
Featuring the latest emerging crypto threats to watch out for including: spies fueling the AI arms race, sneaky OpenClaw exploits, another Coinbase breach, and more.

Each month, MetaMask security guru Luker reports on the latest crypto security risks and emerging threats that you need to know about. Dive into the action below. But first...

Dorothy Denning is a US-born infosec researcher who was inducted into the National Cyber Security Hall of Fame in 2012. She is known for formally defining lattice-based access control and for her contributions to intrusion detection system modeling.
Hey, it’s me, Luker! Check out my talk from EthDenver, where I highlight how threat actors and security researchers are using AI in the ongoing arms race, and give personal and corporate safety pointers to keep in mind as we explore this emerging landscape together. Yes, I discuss OpenClaw. Snap snap to it.
Continuing down the AI path, Ryan joined the Ethereum Foundation to demonstrate safety guardrails when delegating advanced permissions (ERC-7715) to an agent that has access to Metamask Wallet using the Gator CLI. Go directly to 8:50 to check out his segment: The agentic tech stack: Give your agent a wallet.

If you’re newer to the Ethereum ecosystem, you might know Griff Green as co-founder of charitable giving platform Giveth and Commons Stack, an open-source library for supporting governance of community-driven economies. But those of us who have been around for the last decade (and feel old writing that) know that he was a key figure in organizing the original DAO, as well as the recovery efforts following the DAO contract’s June 2016 hack. This was the famous hack that led to Ethereum’s fork away from Ethereum Classic.
Now, years later, the recovery fund still holds about $200 million in ETH that was never claimed. Griff has announced that, in cooperation with the Trillion Dollar Security initiative, the DAO is relaunching with the goal of supporting the Ethereum security sector. Prominent figures Vitalik Buterin, ZisK's Jordi Baylina, and SEAL 911’s Taylor Monahan and pcaversaccio are among the named curators for this effort. Supporting SEAL 911 is its first order of business, and the news follows an announcement from early February that the Ethereum Foundation would be sponsoring “a security engineer whose sole mission is working with the SEAL Intel team to track and neutralize drainers targeting Ethereum users.”
ZachXBT put these baddies on blast after they showed off millions in ill-gotten gains during a posturing match they refer to as a "band for band" or b4b. Unfortunately for the threat actor known as John (Lick), the bragging left him vulnerable to Zach tracing a good deal of the funds back to possible thefts from the US government, which could be used as evidence in a future criminal case to land him in the slammer.

Ethereum creator Vitalik Buterin put it simply: “The goal is to minimize the divergence between the user's intent, and the actual behavior of the system.” However, he also pointed out that because user intent is often quite complex, perfect security is actually impossible. His post went on to say that the best solutions work when users express their intentions in multiple ways that all agree. No single check is going to be sufficient. Therefore, a layered approach is necessary to catch vulnerabilities and attack vectors.
Having explained this foundation of his premise (in many more words than I have here), Vitalik then stated his position that LLMs can provide a useful additional layer for approximating intent for security, but should never be used as the sole line of defense. His timely words come as the use of AI has exploded, both when writing code and auditing it. The technology is also imperfect and its efficacy should not be taken for granted.

There has been a lot of hype around OpenClaw (formerly Moltbot, formerly Clawdbot), the open-source, self-hosted, largely autonomous personal assistant agent that runs in one’s local environment. Its power over LLM tools was meant to revolutionize how agents can be used to run tasks that include managing email, updating social media accounts, writing code, and managing IoT devices. Some have even been experimenting with giving OpenClaw access to crypto wallets, which tends not to go well. A huge part of the OpenClaw ecosystem is “skills,” markdown-based instruction files that are sometimes packaged with executable scripts.
News around the tool, which was released in November, has exploded over the past month and includes many security concerns. In order for OpenClaw to function properly, it needs access to highly-sensitive data. If you’re going to experiment with it, make sure you’re taking safety precautions and never run it on a machine that has access to corporate credentials.
These third-party skills are being used to distribute advanced threats, which include distributing malware and stealing crypto.
VirusTotal found skills that include reverse shells, semantic worms, and cognitive rootkits.
An OpenClaw bug enables one-click remote code execution
Operators can leak control panels via exposed mDNS traffic
OpenClaw agent goes rogue on email inbox
ClawJacked vulnerability in OpenClaw could let websites hijack AI agents
Malicious dependencies continue to be a concern for web3 developers. Early February saw compromised npm and Python Package Index (PyPI) packages that targeted the dYdX decentralized exchange, delivering wallet stealers and RAT malware. The Hacker News reports that the hostile versions of these packages were published using legitimate credentials, likely pointing to developer account compromise.
Later in the month, The Hacker News linked the malicious packages across npm and PyPI to a “fake recruitment-themed campaign orchestrated by the North Korea-linked Lazarus Group.”
Additionally, an active "Shai-Hulud-like" supply chain worm campaign dubbed by Socket as SANDWORM_MODE was discovered harvesting credentials and stealing crypto keys, while propagating through stolen npm and GitHub identities. The payload also includes a dead switch (aka kill switch) that "triggers home directory wiping when the malware simultaneously loses access to GitHub for exfiltration and npm for propagation or operation," according to Socket.
Coinbase recently disclosed that a data breach from December 2025 was caused by a support contractor's improper access of customer data, which was discovered after the "Scattered Lapsus Hunters" threat group posted screenshots of the Coinbase support panel to Telegram. This event is reportedly not related to the similar TaskUs insider breach that affected Coinbase just over a year ago.
Stories like these highlight the growing trend of attackers targeting third-party Business Process Outsourcing (BPO) companies through a combination of bribery and social engineering. Scattered Lapsus Hunters also claimed to have bribed an insider at CrowdStrike last November, and another threat group, Scattered Spider, was linked to a compromise of the BPO Cognizant, which was sued by Clorox last July.
According to Scam Sniffer, signature phishing attacks surged by 207% in January, draining $6.27 million from 4,700 wallets. Users are tricked into signing seemingly benign off-chain messages that actually authorize unlimited token and NFT transfers. While it should be noted that 65% of these losses were attributed to two wallets and overall phishing losses were down in 2025 from 2024, it’s never a good time to let your guard down.
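The "seemingly benign off-chain message" in these attacks is typically an EIP-712 typed-data request such as an ERC-2612 Permit. Below is an added example (mine, not MetaMask's or Scam Sniffer's code) of the kind of pre-signature check a wallet or browser extension can run: it flags an unlimited allowance, an unrecognised spender, and a far-future deadline. The spender addresses, the trusted-spender list and the sample payloads are constructed placeholders.

```python
import json
from typing import List, Set

MAX_UINT256 = 2**256 - 1
# Only the ERC-2612 "Permit" schema is handled here; other approval-style
# typed-data schemas would need their own field mapping.
APPROVAL_TYPES = {"Permit"}


def audit_permit(typed_data_json: str, trusted_spenders: Set[str],
                 now: int, max_deadline_secs: int = 24 * 3600) -> List[str]:
    """Return warning codes for an EIP-712 Permit request; [] means nothing stood out."""
    data = json.loads(typed_data_json)
    if data.get("primaryType") not in APPROVAL_TYPES:
        return []  # not an allowance-granting message, nothing to judge here
    msg = data["message"]
    warnings: List[str] = []
    # Wallets usually serialise uint256 values as decimal strings; int() takes both.
    if int(msg["value"]) >= MAX_UINT256:
        warnings.append("UNLIMITED_ALLOWANCE")
    if msg["spender"].lower() not in {s.lower() for s in trusted_spenders}:
        warnings.append("UNKNOWN_SPENDER")
    if int(msg["deadline"]) > now + max_deadline_secs:
        warnings.append("LONG_DEADLINE")
    return warnings


def build_permit(spender: str, value: int, deadline: int) -> str:
    """Constructed ERC-2612 Permit payload in the shape a dapp passes to eth_signTypedData_v4."""
    return json.dumps({
        "domain": {"name": "Sample Token", "version": "1", "chainId": 1,
                   "verifyingContract": "0x" + "d" * 40},   # placeholder token contract
        "primaryType": "Permit",
        "message": {"owner": "0x" + "0" * 40, "spender": spender,
                    "value": str(value), "nonce": 0, "deadline": deadline},
    })


# Constructed sample data: one router the user already trusts, one phishing request.
TRUSTED_SPENDERS = {"0x" + "a" * 40}            # placeholder for a known DEX router
NOW = 1_700_000_000                              # fixed "current time" for reproducibility
PHISHING_PERMIT = build_permit("0x" + "b" * 40, MAX_UINT256, 2**48)
BENIGN_PERMIT = build_permit("0x" + "a" * 40, 100 * 10**6, NOW + 600)

if __name__ == "__main__":
    print("phishing:", audit_permit(PHISHING_PERMIT, TRUSTED_SPENDERS, NOW))
    print("benign:  ", audit_permit(BENIGN_PERMIT, TRUSTED_SPENDERS, NOW))
```

A real wallet would also resolve the spender and verifying contract against a reputation feed; the three checks above are the minimum that catches the "unlimited value, unknown spender, deadline decades away" pattern.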
The other common tactic highlighted by the security research group as a concern for holders is address poisoning, where attackers send tiny "dust" transactions from lookalike addresses so that victims accidentally copy and send funds to the wrong address later. As reported by Decrypt, "tactics like address poisoning have become more attractive following Ethereum’s Fusaka upgrade, which sharply reduced transaction fees." Blockchain researcher Andrey Sergeenkov noted a distinct uptick in new address creation, with a significant number of the new addresses receiving less than $1 in stablecoins upon creation.
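Address poisoning works because people check only the first and last few characters of an address. The added example below (mine, not code from MetaMask or any of the researchers cited) shows a pre-send check a wallet could run over the user's own transfer history: an address that has only ever sent dust and shares the visible prefix and suffix of an address the user genuinely paid gets flagged. The addresses and history are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    value_usd: float  # assumed already converted to USD for thresholding


def looks_alike(a: str, b: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when two *different* addresses share the leading and trailing hex digits
    that a wallet UI typically shows (after the "0x")."""
    a, b = a.lower(), b.lower()
    head = 2 + prefix
    return a != b and a[:head] == b[:head] and a[-suffix:] == b[-suffix:]


def poisoning_suspects(me: str, history: Sequence[Transfer],
                       dust_usd: float = 1.0) -> Dict[str, str]:
    """Map each suspected poisoning address to the genuine counterparty it imitates.
    A suspect has only ever sent me dust (< dust_usd), never received funds from me,
    and resembles an address I have actually paid."""
    me = me.lower()
    genuine = {t.recipient.lower() for t in history if t.sender.lower() == me}
    inbound: Dict[str, List[float]] = {}
    for t in history:
        if t.recipient.lower() == me:
            inbound.setdefault(t.sender.lower(), []).append(t.value_usd)
    dust_only = {s for s, vals in inbound.items()
                 if s not in genuine and max(vals) < dust_usd}
    return {s: g for s in dust_only for g in genuine if looks_alike(s, g)}


def check_recipient(candidate: str, me: str, history: Sequence[Transfer]) -> Optional[str]:
    """Pre-send check: a warning string if the pasted address is a known dust lookalike, else None."""
    imitated = poisoning_suspects(me, history).get(candidate.lower())
    if imitated is None:
        return None
    return (f"{candidate} has only ever sent you dust and resembles {imitated}; "
            "verify every character of the address before sending")


# Constructed sample addresses and history (not real on-chain data).
ME = "0x" + "0" * 40
GENUINE = "0xabcd" + "1" * 32 + "ef12"    # an address I paid before
POISON = "0xabcd" + "9" * 32 + "ef12"     # same first/last digits, different middle
EXCHANGE = "0x" + "c" * 40
HISTORY = [Transfer(ME, GENUINE, 500.0),   # my real outgoing payment
           Transfer(POISON, ME, 0.50),     # dust from the lookalike
           Transfer(EXCHANGE, ME, 1000.0)] # a normal deposit

if __name__ == "__main__":
    print(check_recipient(POISON, ME, HISTORY))
```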
That's all she wrote this month. See you in April, no fooling.
Looking for more crypto security news, novel threats, and emerging risks to watch out for? Head here to peruse previous editions of MetaMask's Crypto Security Reports, and get extra tips for how you can stay safe across the ecosystem.