Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.
In October 2023, MetaMask and Blockaid rolled out privacy-preserving security alerts that flag malicious transactions before users sign, while the LavaMoat webpack plugin entered open beta. On the threat side, the Fantom Foundation lost $550,000 of a broader $7 million hack to compromised private keys, threat actors began hiding info-stealer malware on BNB Chain in a technique dubbed EtherHiding, and Galxe compensated users 110% after a DNS hijacking attack drained over $400,000. The full breakdown is below, but first...
Featured STEM pioneer: Luigi Galvani, pioneer of bioelectricity
Luigi Galvani (1737–1798) was an Italian physician and physicist who discovered what he called "animal electricity", showing that a spark could make a dead frog's leg twitch,and laying the groundwork for the study of bioelectricity. His experiments famously helped inspire Mary Shelley's Frankenstein, a fitting nod to this Halloween edition, and to the enduring reminder that powerful capabilities demand careful control.
MetaMask and Blockaid roll out privacy-preserving security alerts
MetaMask, in collaboration with cryptosecurity provider Blockaid, launched new privacy-preserving security alerts that help stop malicious transactions before they happen, protecting users from scams, phishing, and hacks. The two built a privacy-preserving module that simulates transactions without requiring users to share data with third parties. Based on previous trends, once the alerts are available to all MetaMask users, they aim to prevent billions of dollars' worth of assets from being stolen.
The LavaMoat webpack plugin enters open beta
LavaMoat released an early version of its webpack plugin (npm i @lavamoat/webpack), capable of wrapping code in compartments and adhering to a basic policy—ready for developers to test compatibility with their projects. The team is encouraging developers to try it and report any incompatibilities, and the open beta is the only window for free direct support on a LavaMoat integration. Feedback and support are available in the LavaMoat discussion thread. A new round of major releases across all LavaMoat packages also shipped, with one breaking change: they no longer support Node.js v14.
A guide to communicating effectively with victims of pig butchering, aka sha zhu pan
MetaMask and CryptoForensic have shared a guide for investigators, exchanges, and crypto product builders to support pig butchering scam victims. Contributors include the MetaMask Security and Trust & Safety teams, along with investigators from CryptoForensic. Pig butchering, or sha zhu pan, scams have been rising: bad actors build an online relationship—often romantic, sometimes platonic—over painstaking months, so the victim frequently doesn't realize the person they trusted has stolen from them. The runbook covers the facts that indicate a user has been affected, the questions to ask, and how to coach them toward mitigating further losses.
LavaMoat update: new major releases, a conference tour, and mobile lockdown testing
Beyond the webpack plugin beta and the Node.js v14 change, LavaMoat continued improving its type definitions and took its work on tour: the webpack plugin was announced at React Advanced online, and the team appeared at The Hack Summit in Warsaw. On mobile, MetaMask strengthened its build by adopting macOS 13.5.2+ and upgrading MetaMask Mobile to Xcode 15 and React Native 0.71.14 (now merged), applying an upstream security fix as part of the update; lockdown is undergoing final testing on iOS (JSC), to be followed by Android (Hermes).
Fantom Foundation loses $550,000 of a $7 million hack to compromised Private Keys
On October 17, 2023, a subset of Fantom Foundation wallets was drained through compromised Private KeysFantom initially claimed in its Telegram channel that the loss resulted from a Chrome zero-day exploit but provided no supporting evidence; onchain analysis of the transactions instead points, with moderate confidence, to compromised private keys, since multiple wallets were drained at the same date and time—making a simultaneous phishing attack on each key holder unlikely. Fantom later disclosed that only $550,000 of the total $7 million stolen belonged to the Fantom Foundation, without detailing how the attack occurred. As reported by CryptoSlate, user funds were unaffected because only employee wallets were hit.
In the wake of this attack, MetaMask Security’s Taylor Monahan reiterated core safety advice for keeping your wallet secure:
Practice good operational security: use multi-factor authentication and hardware wallets, and avoid random downloads.
Distribute assets across multiple wallets and rotate old or reused keys.
Never sign high-value transactions on the same device that's used for casual browsing
EtherHiding: threat actors store info-stealer malware on BNB Chain
Threat actors behind info-stealer campaigns began storing their malicious payloads on BNB Chain, a technique Guardio Labs dubbed EtherHiding. Info-stealing malware is designed to quietly steal banking information, login credentials, and credit card data. Attackers are pivoting from traditional web2 hosting to web3 technologies to store malicious content because older methods keep getting taken down by hosting services—and they have also leveraged IPFS for the same purpose. While the campaign doesn't specifically target crypto users, the standard defenses apply: keep your browser and computer updated, use ad blockers, and avoid downloading anything from people or organizations you don't trust.
Galxe compensates users 110% after a DNS hijacking attack cost over $400,000
Galxe compensated users who lost funds after a DNS hijacking attack. Galxe's domain registrar, Dynadot, granted domain access to an attacker impersonating members of the official Galxe team, who then turned Galxe's front end into a phishing site that affected 1,120 users. MetaMask acted quickly to temporarily mark Galxe as a phishing site. Impacted users were compensated 110% of their lost funds on October 20, 2023, and those not yet compensated can contact Galxe support. The episode is a reminder to stay vigilant even with trusted apps—keeping protocol announcement alerts on, wallets updated, and MetaMask security features (PPOM/Blockaid) enabled. Developers looking to mitigate DNS hijacking can review MetaMask's DNS hijacking mitigation proposal and share feedback here.
Save the date: MetaMask x Wallet Guard State of Security Space
The next State of Security X Space cohosted by MetaMask and Wallet Guard is scheduled for November 29, 2023 at 12 pm PST, covering the latest threats, security best practices, and releases.
MetaMask's October 2023 Crypto Security Report covered the rollout of MetaMask and Blockaid's privacy-preserving security alerts, the $7 million Fantom Foundation hack traced to compromised private keys, and Galxe's 110% user compensation after a DNS hijacking attack. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.