Crypto Security Report: February 2023

Featuring MetaMask disabling eth_sign by default as the Monkey Drainer phishing group shuts down, a Namecheap/SendGrid breach behind MetaMask-branded phishing emails, a Google Fi SIM-swap hack, and a fake EthDenver site tied to a phishing wallet.

5 minutes
Crypto Security Report: February 2023

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

February 2023 saw MetaMask disable eth_sign by default to blunt a wave of signature-phishing kits, a change that may have helped push the notorious Monkey Drainer group to shut down, while the Endo and LavaMoat teams advanced secure bundling, a webpack compartment-map plugin, and hardening for MetaMask Snaps. On the threat side, a Namecheap/SendGrid breach let attackers send MetaMask-branded phishing emails, a Google Fi SIM-swap hijacked a victim's Coinbase and two-factor app, and a fake EthDenver site promoted through Google Ads was linked to a notorious phishing wallet. The full breakdown is below, but first...

Emmett Chappelle (1925–2019) was an American biochemist renowned for his work in bioluminescence, developing methods that use light-emitting reactions to detect the presence of bacteria and life where it would otherwise be invisible—techniques later applied in NASA's search for life and in rapid contamination testing. His work turning a faint signal into reliable detection echoes the everyday security challenge of surfacing hidden threats before they cause harm. Chappelle held 14 patents and is counted among the most distinguished Black American scientists of the 20th century.

MetaMask disables eth_sign by default as the Monkey Drainer phishing group shuts down

MetaMask observed a significant trend of phishing kits abusing eth_sign to trick users into signing malicious transactions. To balance protection with user autonomy, MetaMask disabled eth_sign by default, leaving a toggle in advanced settings for users who still need it, as detailed in its extension PR. Devin Shin, a MetaMask technical support engineer, reported seeing the change work in practice: while investigating a user's scam site, "nothing was happening," and the console logs showed the site had attempted to prompt an eth_sign transaction that failed because of the recent change. Late in the month, the change may have contributed to the demise of the Monkey Drainer NFT phishing group, which @0xFantasy noted had been shut down according to its owner on February 28, 2023

Fake MetaMask-branded phishing emails sent in Namecheap and SendGrid breach

Attackers sent fake MetaMask-branded phishing emails asking recipients to enter their Secret Recovery Phrases. To counteract the scam, we flagged the high-profile phishing attempt on February 12 2023, and reminded users that MetaMask will never ask you for your Secret Recovery Phrase or Private Keys. The breach did not affect MetaMask directly; instead, attackers were able to send the emails from a Namecheap domain. Namecheap initially attributed the incident to its upstream provider, SendGrid, and later posted astatement on its Twitter account, though both statements appeared to have been withdrawn as of February 28, 2023. Bleeping Computer reported on the incident.

Endo splits secure bundling into two stages and adds policy attenuation for globals

The Endo project adopted a new approach to secure bundling that splits the work across two stages so it can plug into more of the existing ecosystem: first, a plugin to an existing tool such as webpack creates a compartment map and transformed sources and saves them as an app archive; second, a bundler turns that app archive into a secure bundle file. The split should make supporting a new bundling tool less work and less likely to undermine the bundler's security. Endo also added attenuation for globals in policy, bringing the basis for full compatibility with LavaMoat policies to the compartment mapper, including a proof-of-concept attenuator implementing a "write" global policy.

LavaMoat begins a webpack compartment-map plugin and patches a Snow bypass

LavaMoat started initial work on a webpack plugin to generate an Endo-compatible compartment map. Separately, @lavamoat/snow disabled the creation of URL objects out of Blob and File objects to prevent a bypass of its realm protections.

LavaMoat hardens MetaMask Snaps and researches Chrome iframe sandboxing

The LavaMoat team helped harden functionality exposed to MetaMask Snaps and conducted research into unexpected iframe sandboxing side effects in Chrome.

Google Fi SIM-swap hack hijacks a victim's Coinbase and two-factor app

In another SIM-swap case, a Google Fi customer had their Coinbase account and two-factor authentication app hijacked by attackers, according to TechCrunch Google Fi informed the user that hackers had stolen some customers' information, likely connected to a recent breach at T-Mobile. The situation appeared resolved, but it left open questions about how safe affected customers' phone numbers remained. TechCrunch reported the details.

Fake EthDenver 2023 website linked to a notorious phishing wallet via Google Ads

In the lead-up to EthDenver 2023, one of Ethereum ecosystem's biggest events, a fake Ethereum Denver website promoted through Google Ads was linked to a notorious phishing wallet. The case is a reminder not to trust Google Ads results when navigating to crypto and event websites.


MetaMask's February 2023 Crypto Security Report covered MetaMask disabling eth_sign by default amid the shutdown of the Monkey Drainer phishing group, a Namecheap and SendGrid breach used to send MetaMask-branded phishing emails, and a Google Fi SIM-swap hack that hijacked a victim's Coinbase and two-factor app. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Read all articles