MetaMask Security Monthly: September 2024
Our September security update dives into the $243M heist brought down by hubris, the quarterly MetaMask x Wallet Guard: State of Security, and more.
Puerto Rican physician Dr. Helen Rodriguez-Trías was the first Latina president of the American Public Health Association. She championed healthcare rights for women and children, fought against sterilization abuse, and cared for HIV and AIDS patients in the 1980s.
🦊 What We’ve Been Up To 🦊
Kleros x MetaMask Snaps: Unlocking Trust with Signature Insights
Can you believe it's been a year since MetaMask Snaps launched? Christian Montoya joins Guangmian Kung from Kleros, one of the first snaps to launch, to discuss the current Snaps focus on signature protection.
"By opening up this other dimension of allowing developers to build security features for signatures, we're able to leverage the power of the community to safely decode and help protect users from malicious signatures." – Christian Montoya
Additionally, Christian discusses how MetaMask and Consensys are supporting up-and-coming third-party developers who have a lot to offer the ecosystem through snaps, helping them to build sustainable businesses and brands. He also teases that human-readable name resolution will be launching soon, and looks down the road to the next phase of permissionless snaps.
Crypto Job Scams: Staying Safe in Web3
Whether you’re hiring or looking to be hired, make sure you stay aware of the spike in work-related grifts that have been seen this year. Scammers are creating fake job offers to trick individuals into sharing sensitive information, or installing malware as a means to separate them from their crypto assets. Threat actors have also been weaseling their way into blockchain-related companies to wreak havoc through the back door.
MetaMask Support's Staying Safe in Web3 article offers tips on how to identify and avoid these fraudulent schemes, including verifying the legitimacy of job postings and safeguarding businesses.
🎙️ MetaMask in the Security Ecosystem 🔎
State of Security: MetaMask X WalletGuard
In case you missed it: MetaMask Security Researchers Miles Nolan and Jackson Brietzke joined our regular Wallet Guard hosts, Ohm Shah and Michael Khekoian, on a threat intelligence-heavy installment of our quarterly State of Security. Plus, we’re excited to welcome Wallet Guard into the Consensys family! As always, we’ll also give you tips on being safe as you navigate the crypto space.
Taylor Monahan Weighs in on FBI Warning of North Korean Hackers’ Interest in Bitcoin, Ethereum ETFs
As reported by DLNews, the FBI has warned that North Korean hackers are targeting companies involved with cryptocurrency exchange-traded funds (ETFs), such as those dealing with Bitcoin and Ethereum. These hackers, particularly the Lazarus Group, are known for using sophisticated cyber attacks and social engineering tactics to steal funds. With ETFs growing in popularity and attracting significant investment, the FBI's warning urges companies to strengthen internal security and prepare for potential attacks.
MetaMask’s Monahan was quoted as saying “If I were an ETF issuer (or even working at a company adjacent or brand affiliated with ETFs), I would definitely be reviewing my internal controls right now,” and went on to give tips to organizations. She also theorizes that the federal PSA may be an effort to “front run a hack.”
⚠️ Tales of Caution ⚠️
Scammers Orchestrate $243 Million Bitcoin Heist
Summary
Federal agents have arrested 2 individuals for orchestrating a US$243 million Bitcoin theft from a Washington, D.C. resident, believed to be a Genesis creditor. The duo, employing sophisticated tactics and online aliases, are accused of accessing and laundering over 4,100 Bitcoin since August. Their extravagant expenditures included international trips, luxury items, and high-end Los Angeles and Miami rentals. Blockchain investigator ZachXBT highlighted their "highly sophisticated social engineering attack," which involved impersonating support staff from Google and Gemini exchange to deceive the victim into compromising their Bitcoin keys. The stolen funds were dispersed across multiple exchanges, encompassing a complex web of transactions involving Bitcoin, Litecoin, Ethereum, and Monero. However, in leaked videos showing the attack in progress and efforts to hide the stolen funds, the alleged attackers inadvertently exposed their own identities and the details of their money laundering operation.
