Crypto Security Report: September 2022

Featuring a Consensys study on why MetaMask users fall for phishing, a CircleCI impersonation campaign that bypassed GitHub 2FA, and Twitter-promoted Ethereum Merge scam accounts impersonating Vitalik Buterin and the Ethereum Foundation.

4 minutes
Crypto Security Report: September 2022

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

In September 2022, the Endo project landed a major SES shim refactor, internally nicknamed "quadruple backflip, while LavaMoat shipped a documentation refresh and new LavaMoat-node usage modes. Elsewhere, a Consensys study dug into why users lose funds to phishing. Meanwhile, a CircleCI impersonation campaign harvested GitHub credentials and relayed TOTP codes in real time to bypass two-factor authentication, and Twitter's own algorithm surfaced a verified scam account as the #EthereumMerge hashtag trended—part of a campaign using 36 compromised verified accounts to impersonate Vitalik Buterin and the Ethereum Foundation. The full breakdown is below, but first...

Kevin Mitnick (1963–2023) demonstrated that the most effective attack vector is not code, but human psychology. Once one of the FBI's Most Wanted for breaking into dozens of major corporations, Mitnick later became a trusted security consultant to Fortune 500 companies and governments, serving as Chief Hacking Officer at security-awareness training firm KnowBe4. His work establishing social engineering as a formal discipline directly shaped how the industry defends against the phishing campaigns covered in this report. 

Consensys study analyzes why crypto wallet holders users lose funds to phishing

Consensys published a study analyzing how and why users lose funds to phishing. The research examined 70 customer support tickets and conducted interviews with 7 users who had lost funds, following a standardized question guide covering their understanding of and experience with Secret Recovery Phrases and phishing. A key finding: users apply web2 trust signals, verified badges, follower counts, profile images, to assess web3 entities, but these signals do not map to actual trustworthiness in a self-custodial wallet environment where transactions are irreversible.

CircleCI phishing campaign targets GitHub users, bypasses two-factor authentication

On September 16, 2022, GitHub Security identified a phishing campaign impersonating CircleCI to harvest user credentials and two-factor codes. Phishing emails claimed users' CircleCI sessions had expired or that they needed to accept updated terms of use, directing them to lookalike domains including circle-ci[.]com and emails-circleci[.]com. The phishing site relayed TOTP codes to the attacker and GitHub in real time, bypassing time-based two-factor authentication. While GitHub itself was not compromised, the campaign impacted multiple victim organizations. The incident highlights that TOTP-based 2FA is vulnerable to real-time relay attacks—hardware security keys (FIDO2/WebAuthn) remain the strongest defense.

On September 14, 2022, as the #EthereumMerge hashtag trended on Twitter ahead of the September 15, 2022 transition, the platform's algorithm surfaced a promoted scam account alongside legitimate Merge content. The broader campaign involved at least 36 compromised verified Twitter accounts used to impersonate Vitalik Buterin and the Ethereum Foundation, promoting fake "50,000 ETH giveaway" schemes that directed victims to phishing sites requesting ETH deposits with the promise of doubling returns.

Endo SES shim refactor separates scope handling with "quadruple backflip"

The Endo project submitted a major refactor of the SES shim's evaluator into a multilayered scope stack, internally referred to as "quadruple backflip." The change addresses an issue where the scope proxy could leak and separates distinct concerns in global scope handling into discrete layers. A secondary benefit: LavaMoat can use the unaltered SES shim once the refactor lands, eliminating the need for LavaMoat-specific patches to the shim.

LavaMoat ships documentation refresh and new lavamoat-node usage modes

MetaMask’s LavaMoat project shipped a documentation refresh across its tooling. New lavamoat-node features include a convenience helper for running commands from node_modules/.bin and a programmatic usage API, making it easier for developers to integrate LavaMoat's supply chain protections into existing build pipelines.


MetaMask’s September 2022 Crypto Security Report covered a CircleCI impersonation campaign that bypassed GitHub two-factor authentication via real-time TOTP relay, and Twitter's algorithm surfacing verified scam accounts during the Ethereum Merge trending event. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Read all articles