MetaMask Security Report: November 2024

Kidnapping, pig butchering, AI Grandma, and more – our November security report is action packed. Find out what's been going down, and how we're keeping you safe in the ecosystem.

by Luker, November 29, 2024


Jude Milhon — who coined the term “cypherpunk” — is known as the patron saint of hackers.


🦊 What we’ve been up to 🦊

Tay’s Devcon 7 security talk picks

There was much to keep track of at Devcon 7 in Bangkok this year. Luckily, MetaMask's Taylor Monahan has selected her favorites from the security track. Get some popcorn because this thread is extensive.


Introducing MetaMask Signature Insight Snaps


Dive into our latest MetaMask Snaps that help keep users more secure: Signature Insight Snaps! A signature request never looks like a transaction, yet a single signature can authorize a token allowance (an EIP-2612 Permit) or an off-chain order, which is why drainers lean on them so heavily. Signature Insight Snaps analyze each signature request before you sign, decode what it would actually authorize, and surface the risks, helping users catch phishing attempts and unauthorized access to their assets.

The initial offerings are Kleros Scout, which decodes signature requests and identifies the contracts involved so it can warn about known threats, and ZyFi Paymaster Insights, which makes signature requests for paymaster-related transactions in the zkSync ecosystem readable by showing what the paymaster will do. Users can install these Snaps from the MetaMask Snaps Directory, using MetaMask Extension 12.4.2 or later.
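To make concrete what "analyzing a signature request" means, here is an added example written for this post; it is not code from MetaMask, Kleros Scout or ZyFi. It takes a request in the shape a wallet receives (`method`, `data`, `origin`), decodes the two most common cases, an EIP-712 `Permit` and a `personal_sign` payload, and returns findings with a severity. The spender allowlist, the finding texts, the one-year deadline threshold and the sample phishing-style request are all assumptions constructed for the example; a real Snap would run logic like this from its signature handler and render the findings as UI.

```javascript
// Added example (not MetaMask, Kleros Scout or ZyFi code): a minimal risk
// analyser for signature requests. Allowlist, thresholds and sample data
// are constructed assumptions for this post.

const MAX_UINT256 = (1n << 256n) - 1n;
const ONE_YEAR_SECONDS = 365n * 24n * 60n * 60n;
const LEVEL_ORDER = { info: 0, warning: 1, critical: 2 };

// Constructed allowlist of spender contracts this analyser trusts. The one
// entry is the Uniswap Permit2 router, used as a plausible "known" spender;
// a production Snap would source this list from a registry.
const KNOWN_SPENDERS = new Set(['0x000000000022d473030f116ddee9f6b43ac78ba3']);

// Accepts BigInt, number, decimal string or 0x-prefixed hex string.
function toBigInt(v) {
  if (typeof v === 'bigint') return v;
  if (typeof v === 'number' || typeof v === 'string') return BigInt(v);
  throw new TypeError(`cannot convert ${typeof v} to BigInt`);
}

// EIP-712 typed data. Only the EIP-2612 Permit schema is modelled here.
function analyzeTypedData(typedData, nowSeconds) {
  const { primaryType, domain = {}, message = {} } = typedData;
  if (primaryType !== 'Permit') {
    return [{ level: 'warning', text: `Unrecognised typed-data schema "${primaryType}"; review the fields manually` }];
  }
  const findings = [{
    level: 'info',
    text: `Token approval (EIP-2612 Permit) for ${domain.name ?? 'unknown token'} at ${domain.verifyingContract ?? 'unknown contract'}`,
  }];
  const spender = String(message.spender ?? '').toLowerCase();
  if (!KNOWN_SPENDERS.has(spender)) {
    findings.push({ level: 'warning', text: `Spender ${spender || '(missing)'} is not a recognised contract` });
  }
  if (toBigInt(message.value ?? 0) === MAX_UINT256) {
    findings.push({ level: 'critical', text: 'Approval amount is unlimited (2^256 - 1)' });
  }
  const deadline = toBigInt(message.deadline ?? 0);
  if (deadline === MAX_UINT256 || deadline - BigInt(nowSeconds) > ONE_YEAR_SECONDS) {
    findings.push({ level: 'warning', text: 'Approval deadline is more than a year away (effectively never expires)' });
  }
  return findings;
}

// personal_sign: the payload is hex-encoded bytes that the wallet shows as text.
function analyzePersonalSign(hexData) {
  const bytes = Buffer.from(hexData.startsWith('0x') ? hexData.slice(2) : hexData, 'hex');
  let text = null;
  try { text = new TextDecoder('utf-8', { fatal: true }).decode(bytes); } catch { /* not valid UTF-8 */ }
  // Control characters other than tab / newline / carriage return mark binary data.
  const printable = text !== null && !/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/.test(text);
  if (printable) return [{ level: 'info', text: `Plain-text message, ${text.length} characters` }];
  const hashNote = bytes.length === 32 ? ' (the length of a transaction or typed-data hash)' : '';
  return [{ level: 'critical', text: `Message is ${bytes.length} bytes of non-text data${hashNote}; you cannot read what you are authorising` }];
}

// request: { method, data, origin } as a wallet receives it. nowSeconds is
// injectable so the deadline check is deterministic.
function analyzeSignatureRequest(request, nowSeconds = Math.floor(Date.now() / 1000)) {
  let findings;
  if (request.method === 'eth_signTypedData_v4' || request.method === 'eth_signTypedData_v3') {
    // Wallets pass v3/v4 typed data as a JSON string; objects are accepted too.
    const typed = typeof request.data === 'string' ? JSON.parse(request.data) : request.data;
    findings = analyzeTypedData(typed, nowSeconds);
  } else if (request.method === 'personal_sign') {
    findings = analyzePersonalSign(request.data);
  } else {
    findings = [{ level: 'warning', text: `Unsupported signing method ${request.method}` }];
  }
  const severity = findings.reduce((worst, f) => (LEVEL_ORDER[f.level] > LEVEL_ORDER[worst] ? f.level : worst), 'info');
  return { origin: request.origin ?? 'unknown origin', severity, findings };
}

// Constructed phishing-style request: a Permit granting an unknown spender an
// unlimited, never-expiring allowance on a made-up token.
const SAMPLE_PERMIT_REQUEST = {
  method: 'eth_signTypedData_v4',
  origin: 'https://claim-airdrop.example',
  data: JSON.stringify({
    types: {
      EIP712Domain: [{ name: 'name', type: 'string' }, { name: 'version', type: 'string' },
        { name: 'chainId', type: 'uint256' }, { name: 'verifyingContract', type: 'address' }],
      Permit: [{ name: 'owner', type: 'address' }, { name: 'spender', type: 'address' },
        { name: 'value', type: 'uint256' }, { name: 'nonce', type: 'uint256' }, { name: 'deadline', type: 'uint256' }],
    },
    primaryType: 'Permit',
    domain: { name: 'Example Token', version: '1', chainId: 1, verifyingContract: '0x' + '11'.repeat(20) },
    message: { owner: '0x' + '22'.repeat(20), spender: '0x' + 'de'.repeat(20),
      value: '0x' + 'ff'.repeat(32), nonce: 0, deadline: '0x' + 'ff'.repeat(32) },
  }),
};

console.log(JSON.stringify(analyzeSignatureRequest(SAMPLE_PERMIT_REQUEST), null, 2));
```

Run with Node; the sample request comes back as `critical` with four findings (the approval itself, an unrecognised spender, an unlimited amount and a deadline that never expires). A readable `personal_sign` message produces a single informational finding, while an opaque 32-byte blob is flagged as critical, which is the case a user cannot evaluate by eye.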

🎙️ MetaMask in the security ecosystem 🔎

Evolution of scams

Drainers, transaction simulations, and pig butchering. This Devcon lightning talk from Ohm is jam-packed!

Watch Zbszek run malware from NPM

He’s at it again! Zbszek’s latest talk, on how MetaMask’s LavaMoat mitigates the risk of consuming malicious NPM packages, is available from GitNation. LavaMoat runs each package in its own compartment and lets you define a strict, per-package access policy, so a compromised dependency cannot read cookies or reach sensitive global variables it was never granted. For a limited time, we're offering support to help you integrate LavaMoat into your projects. You can reach Zb at zbigniew.tenerowicz@consensys.net.
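To show what a per-package access policy buys you, here is an added example written for this post, not LavaMoat's own code. The policy object follows the shape of a LavaMoat `policy.json` (a `resources` map from package name to the `globals` it may touch, as dotted paths, and the `packages` it may import); the checker underneath is a deliberately simplified model of how such a policy is read, written to make "deny by default" concrete, and not LavaMoat's enforcement logic. The package names and the access log are constructed for the example.

```javascript
// Added example, not LavaMoat's code. POLICY mirrors the shape of a LavaMoat
// policy.json; the checker is a simplified model of its semantics written for
// this post. Package names and access log are constructed.

const POLICY = {
  resources: {
    'chart-widget': {
      // may call fetch and touch document.body, nothing else on document
      globals: { fetch: true, 'document.body': true },
      packages: { 'tiny-dom-util': true },
    },
    'tiny-dom-util': {
      globals: { 'document.createElement': true },
    },
    // 'analytics-sdk' has no entry: it gets no globals and no packages at all
  },
};

// Returns 'allow', 'attenuated' or 'deny' for a package reading a global path.
// 'attenuated' models the case where the package can reach the parent object
// but only the listed sub-paths exist on it (e.g. `document` with only `body`).
function checkGlobalAccess(policy, pkg, path) {
  const allowed = Object.keys(policy.resources[pkg]?.globals ?? {});
  if (allowed.some((key) => path === key || path.startsWith(key + '.'))) return 'allow';
  if (allowed.some((key) => key.startsWith(path + '.'))) return 'attenuated';
  return 'deny';
}

// Returns true if pkg is allowed to import dep under the policy.
function checkPackageAccess(policy, pkg, dep) {
  return policy.resources[pkg]?.packages?.[dep] === true;
}

// Constructed access log of the form [package, kind, target], as a supply-chain
// review might reconstruct it from a bundle. The 'analytics-sdk' rows are the
// kind of access a compromised package makes to exfiltrate session cookies.
const ACCESS_LOG = [
  ['chart-widget', 'global', 'fetch'],
  ['chart-widget', 'global', 'document'],
  ['chart-widget', 'package', 'tiny-dom-util'],
  ['tiny-dom-util', 'global', 'document.createElement'],
  ['analytics-sdk', 'global', 'document.cookie'],
  ['analytics-sdk', 'global', 'fetch'],
];

function auditAccessLog(policy, log) {
  return log.map(([pkg, kind, target]) => ({
    pkg,
    kind,
    target,
    verdict: kind === 'global'
      ? checkGlobalAccess(policy, pkg, target)
      : (checkPackageAccess(policy, pkg, target) ? 'allow' : 'deny'),
  }));
}

for (const row of auditAccessLog(POLICY, ACCESS_LOG)) {
  console.log(`${row.pkg} ${row.kind} ${row.target} -> ${row.verdict}`);
}
```

The point to notice is the last two rows: `analytics-sdk` was never granted anything, so its reads of `document.cookie` and `fetch` are denied without anyone having to predict that this particular package would turn malicious. Compare that with the default Node and browser model, where every dependency sees every global.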

Meanwhile…

DIY SEAL wargames

Check out Kelsie Nabben's write-up about the Security Alliance Wargames Drill Scenario Template. This open-source GitHub repository, designed and launched by the Security Alliance (SEAL), is a template to help protocol teams conduct their own security drills. The template offers comprehensive guidance on planning and executing wargame scenarios, including:

  • Step-by-step instructions for organizing and running drills.
  • Development and testing setups using Foundry and Hardhat on local forks.
  • Configurations for live forks on Tenderly.
  • Templates for tabletop exercises and monitoring bot services integrated with Prometheus, Grafana, and OpsGenie.

The initiative emphasizes fostering a proactive security culture within the blockchain ecosystem, encouraging continuous preparedness against evolving threats. For more details and access to the template, visit the GitHub repository.

AI Grandma ties up scammers


British telecom company O2 has unleashed "Daisy", an AI-powered granny who's giving phone scammers a taste of their own medicine. Daisy keeps fraudsters tied up in hilariously irrelevant chats about knitting, cats, and her "dear old memories", wasting their time and keeping them away from real victims. While scammers try to con her, she's collecting intel on their tactics, turning the tables in the most charming way possible. Who knew grandma's nattering could be a secret weapon?

The Red Guild releases Phishing Dojo

Security research and education group The Red Guild has launched Phishing Dojo, an interactive platform designed to help users identify and avoid phishing scams in the crypto space. This educational tool presents scenarios such as scam emails, fraudulent airdrop sites, and malicious transaction approvals, allowing users to practice recognizing and responding to common threats. The initiative aims to enhance community awareness and resilience against increasingly sophisticated cyberattacks targeting the crypto ecosystem.

Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON

At CYBERWARCON 2024, Microsoft Threat Intelligence analysts presented in-depth research on North Korean and Chinese cyber threat actors. The session, titled "DPRK – all grown up", highlighted North Korea's decade-long development of advanced cyber capabilities, enabling significant cryptocurrency thefts, and targeting organizations linked to satellites and weapons systems. Additionally, a presentation called "China’s evolving cyber operations" examined China's adoption of new tactics to enhance operational security, including the exploitation of vulnerable small office/home office (SOHO) devices to obscure their activities. These insights underscore the increasing sophistication and adaptability of cyber threats from these nation-states.

⚠️ Tales of caution⚠️

ZachXBT: scammer stole over $6.5 Million by impersonating Coinbase Support

Summary

Crypto investigator, SEAL member, and all-around hoopy frood ZachXBT has uncovered a sophisticated phishing operation led by scammer Ronald Spektor, who impersonated Coinbase support to steal over $6.5 million in October 2024. Spektor lured victims by posing as official support, laundered the stolen funds through TON-linked wallets, and deleted his social media accounts to evade detection. Despite these efforts, ZachXBT's investigation has identified untraced funds and potential accomplices, raising hopes that further leads may emerge to assist victims and authorities in recovering the stolen assets.

How Users Can Protect Themselves

Protecting yourself against scammers posing as customer support in the crypto space requires vigilance and proactive security measures. Here are some key strategies:

  • Verify sources: only use official websites or apps to contact support. Avoid links in emails or social media.
  • Ignore unsolicited contacts: legitimate companies don’t reach out unprompted or ask for urgent action.
  • Protect sensitive info: never share private keys, recovery phrases, or passwords. Avoid screen sharing.
  • Stay informed: learn common scam tactics and follow trusted security experts.
  • Use extra security: enable 2FA and anti-phishing tools where available.
  • Double-check requests: confirm support claims through official channels before acting.

Toronto crypto company CEO kidnapped, held for $1M ransom before being released

Summary

In early November 2024, Dean Skurka, CEO of Toronto-based cryptocurrency firm WonderFi, was kidnapped in downtown Toronto and held for a $1 million ransom. The incident occurred near University Avenue and Richmond Street West just before 6 p.m. The kidnappers forced Skurka into a vehicle and demanded the ransom, which was paid electronically. Skurka was later found uninjured in Centennial Park, Etobicoke. He assured the public that WonderFi's client funds and data remained secure and unaffected by the incident. Experts note that such attacks, though rare, tend to coincide with surges in cryptocurrency prices, when criminals perceive high-profile figures in the industry as lucrative targets.

How Users Can Protect Themselves

Never underestimate the "$5 wrench attack", in which physical coercion (threats or violence) is used to force someone to reveal private keys or move their crypto funds. If at all possible, keep a low profile and avoid flaunting your holdings in public. Diversify your storage by spreading funds across multiple software and hardware wallets, keeping the majority of your holdings in cold storage. Consider multi-sig wallets and time-locked transactions: when no single person can move the bulk of the funds on the spot, there is less for an attacker to extract under duress, and that is worth being able to say out loud. And remember that if you are ever faced with this scenario, your life is more important than your crypto.
