Colorful source code displayed on a computer screen.

Consensys Brought In a North Korean-Linked Developer. GitHub Shows 20 Merged MetaMask Commits

July 18, 2026 10:22 am Comments

Consensys says a software consultant linked to North Korea made it into MetaMask development work through one of the company’s outside service providers.

The public trail is short, but it is concrete. A GitHub account tied to the consultant by Drop Site News authored 20 commits that were merged into public MetaMask repositories from early March into early April.

That count requires some discipline. It documents a month of accepted engineering contributions; it does not prove that malicious code shipped, or that the consultant reached private keys, wallet secrets or production funds.

Drop Site News reported on July 17 that the consultant used the alias “Tyler Knapp” and the GitHub handle “imyugioh.” Consensys told the outlet that the person was introduced through an existing relationship with a reputable third-party service provider and was never a company employee.

Internal communications obtained by Drop Site indicated that the consultant worked on core MetaMask platform code and functions involving conversion between cryptocurrency and fiat through outside payment providers. The publication also connected the account to work on MetaMask’s mobile wallet.

Consensys halted product releases during its April investigation and instructed employees not to interact with the individual, according to the report. The company then terminated the consultant’s access and notified law enforcement.

General Counsel Matt Corva said Consensys’s investigation found no theft of assets or data, no deployment of malicious code and no effect on user safety or security. He also said the company reviewed how it uses third-party engineering services and extended its hiring standards into those vendor relationships.

Those are Consensys’s conclusions. The company has not published a forensic report showing the consultant’s exact permissions, the duration of the release freeze or the technical evidence behind its North Korea finding.

The provider’s identity and the consultant’s real identity and location also remain undisclosed. Drop Site reported that Corva did not explain how the company established the connection to North Korea.

GitHub provides the clearest independent view of the public coding activity. Its commit search returns 20 merged changes authored by “imyugioh” across the MetaMask organization.

Fourteen appear in the MetaMask mobile repository and six in MetaMask’s core repository. The earliest was merged on March 5, while the final one was merged on April 5.

The visible titles show routine work concentrated around MetaMask’s “Ramps” infrastructure. The changes addressed payment providers, token identifiers, quote fetching, order refreshes, transaction details, navigation and mobile-interface behavior.

A merged commit shows that a change landed in a repository branch. It does not establish that every change reached a production release, and the public record does not reveal whether the account could enter private repositories, access internal infrastructure or handle cryptographic material.

Still, 20 accepted changes in roughly one month is substantial participation. The account was contributing to the ordinary machinery people use when buying or selling crypto through MetaMask, rather than sitting outside the project with a single drive-by patch.

The GitHub history also sharpens the timeline. Contributions were already being merged several days before the March 9 start date cited in Drop Site’s account, making “early March through early April” the safer description of the public activity.

The vendor route closely matches a weakness the FBI has warned companies about for years. Its May 2024 advisory said outsourcing IT work can create additional exposure because the customer company is removed from direct hiring.

The bureau described North Korean workers using false identities, U.S.-based facilitators and remotely accessed company laptops to appear local. Facilitators have also created job accounts, attended interviews, established financial accounts and formed front businesses offering contract technical labor.

The FBI advised companies to verify remote-worker identities throughout employment, watch for unusual remote connections and audit third-party staffing firms. It specifically urged businesses to ensure vendors use robust hiring practices and flag changes in addresses or payment platforms.

The advisory does not prove that the same methods were used at Consensys. It does show that a trusted contractor pipeline is a known point of entry, especially when the company receiving the work assumes its vendor has already handled identity verification.

An April 2026 case from the Justice Department shows how large these operations have become. Two U.S. facilitators were sentenced to 108 and 92 months in prison for helping North Korean IT workers obtain jobs at more than 100 companies.

That scheme used the stolen identities of at least 80 Americans and generated more than $5 million for North Korea, according to the department. The facilitators hosted company laptops and enabled overseas workers to reach them remotely through specialized hardware.

Federal prosecutors said the workers obtained access to sensitive employer data and source code, including controlled defense information. Victim companies also incurred at least $3 million in legal, remediation and other costs.

That prosecution was separate from the Consensys incident and does not identify the MetaMask consultant. It does, however, explain why an ordinary-looking month of software work can trigger a company-wide release freeze once the worker’s identity comes into doubt.

Consensys deserves credit for stopping releases, cutting access and bringing in law enforcement once its controls detected the problem. Its statement that no assets or data were taken and no malicious code was deployed is meaningful, especially for a wallet used across the Ethereum ecosystem.

The uncomfortable part came earlier. A person the company later identified as North Korean-linked passed through a vendor relationship and accumulated a visible body of merged work before being removed.

Crypto companies spend heavily defending contracts, bridges and private keys. The Consensys episode shows that supplier identity and contractor access deserve the same level of suspicion.

Users have no public evidence that their wallets or funds were compromised here. They do have a fair reason to expect more detail about how the account got through, what it could reach and which controls finally caught it.

The merged code is visible. The access behind it is still mostly a black box.

Join the conversation!

We have no tolerance for comments containing violence, racism, profanity, vulgarity, doxing, or discourteous behavior. If a comment is spam, instead of replying to it please click the icon below and to the right of that comment. Thank you for partnering with us to maintain fruitful conversation.