North Korean Developer Worked on MetaMask Code for a Month
Consensys said no assets or data were misused, but the incident highlights how exposed contractor workflows and code access can be at wallets like MetaMask. The FBI and TRM Labs have also warned about North Korean social engineering.

Key Takeaways
- Consensys removed a North Korean developer from the MetaMask team after he had access to the code for about a month.
- He worked through a contractor setup under a fake name, and no misuse of assets or data was found.
- The case shows how sensitive development environments and contractor screening are in the crypto sector.
Consensys said it removed a North Korean developer from the MetaMask team after he had access to the code for roughly a month at the popular crypto wallet. The company said he was working under a fake name, and while it found no evidence that assets or data were misused, the episode underscores how exposed crypto development environments can be.
Access Through a Contractor
The developer was brought in through a contractor arrangement rather than as a full-time employee. On GitHub, he used the name imyugioh, while internally he was known as Tyler Knapp. From March 9 through April, he contributed code for parts of the wallet, including code tied to moving funds between crypto and cash.
After Consensys realized what had happened, it immediately cut off his access. General counsel Matt Corva also told employees in April that all product releases needed to be paused and that they should not have any contact with the man. The company reported the matter to authorities and is now reviewing how it screens contractors.
A Bigger Pattern From North Korea
The incident fits a wider pattern of North Korean groups posing as remote developers to gain access to crypto companies. Cybersecurity firms are seeing this kind of social engineering more often, sometimes with AI-assisted tactics such as fake job applications or manipulated coding tasks. The FBI has also warned about fake IT workers who used American companies to steal crypto.
For the crypto industry, the main takeaway is that attacks like this are not limited to exchanges or wallets. They also target the software supply chain behind them. TRM Labs says developer environments are now one of the quickest ways into systems that approve withdrawals. That makes employee and contractor screening an increasingly important part of security at major crypto platforms.
Why This Matters for Europe
For European crypto users, the case matters because many wallets and apps rely on international development teams and outside contractors. If a company like Consensys can be compromised, even briefly, it shows that security is about more than wallets and keys. It also depends on who can access code and release processes. In a market where trust is a major part of the infrastructure, that is a warning sign European providers cannot ignore.