How Users Can Protect Themselves
Enable two-factor authentication (2FA) for an added layer of security on all sensitive accounts and be wary of any requests to reset or disable it, especially from unsolicited calls or messages. Always verify the identity of support personnel by contacting the company directly through official channels. Be cautious of sharing personal information or allowing remote access to your devices. Educate yourself on the latest phishing tactics and remain vigilant for any suspicious activity.
FBI Seizes Cryptocurrency Recovery Website
Summary
The FBI San Diego Field Office has recently taken action against a new scam targeting victims of cryptocurrency fraud by seizing the websites of three so-called cryptocurrency recovery services: MyChargeBack, Payback LTD, and Claim Justice. These services falsely advertised their ability to trace and recover lost cryptocurrency funds, often demanding substantial upfront fees and additional commissions without delivering on their promises. Utilizing social media and fake reviews, these fraudulent companies have exploited victims' hopes of reclaiming their lost assets, further entrenching them in financial loss.
How Users Can Protect Themselves
Exercise caution and conduct thorough research on any cryptocurrency recovery service. Be skeptical of services that require upfront payments or boast unrealistic success rates without verifiable track records. Always verify the authenticity of individuals claiming to offer recovery services, especially if they allege connections to legal or financial institutions. If approached by someone promising to recover stolen cryptocurrency, refrain from sharing personal or financial information and avoid making any payments. Victims of such schemes are encouraged to report their experiences to ic3.gov to help combat these fraudulent activities.
Home Invasions to Steal Bitcoin Result in a 47-Year Prison Sentence
Summary
Remy St Felix, a 24-year-old from Florida, was sentenced to 47 years in prison for leading a criminal group in a series of violent home invasions targeting cryptocurrency owners. The group, consisting of 13 co-conspirators, stole $3.5 million in Bitcoin and other digital assets through brute force, SIM-swapping attacks, and holding victims at gunpoint in Florida. St Felix was convicted on multiple counts, including conspiracy, kidnapping, and wire fraud, and was ordered to pay $524,000 in restitution. The criminal activities spanned across the United States, from Texas to New York, between September 2022 and July 2023. The crew also engaged in laundering the stolen funds using decentralized finance tools. A co-conspirator, Jarod Gabriel Seemungal, received a 20-year sentence and was ordered to pay $4 million in restitution. The FBI, along with other law enforcement agencies, played a crucial role in bringing the perpetrators to justice.
How Users Can Protect Themselves
Individuals should enhance their digital security practices. This includes using strong, unique passwords for all accounts, enabling two-factor authentication, and being cautious of sharing personal information online. Additionally, consider using non-custodial wallets to store significant amounts of cryptocurrencies, as they are less vulnerable to online hacking attempts like SIM-swapping. This incident is a reminder that cryptocurrency holders, like those with traditional fiat, may face physical security threats.
Meanwhile...
The Real Impact of an Onchain Hack: A Comprehensive Study of Hack Damage from 2021 to 2023
Immunefi's Mitchell Amador talks about the challenges and opportunities in blockchain security and bug bounties. He highlights a growing need for more skilled people to tackle security issues in the space, and stresses that trust is key to improving security outcomes. He also shares some forward-looking ideas, suggesting that in the future, new systems might emerge to replace the old ones, similarly to how tech is shaking up traditional finance.
Common Vulnerabilities: Liquid Restaking Protocols - Smart Contracts
Sigma Prime security researcher Elmedin Burnik outlines potential risks in liquid restaking protocols, like reentrancy attacks, denial-of-service issues, and reward distribution bugs. He breaks down how these work in systems like EigenLayer, using real-world examples from security reviews. With this knowledge share, Elmedin hopes to help developers and researchers understand and fix these problems to improve blockchain security.