Each month, MetaMask's Luker reports on the global crypto security news that you need to know about. Dive into the action below, including: fake Firefox extensions, the DPKR’s BabyShark scam, zombie dapp hunters, and more.
But first... meet our STEM pioneer of the month!👩🔬
Chien-Shiung Wu was known as the Queen of Nuclear Research. She worked on the Manhattan Project
🤝 Friends of the Fox 🤝
How Wise Signer Snap protects your wallet
Watch Patrick Collins’ slick demo of how his MetaMask Snap uses AI to comb the web, and determine whether a transaction may be vulnerable based on suspicious addresses, calldata, and chain. While this Snap is currently in beta, you can review the code now! Read more about MetaMask Security Snaps on our support page.
Thanks, Patrick, for helping fight the good fight!
Coinspect: Zombie dapp hunters
MetaMask continues to hold onto Coinspect’s #1 most secure web3 wallet ranking!
This month, our friends at Coinspect highlighted a disturbing trend in which threat actors are re-registering the domains of defunct crypto projects, using previously established reputations to bypass security checks and rob users.
Coinspect has been teaming up with DeFi platforms and security groups to identify and report over 100 of these so-called zombie dapps.Socket launches pilot program to protect Chrome extensions
In an effort to protect against supply chain attacks caused by malware and risky permissions in Chrome extensions, Socket is inviting builders to test out their new product line that uses real-time scanning and analysis. The tool was designed to be lightweight and privacy-preserving, and also shows risk metrics on package directories like NPM, PyPI, Go, and Maven. Risk signals include obfuscated or install scripts, high entropy or suspicious strings, typo-squatted names, and risky APIs. There are plans to extend coverage beyond Chrome in the future.
Meanwhile…
Attacker drains $42 million from GMX and quickly surrenders funds for bounty
On July 9, GMX’s Arbitrum-based V1 GLP liquidity pool lost $42 million when a hacker used a re-entrancy attack to mint excess GLP tokens, according to the firm’s postmortem. GMX immediately halted trading after being alerted by Hexegate of the exploit and was able to trace onchain activity that showed the majority of the stolen funds had been swapped for other digital assets.
GMX offered a 10% white hat bounty with the promise of no legal actions if the funds were returned within 48 hours. After responding with the casual message: “Ok, funds will be returned later,” the attacker retained approximately $4.5 million and surrendered the rest to GMX.
Malicious code found in forETHCode extension
Security researchers at ReversingLabs discovered two lines of rogue code had been inserted into a PR for the open-source toolkit forETHCode. While evidence shows that this particular code had not been used to steal tokens or data (yet), it's assumed that the intention was “to steal crypto assets stored on the victim's machine" or "compromise the Ethereum contracts under development by users of the extension.”
The news reinforced concerns over the trend of malicious and compromised extensions, as well as supply chain attacks.US agencies target DPRK identity theft operations
In late June, the Justice Department announced it had led a coordinated effort that resulted in multiple arrests, indictments, and seizure of over 200 laptops, 29 financial accounts, and 21 fraudulent websites. The DOJ found North Korean-backed malicious activity across 16 states that included identity theft, and the infiltration of over 100 American companies, including crypto firms.
A week later, it was reported that the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two individuals linked to the theft and sale of such information to be used in employment scams. Revenue generated in these schemes is known to bolster DPRK ballistic missile programs.
Some good news
$2 million UK investment scam case ends in sentencing
Raymondip Bedi and Patrick Mavanga were charged and sentenced to a combined 12 years for selling fraudulent crypto consultation services to at least 65 people between 2017 and 2019. As reported by Crypto Times: "Both men admitted to multiple charges, fraud, regulatory violations, and money laundering being part of them. Additionally, Mavanga was charged with tampering with evidence and having fake ID documents." The prosecution led by the UK’s Financial Conduct Authority is part of a larger effort by the agency to crack down on crypto crimes, and the FCA is attempting to recover the funds.
US Secret Service recovered $400 million over 10 years
The Secret Service’s Global Investigative Operations Center (GIOC) specializes in tracing digital financial crimes and now holds the bulk of the recovered crypto assets in one of the world’s largest cold wallets. GIOC investigators typically utilize open-source tools, blockchain analysis, and domain registration info in their investigations. The Secret Service has additionally provided training to law enforcement and prosecutors in 60 other countries.
