Crypto Security Report: May 2024

Featuring Smart Transactions, Pink Drainer's shutdown after $85M in thefts, Lazarus's Contagious Interview job scams, and a $68M address poisoning loss.

7 minutes
Crypto Security Report: May 2024

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

In May 2024, MetaMask launched Smart Transactions—delivering a 99.9% transaction success rate, MEV protection, pre-simulation, and better network fee settings. We also shared a new user guide to protecting your Secret Recovery Phrase, and a Snaps security discussion with HAPI. The month also marked the shutdown of Pink Drainer, which had drained tens of millions from around 20,000 victims. Elsewhere, the Lazarus Group's "Contagious Interview" campaign targeted blockchain developers with fake job offers. And, address poisoning attacks kept rising, with one victim losing $68 million. The full breakdown is below, but first...

Gerald "Jerry" Lawson (1940–2011) was an American electronic engineer who led the team behind the Fairchild Channel F, the first home video game console to use interchangeable ROM cartridges—earning him the title "father of the video game cartridge." One of very few Black engineers in early Silicon Valley, Lawson built a modular system that let users safely swap in new capabilities, a design philosophy that echoes in how modern software is extended and isolated today.

Introducing Smart Transactions for a higher success rate and MEV protection

Transaction inefficiencies aren't strictly a security matter, they can also cost users money. This month MetaMask unveiled Smart Transactions, which can deliver a 99.9% transaction success rate, maximal extractable value (MEV) protection, pre-transaction simulation, and better network fee settings. As Executive Product Director Gal Eldar explained, wallets are "uniquely positioned, and in many ways responsible for addressing these user pain points head on,”. Smart Transactions reflect MetaMask's commitment to making submitting transactions safer, easier, more efficient, and more reliable, for everyone.

A user guide to the Secret Recovery Phrase, password, and Private Keys

As part of its ongoing user education, MetaMask published a support article on the Secret Recovery Phrase, password, and Private Keys, aimed at helping newcomers avoid common, costly mistakes. It's a good resource to share with anyone getting started in crypto, along with the rest of the material at support.metamask.io.

MetaMaskSnaps, security, and due diligence

MetaMask Snaps are customizable, vetted, third-party add ons that extend wallet functionality. Our own Christian Montoya co-hosted an X Space with HAPI on how Snaps enable innovation that makes users more secure. As he explained, security is multifaceted, with many stages in a user's web3 journey where different protections are needed: a hardware wallet is valuable, but "you can still get drained from a hardware wallet if you interact with a malicious decentralized app. So, MetaMask is focused on bringing on security providers across many areas. The rollout of security-focused Snaps continues.

Revisiting the $10 million "mysterious hack"  that took over crypto

MetaMask’s Taylor Monahan is investigating a mysterious hack that has taken over crypto wallets and drained roughly $10 million worth of ether from longtime users. Speaking to The Defiant, she shared details about when the hack first started, and the latest in the saga noting that while her opinion on the root cause has evolved with further investigation, the facts have not changed: the incident is yet another attack tied to the infamous LastPass breach, which we’ve reported on in previous months. The hacker is believed to be part of an organized group and has compromised the seed phrases of at least 300 victims, all of which were likely stored via LastPass. Remember: your Secret Recovery Phrase should be stored offline and in a safe place that only you can access. She also linked the related Krebs on Security writeup from September 2023.

Pink Drainer shuts down after draining over $75 million

Pink Drainer, a notorious crypto wallet drainer, announced it was shutting down after amassing over $75 million by exploiting around 20,000 victims through sophisticated phishing, stating, "We have reached our goal and now, according to plan, it's time for us to retire." (Scam Sniffer, citing ZachXBT, put the haul at over $75 million from roughly 20,000 victims in a single year.) As Pink Drainer itself acknowledged, its retirement is unlikely to have a major impact, since "people will move on to other drainers just as quickly as they moved to us." Do scammers suddenly have a conscience? Or is something else at play? Our spidey senses point to the latter… And, with many other drainers still active, the standing advice holds: keep substantial funds in a hardware wallet, hold minimal assets in everyday wallets, and use different accounts for different risk levels.

Lazarus Group's "Contagious Interview" campaign targets blockchain developers

What happened

The Lazarus Group, an advanced persistent threat (APT) active since 2007 and notorious for the 2014 Sony Pictures attack, has increasingly targeted financial institutions and virtual currency venues. Security researchers uncovered a series of attacks using ZIP files with malicious JavaScript aimed at blockchain developers through job postings on platforms like LinkedIn, Upwork, and Braintrust. Consistent with Lazarus's "Contagious Interview" campaign, the attacks trick candidates into running malicious code that steals crypto-related information and implants malware. How users can protect themselves

To protect against phishing and malware attacks like those executed by groups such as Lazarus, it's crucial to verify the legitimacy of unexpected job offers through independent research and to maintain robust digital hygiene. This includes using up-to-date anti-virus and anti-malware software, enabling multi-factor authentication (MFA) for an added layer of security, and exercising caution with email attachments and links from unknown sources. Additionally, keeping all software updated is essential to guard against exploitable vulnerabilities. By adopting these practices, individuals can significantly bolster their defenses against sophisticated cyber threats and safeguard their sensitive information

Address poisoning attacks rise, with one victim losing $68 million

What happened

Address poisoning is a deceptive tactic where attackers manipulate a victim's transaction history to trick them into sending funds to the wrong address—and one recent victim lost $68 million to it. This scam tactic involves creating fake tokens, using 'vanity' addresses that closely resemble the target's, and exploiting the ERC-20 token standard's "transferFrom()" function. Attackers employ these strategies to conduct zero-value token transfers and spoofed token transfers, making their fraudulent addresses appear legitimate. These attacks are designed to confuse users into copying the wrong address for their transactions, leading to financial losses. The sophistication of these methods highlights the evolving nature of cyber threats in the blockchain space. How users can protect themselves To protect against address poisoning, users should avoid copying addresses directly from their transaction history and instead, copy them from a trusted source. Implementing domain names for addresses can enhance distinguishability, though users must be cautious of domain name spoofing. Utilizing an address book feature provided by wallet services or adding a private name tag on platforms like Etherscan to whitelist trusted addresses can help users easily identify and avoid spoofed addresses.


MetaMask's May 2024 Crypto Security Report covered the launch of MetaMask Smart Transactions, the shutdown of Pink Drainer after it drained tens of millions from around 20,000 victims, and a rise in address poisoning attacks that cost one victim $68 million. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Read all articles