ConsenSys Engages North Korean Consultant, Raises Cybersecurity Concerns

By Patricia Miller

2 min read

ConsenSys added a North Korean consultant, exposing critical MetaMask code, prompting a review of cybersecurity practices.

ConsenSys, the company known for its developments in Ethereum and MetaMask, inadvertently engaged a North Korean national as a developer consultant. This individual, who went by the alias “Tyler Knapp,” was introduced through a supposedly credible third-party service provider, ultimately gaining access to the core code of one of the most widely used cryptocurrency wallets. Their access initiated on March 9, specifically allowing control over functionalities vital for conversions between cryptocurrencies and traditional fiat currencies.

What details led to the revelation of this incident? In April 2026, ConsenSys General Counsel Matt Corva issued an internal alert that prompted an immediate investigation. It was quickly confirmed that the consultant had connections to North Korea’s regime. Fortunately, ConsenSys reported that there was no compromise of data, no introduction of malicious code, and no adverse effects for users throughout this engagement. Following this discovery of the true identity of the individual, law enforcement was alerted. In response, ConsenSys is now reviewing and strengthening its protocols regarding third-party vendor practices to minimize the risk of similar occurrences in the future.

Why is this issue significant? The threat posed by North Korean IT operatives infiltrating Western technology firms, especially in the cryptocurrency sector, has risen sharply. Reports suggest these operatives fabricate convincing identities to secure remote contractor roles, funneling their earnings back to the regime to support its programs. U.S. agencies such as the FBI, Department of Justice, and Treasury Department have consistently warned businesses about the risks associated with hiring personnel linked to North Korea.

MetaMask serves a critical role as one of the leading crypto wallets globally, acting as an interface through which millions interact with decentralized applications. Its core codebase, particularly the segments that manage crypto-to-fiat conversions, constitutes a highly sensitive area that remains vulnerable to exploitation. This particular operative maintained access for around a month before the internal alert was raised, highlighting the ongoing challenges companies face in ensuring cybersecurity. Past incidents have demonstrated that operatives can remain in positions for much longer—sometimes extending for years—before detection occurs.

Important Notice And Disclaimer

This article does not provide any financial advice and is not a recommendation to deal in any securities or product. Investments may fall in value and an investor may lose some or all of their investment. Past performance is not an indicator of future performance.