Greece makes first-ever crypto asset seizure thanks to Chainalysis assist
Greece’s Hellenic Anti-Money Laundering Authority (HAMLA) has made its first-ever seizure of crypto funds. Working in tandem with Chainalysis as well as Performance Technologyies, HAMLA traced and froze a part of stolen assets from Bybit’s $1.5billion exchange hack. This worldwide recovery effort was made possible by “the power of combining cutting-edge blockchain analysis tools with expert training and international cooperation to combat global crypto crime." ICYMI, Bybit suffered losses of $1.5 billion during a hack earlier this year, allegedly carried out by North Korea's Lazarus Group.
⚠️ Tales of caution ⚠️
Swath of fake firefox wallet extensions found
Summary
Yuval Ronen of Koi Security broke the discovery of over 40 malicious Firefox extensions linked to the same campaign that were created to impersonate crypto wallets, including MetaMask. The threat that was launched in April is still active, and being used to extract credentials from "targeted websites and exfiltrate them to a remote server controlled by the attacker," as well as transmit external IP addresses. These counterfeit extensions appear legitimate,and utilize bad-faith positive reviews to trick users. Evidence points to a Russian-speaking perpetrating source.
How users can protect themselves
Ronen also gave his recommendations for staying safe:Only install extensions from verified publishers, and be cautious even with high-rated listings.
Treat browser extensions as full software assets—subject to vetting, monitoring, and policy enforcement.
Use an extension allowlist and restrict installation to pre-approved, validated extensions only.
Implement continuous monitoring, not just one-time scanning. Extensions can auto-update and silently change behavior after installation.
Gamblers, gamers fall victim to social engineering
Summary
Social media continues to be a hotbed for social engineering aimed at stealing crypto. Krebs on Security shared how legitimate-appearing “scambling” sites attract users with ads touting free credits and phoney endorsements from celebrities, such as Mr. Beast. Users must then create accounts to claim their “credits” and can then interact with well-polished games and place bets.
However, these scrambling schemes share hallmarks with classic pig butchering scams. The user is never able to cash out and is instead instructed to make additional “verification deposits” or consult with “recovery experts.” How users can protect themselves
Be wary of gaming sites that require deposits to retrieve credits, and especially those that require deposits for withdrawal. Remember that the vast majority of crypto recovery services are fraudulent, and legitimate services usually have high minimum thresholds valuing in the tens of thousands of dollars. Any promotions involving influencers should be validated by consulting verified channels.DPRK’s BabyShark campaign utilizes ClickFix tactic
Summary
As first reported by SentinelOne, in a novel method of attacking web3 companies, North Korean actors are using a new Nim-based macOS backdoor called NimDoor to steal credentials and exfiltrate data via encrypted WebSockets. The malware also uses AppleScript and process injection.
As part of the larger BabyShark operation, the attackers are employing ClickFix-style phishing tactics, in which targets are urgently tricked into clicking dangerous links that are disguised as benign. These activities have been linked to the advanced persistent threat group Kimsuky.
How users can protect themselves
Always pause and consider the situation before being pressured into urgent actions, and verify the source of the information. Be wary of downloading files as part of any interview process. Disable remote AppleScript execution, keep all systems and software up-to-date (e.g., browsers, extensions, and scripting runtimes). Be vigilant against WebSocket connections to unknown domains, unusual process injections or scripts running on app startup, and persistence via launch agents or signal handlers if using macOS.*Don’t get rekt doo doo doo doo doo doo…*
Looking for more crypto security news from the frontlines? Head here to peruse previous editions of Luker's Security Reports, and get additional tips how you can stay safe in the ecosystem.
This article is written by:
- Luker
- Ecosystem
MetaMask Card: get early access
Spend crypto anywhere.
- Ecosystem
MetaMask Security Report: June 2025
Each month, MetaMask's Luker reports on the global crypto security news that you need to know about. Dive into the latest headlines, featuring: MetaMask welcoming Web3Auth, updates to LavaMoat, cyber baddie takedowns, and more.
- Ecosystem
MetaMask Security Monthly: June 2024
Lots going on with our privacy policy update, new installment of the State of Security, and big news that Wallet Guard is joining Consensys!
