TLDR
- A North Korean hacker using the fake name Tyler Knapp infiltrated MetaMask through a contractor hiring process
- He worked on the wallet’s fiat on- and off-ramp feature for about one month
- Consensys detected him through unusual IP activity and suspended all his product launches
- No funds or data were lost, and no malicious code was deployed
- North Korean hackers stole over $1.5 billion from Bybit in 2025 and took more than half of all crypto hacked that year
A North Korean hacker spent roughly a month working inside MetaMask, one of the world’s most used crypto wallets. The company, Consensys, says no funds or data were lost.
🚨METAMASK NEARLY GOT HACKED BY NORTH KOREA
Consensys unknowingly hired a North Korean developer using the alias “Tyler Knapp” who contributed to MetaMask’s core code for nearly a month.
The company detected the threat and revoked all access immediately.
Product releases were… pic.twitter.com/uTEmOFwIJo
— Coin Bureau (@coinbureau) July 19, 2026
The hacker used the fake name Tyler Knapp. He was not hired directly by Consensys. Instead, he came in through a long-term human resources vendor as an outsourced contractor, bypassing standard background checks.
On GitHub, he used the handle imyugioh. His code contributions ran from March 9 through April 2026, when Consensys cut off his access.
He worked on the wallet’s fiat on- and off-ramp feature — the part that moves money between crypto and regular currency. That is a sensitive part of the codebase.
Consensys detected him through unusual IP activity and behavioral signals flagged by the company’s security monitoring tools.
What Consensys Did
Once the threat was identified, Consensys revoked all access permissions linked to the worker. General counsel Matt Corva told staff in April to halt all product releases the contractor had been involved with.
The firm also alerted law enforcement and began reviewing its contractor vetting process.
Corva confirmed: “We discovered the threat and launched a comprehensive investigation that confirmed there was no misappropriation of assets or data, no malicious code deployed, and no impact to user safety and security.”
The incident was first publicly disclosed by Corva himself to staff before being reported by Drop Site News.
A Wider North Korean Pattern
This was not a one-off event. North Korean workers routinely pose as software engineers to win remote jobs at crypto firms, then attempt to steal assets or plant backdoors.
One Ethereum-funded project recently identified 100 suspected North Korean IT workers spread across 53 separate crypto projects.
Intelligence firm TRM Labs says developer access is now the fastest route attackers use to reach the systems that approve crypto withdrawals.
US courts have already jailed Americans convicted of helping North Korean workers appear to be locally based.
The financial stakes are large. The FBI said North Korean hackers stole $1.5 billion from the Bybit exchange last year. TRM Labs reported the country was responsible for more than half of the $2.7 billion lost to crypto hacks in 2025.
Some crypto firms are now sharing threat intelligence with each other to catch these workers earlier in the hiring process.
MetaMask has more than 30 million monthly active users, making it one of the most targeted wallets in the industry.
Consensys says it is reviewing how it screens contractors going forward following the Tyler Knapp incident.
Stop guessing and start investing with confidence. KnockoutStocks gives you the AI insights, market intelligence, and stock research you need to spot opportunities, cut through the noise, and make smarter investment decisions — all in one powerful platform.
Sign up today and get 50% OFF full access to our premium stock picks.
Simply use coupon code SPECIAL50 at checkout to claim your exclusive discount.






Be the first to comment