Consensys halts release after North Korea-linked developer gains access

Consensys temporarily suspended product releases after a North Korean-linked consultant gained access to its systems for about a month.
Summary
- Consensys halted product releases after an expert linked to North Korea accessed its systems for one month.
- An internal investigation found no stolen property, exposed data, malicious code, or user harm.
- Consensys will review contractor inspections as North Korean operatives increasingly target crypto firms.
Drop Site News reported that the developer joined the Ethereum software company under the name “Tyler Knapp” and used the GitHub handle “imyugioh.” Public GitHub records reviewed by the outlet showed that the consultant began contributing code on March 9 before his access ended in April.
Internal messages obtained by Drop Site indicated that Knapp worked with the code of the main MetaMask platform, including sections used to connect crypto users with third-party fiat payment providers. Consensys suspended production during the investigation and instructed employees to avoid contact with the technician, according to the report.
Consensys general counsel Matt Corva told The Drop Site that an established third-party service provider introduced Knapp to the company. Corva insisted that Consensys treated him as a consultant rather than a direct employee.
“Immediately after launch, we discovered the threat, followed our security policies, immediately terminated any access and launched a thorough investigation to ensure there was no misuse of assets or data, no malicious code was installed, and no impact on user safety and security.”
Although Consensys did not disclose financial losses, Corva said in a statement that the company will also review how it outsources engineering and development work. The firm also notified law enforcement and provided details about the incident, according to internal communications reviewed by Drop Site.
Consistency did not detect the loss of the user’s property
Consensys’ investigation found no evidence that the hacker stole company data or digital assets, installed malicious code, or compromised users, according to Corva. The company has not publicly explained how it established the alleged engineering relationship with the Democratic People’s Republic of Korea.
Even without guaranteed losses, engineer access can expose critical infrastructure. According to TRM Labs, developer environments have become one of the fastest routes for attackers seeking access to systems that hold private keys or authorize crypto withdrawals.
A six-month investigation supported by the Ethereum Foundation’s ETH Rangers Program shows that the recruitment threat extends beyond Consensys. The Ketman Project identified nearly 100 suspected North Korean IT workers using fake identities across 53 crypto and Web3 projects, according to an ETH Rangers report published in April.
Ketman investigators also tracked down at least three groups of suspects across 11 codebases, where the projects included 62 pull requests before getting the job done. The project reported that some applicants used fabricated profile pictures, fake IDs and fake Japanese IDs to pass the exam.
North Korea remains a major crypto hacking threat
Groups linked to North Korea have repeatedly used fake identities and remote engineering operations to gain access to technology companies. As crypto.news reported in November, Opsek founder and Security Alliance member Pablo Sabbatella warned at Devconnect Buenos Aires that North Korean workers could be included in as many companies as a fifth of crypto.
Sabbatella also estimated that North Korean applicants account for approximately 30% to 40% of job applications received by crypto firms, suggesting that job fraud is not limited to isolated cases.
Crypto companies face additional risk because employees and contractors can access codes, wallets and transaction systems. TRM Labs estimates that North Korea was responsible for 64% of the value stolen in crypto hacks during 2025, when the total loss exceeds $2.7 billion. TRM Labs
One attack dealt a lot of damage. The FBI said that in February 2025 the theft of 1.5 billion dollars from Bybit went to the North Korean group TraderTraitor, which distributed assets to thousands of blockchain addresses. The FBI
TRM Labs reported that more than 30 exchanges and extended financial agreements now share instant alerts through its Beacon Network when currencies linked to North Korea reach participating platforms. For Consensys, the removal of the consultant prevented any known user losses, but the incident prompted a review of the third-party’s hiring controls.



