
Featuring vishing attacks on CEOs, the Ethereum Foundation's trillion dollar security initiative, surging social engineering hacks, and more.
Ellen Ochoa's credits include being the first Latina to go to space and first Latina director of the Johnson Space Center. She served on the Space Shuttle Discovery.
Managing secret recovery phrases (SRPs) and keeping them safe has long proved to be one of the trickiest aspects of self-custodial responsibility. If you lose your keys, you lose your crypto. MetaMask now makes it easier than ever to create, back up, or restore wallets using Apple or Google account credentials combined with a secure password.
For enhanced security, SRPs are encrypted and sharded, with another encryption key that is split across different locations. Only the wallet owner can reconstruct the SRP in plaintext, so it is imperative that they guard the password as safely as they should an SRP. Read more about this new feature on our MetaMask Support page.
In early September, we saw one of the largest supply chain attacks to date, which compromised at least 18 popular JavaScript NPM packages after a maintainer known as Qix fell victim to a phishing campaign. One or more threat actors were able to inject code and publish malicious versions of the packages, which are often downloaded over 2 billion times per week, allowing them to manipulate crypto wallet interactions and redirect funds for several hours before the attack was neutralized.
It was later discovered that the injected malware behaved like a worm, capable of spreading automatically to other projects managed by Qix. Though losses could have been catastrophic, only a few hundred dollars’ worth of funds were stolen before malicious versions were removed. The event highlighted how detrimental a single point of failure in the open source landscape could be.
Luckily, LavaMoat from MetaMask protects against these widespread supply chain attacks by enforcing runtime controls on dependencies that restrict how they can interact with their environments, a process known as sandboxing. Even if a malicious package is installed, LavaMoat prevents it from exfiltrating secrets, tampering with wallet APIs, or performing unauthorized network activity. As MetaMask’s Zbyszek Tenerowicz puts it: “You too can run malware from NPM... I mean without consequences.”
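To make the idea of runtime controls concrete, here is an added illustration (not LavaMoat's code, and not its policy format): a toy per-package allowlist of globals. Each hypothetical package is granted only the globals its policy names; anything else it reaches for is refused and recorded. LavaMoat itself uses hardened compartments; the Proxy-backed `with` scope below only demonstrates the policy idea and is not an escape-proof sandbox. The package names, policy entries and package bodies are all constructed for the example.

```javascript
// Added illustration, not LavaMoat's code: a toy per-package allowlist of
// globals, showing the kind of runtime policy the newsletter describes.
// Real tools use hardened compartments; the Proxy-backed `with` scope here
// only demonstrates the policy idea and is not an escape-proof sandbox.

// Constructed policy: which globals each (hypothetical) package may touch.
const POLICY = {
  "left-pad-like": { globals: ["String", "Number"] },
  "wallet-ui-like": { globals: ["console", "JSON"] },
};

function runWithPolicy(pkgName, source) {
  const allowed = new Set((POLICY[pkgName] || { globals: [] }).globals);
  const denied = [];
  const scope = new Proxy(Object.create(null), {
    // Claiming every name exists makes each free identifier resolve here,
    // so the package cannot fall through to the real globalThis.
    has: () => true,
    get(_target, name) {
      if (name === Symbol.unscopables) return undefined; // `with` bookkeeping
      if (allowed.has(name)) return globalThis[name];
      denied.push(String(name));
      throw new ReferenceError(`${pkgName}: global "${String(name)}" denied by policy`);
    },
  });
  // Non-strict Function body so `with` is permitted; the package source runs
  // inside it and sees only what the policy exposes.
  const run = new Function("scope", `with (scope) { return (function () { ${source} })(); }`);
  try {
    return { ok: true, value: run(scope), denied };
  } catch (err) {
    return { ok: false, error: err.message, denied };
  }
}

// Constructed package bodies: a benign helper, and one that reaches for
// ambient authority (the process environment) it was never granted.
const benign = runWithPolicy("left-pad-like", 'return String(42).padStart(5, "0");');
const reaching = runWithPolicy("left-pad-like", "return process.env.HOME;");
console.log(benign);   // { ok: true, value: "00042", denied: [] }
console.log(reaching); // { ok: false, error: '... "process" denied by policy', denied: ["process"] }
```

The `denied` list is the useful defender signal: a dependency that suddenly asks for `process`, `fetch` or `XMLHttpRequest` when its policy never included them is exactly the behaviour change a compromised release like the one above would produce.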
Software engineer Eito Miyamura flagged risks to personal user data following OpenAI's most recent ChatGPT update, prompting Vitalik Buterin to enter the chat. Buterin dismissed reliance on centralized AI as a viable governance solution, pointing out that attackers "WILL put a jailbreak plus 'gimme all the money' in as many places as they can" if AI is trusted with sensitive roles like fund distribution.
Instead, Buterin suggested an "info finance" model in which AI systems are open to third-party audits and random spot-checking by human juries. This approach aligns with the ethos of decentralization, which values transparency and community as a more secure path forward. The perspective of the Ethereum co-founder underscores the growing debate around how best to balance innovation, security, and accountability in AI.
Personalized vishing attacks against crypto execs on the rise
In their latest efforts to target U.S. executives in the crypto space, scammers are paying as much as $20,000 a month to use professional voice impersonators in elaborate voice phishing, aka vishing, attacks. Researchers at GK8 discovered that the teams of impersonators are being recruited through underground forums and supported by curated datasets, deepfake tech, and elaborate infrastructure designed to bypass security controls.
These phone-based attacks are highly personal and aimed at individuals with privileged access, reflecting a shift from mass phishing to precision social engineering. GK8 researcher Tanya Bekker cautions that executives should "assume their personal information has already been exposed" and warns that "high-value transactions should not be confirmed by a single individual."
Staking platform Kiln announced that, out of an abundance of caution, it would exit all of its Ethereum validators after its partner SwissBorg was impacted by an API security breach. Blockchain investigator ZachXBT reported that SwissBorg lost approximately $40 million worth of SOL. Kiln stressed that its users' funds were secure and no other Ethereum assets were affected, stating the move is precautionary.
At the time the decision was announced, Kiln estimated the process would take 10-42 days per validator, with withdrawals requiring an additional 9 days. Meanwhile, over 2.5 million ETH became backed up in the network's validator exit queue, causing excessive wait times.
In case you missed it, in late August the Ethereum Foundation unveiled an effort to bolster the safety of the network through what it’s calling the “Trillion Dollar Security” initiative. The stated goal of the program is to create a reality in which billions of users are comfortable with holding at least $1000 onchain while institutions and governments would rest easy managing trillion-dollar scale assets within Ethereum applications. The plan is laid out in three phases that include mapping vulnerabilities across the ecosystem, implementing fixes and improvements with partners, and establishing clear security standards.
The program will be supported by Security Alliance founder samczsun, Sigma Prime co-founder and director Mehdi Zerouali, and Etherealize co-founder Zach Obront. Additionally, the EF is calling on the ecosystem for input on where the security of Ethereum needs to improve.
Just a few weeks later, the EF announced it is launching a $2 million contest in which researchers are invited to audit the upcoming Fusaka upgrade. The contest is running from September 15 to October 13 on the Sherlock testnet and is co-sponsored by Gnosis and Lido, which contributed $100,000 and $25,000, respectively. This approach highlights the decentralized ecosystem’s collective stake in the network’s future.
Summary
Security researchers found a new malware strain called ModStealer that managed to dodge antivirus software for almost a month while stealing crypto wallet data from Windows, Linux, and Mac users. The attackers are spreading it through fake job postings targeting developers. Once it's on a system, it hunts for browser wallet extensions and credentials before quietly sending everything back to their servers. On Macs, it even sets itself up to run automatically at startup by pretending to be a system helper. Security experts say this is bad news for crypto holders since stolen private keys and seed phrases mean direct access to people's funds, and the fact that it can slip past detection tools makes it a real threat to the whole crypto space.
How users can stay safe
Best practices include constant vigilance about the sites you visit, especially when you are searching for things such as job postings or crypto-related content. Always refer to trusted sources to verify authenticity. Unsolicited offers of any type should be treated with the utmost caution and should probably be ignored entirely.
Also, keeping your largest crypto holdings in cold storage, such as a hardware wallet, is one of the best ways to keep your funds safe.
Summary
A cryptojacking campaign is targeting misconfigured Docker APIs to install XMRig cryptocurrency miners, with attackers using the TOR network to hide their tracks. The malware spreads by scanning for other exposed Docker instances and contains dormant code for attacking Telnet and Chrome remote debugging ports, which suggests the attackers may be building toward a larger botnet operation.
How users can stay safe
Researchers stress that organizations must lock down API access, segment their networks properly, and change default credentials to protect against these attacks.
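The "misconfigured Docker API" in this campaign is typically the daemon's Remote API listening on TCP without TLS client verification. As an added example (not from the page, from Docker, or from the researchers cited), the following shows a weak `daemon.json` beside a hardened one and a small audit function that flags the exposure. The `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real dockerd options; the addresses and certificate paths are constructed for the example.

```javascript
// Added example, not Docker's or the page's code: audit a dockerd daemon.json
// for the exposure the cryptojacking campaign abuses, i.e. the Remote API on
// a TCP listener without TLS client verification.

// Constructed weak config: API on all interfaces, plaintext, no client auth.
const WEAK_DAEMON_JSON = JSON.stringify({
  hosts: ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
});

// Constructed hardened config: bound to one management address, TLS with
// mandatory client certificates (paths are placeholders).
const HARDENED_DAEMON_JSON = JSON.stringify({
  hosts: ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  tlsverify: true,
  tlscacert: "/etc/docker/ca.pem",
  tlscert: "/etc/docker/server-cert.pem",
  tlskey: "/etc/docker/server-key.pem",
});

function auditDaemonConfig(jsonText) {
  const cfg = JSON.parse(jsonText);
  const findings = [];
  const tlsVerify = cfg.tlsverify === true;

  for (const host of cfg.hosts || []) {
    // Accept tcp://addr:port and tcp://[v6]:port; unix:// and fd:// are local-only.
    const m = /^tcp:\/\/(\[[^\]]*\]|[^:]*)(?::(\d+))?$/.exec(host);
    if (!m) continue;
    const [, addr, port] = m;
    if (!tlsVerify) findings.push(`${host}: TCP listener without tlsverify (no client authentication)`);
    if (addr === "" || addr === "0.0.0.0" || addr === "[::]") findings.push(`${host}: bound to all interfaces`);
    if (port === "2375") findings.push(`${host}: 2375 is the conventional plaintext API port`);
  }

  // tlsverify without the certificate material will not start cleanly either.
  if (tlsVerify) {
    for (const key of ["tlscacert", "tlscert", "tlskey"]) {
      if (!cfg[key]) findings.push(`tlsverify set but ${key} is missing`);
    }
  }
  return findings;
}

console.log("weak:", auditDaemonConfig(WEAK_DAEMON_JSON));          // 3 findings
console.log("hardened:", auditDaemonConfig(HARDENED_DAEMON_JSON));  // []
```

The binding address check is the cheapest of the three: even with TLS in place, exposing the API beyond a management network contradicts the segmentation advice above, and an internet-wide scanner of the kind this campaign uses will find any listener that answers.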
Summary
CertiK reported in September that crypto hacks shot up by over 13% from July to August, with thieves walking away with around $173 million. Phishing scams alone made up $101 million of that total. The month's worst hits included a massive $91 million phishing attack and a $53 million hack of BtcTurk.
It's part of a trend we've been seeing since June, and experts predict the losses will continue to get worse every month. Despite evolving defenses, these basic phishing scams are still incredibly effective. One CEO observed that organized crime groups have essentially turned themselves into "tech startups" that deal in scams-as-a-service.
How users can stay safe
Social engineering attacks are particularly effective because the human element is the most difficult attack surface to defend. Always know who you are talking to, and be wary of any type of unsolicited communication. Never click on a random link in an email or a text message. If you have even the slightest inkling that you aren't talking to who you think you are, find a way to reach out to that person directly through a different channel, such as a phone call to their place of business, or verify their identity through another secure method.
Looking for more crypto security news? Head here to peruse previous editions of Luker's Security Reports, and get additional tips for how you can stay safe in the ecosystem.