Crypto Security Report: February 2024

Featuring Blockaid security alerts now on by default, Account Management Snaps and the Keyring API, the new LavaDome tool, the Security Alliance (SEAL) reveal, a $440,000 MicroStrategy X account hack, and $6.2 million in continued LastPass thefts.

Crypto Security Report: February 2024

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

February 2024 was a packed month for MetaMask Security updates. Blockaid-powered security alerts were turned on by default across multiple Ethereum networks and we added in depth LavaDome defense to our open source LavaMoat tool kit that protects from supply chain attacks. More broadly across the ecosystem, the Security Alliance (SEAL)) home to SEAL 911 and a new Whitehat Safe Harbor Agreement, launched publicly. On the threat side, drainers hijacked MicroStrategy's X account for a $440,000 phishing heist, and researchers tied another $6.2 million in thefts to the 2022 LastPass breach. The full breakdown is below, but first...

Granville T. Woods (1856–1910) was a prolific American inventor and electrical engineer who held nearly 60 patents, most famously the Synchronous Multiplex Railway Telegraph—an induction telegraph that let moving trains and stations communicate and dramatically improved railway safety. Often called "the Black Edison," Woods built systems in which reliable communication was itself a safety mechanism, the same principle that underpins secure, trustworthy infrastructure today.

MetaMask enables Blockaid security alerts by default across multiple networks

MetaMask integrated Blockaid-powered security alerts into the wallet and turned them on automatically across several Ethereum Virtual Machine (EVM) networks, addressing the growing problem of malicious transactions. The new security alerts give millions of MetaMask users additional protection from crypto phishing attacks, which rose in prominence during 2023. Think of Blockaid-powered alerts as one more tool for protecting users against scams, one that works best alongside fundamental security habits. They add a real layer against malicious transactions, and pairing them with security Snaps surfaces transaction details MetaMask doesn't show natively. Still, no automated tool stops social engineering, so the basics matter most, from not installing unverified software to staying wary of customer support impersonators in your DMs, being skeptical of overly attractive online personas, and never sharing your Private Key or Secret Recovery Phrase with any website or anyone online.

More ways to self-custody, from the Secret Recovery Phrase to Account Management Snaps 

Self-custody is the choice to hold your own keys instead of handing them to a third party, and it puts the security of your funds in your hands. That responsibility is real: the 12-word Secret Recovery Phrase historically needed to create a MetaMask wallet can be hard to keep both secret and safe. So MetaMask is expanding how you can manage accounts while staying self-custodial. It introduced Account Management Snaps, a permissionless path for teams building these solutions to deliver them to MetaMask users, and in February 2024 shipped the Keyring API in the MetaMask Extension so developers can implement their own account management concepts. Users are invited to try the first three snaps in the experimental beta, Silent Shard, Safeheron, and Capsule, with feedback welcome via the feedback page

Introducing LavaMoat LavaDome for defense in depth on critical content

LavaDome is the newest experimental tool in the LavaMoat toolbox for supply chain security. Using the Shadow DOM web API, it can implement frontend-only components that allow interactions only with the user and trusted code while blocking access attempts by untrusted JavaScript and CSS. The goal is defense in depth: protecting the most critical content displayed in LavaMoat-protected apps even if every other protection has been defeated.

The Security Alliance (SEAL) reveals itself

The Security Alliance (SEAL) a joint effort by the cybersecurity community to improve safety across the crypto ecosystem launched publicly on February 14, 2024.. It had been operating quietly, leading efforts such as SEAL 911 (a rapid-response help desk staffed by leading security experts) and SEAL Drills (attack simulation training). SEAL also announced its Whitehat Safe Harbor Agreement, a framework for ethical hackers and Maximal Extractable Value (MEV) bots that intervene in active public security incidents—permitting them to preemptively address exploits provided an attack is in progress and any recovered funds are redirected to a specified location. As SEAL co-founder samczsun announced, the group had been working on these security initiatives privately for about a year and a half before its public debut.

Drainers exploit MicroStrategy's X account in a $440,000 phishing heist

MicroStrategy's official X account was hacked on February 26, 2024 to promote a fake Ethereum-based MSTR token airdrop, with PeckShield alerting users to the phishing link. The incident led to ~$440,000 in stolen funds, the majority of which was reportedly from a single victim. The exploiter began moving funds while leaving roughly $195,000 worth of Ethereum in their address. The drainer hasn’t been identified at time of writing, though many researchers began attributing it to Pink Drainer. As with the previous  earlier  hack of Vitalik Buterin's X account, even trusted social meda accounts can be compromised. Always remember to pause before clicking a link or signing a transaction, keep substantial funds in a hardware wallet, and use different types of accounts and wallets for different risk levels.

New LastPass victims lose $6.2 million as thefts continue

In the latest heist tied to the LastPass attack, more than 22 victims lost a combined $6.2 million between February 19 and 20, 2024, with the stolen funds quickly moved from EVM networks to Bitcoin. To aid tracing and attribution, ZachXBT and Taylor Monahan documented the on-chain addresses the attacker used in a Chainabuse report. That public record flags the wallets holding stolen funds so exchanges, wallets, and other services can monitor, freeze, or block them, and warn potential victims before they interact with the attacker's accounts. Since the original LastPass breach, community members—protocol founders, investors, developers, and users who stored their Secret Recovery Phrases in LastPass—have lost over $10 million. Anyone who used LastPass before the December 2022 hack should consider their stored keys at risk, transfer balances to a new wallet, and move substantial funds to vetted hardware wallets for secure offline storage.


MetaMask's February 2024 Crypto Security Report covered Blockaid-powered security alerts becoming the default across multiple networks, the launch of Account Management Snaps and the Keyring API, and the public reveal of the Security Alliance (SEAL) alongside a $440,000 MicroStrategy X account hack and $6.2 million in continued LastPass-linked thefts. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Read all articles