Crypto Security Report: November 2024

Featuring a scammer-baiting granny, LavaMoat's GitNation demo isolating malicious npm packages, the SEAL Wargames drill template, The Red Guild's Phishing Dojo, Microsoft's CYBERWARCON exposé on North Korean cyber capabilities, and more..

6 min read
Crypto Security Report: November 2024

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about. November 2024 brought the kind of headlines that make you double-check your locks. A crypto CEO was kidnapped in downtown Toronto and held for $1 million in ransom. ZachXBT pulled back the curtain on a $6.5 million Coinbase support impersonation scam. Microsoft laid out a decade of DPRK cyber evolution at CYBERWARCON. But, an AI grandma might be coming to the rescue? British telecomunnications company O2 decided the best way to fight phone scammers is with an AI granny who won't stop talking about her cat. The month was also packed with proactive security updates too. MetaMask shipped Signature Insight Snaps, LavaMoat got a fresh demo at GitNation, SEAL released a DIY wargames drill template, and The Red Guild launched Phishing Dojo to help users train against real-world scam scenarios. Dive into the details below, but first...

Jude Milhon, who coined the term “cypherpunk”, is known as the patron saint of hackers.


MetaMask's Taylor Monahan explores top security talks from Devcon 7 in Bangkok

There was much to keep track of at Devcon 7 in Bangkok during November 2024. Luckily, MetaMask's Taylor Monahan has selected her favorites from the security track. Grab some popcorn, because this thread is extensive.

MetaMask launches Signature Insight Snaps to analyze and flag risky signature requests

Dive into the newest type of MetaMask Snaps that help keep users more secure: Signature Insight Snaps. These Snaps analyze signature requests, providing users with insights into their purpose and potential risks, thereby helping to prevent phishing attempts and unauthorized access.

The initial offerings include Kleros Scout, which decodes signature requests and identifies associated contracts to warn users of potential threats, and ZyFi Paymaster Insights, which improves the readability of signing transactions in the zkSync ecosystem by providing detailed information about paymaster-related transactions. Users can install these Snaps from the MetaMask Snaps Directory, using MetaMask Extension 12.4.2 or later.

Crypto scam mechanics explored in Devcon 2024 lightening talk

Drainers, transaction simulations, pig butchering and more... The Devcon 2024 lightning talk from MetaMask Security's Ohm is jam-packed with crypto scam mechanics.

How LavaMoat isolates malicious npm packages: Zbigniew Tenerowicz demos at GitNation

He’s at it again: Zbigniew's latest talk on how LavaMoat open-source toolkit can mitigate the risks of consuming malicious NPM packages is available from GitNation. LavaMoat isolates each package into its own compartment and provides tools to define strict access policies. It prevents threats like cookie theft and unauthorized access to sensitive global variables. For a limited time, we're offering support to help you integrate LavaMoat into your projects, so you can secure your applications with ease. Reach out to ZB at [email protected] with any questions.

SEAL Wargames drill template helps protocol teams run their own security exercises

Check out Kelsie Nabben's write-up about the Security Alliance Wargames Drill Scenario Template. This open-source GitHub repository, designed and launched by The Security Alliance, is a template to help protocol teams conduct their own security drills. The template offers comprehensive guidance on planning and executing wargame scenarios, including:

  • Step-by-step instructions for organizing and running drills.

  • Development and testing setups using Foundry and Hardhat on local forks.

  • Configurations for live forks on Tenderly.

  • Templates for tabletop exercises and monitoring bot services integrated with Prometheus, Grafana, and OpsGenie.

The initiative emphasizes fostering a proactive security culture within the blockchain ecosystem, encouraging continuous preparedness against evolving threats. For more details and access to the template, visit the GitHub repository.

O2's AI grandma, Daisy, wastes scammers' time and collects intel on their tactics

British telecom company O2 has unleashed Daisy, an AI-powered granny who’s giving phone scammers a taste of their own medicine. Daisy keeps fraudsters tied-up in hilariously irrelevant chats about knitting, cats, and her "dear old memories", wasting their time and saving real victims from their schemes. While scammers try to con her, she’s collecting intel on their tactics, turning the tables in the most charming way possible. Who knew grandma’s nattering could be a secret weapon?

