MetaMask Security Report: May 2025

Solana is on MetaMask! Whether you're a SOL or ETH maxi, the Fox has always got your back...

This month, find out how we're keeping you safe while using Solana on MetaMask, peruse news about IRL crypto kidnappings, explore the extortion attempt on Coinbase, and more.
Considered "the father of the computer," Charles Babbage is credited with inventing the difference engine and designing the first computer printers.

🦊 What we’ve been up to 🦊

Enhancing security as MetaMask expands to Solana

As MetaMask expands native support for the Solana blockchain, we're committed to ensuring your digital assets remain secure. Here’s an overview of the key features and resources designed to safeguard your interactions on Solana.
Robust security features for Solana users
  • Eth Phishing Detect: This feature plays a crucial role in identifying and flagging malicious domains that target web3 users. As we integrate with Solana, the same vigilant monitoring will apply. Any domains targeting Solana, once reported and verified as malicious, will be flagged to protect all MetaMask users. If you encounter a suspicious site, please help the community by reporting it. You can find guidelines on how to do so in our contributing guide.
  • MetaMask Security Alerts by Blockaid: Originally designed for Ethereum transactions, this protection is now extended to include Solana. Blockaid has been instrumental in preventing users from signing malicious transactions, and we are pleased to offer this same level of security for transactions made on Solana.
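The domain flagging described in the first bullet amounts to matching a hostname against an allowlist, a blocklist and a list of brand domains that lookalikes are compared with. The following is an added illustration, written for this article and not eth-phishing-detect's own code or lists: every list entry and hostname below is a constructed sample, and treating the last two labels as the "registrable domain" is a simplifying assumption that ignores multi-part public suffixes such as co.uk.

```javascript
// Added example (not eth-phishing-detect's own code): a simplified
// allowlist / blocklist / lookalike check of the kind a wallet's phishing
// detector applies to a hostname before the user interacts with a site.
// All list entries and hostnames are constructed samples.

const SAMPLE_CONFIG = {
  // Trusted domains (exact match or subdomain). Every fuzzylist brand must also be
  // allowlisted, or the brand's own domain would be flagged as a lookalike of itself.
  allowlist: ["metamask.io", "solana.com", "phantom.app"],
  // Reported and verified malicious domains (exact match or subdomain).
  blocklist: ["metamask-wallet-verify.example"],
  // Brand domains that unknown hostnames are compared against for typo-squats.
  fuzzylist: ["metamask.io", "solana.com", "phantom.app"],
  tolerance: 2, // maximum edit distance that still counts as a lookalike
};

// Classic two-row Levenshtein edit distance.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Lowercase, drop a trailing dot and a leading "www." so entries compare cleanly.
function normalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.endsWith(".")) h = h.slice(0, -1);
  if (h.startsWith("www.")) h = h.slice(4);
  return h;
}

// True when `host` is `entry` itself or a subdomain of it.
function matchesDomain(host, entry) {
  return host === entry || host.endsWith("." + entry);
}

// Returns { result, type, match }; result === true means "block this site".
function checkDomain(hostname, config = SAMPLE_CONFIG) {
  const host = normalizeHost(hostname);

  if (config.allowlist.some((e) => matchesDomain(host, e))) {
    return { result: false, type: "allowlist", match: host };
  }
  const blocked = config.blocklist.find((e) => matchesDomain(host, e));
  if (blocked) return { result: true, type: "blocklist", match: blocked };

  // Assumption: the last two labels are the registrable domain (wrong for co.uk etc.).
  const registrable = host.split(".").slice(-2).join(".");
  for (const brand of config.fuzzylist) {
    // Brand domain embedded as a subdomain of something else, e.g. metamask.io.evil.example
    if (host.startsWith(brand + ".") || host.includes("." + brand + ".")) {
      return { result: true, type: "fuzzy", match: brand };
    }
    // Typo-squat: the host or its registrable domain is within edit-distance tolerance
    const distance = Math.min(levenshtein(host, brand), levenshtein(registrable, brand));
    if (distance <= config.tolerance) {
      return { result: true, type: "fuzzy", match: brand };
    }
  }
  return { result: false, type: "all", match: null };
}

// Stand-alone demo over constructed hostnames.
for (const h of ["app.metamask.io", "login.metamsk.io", "metamask.io.evil.example", "example.org"]) {
  console.log(h, "->", JSON.stringify(checkDomain(h)));
}
```

The order of the checks matters: the allowlist runs first so that a legitimate subdomain such as `app.metamask.io` is never compared for edit distance, and the lookalike pass only ever sees hostnames that neither list already decided. A small tolerance is deliberate; raising it makes short brand names collide with unrelated domains.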
Support and resources
  • MetaMask Support: Encounter an issue? Our support team is ready to assist you with any queries, including those related to security. Reach out to us at MetaMask Support.
  • Navigating Solana Guide: For those new to Solana or looking to deepen their understanding, our comprehensive guide is a must-read. It covers essential topics such as safely importing Solana accounts, bridging funds, and token swapping. Check out the Navigating Solana guide to enhance your experience and security on Solana.
Contribute to our security
  • Bug Bounty Program: As part of our ongoing commitment to security, MetaMask’s bug bounty program actively encourages security researchers to identify and report potential vulnerabilities. If you have the skills to spot security gaps, your contributions on the HackerOne platform are invaluable in helping us fortify MetaMask’s defenses, now including our Solana integration.

Meanwhile…

Coinbase faces extortion attempt and lawsuits over data breach

Coinbase is confronting a complex cybersecurity challenge involving a targeted extortion attempt and a wave of customer lawsuits. According to Coinbase's official blog, a cybercriminal group exfiltrated internal Coinbase data and demanded a $20 million ransom, which the company refused to pay. Although no customer funds were lost, attackers obtained some personally identifiable customer information.
The breach has sparked a series of lawsuits alleging Coinbase failed to adequately protect customer data and respond appropriately to the incident. One complaint alleges “Coinbase failed to adequately adopt and train employees on even the most basic of information security protocols.”
Coinbase’s disclosure states that the event originated when “cyber criminals bribed and recruited a group of rogue overseas support agents” who “abused their access to customer support systems to steal the account data for a small subset of customers.” The exchange maintains it acted swiftly, notified law enforcement, and is cooperating fully with investigations.
More recently, Taylor Monahan claimed that security researchers had provided Coinbase with evidence that threat actors had ongoing access to the data for many months prior to the date that the exchange publicly acknowledged the breach.

Surge in physical attacks raises alarm across crypto industry

There has been a troubling rise in physical attacks targeting individuals associated with digital assets, as highlighted by The Wall Street Journal and CNN.
French authorities are investigating an attempted kidnapping in Paris involving a prominent crypto executive. The attackers reportedly used physical force and threats in an effort to gain access to digital assets but ultimately failed to complete the theft. The incident underscores a growing trend of physical threats against individuals linked to the crypto industry and has intensified calls for improved personal security measures.
Meanwhile in New York City, two arrests have been made after an Italian citizen was kidnapped and tortured in an attempt by his captors to access his bitcoin. The victim told authorities that after two weeks of harrowing torture, he was able to escape with his life.
These stories follow a similar incident in January, when Ledger co-founder David Balland and his wife were abducted during a home invasion; the kidnappers mutilated Balland's hand. Dozens of such attacks have taken place over the past year, and the pace is accelerating.
Victims are often targeted based on public profiles, visible wealth, or perceived access to crypto wallets. MetaMask's Taylor Monahan commented: “The younger generation is just very good at doxxing people,” and detailed how threat actors discover home addresses by cross-referencing databases and purchasing personal information.

Some good news

Researchers use AI to combat lookalike wallet address scams

Security groups Webacy and TruGard have developed a new AI-based system that reportedly detects and prevents crypto address poisoning attacks with 97% accuracy. Address poisoning is a scam in which attackers trick users into sending funds to nearly identical wallet addresses. The AI tool analyzes transaction patterns and address similarities to identify and block suspicious activity in real time. As address poisoning continues to rise, the tool offers a promising solution for enhancing wallet security across the crypto ecosystem.
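The two signals the paragraph mentions, address similarity and transaction pattern, can be made concrete without any machine learning. The example below is added for this article and is not Webacy's or TruGard's code: it flags a recipient that shares the visible prefix and suffix of a trusted address, and an address whose only contact with the wallet is an unsolicited zero-value or dust inbound transfer, which is the footprint a poisoning attempt leaves in a transaction history. The addresses, the transfer history, the 4-character visible prefix/suffix and the dust threshold are all constructed assumptions.

```javascript
// Added example (not Webacy's or TruGard's code, and rule-based rather than AI):
// lookalike-address and address-poisoning heuristics. Addresses, history and
// thresholds are constructed samples chosen for illustration.

const VISIBLE_PREFIX = 4;      // hex chars a truncated wallet UI shows at the start...
const VISIBLE_SUFFIX = 4;      // ...and at the end of an address (assumption)
const DUST_THRESHOLD = 0.001;  // transfers at or below this (native units) count as dust (assumption)

function normalizeAddress(addr) {
  return String(addr).trim().toLowerCase();
}

// Strip the 0x prefix so prefix/suffix comparison works on the hex body.
function hexBody(addr) {
  const a = normalizeAddress(addr);
  return a.startsWith("0x") ? a.slice(2) : a;
}

// Two distinct addresses look alike when the parts a truncated UI displays are identical.
function looksAlike(a, b) {
  const x = hexBody(a);
  const y = hexBody(b);
  if (x === y || x.length !== y.length) return false;
  return x.slice(0, VISIBLE_PREFIX) === y.slice(0, VISIBLE_PREFIX) &&
         x.slice(-VISIBLE_SUFFIX) === y.slice(-VISIBLE_SUFFIX);
}

// Assess a pending send from `owner` to `recipient` against the trusted address
// book and the wallet's transfer history ({ from, to, value } records).
function assessRecipient(recipient, owner, trusted, history) {
  const r = normalizeAddress(recipient);
  const me = normalizeAddress(owner);
  const trustedSet = new Set(trusted.map(normalizeAddress));
  if (trustedSet.has(r)) return { risk: "low", reasons: [] };

  const reasons = [];
  // Signal 1: address similarity to something the user has deliberately paid before.
  const twin = [...trustedSet].find((t) => looksAlike(t, r));
  if (twin) reasons.push(`shares visible prefix/suffix with trusted address ${twin}`);

  // Signal 2: transaction pattern. The address only ever sent dust/zero-value
  // transfers to the owner and the owner never sent anything to it.
  const inbound = history.filter((tx) => normalizeAddress(tx.from) === r && normalizeAddress(tx.to) === me);
  const sentBefore = history.some((tx) => normalizeAddress(tx.from) === me && normalizeAddress(tx.to) === r);
  if (!sentBefore && inbound.length > 0 && inbound.every((tx) => tx.value <= DUST_THRESHOLD)) {
    reasons.push("only known from unsolicited dust/zero-value inbound transfers");
  }

  const risk = twin ? "high" : reasons.length > 0 ? "medium" : "unknown";
  return { risk, reasons };
}

// Scan the history for senders that would be rated "high" if the owner tried to pay them:
// these are the poisoned entries a user might copy from their activity list.
function findPoisonCandidates(history, owner, trusted) {
  const me = normalizeAddress(owner);
  const senders = new Set(
    history.filter((tx) => normalizeAddress(tx.to) === me).map((tx) => normalizeAddress(tx.from))
  );
  return [...senders].filter((s) => assessRecipient(s, owner, trusted, history).risk === "high");
}

// Constructed sample data: 40-hex-char bodies built so the lookalike is obvious.
const OWNER = "0x" + "1".repeat(40);
const TRUSTED_EXCHANGE = "0xabcd" + "0".repeat(32) + "5678"; // a counterparty the user has paid before
const POISON = "0xabcd" + "f".repeat(32) + "5678";           // same first/last 4 hex chars, different middle
const STRANGER = "0x" + "9".repeat(40);                      // unrelated address that paid the user

const SAMPLE_HISTORY = [
  { from: OWNER, to: TRUSTED_EXCHANGE, value: 1.5 }, // a real payment the user made
  { from: POISON, to: OWNER, value: 0 },             // the "poison": unsolicited zero-value transfer
  { from: STRANGER, to: OWNER, value: 0.25 },        // an ordinary inbound payment
];

// Stand-alone demo.
console.log("poison candidates:", findPoisonCandidates(SAMPLE_HISTORY, OWNER, [TRUSTED_EXCHANGE]));
console.log("sending to POISON:", assessRecipient(POISON, OWNER, [TRUSTED_EXCHANGE], SAMPLE_HISTORY));
```

The similarity check deliberately compares only the characters a truncated address display shows, because that is precisely what a user compares by eye; a wallet that highlights "this recipient was only ever seen sending you 0 tokens" turns the attacker's own poisoning transaction into the evidence against it.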
Ethereum Foundation announces “Trillion Dollar Security” initiative
In a recent blog post, the Ethereum Foundation emphasized the critical importance of security as the Ethereum ecosystem supports over $1 trillion in assets. The Foundation’s layered approach to security will range from protocol-level audits and formal verification to bug bounty programs and efforts driven by the security research community. With the ecosystem’s scale and complexity rapidly growing, the Foundation calls for broader industry collaboration and proactive investment in security infrastructure.

FBI and Europol seize domains linked to crypto seed phrase malware

The FBI, in coordination with Europol and other global law enforcement agencies, has seized several domains associated with LummaC2, a malware tool used to steal crypto wallet seed phrases and other sensitive information. This malware was often sold as a subscription-based "infostealer" targeting users through malicious links and downloads.
According to the FBI, the takedown is part of a broader effort to disrupt cybercriminal infrastructure used to compromise digital assets. The seized domains now display official warnings, signaling ongoing investigations and a commitment to curbing crypto-related cybercrime.

⚠️ Tales of Caution ⚠️

38,000 malicious subdomains tied to 'FreeDrain' crypto drainer

Summary
Researchers have uncovered FreeDrain, a global phishing campaign that uses SEO manipulation, AI-generated content, and fake wallet interfaces to steal crypto. Over 38,000 malicious subdomains lure users through search engine queries such as "Trezor wallet balance" to decoy pages that mimic real wallets. Clicking through these pages redirects users, sometimes to phishing sites that harvest seed phrases and drain funds within minutes.
The campaign abuses tools like GPT-4o to mass-generate convincing content and boost search rankings. The operation is linked to actors working regular hours in the Indian Standard Time zone.
How users can protect themselves
To protect against scams like FreeDrain, users should never enter their seed phrase anywhere except directly into their hardware wallet. Always access wallet platforms by typing in the official URL manually rather than clicking on search engine results or ads, which may be spoofed. Use transaction preview tools or browser wallet security features to verify actions before signing. Be cautious of sites that seem slightly off or prompt urgent action, and avoid connecting wallets to unfamiliar dApps or airdrops.

Fraudulent Ledger letters aim to steal wallet keys

Summary
A new phishing campaign is targeting Ledger hardware wallet users through physical letters. Scammers have been sending fake notices disguised as official Ledger correspondence, urging recipients to connect their wallets to a malicious site to “secure” their assets. The letters are highly convincing, featuring branded packaging and fraudulent instructions.
This attack marks a troubling evolution in phishing tactics, moving from email and SMS to physical mail, and it leverages data leaked in a 2020 Ledger customer breach. Security experts are urging users to remain vigilant and avoid entering recovery phrases anywhere except directly on their hardware device.
How users can protect themselves
Be cautious of unsolicited messages, physical or otherwise, that urge urgent action. Always verify any communication through official channels. Double-check URLs to avoid phishing sites, and stay updated on scams via Ledger’s official blog or social media. For added privacy, consider using a dedicated email and a PO box for crypto-related activities. If you receive anything suspicious, report it immediately to Ledger and local authorities. Note that Ledger will never request your secret recovery phrase, even for support.
