
There’s no escaping Bybit hack news this month, but we invite you to explore some other recent highlights… and insights on Bybit, of course.
Data scientist Valerie Thomas invented the illusion transmitter, and was responsible for developing the digital media formats that image processing systems used in the early years of NASA's Landsat program.
MichaelK.eth, who joined MetaMask from the WalletGuard team, breaks down how to avoid this sneaky Zoom scam.
In March 2024, Solareum, a Solana-based Telegram trading bot, lost $1.4M in SOL after hiring a North Korean developer who later exploited the project. This highlights the growing risk of DPRK operatives infiltrating tech firms to facilitate cyber theft.
MetaMask’s Taylor Monahan noted that Solareum’s team became uncooperative after the incident, shutting down accounts and community channels, making recovery efforts difficult. This latest job scam breach underscores the need for stricter hiring vetting and transparency in crypto projects to protect user assets from evolving security threats.
We're more than a little proud of the recognition from slonser of capture-the-flag research group C4T BuT S4D. Stay tuned for the coverage at SECCON 2025 in Tokyo next month that will highlight supply chain security of browser extensions.
MetaMask’s Taylor Monahan and security researcher Jonty “Zeroshadow” join blockchain journalist Laura Shin on the Unchained Podcast to discuss what is described as the largest hack in all history, let alone blockchain history. Here are some highlights:
"Whenever there's a large hack, people are very quick to look at the specific product ... but in general, especially with Lazarus, it really doesn't matter. You can use any wallet... When they get that initial access to the human's device, they'll just sit and watch you, and first understand your operations and what you're doing. There's not a single product out there that will perfectly save you... and they're going to come up with a very customized plan that they've tailored to you." - Taylor Monahan
“Pascal, the leader of SEAL 911, has created a very helpful utility that's open-source and public on his GitHub. Completely free to use, it's essentially a bash script that checks that the [Gnosis] Safe transaction that you are signing is the one that you intend to sign... In many cases, that tool alone is enough to realize something is wrong and not press those two buttons that could spell the end of your protocol, exchange, whatever." - Jonty
"You should be paranoid when you're making these transactions. It might be routine, and it might be something you do all the time, but it really does have the capacity to completely nuke your exchange... So if things aren't adding up, or you're getting errors, or something weird is happening, just stop what you're doing and investigate... Too many people encounter errors and try to brute-force their way through it." - Jonty
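The check Jonty describes, recomputing the Safe transaction hash yourself so it can be compared against what the signing device displays, as an added example that is neither the podcast's script nor Safe's own code: it implements the EIP-712 encoding used by Safe contracts v1.3.0 and later on top of a dependency-free keccak-256, and the Safe address, target address and nonce in the sample are constructed.

```python
import struct
def _rol(a, n):  # rotate a 64-bit lane left by n bits
    n %= 64
    return ((a << n) | (a >> (64 - n))) & 0xFFFFFFFFFFFFFFFF
def _keccak_f(lanes):  # Keccak-f[1600] on 5x5 64-bit lanes: theta, rho/pi, chi, iota
    r = 1
    for _ in range(24):
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        x, y, cur = 1, 0, lanes[1][0]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x][y] = lanes[x][y], _rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(5):
            row = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        for j in range(7):  # iota: round-constant bits generated by the LFSR
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            if r & 2: lanes[0][0] ^= 1 << ((1 << j) - 1)
    return lanes
def keccak256(data):  # Ethereum keccak-256: rate 136 bytes, original 0x01 padding (not SHA3's 0x06)
    msg = bytearray(data) + b"\x01"
    msg += b"\x00" * (-len(msg) % 136)
    msg[-1] |= 0x80
    lanes = [[0] * 5 for _ in range(5)]
    for off in range(0, len(msg), 136):
        for i in range(17):  # absorb one block; lane i lives at x = i % 5, y = i // 5
            lanes[i % 5][i // 5] ^= struct.unpack_from("<Q", msg, off + 8 * i)[0]
        lanes = _keccak_f(lanes)
    return b"".join(struct.pack("<Q", lanes[i % 5][i // 5]) for i in range(4))
SAFE_TX_TYPEHASH = keccak256(b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
                             b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
ZERO = "0x" + "00" * 20
def _word(v):  # one ABI word: ints big-endian, 0x-hex addresses left-padded to 32 bytes
    return v.to_bytes(32, "big") if isinstance(v, int) else bytes.fromhex(v[2:]).rjust(32, b"\0")
def safe_tx_hash(chain_id, safe, to, value, data, operation, nonce, safe_tx_gas=0,
                 base_gas=0, gas_price=0, gas_token=ZERO, refund_receiver=ZERO):
    # EIP-712: keccak(0x19 0x01 || domainSeparator || hashStruct(SafeTx)); the bytes field is hashed
    domain = keccak256(DOMAIN_TYPEHASH + _word(chain_id) + _word(safe))
    tail = b"".join(_word(v) for v in (operation, safe_tx_gas, base_gas, gas_price, gas_token, refund_receiver, nonce))
    struct_hash = keccak256(SAFE_TX_TYPEHASH + _word(to) + _word(value) + keccak256(data) + tail)
    return keccak256(b"\x19\x01" + domain + struct_hash)
if __name__ == "__main__":
    # Constructed sample: the same transfer as a plain call (operation 0) and as a delegatecall (1)
    args = dict(chain_id=1, safe="0x" + "11" * 20, to="0x" + "22" * 20, value=10**18, data=b"", nonce=7)
    print("call        :", safe_tx_hash(operation=0, **args).hex())
    print("delegatecall:", safe_tx_hash(operation=1, **args).hex())
```

If the hex printed here does not match the hash shown on the hardware wallet for the proposed Safe transaction, the interface and the device disagree about what is being signed, and that is the moment to stop.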
If you’re hungry for more on Bybit and multisig security, check out this additional coverage:
In pictures: Bybit’s record-breaking $1.4B hack, featuring Taylor and ZachXBT
How to Prevent the Next $1.5B Bybit Hack: A Strategic Approach to Solving Blind Signing, insight from MetaMask partner Blockaid
Defense in Depth Applied to Multisignature Schemes, by Consensys Principal Security Engineer Herman Junge
There was a whirlwind of information and speculation around the Bybit hack surrounding ETHDenver, one of the biggest annual web3 events. The news cast a shadow over many a panel and side event. The dubious deed was formally linked to the Lazarus Group (in a surprise to no one) by the FBI. Safe{Wallet} disclosed that the attack “was achieved through a compromised machine of a Safe{Wallet} developer resulting in the proposal of a disguised malicious transaction."
Blockchain analytics firm Elliptic released a data feed of wallet addresses in an effort “to help community members minimize exposure to sanctions and prevent money laundering of stolen assets.” In addition to releasing a preliminary forensics report from Sygnia and launching a bounty, Bybit enlisted the help of web3 security firm ZeroShadow to see what else could be uncovered.
While all of this was going on, conversations around the foibles of blind signing and striving “to learn from incidents, not capitalize on them” might have been overlooked.
Much thanks to Quartz for including MetaMask in its list of safe wallets! We’re proud to be a non-custodial wallet while empowering new users with security features for both extension and mobile.
The FBI’s Operation Level Up is making big moves against crypto scams, saving over 4,300 people from losing a total of $285 million. The initiative targets “pig butchering” scams—where fraudsters build trust before convincing victims to invest in fake crypto schemes.
By stepping in before funds are transferred, the FBI has helped prevent life-altering losses, sometimes just in time. Beyond recovering funds, the operation also supports victims and spreads awareness to help people spot and avoid these scams before they happen.
25-year-old Eric Council Jr. from Alabama admitted to hacking the SEC's X (formerly Twitter) account in January 2024. His goal? To post a bogus announcement about Bitcoin ETFs, causing Bitcoin's price to momentarily jump by over $1,000. Council and his crew pulled off this stunt using a "SIM swap" to hijack the account. Now, he's facing up to five years behind bars and a $250,000 fine.
Summary
A new and sophisticated phishing tactic targeting Phantom wallet users has been identified. Scammers are now connecting to legitimate Phantom wallets first and then tricking users with a fake "update extension" signature request. Once the user approves this request, a counterfeit modal appears, demanding the user to enter their seed phrases. This tactic is designed to deceive users into compromising their SRPs.
How users can protect themselves
Never enter your seed phrases on any website or popup. To identify fake popups, check the URL. Phantom’s native popup will display a URL starting with chrome-extension://..., which web pages cannot replicate. Real Phantom popups behave like system windows, allowing you to minimize, maximize, and resize them, whereas fake popups are confined within the browser tab. Stay vigilant and cautious to protect your wallet's security. This advice applies to MetaMask users, as similar seed phrase scams are prevalent. Always ensure you interact with legitimate extensions and be wary of any requests for your seed phrases.
Summary
The Abstract security team detected and neutralized an exploit originating from Cardex, a third-party app within The Portal. This incident was not due to a vulnerability in the Abstract Global Wallet (AGW) or the Abstract network. Instead, it was caused by the Cardex team inadvertently exposing the private key to their session signer on the front end of their website. This exposure allowed an attacker to initiate transactions on behalf of any wallet that had approved a session key with Cardex. The exploit affected approximately $400,000 in token value.
How users can protect themselves
To protect against potential attack vectors, users should regularly revoke approvals and permissions for apps and tokens in their Abstract wallet. This can be done via the Revoke tool at http://revoke.abs.xyz.
Summary
Researchers have discovered a new malware campaign, "SparkCat," targeting Android and iOS users through official and unofficial app stores. This malware uses OCR (Optical Character Recognition) to scan users' image galleries for crypto wallet recovery phrases. The infected apps, some available on Google Play and the App Store, have been downloaded over 242,000 times. The malware can initiate transactions for any wallet that has approved a session key with the compromised app.
How users can protect themselves
To protect against this malware, users should avoid storing sensitive information, such as SRPs, in their device's photo gallery. If you have installed any infected apps (see below), remove them immediately and consider transferring your funds to a new wallet.
Looking for more crypto security news from the frontlines? Head here to peruse previous editions of Luker's MetaMask Security Reports, and get additional tips for staying safe in the ecosystem.