Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.
January 2024 opened with a wave of DeFi attacks—Orbit, Radiant, and Gamma were all hit in the first week of the year—prompting MetaMask Security’s Taylor Monahan to reflect on the community's war rooms and how ready the ecosystem is for the next bull run. Additional risks and attacks this month included an emerging MailerLite compromise that let scammers send phishing emails from the official addresses of Cointelegraph, WalletConnect, and Token Terminal—netting over $580,000, ,aNFT airdrop campaign that spoofs Etherscan logs to drain wallets, and a macOS malware campaign hiding in cracked software to steal crypto wallets. MetaMask also shared Dan Finlay's talk on safety and authority for AI and large language models. The full breakdown is below, but first...
Featured STEM pioneer: George Carruthers, inventor of the far-ultraviolet camera
George Robert Carruthers (1939–2020) was an American physicist and inventor who built the Far Ultraviolet Camera/Spectrograph carried to the Moon on Apollo 16 in 1972—the first Moon-based observatory. His instruments made visible what the eye can't see, and his work earned him a place in the National Inventors Hall of Fame. Seeing the unseen is exactly what good security tooling aims to do, too.
Taylor Monahan on the early 2024 war rooms and DeFi's readiness
In the first week of January 2024, Orbit, Radiant, and Gamma all suffered a reported ~$90 million in attacks. When these events occur, security researchers spring into action to join "war rooms" that try to mitigate the damage. Even with the Seal 911 group of auditors and white-hat hackers created the previous August, Taylor Monahan questioned whether the ecosystem is ready for the volume of attacks a future bull run might bring. She discussed the range of bad actors, from "script-kiddies" to advanced persistent threats (APTs), and the lack of accountability when protocols get hacked. The Orbit hack, estimated at around $81 million, appears to carry the hallmarks of a North Korea (DPRK)-sponsored attack.
Monahan rightly questioned whether the ecosystem is ready, and her challenge surfaces a few priorities before the next bull run:
Make incident response permanent, building on efforts like SEAL 911 so it isn't an ad hoc scramble.
Shift security earlier, with audits, monitoring, and pause mechanisms that can catch an exploit in progress.
Close the accountability gap, with transparent post-mortems, real bug bounties, and safe-harbor protections for white-hats.
MetaMask co-founder Dan Finlay discussed safety and authority for AI and large language models
MetaMask co-founder Dan Finlay's talk from Builder Nights Istanbul 2023—exploring AI and LLM security—was shared via parent org Consensys.. In it, Finlay covers user custody, anti-monopoly, the principle of least authority, object identity, and language-level security, among other topics.
A fake web3 game job that nearly drained a developer's wallet
A fake web3 game developer job nearly cost one target everything. As crypto trader Mario (@0xM4R10) detailed on January 15, 2024, the scam used a polished but fake game called "MythIsland," a seemingly doxxed team, and a friendly Telegram chat that ended with a request to download a "game launcher" to test the alpha. The launcher was malware. Mario opened it in a virtual machine and lost nothing, but a less careful developer could have been drained. It's a sharp reminder of how convincing modern social engineering has become.
MailerLite email phishing hack leads to over $580,000 in stolen assets
Scammers reportedly stole over $580,000 in cryptocurrency via a phishing campaign that sent fake emails from the official addresses of major crypto companies, including Cointelegraph, WalletConnect, and Token Terminal. The email service provider MailerLite was allegedly hacked and is currently investigating the incident; the phishing emails carried malicious links to a multichain address, promoting a fake launchpad and a fake Token Terminal beta, both leading to fictitious airdrops. Cybersecurity platform Hudson Rock suggested that malware on a MailerLite employee's computer may have been used to reach the company's servers. To protect against attacks like this, treat unsolicited emails with extreme caution, keep antivirus software updated and running, and enable Blockaid security alerts in MetaMask;every MetaMask user who had Blockaid alerts enabled was safeguarded from this phishing attempt.
NFT airdrop scam campaign spoofs Etherscan logs to drain wallets
Check Point Research detailed a large-scale NFT scam campaign that uses a source-spoofing technique—familiar to scammers who understand Ethereum smart contracts—to spoof Etherscan logs. The scam sends airdrops that appear to come from reputable sources, then directs holders to a fraudulent website where they're tricked into authorizing the attacker to drain their wallets, using complex smart contract interactions and a proxy contract to obscure what's really happening. The defenses are the usual ones: approach unsolicited airdrops with caution, scrutinize embedded links, understand what interacting with a smart contract means, verify with trusted tools, double-check the source of any airdrop, and store significant amounts in a hardware wallet.
Cracked macOS software hides backdoors that steal crypto wallets
Kaspersky uncovered a sophisticated macOS malware campaign that targets users through cracked apps on pirating websites. Embedded in repackaged, pre-cracked applications, the malware infects via a Trojan proxy and a post-install script, runs on macOS Ventura 13.6 and later, and uses a program named "Activator" to execute a payload that steals cryptocurrency wallets. Its final payload is a backdoor that can run any script with administrator privileges and replace the Exodus and Bitcoin wallet apps with infected versions that steal Secret Recovery Phrases. The best defenses are to install applications only from official platforms or trusted app stores (never pirating sites), keep the operating system and all apps updated, and run reliable, regularly updated anti-malware software.
MetaMask's January 2024 Crypto Security Report covered Taylor Monahan's look at the early-2024DeFi war rooms after attacks on Orbit, Radiant, and Gamma, a MailerLite compromise that fueled over $580,000 in phishing from web3 brand addresses, and a macOS malware campaign hiding in cracked software to steal crypto wallets. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.