
Featuring MetaMask welcoming Web3Auth, LavaMoat updates arriving, cyber baddies going bye bye, and more.
Nergis Mavalvala contributed to the detection of gravitational waves in the LIGO project and experimentation in quantum measurement science.
We talk a lot about malicious attacks, but did you know 35% of users fail to adequately back up their secret recovery phrases, putting them at risk of fund loss? As MetaMask's co-founder Dan Finlay put it: "'Don't share this with anyone, but also don't lose it' is a very difficult needle to thread."
That's why we're excited to announce that Consensys has acquired Web3Auth, a leading provider of key management and embedded wallet infrastructure. By integrating Web3Auth's capabilities, MetaMask users will be able to create and recover wallets using familiar web2 authentication methods, such as social logins and device-based authentication. Stay tuned for more exciting announcements to come!
The acquisition also provides developers with access to embedded wallet SDKs and key management infrastructure, making wallet management easier and more streamlined.
@lavamoat/webpack hits 1.0
After an audit from OtterSec, allowing for dynamically loaded chunks, and refactoring for maintainability, our Webpack plugin has reached version 1.0 and is considered stable and ready to use. Next up are plans for opt-in security improvements.
@lavamoat/react-native-lockdown gets the first release
We've not only been able to get Hardened JavaScript's lockdown() working within the constraints of the Hermes engine in React Native, but also found a way to deliver it to developers in a neat package that integrates via the Metro config file. We've released a very early version and are looking for test results and feedback. Try it out and share your experience in the issues!
In case you missed it, we also have other projects going:
@lavamoat/node
Though still a work in progress, our complete rewrite of LavaMoat for Node.js is already functional. It introduces full ESM support and DX improvements for those running commands from npm packages. lavamoat-node is still supported and stable, though it will eventually be deprecated because it lacks ESM support.
As we develop new capabilities, some are being integrated into lavamoat-node. You can now get more precise access control on globals that are marked as writable elsewhere. Policy file ordering improvements have landed in all LavaMoat tools, so generated policy.json files produce a git diff that only indicates actual changes and minimizes reordering of listed resources as your dependency tree rearranges upon update.
@lavamoat/git-safe-dependencies
We’ve released a new tool that serves as an opinionated validator to prevent security issues with installing dependencies (or GitHub actions) directly from git repositories. Its release was followed by an article in the 6th issue of PagedOut! Magazine.
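To illustrate the kind of check such a validator performs, here is an added example in the spirit of @lavamoat/git-safe-dependencies; it is not that tool's code, and it flags both npm git dependencies that are not pinned to a full commit hash and GitHub Actions references pinned to a mutable tag or branch. The package names, repositories, commit hashes and workflow lines are constructed samples.

```javascript
// Added example in the spirit of @lavamoat/git-safe-dependencies (not that tool's code).
// It flags npm dependencies fetched from git that are not pinned to a full 40-hex commit
// hash, and GitHub Actions `uses:` refs pinned to a mutable tag/branch. Samples are constructed.
const FULL_SHA = /^[0-9a-f]{40}$/i;
const GIT_PREFIX = /^(git\+\w+:|git:|github:|https?:\/\/github\.com\/)/i;
const BARE_GITHUB = /^[\w.-]+\/[\w.-]+(#.*)?$/;   // npm shorthand "owner/repo"

// Walk the dependency fields of a parsed package.json and report unpinned git specs.
function checkPackageJson(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec !== 'string') continue;
      if (!GIT_PREFIX.test(spec) && !BARE_GITHUB.test(spec)) continue;   // registry dep
      const at = spec.indexOf('#');
      const ref = at === -1 ? '' : spec.slice(at + 1);   // npm puts the git ref after '#'
      if (FULL_SHA.test(ref)) continue;
      findings.push({ name, spec, reason: ref
        ? `ref "${ref}" is not a full commit hash` : 'no ref: floats with the default branch' });
    }
  }
  return findings;
}

// Scan raw workflow YAML for `uses: owner/repo@ref` lines whose ref is not a commit SHA.
function checkWorkflow(yamlText) {
  const findings = [];
  yamlText.split('\n').forEach((line, i) => {
    const m = line.match(/^\s*-?\s*uses:\s*['"]?([^'"\s#]+)/);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith('./') || ref.startsWith('docker://')) return;   // local path or image
    const at = ref.indexOf('@');
    const sha = at === -1 ? '' : ref.slice(at + 1);
    if (FULL_SHA.test(sha)) return;
    findings.push({ name: ref, line: i + 1,
      reason: sha ? `ref "${sha}" is a mutable tag or branch` : 'no ref' });
  });
  return findings;
}
// Constructed sample inputs; the commit hashes are placeholders, not real commits.
const SAMPLE_PKG = { dependencies: {
  left: '^1.0.0',
  pinned: 'github:acme/pinned#0123456789abcdef0123456789abcdef01234567',
  floating: 'acme/floating',
  branchy: 'git+https://github.com/acme/branchy.git#main' } };
const SAMPLE_WORKFLOW = ['steps:', '  - uses: acme/checkout-fork@v4',
  '  - uses: acme/setup-tool@1111111111111111111111111111111111111111',
  '  - uses: ./.github/actions/local'].join('\n');
```

Running checkPackageJson(SAMPLE_PKG) reports "floating" and "branchy", and checkWorkflow(SAMPLE_WORKFLOW) reports the "@v4" action on line 2; the SHA-pinned entries and the local action pass.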
Cryptonews recently examined how safe the MetaMask wallet is, and we're grateful for their assessment that "with over 30 million active users and an eight-year track record," MetaMask has solidified its reputation as "a very safe choice with many security features and an active development team committed to improving its security level." The article highlights our security features and gives tips on self-custodial best practices. Thanks Cryptonews!
Ethereum's recent Pectra upgrade introduced EIP-7702, aiming to enhance user experience by allowing wallets to temporarily function like smart contracts. However, this feature has been exploited by malicious actors. Wintermute's analysis revealed that over 80% of EIP-7702 delegations were linked to a single malicious script dubbed "CrimeEnjoyor," designed to automatically drain wallets with compromised keys. A notable incident involved a user losing nearly $150,000 through a phishing attack facilitated by this script.
However, MetaMask’s Monahan emphasized that the core issue isn't EIP-7702 itself but the persistent challenge of users securing their private keys. She noted that while EIP-7702 offers advanced functionalities, it also provides attackers with more efficient means to exploit compromised keys. This situation underscores the importance of robust private key management and heightened user vigilance in the evolving Ethereum ecosystem.
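As an added example (not code from the original post or from MetaMask), the following shows the check a defender can run on any address: under EIP-7702, an account that has authorized a delegation carries the 23-byte designator 0xef0100 followed by the 20-byte delegate address as its account code, so the result of eth_getCode is enough to tell whether a key is delegated, to whom, and whether that delegate is on a denylist of known drainer contracts. It also distinguishes a delegation from ordinary contract bytecode; the drainer address and code values below are constructed placeholders.

```javascript
// Added example, not from the original post or from MetaMask. Under EIP-7702 an EOA
// that has authorized a delegation gets the 23-byte designator 0xef0100 || <20-byte
// delegate address> stored as its account code, so the value returned by eth_getCode is
// enough to tell whether a key is delegated, and to whom. Sample values are constructed.
const DELEGATION_PREFIX = 'ef0100';

function normalizeHex(hex) {
  const h = hex.startsWith('0x') ? hex.slice(2) : hex;
  if (!/^[0-9a-f]*$/i.test(h)) throw new Error('not a hex string: ' + hex);
  return h.toLowerCase();
}

// Returns the delegate address as '0x' + 40 lowercase hex chars, or null if the code is
// not an EIP-7702 delegation designator (plain EOA or ordinary contract bytecode).
function parseDelegation(codeHex) {
  const code = normalizeHex(codeHex);
  if (code.length !== 46 || !code.startsWith(DELEGATION_PREFIX)) return null;
  return '0x' + code.slice(6);
}

// Classify an account from its code; denylist holds lowercase delegate addresses that
// have been identified as drainer contracts (here a constructed placeholder).
function classifyAccount(codeHex, denylist = new Set()) {
  const code = normalizeHex(codeHex);
  if (code.length === 0) return { status: 'eoa', delegate: null };
  const delegate = parseDelegation(code);
  if (delegate === null) return { status: 'contract', delegate: null };
  const status = denylist.has(delegate) ? 'delegated-to-denylisted' : 'delegated';
  return { status, delegate };
}

// Constructed samples: a placeholder drainer address and four eth_getCode results.
const DRAINER_PLACEHOLDER = '0x' + '0badc0de'.repeat(5);
const KNOWN_DRAINERS = new Set([DRAINER_PLACEHOLDER]);
const SAMPLE_CODES = {
  plainEoa: '0x',
  delegated: '0xEF0100' + '11'.repeat(20),
  delegatedToDrainer: '0xef0100' + '0badc0de'.repeat(5),
  contract: '0x6080604052',
};
```

In practice the code value comes from eth_getCode against your own addresses, and a wallet or monitoring job can alert when the delegate changes or matches the denylist.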
In three related stories published in June, we can see that advanced persistent threats coming out of North Korea show no signs of slowing.
The U.S. Department of Justice is seeking the forfeiture of $7.7 million in cryptocurrency linked to North Korean hackers who posed as IT workers to infiltrate U.S. companies. These individuals used fake identities to secure remote jobs, received payments in stablecoins, and laundered the funds through various methods before transferring them to the North Korean government. Experts warn that such operations, often employing AI-generated personas and deepfake technology, could generate hundreds of millions annually for the regime.
BitoPro, a Taiwanese crypto exchange, lost $11 million in a hack on May 8, 2025, during a hot wallet system update. The attack is attributed to North Korea’s Lazarus Group, who used malware and stolen AWS tokens to bypass security and drain funds across multiple blockchains. The stolen crypto was then laundered through mixers and decentralized exchanges. BitoPro has since restored the wallets and confirmed no internal involvement.
North Korea's Lazarus Group has been laundering billions in stolen cryptocurrency through decentralized finance platforms, particularly utilizing the Tron blockchain's low-fee infrastructure. According to on-chain analyst ZachXBT, the group operates within an underground network of brokers who utilize swap pools, new wallets, and peer-to-peer trading methods, making the estimated $5 billion to $10 billion in illicit funds difficult to trace. Critics highlight that platforms like Tron lack meaningful controls, enabling such large-scale laundering operations. While TRON DAO claims to support anti-crime efforts in collaboration with entities like Tether and TRM Labs, many argue these measures are reactive and insufficient. ZachXBT emphasizes that the broader crypto industry is experiencing a "crime supercycle," with massive hacks and minimal accountability.
Interpol's "Operation Secure" has successfully dismantled over 20,000 malicious IP addresses and domains linked to infostealer malware. This coordinated effort, involving law enforcement agencies from 26 countries and private-sector partners like Group-IB, Kaspersky, and Trend Micro, led to the seizure of 41 servers and the arrest of 32 individuals connected to cybercriminal activities. Infostealers are malicious software designed to extract sensitive data such as passwords, credit card details, and cryptocurrency wallet information from infected devices. The operation also resulted in notifying over 216,000 victims and potential victims, enabling them to take immediate protective actions.
The U.S. Department of Justice has announced its largest-ever recovery of funds tied to crypto investment scams known as "pig butchering," where victims are manipulated over time to extract maximum value. The government is now working to return as much of the seized funds as possible to the more than 400 victims.
Summary
Cryptocurrency price tracking site CoinMarketCap fell victim to a supply chain attack that exposed visitors to a wallet-draining campaign. Hackers exploited a vulnerability in the site's homepage doodle image to inject malicious JavaScript, triggering fake Web3 wallet connection popups. Unsuspecting users who connected their wallets had their cryptocurrency drained, with over $43,000 stolen from 110 victims. This attack highlights the growing threat of wallet drainers, which exploit trusted elements of platforms to target crypto users. While the malicious code was quickly removed, CMC says an investigation is still ongoing.
How users can protect themselves
To protect yourself from wallet-draining attacks, always verify the legitimacy of Web3 pop-ups before connecting your wallet. Avoid clicking on suspicious links or interacting with popups on unfamiliar sites, and consider using hardware wallets for significant crypto holdings. Fortunately, the total loss from this incident was mitigated in part by swift responses from security practitioners and by transaction simulators that warned many potential victims before they lost their funds.
CoinTelegraph's website was compromised through a front-end exploit that displayed a fake airdrop pop-up promoting non-existent CTG tokens. The pop-up falsely claimed users could receive $5,500 by connecting their wallets and cited a fake CertiK audit to appear trustworthy.
The blockchain news outlet was quick to warn users against interacting with these pop-ups and remove the unauthorized code. The online publication has since claimed to have “strengthened [its] security controls to prevent any similar occurrences in the future.”
How users can protect themselves
Users should be cautious about unexpected pop-ups or offers, especially those promising large financial rewards in exchange for connecting a wallet. Before interacting with such prompts, users should verify the legitimacy of the information through official sources. As an extra precaution, users should compare messaging from the organization’s verified social media, website, and other trusted marketing activities.
Summary
Hardware wallet maker Trezor issued a security alert after attackers abused its online support contact form to send phishing emails disguised as legitimate support replies. These scam emails aimed to trick users into sharing their wallet backups, which should always remain private and offline. Trezor confirmed that no breach of its systems or user data occurred, and the phishing campaign has been contained. The firm emphasized the importance of vigilance and has launched an investigation to prevent future abuse.
How users can protect themselves
To avoid phishing scams, never share your wallet backup or private keys, even if the request appears legitimate. Always verify the authenticity of communications. Be cautious of unsolicited emails, especially those asking for sensitive information, and avoid clicking on links or downloading attachments from unknown sources.
SparkKitty: Stealing Crypto Seed Phrases via Screenshots
SparkKitty infiltrates both iOS and Android devices through malicious apps found on official app stores as well as through sideloaded apps like fake TikTok clones and gambling platforms. Once installed, SparkKitty requests access to the device's photo gallery and employs optical character recognition to scan images for sensitive information, particularly cryptocurrency wallet seed phrases. Upon finding such data, it transmits the information to attackers, compromising users' digital assets.
Crocodilus: Advanced Android Trojan with Full Device Control
Crocodilus is a newly identified Android banking Trojan that poses a significant threat to users globally. The malware masquerades as legitimate applications, such as Google Chrome, to deceive users. Once installed, it requests accessibility permissions, enabling it to perform actions like capturing screen content, logging keystrokes, and overlaying fake login screens to harvest credentials. It specifically targets banking and cryptocurrency applications, aiming to extract sensitive information and drain users' accounts.
How users can protect themselves
Only download apps from trusted sources and be cautious of any that request access to photos, screen content, or accessibility features. Avoid storing sensitive information like secret recovery phrases in your photo gallery, and instead use secure storage methods such as hardware wallets or encrypted password managers. Keep your device and apps up to date to patch vulnerabilities, and consider using reputable mobile security software to detect and block malware. Staying informed about emerging threats and practicing good digital hygiene can go a long way in keeping your crypto and personal data safe.
Looking for more crypto security news from the frontlines? Head here to peruse previous editions of Luker's Security Reports, and get additional tips for staying safe in the ecosystem.