MetaMask Security Monthly: November 2023

Whether you just returned from DevConnect or were holding down the fort from home, we hope this issue finds you safe and well!

by Luker, December 4, 2023
🎙️ MetaMask in the Security Ecosystem 🔎

Ian Wallis Presented at Zuzalu’s ZuConnect Event in Istanbul

View the Security Considerations in Web3 slide deck!

MetaMask’s Taylor Monahan Teams up with ZachXBT to Investigate LastPass Breach Crypto Losses

“According to research conducted by Monahan and ZachXBT, it is believed that the threat actors are cracking these stolen password vaults to gain access to stored cryptocurrency wallet passphrases, credentials, and private keys.”

Reminder for Dev Feedback on DNS Allowlist Solution

If You Haven’t Already Checked Out MetaMask’s Blockaid Integration And Security Snaps, You’re Missing Out on Valuable Security Enhancements

Latest from the LavaMoat Team

Tales of Caution

Tether Freezes 225M USDT Linked to International Crime Syndicate


OKX, Tether, Chainalysis, ZachXBT, and the US Department of Justice collaborated to freeze 225M USDT linked to a human trafficking syndicate responsible for global pig butchering scams. This is the largest token freeze performed by Tether to date. Tether will work with lawful end users to unfreeze their wallets.

How Users Can Protect Themselves

To avoid pig butchering and/or romance scams, users should do the following:

  • If it’s too good to be true, it probably is - Receiving an exchange of value significantly higher than what you give is a key indicator of a pig butchering scam.
  • Be wary of unsolicited contact - If a stranger reaches out to you asking to exchange or to be sent money, you probably should not. The same goes for an online relationship where you have never met the person in real life.
  • Start a conversation with our MetaMask support team - If you feel like you are about to be scammed, start a chat with our team before you decide to send any crypto. They can tell you if you are likely being pig-butchered.

Hacker Who Stole Over $130M Offered a $10M Bounty


Justin Sun’s exchange, Poloniex, suffered what is believed to have been a private key compromise in early November. The attack resulted in the loss of over $130M, making it one of the largest hacks of the year and landing Poloniex at rank #16 on the Rekt leaderboard. The Poloniex team claims to have identified the attacker and has offered to pay a $10M bounty if the funds are returned. Law enforcement is threatening to take action if the attacker chooses to keep the funds.

How Users Can Protect Themselves

Poloniex announced that funds will be restored and that users will soon be able to deposit and withdraw their funds again. As a user, you should practice safe self-custody by withdrawing your tokens and preferably storing large/risky amounts in a cold wallet and smaller/less risky amounts in a hot wallet, such as MetaMask. Any time an exchange is holding your crypto, it has full custody of those funds and decides how they are handled. Always remember: “Not your keys, not your coins.”

For developers, admins, and any parties responsible for managing the wallets of other users: it’s important to use multi-signature wallets. In order for an attacker to successfully compromise a multi-signature wallet, every key manager would have to be compromised, which significantly reduces the risk of an attack.

Executives Lured on 'Business Trip' to Montenegro; Abducted and Forced to Empty Wallets. Total loss ~$12.5m.

How Users Can Protect Themselves

  • Never disclose (and especially never brag about) any crypto holdings to anyone who doesn’t strictly need to know. Your granny, barber, or best friend from high school may be impressed, but loose lips dramatically increase your threat profile.
  • Diversify when reasonable, keeping different amounts in appropriate places. Connect a hardware wallet to MetaMask to achieve a good security balance for many activities. Then research and consider multisig and/or paper wallets not connected in any way to your identity that are only known by the people you trust most. For multisigs, keep geographic distance and necessary opsec between keyholders.
  • Don’t allow direct access to more funds than you need to transact with or can afford to lose on devices you carry on you (laptop/phone). Heading on vacation and don’t plan to use/trade anything from your large cold wallet? Leave absolutely everything needed to access it somewhere safe while you’re gone, and definitely don't bring it on the trip.

