July 18, 2026 ChainGPT

Consensys Halts Releases After Alleged North Korea-Linked Contractor Accessed MetaMask

Consensys Halts Releases After Alleged North Korea-Linked Contractor Accessed MetaMask
Consensys paused product releases after a consultant with alleged North Korea ties gained access to core systems, the company confirmed following an internal probe. What happened - Drop Site News reported the contractor joined Consensys under the alias “Tyler Knapp” and used the GitHub handle “imyugioh,” contributing code beginning March 9. Access ended in April. - Internal messages reviewed by the outlet show the consultant worked on critical MetaMask code, including modules that connect users to third-party fiat payment providers. - In response, Consensys suspended product releases, instructed staff not to engage with the consultant, terminated his access and launched an investigation. Consensys’ response - General counsel Matt Corva told Drop Site that an established third‑party service provider introduced the consultant and that he was treated as an external contractor rather than an employee. - The company says its investigation found no evidence of data or asset theft, no malicious code was deployed, and no user accounts were compromised. Consensys notified law enforcement and is re-evaluating how it outsources engineering work. - The firm has not publicly explained how it linked the developer to the Democratic People’s Republic of Korea. Why developer access matters - Security firms say developer environments are among the fastest ways attackers can reach systems that manage private keys or approve withdrawals. Even without confirmed losses, access to source code and build systems can expose sensitive infrastructure. - TRM Labs has warned that such vectors are increasingly exploited, and in 2025 attributed a large share of crypto theft to North Korea-linked activity. Broader context: hiring fraud in crypto - A six‑month investigation supported by the Ethereum Foundation’s ETH Rangers Program — the Ketman Project — flagged roughly 100 suspected North Korean IT workers using false identities across 53 crypto and Web3 projects. The team found at least 62 merged pull requests across 11 repositories before the suspicious activity was detected. - Investigators reported use of generated profile pictures, forged documents and fake Japanese identities to pass screenings. - Security experts have repeatedly warned that North Korea-linked actors use fake identities and remote engineering roles to infiltrate tech firms. At Devconnect, security figures estimated that such applicants may constitute a large share of job applications to crypto companies. The stakes and recent incidents - TRM Labs estimated North Korea-linked groups were responsible for about 64% of the value lost in crypto hacks in 2025, when total losses exceeded $2.7 billion. One major operation — the FBI-tracked theft of roughly $1.5 billion from Bybit in February 2025 — was attributed to the TraderTraitor group. - Industry responses include shared alerting networks: more than 30 exchanges and DeFi projects now exchange rapid alerts when suspected North Korea–linked funds appear, via TRM’s Beacon Network. Bottom line Consensys says the contractor’s removal prevented any known user harm, but the episode has prompted an immediate review of third‑party hiring and access controls. The incident underscores a growing industry-wide problem: remote engineering hires can be an attractive entry point for sophisticated nation‑linked threat actors, and tighter vetting and monitoring of external contributors is becoming essential. Read more AI-generated news on: undefined/news