The Red Guild launches Phishing Dojo for interactive crypto scam training

Security research and education group The Red Guild has launched Phishing Dojo, an interactive platform designed to help users identify and avoid phishing scams in the crypto space. This educational tool presents scenarios such as scam emails, fraudulent airdrop sites, and malicious transaction approvals, allowing users to practice recognizing and responding to common threats. The initiative aims to enhance community awareness and resilience against increasingly sophisticated cyberattacks targeting the crypto ecosystem.

Microsoft exposes DPRK and Chinese cyber threat actor tactics at CYBERWARCON 2024

Microsoft Threat Intelligence analysts presented in-depth research on North Korean and Chinese cyber threat actors at CYBERWARCON 2024. The session, titled "DPRK – all grown up", highlighted North Korea's decade-long development of advanced cyber capabilities, enabling significant cryptocurrency thefts, and targeting organizations linked to satellites and weapons systems. Additionally, a presentation called "China’s evolving cyber operations" examined China's adoption of new tactics to enhance operational security, including the exploitation of vulnerable small office/home office (SOHO) devices to obscure their activities. These insights underscore the increasing sophistication and adaptability of cyber threats from these nation-states.

ZachXBT uncovers $6.5 million Coinbase support impersonation scam

What happened Crypto investigator, SEAL member, and all-around hoopy frood, ZachXBT has uncovered a sophisticated phishing operation led by scammer Ronald Spektor, who impersonated Coinbase support to steal over $6.5 million in October 2024. Spektor lured victims by posing as official support, then laundered the stolen funds through TON-linked wallets, and deleted his social media accounts to evade detection. Despite these efforts, ZachXBT's investigation has identified untraced funds and potential accomplices, raising hopes that further leads may emerge to assist victims and authorities in recovering the stolen assets.

How users can protect themselves

Protecting yourself against scammers posing as customer support in the crypto space requires vigilance and proactive security measures. Here are some key strategies:

  • Verify sources: only use official websites or apps to contact support. Avoid links in emails or social media.

  • Ignore unsolicited contacts: legitimate companies don’t reach out unprompted or ask for urgent action.

  • Protect sensitive info: never share private keys, recovery phrases, or passwords. Avoid screen sharing.

  • Stay informed: learn common scam tactics and follow trusted security experts.

  • Use extra security: enable 2FA and anti-phishing tools where available.

  • Double-check requests: confirm support claims through official channels before acting.

WonderFi CEO kidnapped in Toronto and held for $1 million crypto ransom

In early November 2024, Dean Skurka, CEO of Toronto-based cryptocurrency firm WonderFi, was kidnapped in downtown Toronto and held for a $1 million ransom. The incident occurred near University Avenue and Richmond Street West just before 6 p.m. The kidnappers forced Skurka into a vehicle and demanded the ransom, which was paid electronically. Skurka was later found uninjured in Centennial Park, Etobicoke. He assured the public that WonderFi's client funds and data remained secure and unaffected by the incident. Experts note that such attacks, though rare, can coincide with surges in cryptocurrency values, as criminals may perceive high-profile figures in the crypto industry as lucrative targets.

How users can protect themselves

Never underestimate the $5 wrench attack, by which physical coercion (like threats or violence) is used to force someone to reveal private keys or access their crypto funds. If at all possible, keep a low profile and avoid flaunting your holdings in public. Diversify your storage by spreading funds across multiple software and hardware wallets, keeping the majority of your holdings in cold storage. Consider utilizing multi-sig wallets and time-locked transactions. And remember that if you are ever faced with this scenario, your life is more important than your crypto.


MetaMask's November 2024 Crypto Security Report covered the kidnapping of WonderFi's CEO for $1 million in crypto ransom, a $6.5 million Coinbase support impersonation scam uncovered by ZachXBT, Microsoft exposing DPRK and Chinese cyber capabilities at CYBERWARCON, and MetaMask launching Signature Insight Snaps. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Читать все статьи