North Korean Developer Accessed MetaMask Ethereum Wallet Code for a Month

ETH

ETH/USDT

$1,841.56
+1.87%
24h Volume

$5,459,386,143.31

24h H/L

$1,856.17 / $1,806.79

Change: $49.38 (2.73%)

Long/Short
67.0%
Long: 67.0%Short: 33.0%
Funding Rate

+0.0029%

Longs pay

Data provided by COINOTAG DATALive data
Ethereum
Ethereum
Daily

$1,843.01

0.06%

Volume (24h): -

Resistance Levels
Resistance 3$1,985.30
Resistance 2$1,915.28
Resistance 1$1,873.21
Price$1,843.01
Support 1$1,840.39
Support 2$1,738.66
Support 3$1,615.03
Pivot (PP):$1,838.69
Trend:Uptrend
RSI (14):56.9
(12:20 PM UTC)
4 min read
1372 views
0 comments
AI SummaryAI
  • Consensys onboarded a North Korea-linked developer using the alias “Tyler Knapp,” who worked on MetaMask's core code from March 9, 2026 until access was cut in April.
  • The Ketman Project identified roughly 100 North Korea-linked IT workers embedded across 53 crypto and Web3 projects, with 62 pull requests merged across 11 repositories.
  • The U.S. DOJ sentenced two U.S. nationals to 108 and 92 months for a scheme using 80+ stolen identities at over 100 companies, generating $5M+ for Pyongyang.
  • North Korea-linked groups accounted for 64% of crypto hack value in 2025, with cumulative theft exceeding $6 billion since 2017.

This summary was AI-generated, AI-reviewed and published under COINOTAG editorial oversight.

Crypto News

Consensys, the software firm behind the MetaMask crypto wallet, mistakenly onboarded a developer tied to North Korea who worked on the tool's core code for roughly one month before the threat was detected. Operating under the alias “Tyler Knapp” and the GitHub handle “imyugioh,” the individual was brought in as a consultant through a long-standing third-party staffing provider rather than direct hiring, according to the company's own account. Code contributions began on March 9, 2026, and stopped abruptly in April, when Consensys cut off system access. The firm has since referred the matter to law enforcement and is reviewing its outsourced-hiring controls to prevent a repeat.

Internal Slack messages reviewed after the discovery indicated the operative touched code connected to MetaMask's core fiat on- and off-ramp database, the layer that converts digital assets to government currencies through external payment providers, plus the mobile wallet repository. Consensys legal counsel Matt Kurva said a subsequent investigation found no misappropriation of assets or data, no malicious code pushed to production, and no impact on user safety. In April, Kurva issued a company-wide alert ordering all product releases suspended pending the probe and instructing staff not to contact the individual — a signal the firm was managing disclosure well before the story surfaced.

The episode is not isolated. Findings tied to the Ethereum Foundation's six-month “ETH Rangers” support program, published in an official blog recap on April 16, 2026, show the same infiltration pattern spreading across the sector. The Ketman Project, a research group backed by that program, said it identified roughly 100 North Korea-linked IT workers embedded in 53 crypto and Web3 projects. The scale underscores how deeply state-directed operatives have penetrated the altcoin and decentralized-application ecosystem, targeting engineering roles that offer direct access to sensitive codebases, payment rails and internal infrastructure across dozens of protocols.

A separate Ketman Project report detailed how these operatives posed as Japanese developers on Web3 freelance platforms. Investigators documented workers using AI-generated profile photos and forged Japanese identity documents while cycling through multiple Japanese names. One video showed a candidate asked to introduce himself in Japanese on a verification call removing his headset and leaving the room. The analysis found at least three account clusters active across 11 code repositories, with 62 pull requests — proposed code changes — merged before detection. The findings expose how identity fraud and infrastructure such as 0x-style tooling and open-source contribution channels are exploited to gain trusted developer status.

Enforcement is tightening in parallel. On April 15, 2026, the U.S. Department of Justice announced that two U.S. nationals were sentenced for facilitating North Korea's fraudulent remote-worker scheme, receiving prison terms of 108 months and 92 months. Prosecutors said the pair helped North Korean IT workers pose as Americans to secure remote jobs, using more than 80 stolen U.S. identities to place operatives at over 100 companies, including Fortune 500 firms. The scheme generated more than $5 million in illicit revenue for entities linked to Pyongyang. The case falls under the DOJ's “DPRK RevGen: Domestic Enabler Initiative,” which continues to pursue related facilitators.

The financial stakes for the broader market are widening. Blockchain-analytics data shows North Korea-linked groups accounted for a rising share of global crypto hack losses — climbing from under 10% in 2020–2021 to 22% in 2022, 37% in 2023, 39% in 2024, and reaching 64% in 2025. Cumulative theft attributed to these groups since 2017 now exceeds $6 billion, with the 2025 surge driven largely by a single major February exploit. The trajectory reflects how insider infiltration and direct hacks increasingly converge, pressuring wallet providers, exchanges and DeFi platforms such as Aave to harden both code review and hiring pipelines.

Read together, these six developments trace one arc: state-directed infiltration has become a structural risk to the entire Ethereum-centric software supply chain, from wallet cores to freelance marketplaces. Our reading of the primary record — the company's own disclosure, the DOJ sentencing, and the Ethereum Foundation's program recap — is that the threat has shifted from opportunistic external hacks toward embedded insider access. Against COINOTAG's aggregate market data, the timing compounds fragility: the Fear & Greed Index sits at 25 (Extreme Fear), Bitcoin dominance holds at 69.8%, and total crypto market capitalization stands near $1.84 trillion. In a risk-off tape, security failures amplify capital flight far more than they would in bullish conditions.

COINOTAG does not provide financial advisory services. This content is for informational purposes only and should not be considered investment advice. Cryptocurrency investments involve high risk.

Add COINOTAG as a Preferred Source

Add COINOTAG to your preferred sources in Google News and Search to see our coverage first.

Add on Google
James Mitchell

James Mitchell

COINOTAG author

View all posts
AI-AssistedSenior Technical Analyst·James Mitchell is a senior technical analyst with over six years of dedicated cryptocurrency market analysis experience.

AI-generated, AI-reviewed, under COINOTAG editorial oversight.

Comments

Comments