CYNTRI AIAutonomous DeFi
🔍SEARCH
THE BODY COUNT
HACK DATABASE·🔓

A North Korean Operative Wrote Code Inside MetaMask for a Month Before Anyone Noticed

He called himself Tyler Knapp. He came recommended through a trusted contractor. For about a month he wrote core code for MetaMask - the wallet 30 million people use - including the features that move money between crypto and cash. Then Consensys realized who he actually worked for: North Korea.

S
SYNTH·Hack Database
A North Korean Operative Wrote Code Inside MetaMask for a Month Before Anyone Noticed - CMZ investigation
Consensys hired a North Korea-linked developer who wrote MetaMask code for a month before capture.

The scariest crypto attack of the season did not involve a smart contract, a phishing link, or a stolen key. It involved a resume. A developer named Tyler Knapp got hired, badged in, and spent about a month writing code for one of the most widely used crypto wallets on Earth. He did his job. He committed code. And the whole time, according to the company that hired him, he was working for North Korea.

The company is Consensys, the firm behind MetaMask - the browser and mobile wallet that tens of millions of people use as their front door to Ethereum and DeFi. On July 17, 2026, the investigative outlet Drop Site News reported, based on internal Slack communications and public GitHub records, that Consensys had inadvertently hired a software developer linked to the DPRK. The developer used the alias "Tyler Knapp" and the GitHub handle "imyugioh." He was brought in not off the street but through an existing relationship with a third-party service provider Consensys already trusted, and he worked as a consultant rather than a full employee.

None of which changed what he could touch.

CyntriAI
PREDICTIVE DEFI
Stop chasing yields across five chains.
Cyntri AI agents predict, execute, and rebalance your DeFi positions using advanced predictive models.
ETHSOLARBBASEOP
Read the Whitepaper
cyntriai.org
A Cyntri AI Project

According to the internal messages, Knapp began contributing code on March 9, 2026, and worked inside the development environment for roughly one month before his access was cut in April. In that window he did not get handed busywork on the margins. He worked on MetaMask's core platform code, and specifically on the parts that connect crypto users with third-party fiat payment providers - the on-ramp and off-ramp features that convert between cryptocurrency and actual cash. His public GitHub profile also shows contributions to MetaMask's mobile wallet. For a state whose hacking apparatus exists to move stolen crypto into usable money, a seat at the crypto-to-fiat plumbing of a 30-million-user wallet is not a random assignment. It is the exact room you would want to be in.

Consensys's account is that the system worked. General Counsel Matt Corva said Knapp was introduced through a reputable provider, that the company discovered the threat "very quickly," followed its security protocols, immediately terminated all access, and launched a comprehensive investigation. That investigation, Corva says, confirmed there was no misappropriation of assets or data, no malicious code deployed, and no impact to user safety. Consensys notified law enforcement and handed over everything it had. When the threat was found, Corva instructed staff to suspend product releases and to avoid contact with the consultant while the review ran.

Take the company at its word that nothing was stolen. The story is still alarming, and here is why. "Very quickly" was a month. For roughly thirty days, a DPRK-linked operative had commit access to the core of a wallet that guards billions in user funds, and the discovery came after the fact, not before the hire. Corva pointedly did not explain how Consensys determined the consultant was tied to North Korea, or what tipped them off. The defense is real - no proven damage - but it describes catching the intruder inside the house, not stopping him at the door.

And this is the part that makes it bigger than one company's bad month. Consensys is not a careless startup. It is a top-tier crypto firm that has hired investment banks for a planned IPO, with real security teams and real protocols. If a North Korean operative can get through its contractor pipeline and into core wallet code, the pipeline is the vulnerability, and every serious crypto company shares it. This is not a story about one guy named Knapp. It is a story about a hiring supply chain that treats a referral from a trusted vendor as a safe input, when that is exactly the channel a state actor learns to game.

The context around it is not subtle. North Korea has made crypto theft a national industry. In 2026 alone, DPRK-linked hackers accounted for an estimated $577 million in stolen crypto - roughly 76% of everything stolen from the ecosystem in the first half of the year, largely through two attacks. And the fake-IT-worker playbook, in which North Korean nationals pose as remote engineers to get inside Western software companies, has become one of Pyongyang's favored methods precisely because it does not require breaking anything. It requires being hired. US agencies have warned about it repeatedly. Consensys just became the highest-profile crypto name to confirm it happened to them.

MetaMask's users were not harmed, as far as anyone can show. That is the good news, and it is genuine. But the mechanism is the warning. The wallet was not hacked from outside. Its maker opened the door, checked the reference, and let the threat sit at the keyboard for a month. The next company it happens to may not catch it in thirty days, and may not be able to say afterward that nothing was taken.

The Aftermath

Consensys said its investigation found no theft of assets or data, no malicious code, and no impact to MetaMask users, and that it had notified law enforcement and reviewed how it hires engineers through outside providers. The company did not disclose how it identified the developer's North Korea link. The incident became the highest-profile confirmed case of the DPRK 'fake IT worker' playbook reaching the core of a major crypto product, reinforcing warnings from US agencies that North Korean operatives routinely pose as remote engineers to infiltrate Western software firms. It landed amid a year in which DPRK-linked hackers accounted for an estimated $577 million - about 76% - of crypto stolen in the first half of 2026, and intensified scrutiny of contractor and referral pipelines as a security blind spot across the industry.

LESSONS LEARNED

!The most dangerous access is the kind you grant on purpose. MetaMask was not breached from outside - its maker hired the threat, checked the reference, and gave it commit access to core code. A trusted-vendor referral is exactly the channel a state actor learns to exploit.
!'We caught it quickly' can still mean a month inside core systems. Detection after the hire is not prevention at the door. For thirty days a DPRK-linked developer touched the crypto-to-fiat plumbing of a 30-million-user wallet before anyone flagged it.
!The fake-IT-worker playbook scales because it breaks nothing. North Korea does not need a zero-day when it can get hired. Every serious crypto company shares the same contractor-pipeline vulnerability, and Consensys getting caught out proves reputation and resources are not immunity.

COMMENTS

CMZ
END OF FILE
Filed under Hack Database