Crypto Security Report: April 2023

Featuring the scam-as-a-service that stole $27 million, MetaMask, OpenSea, and Blockaid's new transaction security feature, the multichain drainer targeting longtime crypto users, and Etherscan's move to curb address poisoning.

5 minutes
Crypto Security Report: April 2023

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

This month, we launched a new transaction-security feature with OpenSea and Blockaid that has already blocked more than 4,000 risky transactions. Elsewhere, a scam-as-a-service called Venom Drainer stole $27 million from about 15,000 people, and our researchers Taylor Monahan and Harry Denley began investigating a separate campaign draining longtime crypto users. Etherscan also changed a setting to help curb address-poisoning scams. The full breakdown is below, but first...

Michael Faraday (1791–1867) was a largely self-taught English scientist whose experiments laid the foundations of electromagnetism—including electromagnetic induction—and electrochemistry, where his laws of electrolysis still bear his name. His insistence on careful, repeatable experiment over assumption is the same evidence-first discipline that sound security research relies on.

Endo renames importHook and works through mobile BigInt and SES compatibility

Endo's exitModuleImportHook was renamed to importHook and awaits merging in the compartment-mapper. SES 0.18.3+ now includes the previously mentioned React Native Android JSC fix for the nonstandard AsyncGenerator and AsyncFunctionPrototype. The team also completed an exploration of BigInt compatibility with MetaMask Mobile libraries to determine the best path forward: the big-integer shim does not yet fully support @ethereumjs/util, react-native-v8 is fully compatible but has a blocking performance issue, and Hermes provides a working BigInt implementation but presents other compatibility issues and lacks the "with" statement that SES needs. Various TypeErrors with SES 0.18.3+ under investigation on React Native 0.71.6 are moving the team closer to locking down MetaMask mobile, which is being upgraded from 0.66.5, including React Native 0.72.0-rc1.

LavaMoat's ScorchWrap plugin bundles real dependencies, and Yarn Berry support begins

The LavaMoat team had representation at the React Native London meetup and Node Congress Berlin in April 2023,with a video of a talk by Zbigniew Tenerowicz expected the following month. The previous approach to secure bundling worked, but its limitations were pronunced  enough that the team moved from a loader to a plugin and found a better stage in the bundling process for wrapping each module. The plugin proof of concept, codenamed ScorchWrap, can create a basic bundle with real dependencies regardless of code type (CommonJS, ESM, or built TypeScript); further work is needed for compatibility with other plugins and large-scale testing. The team also kicked off early research into SES compatibility with Hermes, began Yarn Berry (3+) support for @lavamoat/allow-scripts, and has presentations underway on React Native's new architecture and locking it down.

MetaMask, OpenSea, and Blockaid launch transaction security that blocks 4,000+ risky transactions

In April 2023, we teamed up with OpenSea and Blockaid on an experimental, opt-in transaction-security feature that flags known scams before users approve them — and it had already blocked 4,000+ risky transactions. OpenSea supplies its scam blocklist and Blockaid analyzes malicious behavior in real time, with more security work on the way.

Gal Weizman finds a stored XSS in Snyk Advisor (CVE-2023-1767)

MetaMask Security's Gal Weizman documented his investigation in "CVE-2023-1767 — Stored XSS on Snyk Advisor service can allow full fabrication of npm packages health score." As he summarized it, a stored XSS in Snyk Advisor let him fabricate the health score granted to packages under his control, making a "malicious" package appear healthy, popular, and legitimate—something an attacker could have used to convince others to install an actual malicious npm packag

Venom Drainer replaces Monkey Drainer, draining $27 million from about 15,000 victims

Monkey Drainer may be history, but Venom Drainer took its place almost overnight. According to a report from Scam Sniffer in early April 2023, the Venom Drainer scam-as-a-service drained $27 million from roughly 15,000 victims—with the top five victims alone losing $14 million—across about 530 phishing sites targeting around 170 brands.

A multichain drainer campaign targets longtime crypto users

Mid-month, MetaMask Security’s Taylor Monahan and Harry Denley launched an extensive probe after discovering a multichain offensive targeting people who had been active in the crypto ecosystem for years, many of them well versed in personal security. The Secret Recovery Phrases involved controlled keys created between 2014 and 2022, and the investigation was still ongoing. “Since Dec 2022 it's drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains. It's rekt my friends & OGs who are reasonably secure. No one knows how.,” shared Monahan.

Etherscan hides zero-value transfers to curb address poisoning

CoinDesk reported that "Etherscan Reconfigures Blockchain Explorer Settings to Filter Out Potential Scams." The explorer now hides zero-value token transfer displays by default, a setting aimed at preventing address poisoning—where attackers send virtually valueless tokens to a wallet to bait the user into later copying and sending funds to a scam address.

Fake Uniswap "hack" phishing tricks users into a fake Revoke.cash

Scammers botted the #UniswapHack and #UniswapExploit hashtags to make them trend, then used the fake "hack" to push users toward a counterfeit version of Revoke.cash. As Hayden Adams and Evan Van Ness pointed out on April 15, 2023, Uniswap had not been hacked, reminding users stay calm and avoid acting in a panic.

Google search ad phishing has stolen $4 million

A Scam Sniffer report documented Google search ad phishing that resulted in $4 million stolen. Google search ad phishing is a scam where fraudsters pay for sponsored results that mimic real crypto brands, sending users to lookalike sites that steal their wallet credentials or funds. These scams are a recurring threat, so double-check URLs, rely on bookmarks where possible, skip sponsored search results, and consider an ad blocker to reduce exposure.


MetaMask's April 2023 Crypto Security Report covered the launch of an experimental MetaMask, OpenSea, and Blockaid transaction security feature, the Venom Drainer scam-as-a-service that stole $27 million from about 15,000 victims, and an ongoing investigation into a multichain drainer campaign targeting longtime crypto users. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Leer todos los artículos