This month's crypto security report

Featuring new AI deepfakes to look out for, how to spot DPRK scams, a rundown of the latest social engineering schemes, and more.


Each month, MetaMask's Luker reports on the global crypto security news that you need to know about. Dive into the action below.


Alan Emtage is a Bajan-Canadian computer scientist who created Archie, widely considered the world's first Internet search engine, which indexed public FTP archives before the web existed.

🤝 Friends of the Fox 🤝

The Ethereum Foundation tackles the quantum computing problem

As quantum computing looms, the EF has assembled a Post Quantum security team to pre-emptively eliminate the chance of fund loss and network downtime. Experts across the blockchain ecosystem have been steady in their warnings about how the emergent technology can subvert cryptography that networks like Ethereum and Bitcoin rely on. The foundation is committing $2 million in funding and the team will meet twice a week for the foreseeable future. 
As Ethereum co-founder Vitalik Buterin put it: “Being able to say 'Ethereum's protocol, as it stands today, is cryptographically safe for a hundred years' is something we should strive to get to as soon as possible, and insist on as a point of pride.”

SEAL creates tongue-in-cheek consultancy page aimed at DPRK infiltration education

The Security Alliance (SEAL) has taken ownership of the lazarus.group URL and is using it as a comedic demonstration of what to look out for when safeguarding against North Korean operatives that apply to work at crypto companies. Their “meet our team” page displays profile pics of many known state-sanctioned threat actors, including this literal red flag:


The parody page also displays a condensed overview of historical malicious DPRK activity, and links to a serious and thorough framework that companies can use to harden their hiring process against sneaky criminal applicants.

Consensys urges FTC to favor tech-neutral security standards in Nomad hack case

Senior Counsel and Director of Global Regulatory Matters for Consensys (provider behind MetaMask) Bill Hughes submitted a letter to the Federal Trade Commission in response to its proposed order in the Nomad hacking case. Hughes argues that the FTC’s position discourages security transparency and pushes for technical requirements that are not industry standard (i.e., “circuit breakers” aka “killswitches”).
In his push for a more technology-neutral approach, Hughes asserts: “Security engineering is managing tradeoffs. The question should not be ‘Did you have this specific control?’ It instead should be ‘Did you have reasonable capabilities to detect, respond, and mitigate loss given your architecture and threat model?’"

Meanwhile…

AI fraud and malware

Chainalysis credits the rise in AI with the exponential growth of losses in 2025. Last year saw at least $14 billion worth of crypto confirmed to be stolen in scams, and the analytics company projects that number may grow to $17 billion as more illicit activity is uncovered. The firm maintains that scams powered by AI tooling are 4.5 times more profitable than traditional methods, and AI-powered impersonations of legitimate businesses have seen a 1,400% year-over-year increase.
Deepfakes and AI-generated content have made investment and romance scams more believable, while increased reach and speed associated with the technology has given criminal operations a significant advantage. Scammers are even convincing people they are co-workers.
Malware has also gotten a boost from the AI boom, as demonstrated in January by Check Point Research. The DPRK-backed KONNI crime group targeted developers with fake blockchain project docs and an AI-written PowerShell backdoor.

Social engineering and data breaches come up against hardware wallet safeguards

2026 is off to a rocky start. One individual lost over $282 million in Bitcoin and Litecoin in mid-January to a social engineering scheme that surpassed a similar record-breaking $243 million attack. Hardware wallets are considered particularly secure, as private keys never leave the device, but that defense is useless in cases like this, where a user is tricked into offering up access to their funds.
It has since been discovered that the hardware in question was a Trezor wallet and the scammers used a leaked API key, but this is not a Trezor problem. Posing as tech support is a standard tactic in the scammer playbook. Targets can also be selected based on known high value and/or contact information obtained through data breaches, such as the high-profile incident involving Ledger users that was reported earlier in the month.

Holiday humdingers

Baddies don’t take holidays. In fact, they’re counting on you to let your guard down while you’re celebrating.
Exhibit A: This scam that enticed GrubHub customers with a message stating: “There are 30 minutes left in our Holiday Crypto Promotion. Grubhub will 10x any Bitcoin sent to this address [...]. For example, if you send $1000, we’ll send back $10,000.”
Exhibit B: Workaholic @the_smart_ape’s account of how chatting openly about being in crypto and connecting to hotel Wi-Fi on a family vacation led to his holdings being drained. We say it time and time again: Keep a low profile!
Then there’s this seemingly innocuous notification from a faux fox that prompted targets with a fake New Year’s update...
Chat, this is not real. Security researchers believe this imposter MetaMask email may be related to the $7 million Trust Wallet hack that occurred on Christmas Day. Ooof. As Cointelegraph reports:

“The incident likely occurred due to the ‘Sha1-Hulud’ supply chain attack in November, which compromised npm software packages commonly used by crypto projects to build blockchain applications, according to Trust Wallet’s incident report.
Developer “secrets” were leaked from Trust Wallet’s GitHub, which gave the attacker access to the wallet’s browser extension source code.”
Bleeping Computer has more details on the Trust Wallet Hack and Sha1-Hulud bypasses.
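The compromised-npm-package angle above is the part of this incident a development team can actually put a check against. The following is an added example, not code from Luker's report, Trust Wallet or any of the projects named here: it audits an npm `package-lock.json` (lockfile version 2 or 3) and lists dependencies that run install-time scripts, resolve to a host other than the public registry, or carry no integrity hash. The lockfile, package names, versions and the `example-mirror.invalid` host are constructed placeholders for the demo, and the checks are general npm supply-chain hygiene, not the specific detection that identified Sha1-Hulud.

```python
"""Audit an npm package-lock.json (lockfileVersion 2 or 3) for three common
supply-chain risk signals:
  * "hasInstallScript": true  -> the package runs code at install time,
  * "resolved" pointing outside the public npm registry,
  * no "integrity" hash, so the tarball cannot be verified on install.
Everything below is a constructed example; no real compromised package is named.
"""
import json
from urllib.parse import urlparse

# Hosts we accept as the canonical source of tarballs (assumption: public npm only).
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed sample lockfile in the v3 layout ("packages" keyed by node_modules path).
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-dapp",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-dapp", "dependencies": {"left-pad-ish": "^1.0.0"}},
        "node_modules/left-pad-ish": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/native-helper": {
            "version": "2.3.1",
            "resolved": "https://registry.npmjs.org/native-helper/-/native-helper-2.3.1.tgz",
            "integrity": "sha512-PLACEHOLDER",
            "hasInstallScript": True,  # runs a pre/postinstall hook
        },
        "node_modules/mystery-utils": {
            "version": "0.0.9",
            "resolved": "https://example-mirror.invalid/mystery-utils-0.0.9.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/no-integrity-pkg": {
            "version": "1.2.0",
            "resolved": "https://registry.npmjs.org/no-integrity-pkg/-/no-integrity-pkg-1.2.0.tgz",
        },
    },
})


def audit_lockfile(lock_text: str) -> dict:
    """Return the findings grouped by signal, each entry labelled name@version."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("need a lockfileVersion 2 or 3 lockfile with a 'packages' map")

    findings = {"install_scripts": [], "off_registry": [], "missing_integrity": []}
    for path, meta in lock["packages"].items():
        if path == "" or meta.get("link"):
            continue  # root project entry or workspace symlink, not a fetched dependency
        # Last "node_modules/" segment gives the package name, scoped or nested alike.
        name = path.rsplit("node_modules/", 1)[-1]
        label = f"{name}@{meta.get('version', '?')}"

        if meta.get("hasInstallScript"):
            findings["install_scripts"].append(label)

        resolved = meta.get("resolved")
        if resolved:
            host = urlparse(resolved).hostname or ""
            if host not in TRUSTED_REGISTRY_HOSTS:
                findings["off_registry"].append((label, host))

        if "integrity" not in meta:
            findings["missing_integrity"].append(label)
    return findings


def has_findings(findings: dict) -> bool:
    """True if any signal fired; handy as a CI gate (non-zero exit)."""
    return any(findings.values())


if __name__ == "__main__":
    result = audit_lockfile(SAMPLE_LOCKFILE)
    for signal, entries in result.items():
        print(f"{signal}: {entries}")
    raise SystemExit(1 if has_findings(result) else 0)
```

Packages that legitimately need install scripts (native modules, for instance) will show up every run; the point is that the list should be short, reviewed, and unchanged between releases, so a new entry is a prompt to look before merging.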
Also during those dark days of year’s end, Unleashed Protocol announced it had been drained of $3.9 million in crypto from a multisig hijack.
Truebit was exploited during the early days of the new year, costing the protocol’s reserves $26.6 million in Ether and causing the TRU token to lose nearly all its value. The ghost of vulnerabilities past reminds us that we shouldn’t take the security of our older smart contracts for granted...
We want to thank any of you out there who did and continue to put in those extra hours to keep watch and defend during holiday periods. The world mostly hears about when things go wrong, rather than the many attempts that were thwarted. Make sure you get some rest and touch grass (or snow).
See you next month. 

Looking for more? Head here to peruse previous editions of Luker's Crypto Security Reports, and get additional tips for how you can stay safe in the ecosystem.
