MetaMask Security Report: March 2025

    It's tax season; have you reviewed your GitHub Actions dependencies? Because the DPRK has.


    MetaMask Security Monthly: March 2025

    Nothing in life is certain but... scams and taxes. This issue contains a little bit of both, along with some bragging about MetaMask extension security 💪.

    🦊 What We’ve Been Up To 🦊

    MetaMask integrates Crypto Tax Calculator to simplify tax management for global users

    In many regions, the confusion around paying taxes on crypto has made it a daunting task and a prime target for scam services. Fake tax professionals charge high fees only to leave your taxes unprepared and your personal information compromised. This year MetaMask users can rest easier by using the new automated MetaMask Tax Hub, powered by Crypto Tax Calculator, to produce tax summaries specific to their jurisdiction.
    Read more about this embedded solution, brought to you by the fox you can trust, that takes the guesswork out of reporting digital assets this tax season. Or if you prefer, watch the detailed demo.
    
    

    🎙️ MetaMask in the Security Ecosystem 🔎

    How the MetaMask extension’s security measured up in an in-depth look by Neplox

    Fresh off his visit to SECCON, Gal Weizman breaks down a talk by Artem Mikheev and Vsevolod Kokorin of Neplox. These Capture the Flag security researchers examined the MetaMask browser extension along with other extension-based crypto wallets and, as Gal put it, “acknowledged how from the perspective of web app security, MetaMask was basically the most secure wallet they looked into.” Thanks, Neplox!

    Meanwhile…

    2025 Chainalysis Crypto Crime Report

    The latest installment of the annual Crypto Crime Report from Chainalysis is now available for download. It details significant trends and developments over the course of 2024, estimating at least $40 billion in illicit cryptocurrency transactions with projections suggesting this figure could surpass $51 billion as more data becomes available. These criminal transactions increasingly involve stablecoins. 
    Some of the highlights include:
    • State-sponsored North Korean hackers were responsible for over 60% of the $2.2 billion worth of crypto that was stolen last year, often acquired by infiltrating crypto firms.
    • Crypto investment scams, including those that promise high-yield earnings, accounted for around $5 billion in losses. Additionally, "pig butchering" scams—where perpetrators build relationships to defraud victims—grew by 40% compared to the previous year.
    • Despite some high-profile incidents, ransomware payments decreased by 35% in 2024, totaling approximately $813.55 million. This decline is attributed to enhanced law enforcement efforts and increased refusal by victims to pay ransoms.
    • Cryptocurrency use for sanctions evasion grew significantly, with Iranian crypto outflows rising 70% to $4.2 billion in 2024, highlighting a clear shift toward digital assets as a tool to bypass international restrictions.
    Additionally, significant portions of the report describe the activities of Huione Guarantee, a black-market platform operated by the Cambodian conglomerate Huione Group that offers money laundering services, stolen personal data for purchase, investment scam and drainer kits, and human trafficking, among other nefarious goods and services. 

    What Ethereum’s Pectra upgrade can mean for security

    Consensys is bullish on improvements promised by the Pectra Upgrade, which will introduce several key Ethereum Improvement Proposals (EIPs). By streamlining validator operations and introducing key protocol improvements, Pectra aims to reduce vulnerabilities and reinforce Ethereum’s core infrastructure. These changes not only tighten the network’s defenses against potential threats but also lay the groundwork for more robust scalability and validator efficiency in the long term.

    SEAL Releases Advisory on Reflected XSS Exploits by Perpetual Drainer

    A new, highly targeted drainer campaign, dubbed Perpetual Drainer, is actively going after Solana and Tron users by exploiting reflected XSS vulnerabilities on trusted websites. Tracked by our friends at the Security Alliance (SEAL), the threat actor lures victims to a legitimate site through a crafted link. Because the injected script runs in that site's origin, the wallet's connection and approval prompts display the trusted domain, so the domain-blocklist checks wallets rely on do not fire and a fraudulent approval becomes more likely. Operating via an affiliate model, Perpetual Drainer masks its origin by injecting its scripts through trusted domains, making detection harder. SEAL is coordinating with industry partners to mitigate the threat and urges site operators to close reflected XSS holes: encode untrusted input on output and deploy a Content Security Policy that disallows inline script.
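    The mechanism above, as an added example that is not code from MetaMask, SEAL, or the drainer: a minimal server-side search page rendered first with a reflected-XSS bug and then with HTML output encoding, plus the CSP header that blocks inline script as a second layer. The function names, the page template and the wallet-calling payload are constructed for illustration only; the payload is not a capture of any real drainer script.

```javascript
// Added example (not MetaMask or SEAL code): reflected XSS in a search page,
// the output-encoding fix, and a CSP header as defence in depth.

// Vulnerable: the user-controlled query is interpolated into HTML as-is, so a
// crafted link such as https://trusted.example/search?q=<script>...</script>
// makes the trusted origin itself serve the attacker's script.
function renderSearchVulnerable(query) {
  return `<!doctype html><h1>Results for: ${query}</h1>`;
}

// Encode the characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: the same page with the query encoded before interpolation.
function renderSearchHardened(query) {
  return `<!doctype html><h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Defence in depth: allow only same-origin script files. A reflected payload
// arrives as inline script, which browsers enforcing this header will not run
// even if encoding was missed somewhere in the app.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Constructed payload: in a reflected-XSS context this runs with the trusted
// site's origin, so the wallet's connect prompt names the trusted domain.
const PAYLOAD = '<script>window.ethereum.request({ method: "eth_requestAccounts" })</script>';

// Rough static check used here to show the difference: is there a live
// <script> tag in the rendered page? (A real test would load the page in a
// browser with the CSP enforced.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  const vulnerable = renderSearchVulnerable(PAYLOAD);
  const hardened = renderSearchHardened(PAYLOAD);
  return {
    vulnerableExecutes: containsScriptTag(vulnerable),
    hardenedExecutes: containsScriptTag(hardened),
    hardenedHtml: hardened,
  };
}

console.log(demo());
```

    Encoding must match the context the value lands in (HTML text here; a URL, attribute or JavaScript context each needs its own encoder), which is why the CSP is kept as well: it fails closed when a developer picks the wrong one.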

    ⚠️ Tales of Caution ⚠️

    Fake Zoom malware campaign by DPRK

    Summary
    In a concerning trend, crypto entrepreneurs, including David Zhang and Giulio Xiloyannis, have reported attempts by alleged North Korean hackers to compromise their data through deceptive Zoom calls. These incidents have seen hackers feigning technical issues during calls to distribute malware-laden links under the guise of fixing audio/video problems. Nick Bax from the Security Alliance highlighted this method, which has previously led to the theft of millions from unsuspecting victims. The scammers typically initiate contact with an offer for a meeting or partnership, only to attempt to dupe the participants into installing malicious software.
    How Users Can Protect Themselves
    1. Avoid Installing Unverified Software: Be cautious of any requests to install software or patches during video calls. Legitimate software updates should only be downloaded from official sources.
    2. Use Secure Devices: Consider using a device with limited access to sensitive information for taking calls with unknown parties.
    3. Educate Your Team: Ensure your team is aware of this scam and understands how to recognize and respond to suspicious meeting requests.
    

    StilachiRAT malware targets Chrome crypto wallets: A rising threat

    Summary
    StilachiRAT, a sophisticated remote access Trojan (RAT) discovered by Microsoft Incident Response in November 2024, targets cryptocurrency wallets held in Google Chrome. The malware decrypts credentials saved in Chrome, performs extensive system reconnaissance, and checks for a list of 20 crypto wallet extensions, including well-known ones such as Coinbase Wallet and MetaMask, looking for sensitive data such as passwords and private keys.
    How Users Can Protect Themselves
    1. Verify Software Sources: Always download browser extensions and software from official sources or the Chrome Web Store.
    2. Be Wary of Phishing Attempts: Exercise caution with emails or messages that prompt you to download attachments or click on links.
    3. Keep Software Updated: Regularly update your browser and extensions to patch any vulnerabilities that could be exploited.
    4. Use Antivirus Software: Install reputable antivirus software to detect and prevent malware infections.
    5. Monitor Account Activity: Regularly check your crypto wallet and online accounts for unauthorized transactions or changes.
    By following these safety measures, users can enhance their security posture and mitigate the risk of falling victim to cybercriminals targeting cryptocurrency assets.

    23,000 organizations targeted in GitHub Actions supply chain attack

    Summary
    A significant open-source supply-chain attack targeted the tj-actions/changed-files action, used by over 23,000 organizations, including large enterprises. This action, integral to many GitHub Actions CI/CD pipelines, was compromised to include credential-stealing code. After gaining access to a maintainer account, the attackers retroactively re-pointed the action's existing version tags at a malicious commit that dumps the CI runner's process memory and prints any secrets it finds to the workflow log; for public repositories, those logs are readable by anyone. The incident, first identified by security firm StepSecurity, underscores the fragility of the open-source ecosystem and the sophistication of supply-chain attacks.
    How Users Can Protect Themselves
    1. Audit Your GitHub Actions: Review the workflows in all your repositories for any use of tj-actions/changed-files. Because the attackers moved existing tags, a workflow that has not changed can still have run the malicious code; check the logs of runs from the affected period for unexpected output, and pay special attention to the versions you reference, especially if they fall within the compromised version range.
    2. Pin Actions to Commit SHAs: Reference third-party actions by full commit hash instead of a tag or branch, which a compromised maintainer account can move. A hash points at one specific, unaltered revision; keep the human-readable version in a comment next to it so tooling such as Dependabot can update the pin.
    3. Reset Credentials and Secrets: If the secrets used by your workflows could have been exposed, rotate them immediately, and treat anything printed to a public repository's workflow logs as compromised.
    4. Review and Restrict Third-party Access: Review the third-party applications and GitHub Actions that have access to your repositories and limit each to the permissions its function requires, starting with a read-only default GITHUB_TOKEN.
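    As an added example for steps 1 and 2 (not MetaMask's or StepSecurity's tooling), the following script scans GitHub Actions workflow text for `uses:` references and reports every reference that resolves through a mutable tag or branch instead of a 40-hex commit SHA, plus any reference to an action on a watchlist, which here contains tj-actions/changed-files. The sample workflow, the function names and the 40-hex value next to actions/setup-node are constructed placeholders, not real commits or a real repository's configuration.

```javascript
// Added example (not MetaMask or StepSecurity code): flag GitHub Actions
// references that are not pinned to an immutable commit SHA, and any use of a
// watchlisted action.

const FULL_SHA = /^[0-9a-f]{40}$/i;

// Parse every `uses:` line. Returns one record per third-party reference;
// local actions (./path) and docker:// images carry no git ref to pin.
function findUses(yamlText) {
  const records = [];
  yamlText.split('\n').forEach((raw, index) => {
    const m = raw.match(/^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)/);
    if (!m) return;
    const spec = m[1];
    if (spec.startsWith('./') || spec.startsWith('docker://')) return;
    const at = spec.indexOf('@');
    const action = at === -1 ? spec : spec.slice(0, at);
    const ref = at === -1 ? '' : spec.slice(at + 1);
    records.push({ line: index + 1, action, ref, pinned: FULL_SHA.test(ref) });
  });
  return records;
}

// One finding per problem, so an action that is both watchlisted and
// unpinned yields two findings.
function audit(yamlText, watchlist = ['tj-actions/changed-files']) {
  const findings = [];
  for (const rec of findUses(yamlText)) {
    // owner/repo only: reusable workflows and sub-actions carry a subpath.
    const repo = rec.action.split('/').slice(0, 2).join('/');
    if (watchlist.includes(repo)) {
      findings.push({ ...rec, reason: 'watchlisted action' });
    }
    if (!rec.pinned) {
      findings.push({ ...rec, reason: 'ref is not a full commit SHA (a tag or branch can be moved)' });
    }
  }
  return findings;
}

// Constructed sample workflow. The 40-hex value is a placeholder, not a real
// commit of actions/setup-node.
const SAMPLE_WORKFLOW = `
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Which files changed?
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2 (placeholder SHA)
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
`;

for (const f of audit(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.action}@${f.ref || '(none)'}: ${f.reason}`);
}
```

    A SHA pin only helps if the commit it names was reviewed when it was chosen, so keep the version as a trailing comment (as in the setup-node line) and let Dependabot or Renovate propose pin updates rather than bumping by hand. Run the scanner over every file under .github/workflows in each repository, and remember that it reports what the workflow references today, not what a moved tag resolved to during an earlier run; step 1's log review covers that gap.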
