This month's MetaMask Crypto Security Report

Featuring the latest pig butchering lowdown, a new nefarious wallet that steals your crypto, the return of the spyware RAT, and more.


Each month, MetaMask's Luker reports on the global crypto security news that you need to know about. Dive into the action below.

But first... meet our STEM pioneer of the month!👩‍🔬

Polish cryptologist Marian Rejewski conducted the initial analysis that led to the exploitation of Nazi Germany's ENIGMA cipher machine.

DPRK roundup

Job scam developments

Researcher Heiner Garcia of Security Alliance (SEAL) released a report documenting the shift in North Korean operatives' behavior from seeking direct employment in IT positions to recruiting collaborators through platforms such as Upwork, Freelancer, Fiverr, and GitHub. "Rather than isolated opportunism, the scope and consistency of the material suggest a coordinated, repeatable pattern: actors adapt their tactics rapidly, share operational playbooks, and deploy structured scripts for onboarding collaborators," shares Garcia.
This was followed up at Devconnect by another SEAL member, Pablo Sabbatella, who urged crypto companies to up their opsec game. He asserted that these companies are particularly inviting to DPRK threat actors, who account for 30-40% of their job applicants, and that 15-20% of crypto companies have already been infiltrated.

GhostCall and GhostHire

A recent Kaspersky investigation revealed GhostCall and GhostHire: complementary campaigns, courtesy of the BlueNoroff APT group, targeting executives and developers, respectively.

Money laundering operations

The US Treasury Department targeted several North Korean bankers with sanctions this month for money laundering activities tied to a global crypto crime operation. All 53 of the associated wallets contained USDT that sources say was intended for the regime's weapons program.
Concurrently, Europol and Eurojust dismantled a massive crypto money-laundering operation involving over 600 shell companies. At the recent Global Conference on Criminal Finances and Cryptoassets, Europol stated: “Law enforcement, private sector partners and academia are rapidly advancing their ability to counter the threats posed by sophisticated crypto-related crimes and money laundering. Advanced tools are reducing reliance on manual tracing, while a host of successful cross-border operations show the power of collaboration.”

Meanwhile…

Balancer exploit and Berachain halt

In early November it was reported that around $128 million in crypto was stolen from Balancer liquidity pools, which led Berachain to halt and fork its network. Later analysis revealed that the root cause was a critical vulnerability in Balancer V2's rate provider mechanism, which amounted to a rounding error. While fixes have since been implemented, the event has prompted discussions around the dangers of vibe coding and otherwise less-than-best practices.

Australian cybercrime portal used for crypto phishing

Scammers are abusing Australia's official ReportCyber portal to impersonate federal police and steal cryptocurrency. Because the system does not verify who is sending reports, criminals are able to send fake but legitimate-looking notices claiming the recipients' wallets have been flagged for suspicious activity.

Defcon pig butchering video drop

Erin West reminds us that we can all be susceptible to scammers and gives us a deeper look into the tragic world of pig butchering.

⚠️ Tales of caution ⚠️

Crypto users scammed by fake exploit

Summary
Lured by promises of quick and copious profits, users of swapzone.io are being tricked into running malicious JavaScript code directly in their browsers. Spoofed emails claim that a 0-day exploit can be manipulated into generating gains. Once executed, the code fetches a larger hidden program that manipulates what victims see on screen, inflating payout amounts by 37% or more and adding fake countdown timers to create urgency. Most critically, it hijacks the transaction process by silently replacing the recipient's wallet address with one controlled by the attackers.
How users can stay safe
Never paste code snippets into your browser's address bar from untrusted sources. Be skeptical of emails promising guaranteed profits or secret exploits, particularly those urging you to act quickly before patches are applied. Verify sender addresses carefully, and bookmark official DEX/CEX service websites to avoid clicking links in unsolicited emails.

Malicious wallet extension steals secret recovery phrases

Summary
Socket's Threat Research Team discovered a malicious Chrome extension called "Safery: Ethereum Wallet" that was designed to steal users' secret recovery phrases (SRPs, AKA seed phrases). Safery was uploaded to the Chrome Web Store on September 29, 2025, but was removed after Socket's report was published in mid-November. The fake wallet contained a backdoor that exfiltrated SRPs by "encoding them into Sui addresses and broadcasting microtransactions from a threat actor-controlled Sui wallet."
How users can stay safe
Check wallet extension rankings and reviews carefully, as legitimate wallets typically have thousands of reviews and established reputations rather than appearing as newer entries. Research any wallet thoroughly by visiting the project's official website, social media channels, and community forums to confirm authenticity. Look for red flags like generic email addresses, vague privacy policies, or developers with no established history in the crypto space.

Old DarkComet spyware returns in fake bitcoin wallet apps

Summary
In other fake wallet news, a 16-year-old spyware tool called DarkComet RAT (short for remote access trojan) has been hidden inside fake Bitcoin wallet and trading applications. Point Wild's Lat61 Threat Intelligence Team discovered the latest version distributed as a compressed RAR file containing an executable named "94k BTC wallet.exe" that's packed using UPX compression to evade detection. Once targets run the disguised file, the RAT copies itself into hidden system folders and begins recording every keystroke, including passwords and private keys. The malware also includes features for file theft, webcam spying, and complete remote desktop control.
How users can stay safe
Download wallets and applications exclusively from official websites or verified app stores, never from third-party sites or unsolicited links. Be immediately suspicious of executable files that promise access to funds, as legitimate wallets don't tend to come pre-loaded. Avoid opening compressed RAR or ZIP files from unknown sources, especially those claiming to contain wallet software, since this is a common distribution method for malware.
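As an added illustration of the triage a defender can run on an archive like the one described above (this is example code, not from MetaMask or Point Wild), the script below flags an archive member that is a Windows executable named like a wallet and that carries the byte markers UPX leaves in a packed binary. The file bytes are constructed stand-ins, not a real sample.

```python
"""Triage archive members for the lure pattern above: an executable posing as
a wallet, packed with UPX. All sample bytes here are constructed for the demo."""
import re

# Markers UPX leaves in a packed PE: the "UPX!" header magic and the UPX0/UPX1
# section names. Packing is a hint worth surfacing, not proof of malice.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".msi")
WALLET_WORDS = re.compile(r"(wallet|btc|bitcoin|eth|seed|keys?)", re.IGNORECASE)


def triage_member(name: str, data: bytes) -> list[str]:
    """Return the reasons this archive member looks suspicious (empty if none)."""
    reasons = []
    lowered = name.lower()
    if lowered.endswith(EXEC_EXTENSIONS):
        reasons.append("executable file inside archive")
        if WALLET_WORDS.search(name):
            reasons.append("executable named like a wallet or key file")
    if data[:2] == b"MZ":  # DOS/PE header: it is a Windows executable regardless of name
        if not lowered.endswith(EXEC_EXTENSIONS):
            reasons.append("PE header (MZ) but non-executable extension")
        found = [m.decode() for m in UPX_MARKERS if m in data]
        if found:
            reasons.append("UPX packer markers: " + ", ".join(found))
    return reasons


def triage_archive(members: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each flagged member name to its reasons; clean members are omitted."""
    return {n: r for n, d in members.items() if (r := triage_member(n, d))}


# Constructed stand-in for the "94k BTC wallet.exe" lure: an MZ stub with UPX markers.
FAKE_WALLET_EXE = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"UPX0" + b"\x00" * 8
                   + b"UPX1" + b"\x00" * 8 + b"UPX!" + b"\x00" * 32)
# Constructed benign member: a plain text readme.
README_TXT = b"Thanks for downloading. See the docs for setup."

if __name__ == "__main__":
    sample = {"94k BTC wallet.exe": FAKE_WALLET_EXE, "README.txt": README_TXT}
    for member, reasons in triage_archive(sample).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
```
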

Looking for more crypto security news? Head here to peruse previous editions of Luker's Security Reports, and get additional tips for how you can stay safe in the ecosystem.
