Consensys halts releases after North Korea-linked developer gains access
Consensys has temporarily halted product releases after a North Korea-linked consultant gained access to its systems for about one month.
- Consensys halted product releases after a North Korea-linked consultant accessed its systems for one month.
- An internal investigation found no stolen assets, exposed data, malicious code, or user harm.
- Consensys will review contractor screening as North Korean operatives increasingly target crypto firms.
Drop Site News reported that the developer joined the Ethereum software company under the alias “Tyler Knapp” and used the GitHub handle “imyugioh.” Public GitHub records reviewed by the outlet showed that the consultant began contributing code on March 9 before his access ended in April.
Internal messages obtained by Drop Site showed that Knapp worked on core MetaMask platform code, including sections used to connect crypto users with third-party fiat payment providers. Consensys suspended product releases during its investigation and instructed staff to avoid contact with the consultant, according to the report.
Consensys general counsel Matt Corva told Drop Site that an established third-party service provider introduced Knapp to the company. Corva stressed that Consensys treated him as a consultant rather than a direct employee.
“Very quickly after being introduced, we discovered the threat, followed our security protocols, immediately terminated any access and launched a comprehensive investigation that confirmed there was no misappropriation of assets or data, no malicious code deployed, and no impact to user safety and security.”
Although Consensys disclosed no financial losses, Corva said in a statement that the company would reassess how it outsources engineering and development work. The firm also notified law enforcement and provided information about the incident, according to internal communications reviewed by Drop Site.
Consensys found no loss of user assets
Consensys’ investigation found no evidence that the consultant stole company data or digital assets, inserted harmful code, or compromised users, according to Corva. The company did not publicly explain how it established the developer’s alleged ties to the Democratic People’s Republic of Korea.
Even without a confirmed loss, developer access can expose sensitive infrastructure. According to TRM Labs, developer environments have become one of the quickest paths for attackers seeking access to systems that hold private keys or approve crypto withdrawals.
A six-month investigation supported by the Ethereum Foundation’s ETH Rangers Program shows that the hiring threat extends beyond Consensys. The Ketman Project identified about 100 suspected North Korean IT workers using false identities across 53 crypto and Web3 projects, according to an ETH Rangers recap published in April.
Ketman investigators also traced at least three suspected groups across 11 code repositories, where projects had merged 62 pull requests before detecting the activity. The project reported that some applicants used generated profile pictures, forged identity documents and false Japanese identities to pass screening checks.
North Korea remains crypto’s largest hacking threat
North Korea-linked groups have repeatedly used fake identities and remote engineering jobs to gain entry to technology companies. As crypto.news reported in November, Opsek founder and Security Alliance member Pablo Sabbatella warned at Devconnect Buenos Aires that North Korean workers could be embedded in as many as one-fifth of crypto companies.
Sabbatella also estimated that North Korean applicants account for roughly 30% to 40% of job applications received by crypto firms, suggesting that employment fraud is not limited to isolated cases.
Crypto companies face added risk because employees and contractors can receive access to code, wallets and transaction systems. TRM Labs estimated that North Korea was responsible for 64% of the value stolen in crypto hacks during 2025, when total losses exceeded $2.7 billion. TRM Labs
One attack accounted for much of the damage. The FBI attributed the February 2025 theft of about $1.5 billion from Bybit to North Korea’s TraderTraitor group, which dispersed the assets across thousands of blockchain addresses. FBI
TRM Labs reported that more than 30 exchanges and decentralized finance protocols now share rapid alerts through its Beacon Network when North Korea-linked funds reach participating platforms. For Consensys, the consultant’s removal prevented any known user loss, but the incident has prompted a review of the company’s third-party hiring controls.