Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.
In June 2024, Consensys acquired Wallet Guard to strengthen MetaMask's scam and drainer detection, while MetaMask updated its privacy policy for greater transparency and control, and LavaMoat launched a new website. The Security Alliance also opened a legal defense fund for whitehat researchers. On the threat side, employment scams tied to North Korea-linked APT groups kept targeting crypto workers, a user lost $11 million to signature phishing, a CoinGecko email-vendor breach sent tens of thousands of phishing emails, and a malicious Aggr Chrome extension stole over $1 million by harvesting exchange cookies. The full breakdown is below, but first...
Featured STEM pioneer: Ben Barres, neurobiologist who revealed the role of glial cells
Ben Barres (1954–2017) was an American neurobiologist whose research was instrumental in uncovering how glial cells interact with neurons in the nervous system—showing that the brain's long-overlooked "support" cells are in fact essential to how it works and defends itself. He was also the first openly transgender scientist elected to the US National Academy of Sciences and a vocal advocate for equity in science. His work is a reminder that the systems doing the quiet protective work in the background often matter most.
MetaMask updates privacy policy for greater transparency and user control over their data
Privacy and security go hand-in-hand and MetaMask takes users’ privacy very seriously. This month, in the spirit of informed consent, MetaMask released an updated policy to let users know what we’re doing to keep them safe and provide them with greater transparency and control over their personal data. You can read our announcement and the full notice, and check out our Privacy and Security resources.
MetaMask may temporarily process your IP address only where required for some of our Services (depending on your MetaMask settings) to provide the best possible experience for MetaMask users. This includes, for example, the prevention of DDoS attacks.
We do not collect your private keys.
We do not sell your Personal Information.
We do not collect or retain Personal Information unless necessary to provide you the Services and a great user experience.
We do not collect financial payment or banking information. However, when you use our on or offramp features these services may necessitate you submitting this information to third-party providers.
Consensys acquires Wallet Guard to enhance MetaMask security
We’re incredibly excited to have the amazing Wallet Guard team officially join forces with MetaMask, furthering our quest to deliver the most secure experience possible to users. As the announcement put it, the integration "will enhance MetaMask's security by improving scam and drainer detection through transaction validation and client-side heuristics, thereby providing users with superior real-time protection against malicious decentralized apps and scams while preserving privacy and self-sovereignty."
LavaMoat launches a new website
Everything LavaMoat now lives at lavamoat.github.io, including an introductory video on how the open-source toolset secures JavaScript projects against supply chain attacks. MetaMask's Zbigniew Tenerowicz also brought the Defensive Coding workshop he ran at DEFCON the previous summer to the Confidence and X33FCON conferences to spread the word about LavaMoat.
State of Security: MetaMask and Wallet Guard
The latest installment of MetaMask and Wallet Guard’s State of Security series featured Ryan Jones and Gal Weizman joining Ohm and Michael to discuss transaction simulations, interoperability, MetaMask Web, and using LavaMoat to protect against supply chain attacks—along with the usual tips for staying safe in crypto.
Employment scams rise, with North Korea-linked groups targeting crypto workers
The US FBI released a PSA urging work-from-home job seekers to be cautious. Crypto and blockchain jobs weren't specifically named, but MetaMask's Threat Intelligence and User Safety teams say the community is being particularly targeted. Treat unsolicited job offers with extra suspicion, never click links or open attachments from untrusted messages, and never engage if "you are directed to make cryptocurrency payments to your employer as part of a job." A significant number of these scams are tied to advanced persistent threat (APT) groups that are often state-sponsored—as one hiring manager, zak, bluntly put it, "literally every developer we've interviewed recently has likely been a North Korean." Crypto-related businesses should also be extremely vigilant when interviewing applicants, as this has also become a popular attack vector. Make sure to conduct thorough interviews that include verified, consistent background information and require applicants to be on camera.
SEAL launches a legal defense fund for whitehat researchers
Ethical whitehat hackers are a cornerstone of our industry. These researchers uncover and responsibly disclose vulnerabilities before bad actors are able to exploit them. However, as the Security Alliance (SEAL) recently explained, web2’s history shows that “this important work can sometimes lead to significant legal risks and subsequent costs, particularly when their research and disclosures are unwelcome or misunderstood.” Therefore, SEAL has launched an initiative with the Security Research Legal Defense Fund to provide legal resources to eligible researchers who use the Whitehat Safe Harbor Agreement.
A user loses $11 million to signature phishing
What happened
On June 22nd 2024, a user signed multiple permit phishing signatures, which resulted in a loss of US$11 million worth of tokens. It was further revealed that the victim was a MakerDAO governance delegate. SEAL researcher Pcaversaccio believes signature phishing is the biggest problem in our industry, stating users don’t care about the warnings and they don't consider the consequences of signing them. MetaMask's Taylor Monahan revealed a total estimate of $600M+ in damages from approval phishing scams since 2021.
How users can protect themselves
Users can protect themselves by following three key steps.
1. Limit the assets of the wallet you browse daily with. If you sign a malicious signature, the impact will be minimized.
2. Validate the domain the signature request originates from and verify it matches the domain of the original project. A quick way to do this is to navigate to the project's official social media or blog page and check that the domains from these profiles match the request.
3. Validate the token and address contents of the request. The request will often involve a token you did not intend to send. The spender address and/or the address of the transaction will be different than the address you intended.
These simple checks can help to prevent unintended loss of funds.
23,000 phishing emails follow a CoinGecko email-vendor breach
What happened
CoinGecko, a cryptocurrency data aggregator, experienced a data breach on June 5, 2024 via a compromised account at its third-party email marketing platform, GetResponse. The attacker accessed nearly 2 million contacts and sent 23,723 phishing emails from another client's account, exposing users' names, emails, IP addresses, and locations—though CoinGecko user accounts and passwords remained secure.
How users can protect themselves
Users should approach any email about claiming airdrops or tokens with extreme caution and avoid clicking links or downloading attachments from unsolicited emails. Crypto projects have a responsibility to be vigilant about the security controls used by the third-party vendors they work with.
Malicious Chrome extension steals over $1 million
What happened
Aggr, initially marketed as a trading data aggregator, is a Chrome extension that turned out to be malicious. In early June 2024, a Binance user reported a $1 million loss that SlowMist traced back to the Aggr plugin. SlowMist found that Aggr harvested traders' cookies—specifically those tied to cryptocurrency exchanges—which the attackers used to access centralized exchange (CEX) portals and take control of victims' accounts.
How users can protect themselves
The lesson: be vigilant about any software you install, including browser extensions, and research the developers—favor verified, reputable ones over anonymous accounts with no track record, and review the app's history before trusting it.
MetaMask's June 2024 Crypto Security Report covered the Consensys acquisition of Wallet Guard, MetaMask's updated privacy policy, and a string of threats including an $11 million signature phishing loss, a CoinGecko email-vendor breach, and a malicious Aggr Chrome extension that stole over $1 million. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.