
April Fool’s Day may be behind us, but a healthy dose of skepticism is worth keeping year-round.
We did it again: the MetaMask extension held its #1 position as the most secure wallet option in Coinspect's latest ranking. Coinspect's Security Score, on a scale of 0 to 100, is derived from four wallet security checklists: Dapp Permissions, Intent Verification, Physical Access, and Threat Prevention. Thanks again to the Coinspect team for the recognition.
While activity from North Korean advanced persistent threats (APTs) may have briefly dipped on April 15 in observance of the Day of the Sun holiday, DPRK-linked operations remained active throughout the month. Security researchers like MetaMask’s Taylor Monahan continue to play a key role in exposing their tactics and uncovering malicious campaigns.
Nick Franklin, formerly revered as a security expert on Twitter, is alleged to have been secretly working for North Korea. He is believed to have played a role in advanced cyber espionage operations and cryptocurrency thefts, including the $50 million hack of Radiant Capital last fall.
Over the course of a year, Franklin built trust within the crypto community by publishing timely analyses of major exploits, until he was caught distributing a malicious app file disguised as a security report. The follow-up investigation, which Taylor assisted, uncovered a broader network of DPRK operatives engaged in everything from launching fake protocols to executing high-profile heists, and showed how much of the industry's defense still rests on trust in individual personas rather than on verifiable controls.
In February 2025, North Korea's Lazarus Group executed a $1.4 billion hack on crypto exchange Bybit, marking the largest crypto theft to date.
Investigations revealed that approximately $1.2 billion of the stolen funds were laundered through THORChain, a decentralized cross-chain protocol facilitating crypto swaps without intermediaries. Despite pressure from authorities, THORChain's operators have not blocked transactions linked to the heist, citing the network's decentralized nature.
Taylor criticized THORChain's stance, pointing out that while the platform claims to be decentralized, its developers and validators, many of them based in jurisdictions with strict anti-money-laundering rules, have profited significantly from the fees on the laundered transactions. She emphasized the ethical and legal implications of facilitating such activity under the banner of decentralization.
Security researcher Cookie Connoisseur is offering a glimpse into some of the profiles and behaviors of these APT adversaries, complete with pictures. Other researchers are chiming in to compare notes.
According to the FBI's 2024 Internet Crime Complaint Center (IC3) Annual Report, cryptocurrency-related fraud losses in the United States escalated to over $9.3 billion, marking a 66% increase from 2023.
These losses stemmed from various schemes, including investment scams, extortion, sextortion, and fraudulent activities involving crypto ATMs and kiosks. The report also notes that victims over 60 suffered the highest financial losses in the crypto category across all age groups, reinforcing the need for enhanced education, platform-level warnings, and protective mechanisms aimed at older users.
Our friends at Forta found that nearly 90% of tokens deployed to Uniswap v2 pools on Base over a 28-day period were hard rug pulls: tokens whose deployer seeds a pool, draws in buyers, and then withdraws the liquidity, leaving holders with a worthless asset. The low cost and simplicity of deploying on Base has made it a hotspot for scammers using a "spray-and-pray" tactic: mass-deploying fake tokens, simulating trading activity, and pulling liquidity as soon as real users buy in.
One actor alone was linked to more than 19,000 scam tokens, which shows the industrial scale of the problem. Forta is calling for stronger proactive defenses, such as its Forta Firewall, to protect users from these rapid-deployment fraud campaigns.
Summary
Threat actors published a malicious npm package named pdf-to-office, advertised as a converter from PDF to Microsoft Word documents but whose real purpose is to tamper with locally installed cryptocurrency wallet software, specifically Atomic Wallet and Exodus.
The package, first published on March 24, 2025, has been updated several times and was still available for download at the time of the report, with 334 downloads. It does not attack the developer's own project; it locates the wallet software already installed on the machine and patches it so that the recipient address of an outgoing transaction is silently replaced with one controlled by the attacker. Because the change is written into the wallet's own files, removing the npm package does not undo it: the wallet stays compromised until it is reinstalled from a clean source, which is what makes this a software supply chain threat with lasting effect.
How Users Can Protect Themselves
To defend against supply chain attacks, check who publishes a package, how long it has existed and whether it runs install scripts before adding it, and keep your cryptocurrency wallet software up to date. Monitor wallet activity closely, and if compromise is suspected, uninstall the wallet and reinstall it from a trusted source. Use reliable, updated security software to detect threats, and stay informed, sharing knowledge with your team to strengthen overall awareness and resilience.
Tools like LavaMoat can also help by sandboxing JavaScript dependencies and enforcing security policies, reducing the risk of malicious behavior in your software supply chain.
Summary
A newly identified threat actor, dubbed SLOVENLY COMET, gained access to SMS traffic passing through a compromised SMS gateway provider and used it to intercept multi-factor authentication (MFA) codes, taking over Telegram accounts, particularly within Argentina's crypto community.
The attackers ran a Telegram bot that systematically collected the intercepted SMS messages containing MFA codes, affecting users of Google, Microsoft, Apple, Telegram, Facebook, Mercadolibre, Amazon, Binance, Instagram, TikTok, Temu, and Signal. Because anyone positioned at the gateway can read the codes in transit, the incident illustrates the structural weakness of SMS-based authentication rather than a flaw in any one service.
How Users Can Protect Themselves
Security Alliance's SEAL team advises users and service providers to transition away from SMS-based MFA in favor of more secure alternatives like authenticator apps or hardware tokens. For those potentially impacted by SLOVENLY COMET, immediate action is recommended to secure accounts and review authentication settings.
Summary
With Zoom scams on the rise, security researchers at Trail of Bits have now exposed ELUSIVE COMET: a threat actor engaging in a sophisticated social engineering campaign targeting the crypto community.
Using fake invitations to a "Bloomberg Crypto" series, the attackers sought to compromise crypto wallets through Zoom's remote control feature, which lets one meeting participant request control of another participant's screen. Victims were tricked into installing malware under the guise of fixing audio or video issues during the call. The discovery highlights the increasing sophistication of these campaigns, particularly their focus on operational security lapses within the blockchain industry.
How Users Can Protect Themselves
To protect against social engineering attacks like those linked to ELUSIVE COMET, it’s important to exercise caution with unsolicited invitations—especially those offering media opportunities or partnerships that seem out of the ordinary. Always verify the legitimacy of such outreach through official channels, such as confirmed email addresses or direct contact with the organization.
Additionally, limit or disable features like Zoom’s remote control access unless absolutely necessary, and ensure your systems are regularly updated and hardened with strict access controls. Robust endpoint protection with real-time monitoring is essential, as is ongoing education for teams about common attack tactics.
For more on ELUSIVE COMET, see Jake Gallen’s deep-dive.