MetaMask Crypto Security Report: January 2025

Featuring the $70 million Phemex exploit linked to Lazarus Group, a supply chain attack on AdsPower stealing $3 million in ETH, fake Homebrew Google Ads targeting Mac users, and LavaMoat's new @lavamoat/node rewrite.


Each month, MetaMask security guru Luker reports on the latest crypto security threats and emerging risks that you need to know about. Dive into the latest below, but first...

Holocaust and 1956 Hungarian Revolution survivor Andrew Grove played a major role in Intel’s microprocessor revolution, shaping modern computing.


LavaMoat @lavamoat/node rewrite protects against malicious GitHub forks

Highlighting the first release of @lavamoat/node, Naugtur explores a sneaky security risk in GitHub development. Attackers are creating malicious forks of popular repositories and slipping in harmful code. Even if you've been following the development of LavaMoat you probably did not see @lavamoat/node coming. However, it's a major rewrite that was necessary to bring in enterprise service management (ESM) support.

AnChain.AI MetaMask Snap brings transaction risk scoring to wallet users

In this X Space, AnChain.AI discusses its MetaMask Snap that allows more people to benefit from easier access to the data they aggregate on bad actors. The algorithm they built assesses the risk to transactions, wallets, and smart contracts.

Christian Montoya said about Snaps more broadly: "Through the Snaps platform, we're able to connect with a lot of different teams that are working in the security space. Because they can launch their own Snaps, they can demonstrate their capabilities to protect against malicious activity, to help decode transactions, and to do better simulations."

Christian also teased that MetaMask is exploring ways to leverage AI to make users more secure.

MetaMask launches improved signature request readability on MetaMask Extension

This month, we launched new, consistent, and more readable transactions and signatures on MetaMask Extension. The improvements will be coming to MetaMask App on mobile very soon.

LavaMoat blocks malicious postinstall scripts in Rspack supply chain attack

It's Naugtur again, and this time he raised the alarm for users of Rspack, a Rust-based JavaScript bundler, who may have unknowingly installed a malicious release. Fortunately, the issue was swiftly addressed, but tools like LavaMoat can help developers stay protected from similar supply chain attacks in the future.

North Korea's Lazarus Group suspected in $70 million Phemex exchange exploit

Among the experts weighing in is MetaMask's Taylor Monahan. Over $70M in crypto was stolen from Singapore-based exchange Phemex. According to Taylor, the attack's complexity indicates involvement by a seasoned group, possibly linked to North Korea. The attackers swiftly drained a wide array of assets across multiple blockchains, converting them into native tokens like ETH and BTC. She noted that the manual execution of numerous transactions across various chains suggests the work of experienced threat actors. This method mirrors tactics previously associated with North Korean hacking groups, such as the Lazarus Group.

Chainalysis releases 2025 Crypto Crime Report previewing record illicit volumes

Chainalysis's annual Crypto Crime Report has landed. While you wait for your copy to arrive, get a sneak peek by reading the excerpt "Illicit Volumes Portend Record Year as On-Chain Crime Becomes Increasingly Diverse and Professionalized".

Fake Homebrew Google Ads distribute AmosStealer malware targeting Mac crypto users

Hackers have launched a malware campaign via Google Ads, targeting users of the Homebrew package manager for macOS and Linux with a counterfeit website. The campaign distributes AmosStealer, a malware designed to steal credentials, browser data, and cryptocurrency data by masquerading as a legitimate Homebrew site. Security experts have highlighted the campaign's sophistication and potential to harm unsuspecting users significantly.

How users can protect themselves

Always verify the authenticity of websites before downloading any software or entering personal information. Be cautious of Google ads that lead to external sites, especially those that look similar to legitimate services like Homebrew. Consider bookmarking official websites you frequently visit to avoid falling for fake ads. Additionally, follow reputable cybersecurity experts and updates to stay informed about the latest threats.

DPRK Contagious Interview campaign uses fake job offers to deploy BeaverTail infostealer

Contagious Interview, a DPRK-affiliated cyber threat group active since December 2022, has been exploiting the cryptocurrency industry through sophisticated social engineering attacks. They lure victims with fake job offers or freelance development work, only to infect their devices with BeaverTail infostealer malware via malicious code distributed through platforms like GitHub and Bitbucket. This malware targets crypto assets, draining browsers and desktop wallets soon after installation. The group employs a second payload, InvisibleFerret, to further compromise devices for ongoing exploitation.

How users can protect themselves

Individuals should exercise caution when approached with job offers on social media, verifying the authenticity of recruiter profiles and avoiding suspicious links or scripts. They should also use antivirus software and keep personal and work activities separate, possibly on different machines or virtual environments. Organizations can protect themselves by educating employees on phishing tactics, enforcing strict device policies, and using secure channels for recruitment processes.

AdsPower supply chain attack replaces wallet extensions and steals $3 million in ETH

AdsPower, an anti-detect browser, fell victim to a hacking incident that resulted in the theft of over $3M in crypto assets from over 34,000 wallets. The breach was first hinted at on January 23, with users reporting issues with MetaMask within AdsPower on various Telegram crypto chats. By January 25, a significant withdrawal of funds from users' wallets was observed, and the AdsPower team acknowledged the breach. The attack was executed by replacing legitimate wallet extensions with fraudulent ones, deceiving users into submitting their seed phrases and passwords.

How users can protect themselves

If you're an AdsPower user and installed or updated the MetaMask extension between January 21 and January 24, take immediate action to secure your assets and account: delete the current MetaMask Extension and any other wallet extensions you suspect might be compromised. Reinstall them directly from the Chrome Web Store to ensure that you're using the authentic versions.

Move your crypto assets to a new wallet. When setting up the new wallet, import your seed phrases or private keys directly, and avoid using AdsPower during this process to prevent potential exposure to malicious software. Contact AdsPower's support team at [email protected]. Provide them with details and any proof of compromise to get assistance and potentially help prevent further breaches.
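To support the advice above on making sure a wallet extension really came from the Chrome Web Store, here is an added audit script (not from the original post, nor from AdsPower or MetaMask) that reads the extensions.settings block of a Chrome profile's Preferences file and flags wallet-named extensions that were not installed from the Web Store. It assumes Chrome's from_webstore, location and manifest.update_url keys carry the values shown; the watch list and the sample Preferences data are constructed.

```python
import json

# Chrome records each installed extension under extensions.settings in the profile's
# Preferences / Secure Preferences file. Key names and values below are assumptions
# about that layout (see lead-in); the Web Store update_url is the documented one.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
LOCATION_INTERNAL = 1                       # assumed: browser-managed Web Store install
WALLET_KEYWORDS = ("metamask", "wallet")    # constructed watch list; extend as needed

def audit_wallet_extensions(preferences_json: str):
    """Return [(ext_id, name, version, verdict)] for each wallet-looking extension.
    A genuine Web Store install should pass all three checks; a replacement that was
    sideloaded or loaded unpacked, as in the incident above, fails at least one."""
    settings = json.loads(preferences_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in sorted(settings.items()):
        manifest = entry.get("manifest", {})
        name = manifest.get("name", "")
        if not any(k in name.lower() for k in WALLET_KEYWORDS):
            continue
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not marked from_webstore")
        if entry.get("location") != LOCATION_INTERNAL:
            reasons.append(f"location={entry.get('location')!r} is not a Web Store install")
        if manifest.get("update_url") != WEB_STORE_UPDATE_URL:
            reasons.append("update_url is not the Chrome Web Store")
        verdict = "ok" if not reasons else "SUSPICIOUS: " + "; ".join(reasons)
        findings.append((ext_id, name, manifest.get("version", "?"), verdict))
    return findings

# Constructed sample: a genuine-looking install, a sideloaded look-alike, and a non-wallet.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": 1,
        "manifest": {"name": "MetaMask", "version": "12.0.0",
                     "update_url": WEB_STORE_UPDATE_URL}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 4, "path": "/tmp/fake-metamask",
        "manifest": {"name": "MetaMask", "version": "12.0.0"}},
    "cccccccccccccccccccccccccccccccc": {
        "from_webstore": True, "location": 1,
        "manifest": {"name": "uBlock Origin", "version": "1.0",
                     "update_url": WEB_STORE_UPDATE_URL}},
}}})

if __name__ == "__main__":
    for ext_id, name, version, verdict in audit_wallet_extensions(SAMPLE_PREFERENCES):
        print(f"{ext_id} {name} {version}: {verdict}")
```

Point it at the real Preferences file of the profile AdsPower uses, and treat any SUSPICIOUS line as a reason to follow the removal and reinstall steps above.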

This January 2025 report covered the $70 million Phemex exploit suspected to be linked to Lazarus Group, a supply chain attack on AdsPower replacing wallet extensions to steal $3 million in ETH, and fake Homebrew Google Ads distributing credential-stealing malware. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

Luker

Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.