BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
Altcoins

Consensys’ North Korea Hire Exposes a Payroll Loophole

Consensys confirms a North Korea-linked contractor held access to core MetaMask code for about one month before removal. No stolen assets or malicious code were found, but Consensys is now re

AnonymousCryptoCompass newsroom
July 18, 2026
5 min read
NEWS
Consensys’ North Korea Hire Exposes a Payroll Loophole
CryptoCompass editorial visual for altcoins coverage.
  • Consensys confirms a North Korea-linked contractor held access to core MetaMask code for about one month before removal.
  • No stolen assets or malicious code were found, but Consensys is now reassessing how it vets vendor-referred consultants.
  • U.S. Treasury data ties North Korean IT worker schemes to nearly $800 million in 2024 revenue for the regime’s weapons programs.
  • A separate Ethereum Foundation-backed probe already links roughly 100 suspected North Korean workers to 53 crypto projects.

Consensys, the firm behind the MetaMask wallet, has confirmed that a contractor tied to North Korea worked inside its codebase for about a month before the company caught him and cut his access in April. The consultant, using the alias “Tyler Knapp” and the GitHub handle “imyugioh,” was introduced through an outside staffing vendor and touched core mobile wallet code, including the segment that connects MetaMask users to third-party fiat conversion providers. Consensys says its review found no stolen funds, no planted backdoors and no harm to users, and that line has anchored most of the coverage so far. For that month, Consensys was, functionally, one payroll cycle away from paying wages that U.S. Treasury officials say routinely fund North Korea’s weapons programs, and that framing changes what this story is actually about.

DateEventMarch 9, 2026“Knapp” begins committing code to MetaMask’s mobile platform.April 2026Consensys flags the identity, revokes access, pauses releases, alerts law enforcement.OngoingConsensys extends direct-employee screening standards to vendor-referred contractors.

Why a Vendor Referral Skipped Consensys’ Own Bar

General counsel Matt Corva has said Knapp came through an existing relationship with a reputable third-party provider and was treated as a consultant rather than a direct hire. Direct employees clear a company’s own screening, while vendor-referred contractors often inherit the vendor’s screening instead, and few companies audit whether that bar matches their own. North Korean operatives have built a working playbook around exactly that gap, relying on forged identity documents, reused photographs of unrelated professionals, and resumes recycled across dozens of applications to slip past HR checks. Treasury’s March 2026 sanctions round named an entity managing overseas IT worker placements and a facilitator accused of converting roughly $2.5 million in worker wages into crypto, a paycheck routed through a middleman rather than malware routed through a repository.

Two Different Ways North Korea Extracts Money From Crypto

Most coverage of North Korea and crypto collapses into a single story, the exchange hack. Consensys fell into a quieter, less-discussed second channel instead.

ChannelScaleHacking and exploits76% of 2026 losses through April; over $6 billion attributed since 2017, per TRM Labs.Fraudulent remote employmentNearly $800 million generated in 2024 alone, per U.S. Treasury.

The Ketman Findings: Scale Beyond One Company

The Consensys case sits inside a larger dataset. A six-month investigation backed by the Ethereum Foundation’s ETH Rangers Program, published in April as the Ketman Project, identified around 100 suspected North Korean IT workers operating under false identities across 53 crypto and Web3 projects. Investigators traced at least three suspected operational clusters spanning 11 code repositories, where a combined 62 pull requests had already been merged before anyone flagged the activity. Some of the applicants behind those accounts used AI-generated profile photos, forged identity documents, and fabricated Japanese personas to clear standard screening. Security researcher Pablo Sabbatella, founder of Opsek and a Security Alliance member, has separately estimated that North Korean applicants make up 30% to 40% of the job applications some crypto firms receive, and warned at Devconnect Buenos Aires that operatives could already be embedded in as many as one-fifth of crypto companies industry-wide.

The Case for Each Side

Structural failure: letting an unverified identity write fiat-conversion code for a month shows that the vendor-referral hiring model common across Web3 assumes a level of trust it never actually verifies. Code review catches bugs, not a patient operative building a clean commit history before any attempt at exploitation.

System worked: Consensys caught the anomaly within weeks, froze releases, and found nothing missing or planted. Judged by the standard that actually protects users, that looks like the process functioning as designed, and the sanctions exposure, while real, is a procurement question rather than proof that MetaMask itself was ever close to being breached.

What Changes Now

Corva’s plan to extend direct-employee screening to every vendor-referred contractor will likely become the industry default rather than a Consensys-specific fix. Treasury is already moving against the facilitators who convert wages into crypto, having sanctioned new targets in both 2025 and 2026, and further rounds look probable given the pace. Ethereum Foundation-adjacent groups have shown they’ll keep publishing Ketman-style audits naming specific repositories, which puts pressure on projects to review their own contributor rosters before they’re the next one named.

  • U.S. Treasury (OFAC): fraudulent IT worker schemes generated close to $800 million in 2024 for weapons programs; Secretary Bessent said the regime “targets American companies through deceptive schemes carried out by its overseas IT operatives.”
  • TRM Labs: North Korea’s share of crypto hacking losses hit 76% through April 2026, with over $6 billion attributed since 2017.
  • Pablo Sabbatella, Opsek/Security Alliance: North Korean operatives may already be embedded in up to a fifth of crypto companies.

Consensys’ disclosure lands the same month Republicans have been briefing the White House on the CLARITY Act, the crypto market-structure bill. None of its current language addresses contractor or staffing-vendor screening, and this case is likely to surface as an argument for adding it.

The post Consensys’ North Korea Hire Exposes a Payroll Loophole appeared first on ETHNews.