Crypto Security Report: July 2023

Featuring pig butchering and fake mining scams, a new fake approvals scam using airdropped gas tokens, npm malware from the Lazarus Group targeting crypto developers, and MetaMask's Menpo DeFi incident database at DeFi Security Summit.

5 minutes
Crypto Security Report: July 2023

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

In July 2023 MetaMask Security team present Menpo, a STIX 2.1 standard for cataloging DeFi incidents, at the DeFi Security Summit, while Gal Weizman wrapped a three-part X series on how LavaMoat's scuttling and Snow harden supply chain security, and LavaMoat advanced its ScorchWrap webpack plugin and EIP-4361 work. On the threat side, this month’s report also  uncovered at pig butchering (shāz hū pán) and fake mining scams that abuse token approvals, a new fake approvals scam using airdropped gas tokens, and a Lazarus Group social engineering campaign spreading npm malware to crypto and security developers. The full breakdown is below, but first...

Josephine Jue was a mathematician and aerospace technologist at NASA, remembered as one of its "hidden figures" and among the first Asian American women to work as a programmer at NASA's Manned Spacecraft Center, where she contributed to the software behind the Apollo program. The precision and reliability her work demanded of early mission-critical software is the same standard that trustworthy systems still depend on today.

MetaMask presents Menpo, a STIX 2.1 DeFi incident database, at DeFi Security Summit

At the DeFi Security Summit 2023, Herman Junge presented Menpo, a project the MetaMask security team is building to standardize the cataloging of DeFi incidents using STIX 2.1. The initiative, Junge's brainchild, promotes cross-organizational collaboration among security analysts and researchers to enrich the shared threat intelligence landscape.

Gal Weizman completes a three-part X series on LavaMoat's scuttling and Snow

Continuing the thread from the previous month's blog, Gal Weizman completed his three-part X series explaining how scuttling and Snow by LavaMoat strengthen MetaMask's supply chain security—and can do the same for other apps. Scuttling makes the app's window object almost unusable to injected code, closing a common avenue for browser-based attacks.

LavaMoat updates ScorchWrap, tests Snow with CSP, and contributes to EIP-4361

The ScorchWrap webpack plugin now uses @lavamoat/aa to identify packages in dependencies and enforce policy when importing them, with further work needed on webpack-emulated builtins such as buffer and crypto. The team also attempted to support Snow with Content Security Policy recommendations, but found CSP on iframe srcdoc underwhelming; next steps include limiting the DOM APIs that accept text-string input to improve security. LavaMoat contributed to conversations about more explicit scheme handling in EIP-4361 and proposed an origin-verification algorithm, and finally merged the exitModules hook in Endo. Separately, Zibi is leading a Defensive Coding workshop at DefCon's AppSec Village.

Pig butchering (shāz hū pán) scams from 2022 - 2023 mapped in Dune dashboard

Long-con scams, in which bad actors lure victims into a false sense of security with the promise of investment returns, are on the rise. These schemes—which frequently involve a romantic angle and originated in China—are known as shāz hū pán, or "pig butchering," because the perpetrator "fattens up" the target before the "slaughter." MetaMask Security’s Taylor Monahan compiled a Dune dashboard that, in her words, "attempts to capture the magnitude of these scams via hard data pulled directly from the blockchain and people's stories, told in their own words," noting that "these scammers are onboarding more people to crypto than any legitimate crypto organization. All in order to steal their money."

Fake mining scams exploit token approvals, detailed in a Consensys breakdown

A Consensys blog article by Joel Willmore, "Fake 'Mining' Scams: A Familiar Foe in a New Disguise," breaks down how USDT approval mining and liquidity mining scams work, how to recognize them, and how to stay safe by understanding and safeguarding token approvals. It includes a Dune dashboard by Harry Denley tracking the scams. For a more concise overview, MetaMask also published a support article on fake mining voucher scams.

Revoke.cash warns of a fake approvals scam using airdropped gas tokens

Revoke.cash highlighted a new fake approvals scam involving airdropped "gas tokens" that trick users into thinking they have suspicious approvals needing revocation. The scammers program the fake tokens to mint a large quantity of gas tokens during a revoke transaction, which are then sent to the attackers to sell. Because the wallet popup shows only a high fee rather than funds leaving the wallet, the theft is easy to miss. In response, Revoke.cash added a check that disables revoking approvals when the gas fee is excessive, and recommends ignoring unexpected transactions that carry very high gas fees.

Lazarus Group spreads npm malware in a social engineering campaign against developers

According to Socket, the Lazarus Group launched a sophisticated social engineering campaign targeting developers in the cryptocurrency and cybersecurity sectors, using compromised accounts and malware-laden npm packages. The writeup explains how the attack chain works, how to protect against it, and lists the known malicious npm packages.

Immunefi lists the top 10 most common web3 vulnerabilities

Immunefi published a rundown of the top 10 most common vulnerabilities in web3, covering the smart contract vulnerabilities that developers and auditors should watch for in order to build secure, robust contracts.

Taylor Monahan shares wallet security tips: hardware wallets, paper backups, and decentralized storage

Taylor Monahan shared practical tips for keeping funds secure while using a web3 wallet: using hardware wallets, the low-tech best practice of storing a Secret Recovery Phrase on paper, and decentralizing where funds are stored.

Chainalysis mid-year update: crypto crime down 65% as ransomware climbs

Chainalysis published its mid-year crypto crime update, reporting that crypto-related crime was down roughly 65% overall, even as targeted ransomware trended upward.


MetaMask's July 2023 Crypto Security Report took extensive look at pig butchering and fake mining scams that abuse token approvals, a new fake approvals scam using airdropped gas tokens, and a Lazarus Group social engineering campaign spreading npm malware to crypto and security developers. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      すべての記事を読む