MetaMask Security Report: November 2024

A crypto CEO kidnapped in Toronto, AI Grandma taking on scammers, North Korea's cyber playbook exposed, and more.


Each month, MetaMask security guru Luker reports on the latest crypto attacks and emerging risks that you need to know about. But first...

Jude Milhon — who coined the term “cypherpunk” — is known as the patron saint of hackers.


Taylor Monahan's top security talks from Devcon 7 in Bangkok

There was much to keep track of at Devcon 7 in Bangkok this year. Luckily, MetaMask's Taylor Monahan has selected her favorites from the security track. Get some popcorn because this thread is extensive.

MetaMask launches Signature Insight Snaps to analyze and flag risky signature requests

Dive into our latest MetaMask Snaps that help keep users more secure: Signature Insight Snaps! These Snaps analyze signature requests, providing users with insights into their purpose and potential risks, thereby helping to prevent phishing attempts and unauthorized access.

The initial offerings include Kleros Scout, which decodes signature requests and identifies associated contracts to warn users of potential threats, and ZyFi Paymaster Insights, which improves the readability of signing transactions in the zkSync ecosystem by providing detailed information about paymaster-related transactions. Users can install these Snaps from the MetaMask Snaps Directory, using MetaMask Extension 12.4.2 or later.

Ohm's Devcon 2024 lightning talk on crypto scam mechanics

Drainers, transaction simulations, and pig butchering. This Devcon 2024 lightning talk from Ohm is jam-packed!

LavaMoat isolates malicious npm packages: Zbyszek Tenerowicz demos at GitNation

He’s at it again! Zbyszek’s latest talk on how MetaMask’s LavaMoat can mitigate the risks of consuming malicious npm packages is available from GitNation. LavaMoat isolates each package into its own compartment and provides tools to define strict access policies. It prevents threats like cookie theft and unauthorized access to sensitive global variables. For a limited time, we're offering support to help you integrate LavaMoat into your projects — don’t miss out on securing your applications with ease! You can reach out to Zb at [email protected].
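The compartment-and-policy idea described above, as an added example that is not LavaMoat's code or API: a simplified JavaScript model in which each package body runs behind a scope proxy that exposes only the globals its policy entry grants. The package names, policy object and cookie value are constructed for illustration.

```javascript
// Concept model only: not LavaMoat's implementation or API.
const hostGlobals = { document: { cookie: 'session=constructed-sample' }, Math };

// Constructed policy: the only globals and packages each package may reach.
const policy = {
  'date-format': { globals: { Math: true }, packages: {} },
  'session-ui': { globals: { document: true }, packages: {} },
  'tracking-widget': { globals: {}, packages: { 'date-format': true } },
};

// Constructed sources standing in for files under node_modules.
const sources = {
  'date-format': 'module.exports = (ms) => Math.floor(ms / 1000) + "s";',
  'session-ui': 'module.exports = { readCookie: () => document.cookie };',
  'tracking-widget': 'const fmt = require("date-format");\n' +
    'module.exports = { label: fmt(5000), readCookie: () => document.cookie };',
};

function loadPackage(name, cache = {}) {
  if (cache[name]) return cache[name].exports;
  const grants = policy[name] || { globals: {}, packages: {} };
  // Scope terminator: every free identifier resolves here, never on globalThis.
  // Real compartments also provide shared intrinsics (Object, Array, ...); omitted.
  const scope = new Proxy({}, {
    has: () => true,
    get(_target, key) {
      if (typeof key === 'symbol') return undefined; // Symbol.unscopables probe
      if (grants.globals[key] === true) return hostGlobals[key];
      throw new ReferenceError(`${name}: global "${key}" not granted by policy`);
    },
  });
  const scopedRequire = (dep) => {
    if (grants.packages[dep] !== true) {
      throw new Error(`${name}: package "${dep}" not granted by policy`);
    }
    return loadPackage(dep, cache);
  };
  const mod = (cache[name] = { exports: {} });
  // The with-block is sloppy code; the package body inside it runs strict.
  const wrap = new Function('scope', 'with (scope) { return function ' +
    '(module, exports, require) { "use strict";\n' + sources[name] + '\n}; }');
  wrap(scope)(mod, mod.exports, scopedRequire);
  return mod.exports;
}

function cookieReadOutcome(name) {
  try { return loadPackage(name).readCookie(); }
  catch (err) { return `blocked: ${err.message}`; }
}
```

Calling `cookieReadOutcome('session-ui')` returns the sample cookie because that package was granted `document`, while `cookieReadOutcome('tracking-widget')` reports the read as blocked even though the widget still loads and uses its one permitted dependency.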

SEAL Wargames drill template helps protocol teams run their own security exercises

Check out Kelsie Nabben's write-up about the Security Alliance Wargames Drill Scenario Template. This open-source GitHub repository, designed and launched by The Security Alliance, is a template to help protocol teams conduct their own security drills. The template offers comprehensive guidance on planning and executing wargame scenarios, including:

  • Step-by-step instructions for organizing and running drills.

  • Development and testing setups using Foundry and Hardhat on local forks.

  • Configurations for live forks on Tenderly.

  • Templates for tabletop exercises and monitoring bot services integrated with Prometheus, Grafana, and OpsGenie.

The initiative emphasizes fostering a proactive security culture within the blockchain ecosystem, encouraging continuous preparedness against evolving threats. For more details and access to the template, visit the GitHub repository.

O2's AI Grandma "Daisy" wastes scammers' time and collects intel on their tactics

British telecom company O2 has unleashed "Daisy" — an AI-powered granny who’s giving phone scammers a taste of their own medicine. Daisy keeps fraudsters tied up in hilariously irrelevant chats about knitting, cats, and her "dear old memories", wasting their time and saving real victims from their schemes. While scammers try to con her, she’s collecting intel on their tactics, turning the tables in the most charming way possible. Who knew grandma’s nattering could be a secret weapon?

The Red Guild launches Phishing Dojo for interactive crypto scam training

Security research and education group The Red Guild has launched Phishing Dojo, an interactive platform designed to help users identify and avoid phishing scams in the crypto space. This educational tool presents scenarios such as scam emails, fraudulent airdrop sites, and malicious transaction approvals, allowing users to practice recognizing and responding to common threats. The initiative aims to enhance community awareness and resilience against increasingly sophisticated cyberattacks targeting the crypto ecosystem.

Microsoft exposes DPRK and Chinese cyber threat actor tactics at CYBERWARCON 2024

At CYBERWARCON 2024, Microsoft Threat Intelligence analysts presented in-depth research on North Korean and Chinese cyber threat actors. The session, titled "DPRK – all grown up", highlighted North Korea's decade-long development of advanced cyber capabilities, enabling significant cryptocurrency thefts, and targeting organizations linked to satellites and weapons systems. Additionally, a presentation called "China’s evolving cyber operations" examined China's adoption of new tactics to enhance operational security, including the exploitation of vulnerable small office/home office (SOHO) devices to obscure their activities. These insights underscore the increasing sophistication and adaptability of cyber threats from these nation-states.

ZachXBT uncovers $6.5 million Coinbase support impersonation scam

Crypto investigator, SEAL member, and all-around hoopy frood, ZachXBT has uncovered a sophisticated phishing operation led by scammer Ronald Spektor, who impersonated Coinbase support to steal over $6.5 million in October 2024. Spektor lured victims by posing as official support, then laundered the stolen funds through TON-linked wallets, and deleted his social media accounts to evade detection. Despite these efforts, ZachXBT's investigation has identified untraced funds and potential accomplices, raising hopes that further leads may emerge to assist victims and authorities in recovering the stolen assets.

How users can protect themselves

Protecting yourself against scammers posing as customer support in the crypto space requires vigilance and proactive security measures. Here are some key strategies:

  • Verify sources: only use official websites or apps to contact support. Avoid links in emails or social media.

  • Ignore unsolicited contacts: legitimate companies don’t reach out unprompted or ask for urgent action.

  • Protect sensitive info: never share private keys, recovery phrases, or passwords. Avoid screen sharing.

  • Stay informed: learn common scam tactics and follow trusted security experts.

  • Use extra security: enable 2FA and anti-phishing tools where available.

  • Double-check requests: confirm support claims through official channels before acting.

WonderFi CEO kidnapped in Toronto and held for $1 million crypto ransom

In early November 2024, Dean Skurka, CEO of Toronto-based cryptocurrency firm WonderFi, was kidnapped in downtown Toronto and held for a $1 million ransom. The incident occurred near University Avenue and Richmond Street West just before 6 p.m. The kidnappers forced Skurka into a vehicle and demanded the ransom, which was paid electronically. Skurka was later found uninjured in Centennial Park, Etobicoke. He assured the public that WonderFi's client funds and data remained secure and unaffected by the incident. Experts note that such attacks, though rare, can coincide with surges in cryptocurrency values, as criminals may perceive high-profile figures in the crypto industry as lucrative targets.

How users can protect themselves

Never underestimate the $5 wrench attack, by which physical coercion (like threats or violence) is used to force someone to reveal private keys or access their crypto funds. If at all possible, keep a low profile and avoid flaunting your holdings in public. Diversify your storage by spreading funds across multiple software and hardware wallets, keeping the majority of your holdings in cold storage. Consider utilizing multi-sig wallets and time-locked transactions. And remember that if you are ever faced with this scenario, your life is more important than your crypto.


This November 2024 report covered the kidnapping of WonderFi's CEO for $1 million in crypto ransom, a $6.5 million Coinbase support impersonation scam uncovered by ZachXBT, Microsoft exposing DPRK and Chinese cyber capabilities at CYBERWARCON, and MetaMask launching Signature Insight Snaps. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.
