Crypto Security Report: December 2022

Featuring the Lazarus Group's new AppleJeus malware in fake crypto apps, a social engineering scam netting 14 Bored Apes worth $1.07 million, LavaMoat's bin confusion mitigation, and a year-end wrap covering PhishFort takedowns and the MobyMask launch.

4 minutes
Crypto Security Report: December 2022

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

December 2022 saw LavaMoat release its bin confusion mitigation behind an experimental flag, Endo's compartment-mapper bundler pass an initial CommonJS proof of concept, and the Node.js Security Working Group propose a process-level Permission Model that complements LavaMoat's per-package approach. On the threat side, North Korea's Lazarus Group pushed a new AppleJeus malware variant through fake crypto apps, and a month-long social engineering scam drained 14 Bored Apes worth $1.07 million. Closing out the year, the HackerOne bug bounty program passed 100 researchers, PhishFort tracked 19,571 MetaMask-branded phishing attacks, and MetaMask and Laconic launched the MobyMask anti-phishing initiative. The full breakdown is below, but first...

Hedy Lamarr (1914–2000), alongside composer George Antheil, patented a "Secret Communication System" in 1942 that used frequency-hopping to keep radio-guided torpedo signals from being jammed. The idea of spreading a signal across rapidly switching frequencies became the foundation for modern spread spectrum technology used in Wi-Fi, Bluetooth, and GPS—the wireless protocols that connect self-custodial wallet users to blockchain networks. Lamarr was inducted into the National Inventors Hall of Fame in 2014.

LavaMoat releases bin confusion attack mitigation behind an experimental flag

LavaMoat released @lavamoat/allow-scripts with the --experimental-bins flag, providing protection against npm bin script confusion attacks for both npm and Yarn 1 projects. The mitigation guards against malicious packages hijacking legitimate CLI commands through npm's bin field linking behavior.

Endo advances its compartment-mapper bundler with CommonJS support

Work on bundling intensified in the Endo project. A series of compatibility fixes moved the compartment-mapper bundler closer to being usable for real projects, and an initial proof of concept of CommonJS support passed its tests.

Node.js Security Working Group proposes a Permission Model aligned with LavaMoat

The Node.js Security Working Group prepared a first proposal for a Permission Model to complement its existing Policy system. The goal is similar to LavaMoat's: reduce the system access exposed to semi-trusted third-party code. The proposed approach resembles Deno's Permissions System in configuring system access at the process level, whereas LavaMoat enables more granular isolation by configuring access at the package level within a process. Once the Node.js Permission Model matures and ships, it should be usable in conjunction with LavaMoat for stronger supply chain protection.

Lazarus Group distributes AppleJeus malware through fake crypto applications

North Korea's Lazarus Group was spotted distributing a new variant of AppleJeus malware through fake cryptocurrency applications and websites, where an unsuspecting user could inadvertently download the malware. The activity was reported by Volexity and covered by The Hacker News on December 5, 2022.

Social engineering scam steals 14 Bored Apes worth $1.07 million

Security analyst Serpent documented a month-long social engineering scam that stole 14 BAYC NFTs worth over 852 ETH ($1.07 million) from a single collector, sharing the analysis on December 17, 2022. Social engineering remained one of the most effective tools for bad actors through the year, with elaborate scams like this one playing out over weeks rather than minutes.

HackerOne bug bounty program builds a network of over 100 researchers in 2022

Through its HackerOne bug bounty program, MetaMask developed relationships with over 100 unique researchers who helped identify many vulnerabilities across the year, contributing to a safer experience for users. The program continued to welcome new participants pursuing bounties.

PhishFort detects 19,571 MetaMask-branded phishing attacks in 2022

Over the year, PhishFort detected 19,571 attacks using MetaMask branding, and within the final 30 days successfully took down 1,873 campaigns. MetaMask also ran known-phishing blocking initiatives in both the browser extension and mobile app, covering MetaMask impersonation and other web3 brand spoofing. The blocklist is owned and managed by Consensys/MetaMask and updated multiple times per day.

MetaMask and Laconic launch the MobyMask anti-phishing initiative

MetaMask introduced MobyMask, a new initiative to proactively protect users from phishing that uses a dynamic web of trust for sourcing phishing reporters, developed with help from Laconic.


MetaMask's December 2022 Crypto Security Report covered the Lazarus Group's new AppleJeus malware distributed through fake crypto applications, a month-long social engineering scam that stole 14 Bored Apes worth $1.07 million, and a year-end wrap spanning LavaMoat's bin confusion mitigation, PhishFort's phishing takedowns, and the launch of the MobyMask anti-phishing initiative. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Leer todos los artículos