MetaMask Security Report: October 2025

Featuring a phishing defense network, blockchain malware’s neverending novelty, the return of pig butchering, and more.


Each month, MetaMask's Luker reports on the global crypto security news that you need to know about. Dive into the action below.


But first... meet our STEM pioneer of the month!👩‍🔬

Jagadish Chandra Bose contributed to the fields of radio microwave optics and botany, and is considered the father of Bengali science fiction.

MetaMask in the security ecosystem

MetaMask joins launch of SEAL's phishing defense network

We’ve partnered with Security Alliance (SEAL) and other leading wallets to build a global defense network that strengthens real-time phishing mitigation. Through this collaboration, security researchers can verify user-submitted phishing reports and instantly share them with participating wallets, which include WalletConnect, Backpack, and Phantom.
As MetaMask’s Ohm Shah noted, “Drainers are a constant cat and mouse game,” and the defense network is designed to throw “a wrench at the drainer’s infra.” We’re proud to contribute to this initiative, which will enable faster and more effective protections for the entire crypto ecosystem.

Déjà vu all over again: Blockchain malware’s neverending novelty

There's been a lot of buzz recently about EtherHiding, a new variation of an attack in which malicious code is hidden inside smart contracts to distribute malware through the blockchain. MetaMask's Taylor Monahan shares her hot take on why each new wave of so-called “blockchain malware” captures so much attention and why defenders should focus on fundamentals before getting carried away.

🤝 Friends of the Fox 🤝

Linea team quickly rallies with Astera to contain lending exploit

On Oct 9th 2025, the Astera lending protocol on Linea was exploited via a liquidity index inflation attack, resulting in an estimated loss of over $880,000 (about 8% of Astera's TVL) across three minipools (asUSD, LINEA, and WETH). While the attack was unfolding, Linea teams detected the pattern, cut off the attacker’s path, froze compromised funds within minutes, alerted Astera, and coordinated mitigation with their team and external researchers. Astera publicly acknowledged working overnight with Linea and Spearbit during the incident, and independent analysts outlined how the manipulated liquidity index enabled collateral overvaluation and a borrow-drain cycle. 
Linea continues to support Astera's recovery efforts. The L2’s security lead Eloi Manuel affirmed to MetaMask: “This episode underscores our approach on Linea: protect users and builders, move quickly with narrowly scoped on-chain countermeasures when needed, and keep improving our detection and response after every incident so risks are contained faster and with less impact.”

SEAL’s new State of Drainers series

In other news from our SEAL colleagues, the alliance has released the first volume in its new series exploring how drainers operate and evolve. The goal of this series is to give the community and wallet developers clearer insight into how these threat groups operate and change over time, so they can better defend against them.
This debut edition examines prominent drainer-as-service groups that include Inferno, Rublevka, and Eleven, highlighting their ability to adapt through the use of deceptive scripts and spoofed wallet interactions. Some drainers are now targeting multiple networks (namely EVM, Solana, Tron, and TON) while relying on trusted domains and dynamic infrastructure to evade detection.

Meanwhile…

Two record-breaking pig butchering busts

In late September, £5.5 billion (about $7.4 billion) in Bitcoin was seized by the Metropolitan Police in the UK in what was then called the world's largest cryptocurrency bust to date. Chinese national Yadi Zhang, aka Zhimin Qian, pleaded guilty to possessing crypto connected to an international cybercrime ring that targeted victims with fake investment scams. The practice, known as pig butchering, involves gaining the trust of targets and stringing them along over extended periods of time in order to extract as much value as possible.
Just two weeks later in the US, the Department of Justice confiscated $15 billion in cryptocurrency from the kingpin of the Prince Group criminal syndicate, which also engaged in pig butchering. This operation started in 2015 and used call centers in Cambodia manned by trafficked individuals who were forced to carry out the investment scams. Prince Group leader Chen Zhi, aka Vincent, and other operators of the syndicate used the ill-gotten gains to buy yachts, private jets, and even a Picasso painting.

Chainalysis hopeful that majority of illicit funds can be seized

Findings by the blockchain analytics company indicate that about $15 billion in digital assets are currently controlled by threat actors, while a whopping $60 billion are being stored in wallets that have interacted with these actors. The fact that the majority of these funds are parked in traceable on-chain wallets means that there is an opportunity for authorities to seize them if they can coordinate action.

Abracadabra: Third time's the harm

The Abracadabra.money protocol has been hit by yet another exploit, this time resulting in roughly $1.7 million in lost funds. The platform, known for its MIM stablecoin and crosschain lending "cauldrons" (its version of a pool), suffered a bypass of a smart contract solvency check.
The Abracadabra DAO paused affected contracts, bought back stolen tokens to stabilize the MIM peg, and reported that users were not impacted. However, this is the third major breach that Abracadabra has suffered since early 2024, bringing the total losses to over $21 million and bringing scrutiny to the aging code.

Hackers utilizing AI are impacting bug bounties

Web3 bug bounty platform Immunefi warns that bounty programs are facing serious limits due to the popularity of AI technology among black hats. AI tools that had previously been employed exclusively by security firms are now available to threat groups that are using them to discover vulnerabilities more quickly than they can be patched. This trend is leading experts to believe that bounty programs will not be able to keep up, even as the bounty industry has paid out over $100 million.
Immunefi's CEO Mitchell Amador stated there just aren't "enough eyeballs" to combat groups like Lazarus, who are employing hundreds to thousands of baddies around the clock.

⚠️ Tales of caution ⚠️

BNB Chain X account compromised in phishing attack

Summary
The official X account for BNB Chain got hacked in early October, with Binance co-founder CZ immediately warning users not to click on any links from the account. The attackers posted a fake rewards program that invited users to vote on an "upcoming $BSC rewards date," promising early rewards to anyone who participated within 24 hours. It's a classic phishing tactic designed to trick people into connecting their wallets so the attackers can drain their funds.
Fortunately, the damage was relatively contained. The attacker managed to deploy one phishing contract and ten malicious links, but the total losses came to around $8,000 across all chains. Most of that was from a single victim who lost $6,500. BNB Chain regained control of the account and is investigating how the breach happened. While this incident was small, it's part of a much bigger problem. By the end of June 2025, crypto theft had already hit $2.17 billion, surpassing all of 2024 and running about 17% higher than 2022. At this rate, losses for the year could top $4 billion.
How users can stay safe
When official accounts post about rewards programs or urgent opportunities, take a step back and verify through other channels first. Don't click on links just because they come from an account that looks legitimate, as even verified accounts can get compromised. If something promises easy rewards or asks you to act quickly, that's usually a red flag. Check the project's official website directly, or reach out to their support team through known contact methods. And always verify what you're signing or connecting your wallet to.

New Chaos-C++ ransomware wipes data and steals crypto

Summary
Researchers at Fortinet discovered a dangerous new version of ransomware called Chaos-C++. Unlike earlier versions in this malware family that were buggy and unreliable, this one was rebuilt from scratch in C++ to make it faster and more destructive. It spreads through a fake program called "System Optimizer v2.1" that tricks people into installing it, then goes to work in the background.
What makes this ransomware particularly brutal is how it handles files. Instead of encrypting everything, it strategically skips medium-sized files between 50 MB and 1.3 GB to work faster. Files over 1.3 GB, like server backups, are deleted outright. That means even if victims pay the ransom, those critical files are gone forever. The whole strategy is built around speed and irreversible damage rather than actually holding data for ransom.
Chaos-C++ also includes a clipboard hijacking feature specifically targeting cryptocurrency users. When you copy a wallet address, the malware will detect it and instantly swap the address with one belonging to the attacker. So when you think you're sending crypto to a legitimate recipient, it's actually going straight to the criminals behind the ransomware.
How users can stay safe
You must be extremely careful about what software you download and install on your computer. "System optimization" tools from unfamiliar sources are a huge red flag. Keep your antivirus and security software up to date, and consider using a hardware wallet for your crypto holdings. If you're making a cryptocurrency transaction, take the time to manually verify every single character of the wallet address after you paste it, especially for large amounts. Additionally, MetaMask address nicknames make it easier to ensure you're interacting with a trusted address.
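The clipboard swap described above leaves a timing signature a user-side monitor can catch. The following Python is an added example (not MetaMask's or Fortinet's code) that classifies clipboard contents and flags an address replaced by a different address of the same family within a short window; the address patterns, the poll trace and the 2-second window are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address shapes for the ecosystems named in the text (EVM hex, Bitcoin base58/bech32). Constructed
# for this example; a real monitor would cover every chain the user transacts on.
ADDRESS_SHAPES = {
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
}

def address_family(text: str) -> Optional[str]:
    """Return which address shape the clipboard text matches, or None if it is not an address."""
    text = text.strip()
    for name, pattern in ADDRESS_SHAPES.items():
        if pattern.match(text):
            return name
    return None

@dataclass
class ClipSample:
    t: float   # seconds since the monitor started; one sample per clipboard poll
    text: str  # clipboard contents at that moment

def detect_swaps(samples: List[ClipSample], window: float = 2.0) -> List[Tuple[str, str, float]]:
    """Flag an address replaced by a different same-family address within `window` seconds: people
    rarely copy two addresses that fast, a hijacker rewrites the clipboard the moment it sees one."""
    alerts = []
    last: Optional[ClipSample] = None
    for s in samples:
        fam = address_family(s.text)
        if fam is None:  # non-address content ends any pending address sequence
            last = None
            continue
        if (last is not None and address_family(last.text) == fam
                and last.text != s.text and s.t - last.t <= window):
            alerts.append((last.text, s.text, s.t))  # (original, replacement, time)
        last = s
    return alerts

# Constructed poll trace: the user copies an EVM address and 0.3 s later the clipboard holds a
# different one; the two Bitcoin copies a minute apart are ordinary user activity.
SAMPLE_TRACE = [
    ClipSample(5.0, "0x" + "ab" * 20),
    ClipSample(5.3, "0x" + "cd" * 20),
    ClipSample(40.0, "bc1" + "q" * 39),
    ClipSample(100.0, "bc1" + "p" * 39),
]

def run_demo() -> List[Tuple[str, str, float]]:
    return detect_swaps(SAMPLE_TRACE)
```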

Looking for more crypto security news? Head here to peruse previous editions of Luker's Security Reports, and get additional tips for how you can stay safe in the ecosystem.

This article was written by: