Consensys unknowingly onboarded a North Korean-linked developer who accessed its systems for a month before discovery. The company found no asset theft or malicious code. The incident mirrors a broader pattern of state-backed infiltration targeting crypto developers.
Blockchain software company Consensys unknowingly hired a developer linked to North Korea who had access to its systems for about one month before the threat was discovered, the company said.
"Knapp was introduced to us through an existing relationship with a reputable third-party service provider and collaborated with Consensys as a consultant," Matt Corva, general counsel at Consensys, said. "He was never hired as a Consensys employee."
The developer, operating under the alias Tyler Knapp, was onboarded earlier this year before the company identified the threat, suspended product releases and launched a comprehensive investigation. Consensys confirmed there was no misappropriation of assets or data, no malicious code deployed, and no impact to user safety and security, according to Corva. The incident was first reported by Drop Site News.
The infiltration follows a broader pattern of North Korean state-backed hackers targeting digital asset companies through fake employment schemes. The so-called Contagious Interview campaign, ongoing since at least December 2022, has used trojanized coding assessments distributed via platforms like Slack to deploy malware, according to Elastic Security Labs. In one variant documented in May 2026, threat actors embedded malicious code inside SVG image files of country flags using steganography, concealing base64-encoded payload fragments across HTML comments. The assembled malware, known as OtterCookie, harvests browser credentials, cryptocurrency wallet data, and files from AI coding tools including Claude, Cursor and Gemini extensions.
North Korean hacking groups have stolen more than $1.5 billion in cryptocurrency since 2023, according to Chainalysis data, with losses from DPRK-linked hacks rising 51% year-over-year in 2025. The groups have increasingly shifted from direct exchange breaches to social engineering campaigns targeting individual developers as a vector for supply chain attacks.
Consensys, the developer behind the MetaMask wallet — which serves more than 30 million monthly active users — and the Infura blockchain infrastructure platform, said it will reevaluate its practices for outsourcing engineering and development work. The company did not disclose the name of the third-party service provider that introduced Knapp.
The incident shows the difficulty crypto companies face in vetting remote developers, particularly as North Korean operatives become more sophisticated in mimicking legitimate job candidates. For Consensys, the breach — even without confirmed data loss — risks eroding trust among institutional clients who rely on its infrastructure for custody and staking services. The company's pledge to overhaul outsourcing protocols suggests the industry's standard background checks may be insufficient against state-backed infiltration campaigns.
This article is for informational purposes only and does not constitute investment advice.