurrency assets are highly volatile and subject to high risk, including the risk of losing all or a substantial amount of your investment. Trading or holding crypto assets may not be suitable for all investors. The views expressed in this article are solely those of the author(s) and do not represent the official policy or position of Yellow, its founders, or its executives. Always conduct your own thorough research (D.Y.O.R.) and consult a licensed financial professional before making any investment decision.
Latest News
Show All News
North Korean Developer Worked On MetaMask Code For 1 Month Undetected | Yellow