Crypto Security Report: November 2025

DPRK operatives recruiting collaborators on Upwork and Fiverr, a $128 million Balancer exploit from a rounding error, fake wallet extensions on the Chrome Web Store, and more.

5 minutes
Crypto Security Report: November 2025

Each month, MetaMask's Luker reports on the global crypto security news that you need to know about. Dive into the action below.


 Polish cryptologist Marian Rejewski conducted the initial analysis that led to the exploitation of Nazi Germany's ENIGMA cypher machine.


DPRK operatives shift from fake employment to recruiting collaborators on freelance platforms

Researcher Heiner Garcia of Security Alliance (SEAL) released a report documenting the shift in North Korean operatives behavior from seeking direct employment in IT positions to recruiting collaborators through platforms such as Upwork, Freelancer, Fiverr, and GitHub. "Rather than isolated opportunism, the scope and consistency of the material suggest a coordinated, repeatable pattern: actors adapt their tactics rapidly, share operational playbooks, and deploy structured scripts for onboarding collaborators," shares Garcia.

15–20% of crypto companies already infiltrated by North Korean applicants

This was followed up at Devconnect by another SEAL member, Pablo Sabbatella, who urged crypto companies to up their opsec game. He asserted that these companies are particularly inviting to DPRK threat actors, which  account for 30-40% of its job applicants, and that 15-20% of crypto companies have already been infiltrated.

GhostCall and GhostHire campaigns target crypto executives and developers

A recent Kaspersky investigation revealed GhostCall and GhostHire: complimentary campaigns, courtesy of the BlueNoroff APT group, targeting executives and developers, respectively. 

US Treasury sanctions North Korean bankers tied to crypto money laundering

The US Treasury Department targeted several North Korean bankers with sanctions this month for money laundering activities tied to a global crypto crime operation. All 53 of the associated wallets contained USTD that sources say was intended for the regime’s weapons program.

Concurrently, Europol and Eurojust dismantled a massive crypto money-laundering operation involving over 600 shell companies. At the recent Global Conference on Criminal Finances and Cryptoassets, Europol stated: “Law enforcement, private sector partners and academia are rapidly advancing their ability to counter the threats posed by sophisticated crypto-related crimes and money laundering. Advanced tools are reducing reliance on manual tracing, while a host of successful cross-border operations show the power of collaboration.”


Balancer V2 rounding error exploit leads to $128 million theft and Berachain network halt

In early November it was reported that around $128 million in crypto was stolen from Balancer liquidity pools, which led Berachain to halt and fork its network. Later analysis revealed that a critical exploit in Balancer V2's rate provider mechanism, which amounted to a rounding error, was the root of the exploit. While fixes have since been implemented, the event has prompted discussions around the dangers of vibe coding and otherwise less-than-best practices.

Australian ReportCyber portal abused for crypto phishing impersonating federal police

Scammers are abusing Australia's official ReportCyber portal to impersonate federal police and steal cryptocurrency. Because the system does not verify who is sending reports, criminals are able to send fake but legitimate-looking notices claiming the recipients' wallets have been flagged for suspicious activity.

Defcon talk: how pig butchering scams work and why anyone can be a target

Erin West reminds us that we can all be susceptible to scammers and gives us a deeper look into the tragic world of pig butchering.


Crypto users scammed by fake exploit promising profits on swapzone.io

Lured by promises of quick and copious profits, users of swapzone.io are being tricked into running malicious JavaScript code directly in their browsers. Spoofed emails claim that a 0-day exploit can be manipulated into generating gains. Once executed, the code fetches a larger hidden program that manipulates what victims see on screen, inflating payout amounts by 37% or more and adding fake countdown timers to create urgency. Most critically, it hijacks the transaction process by silently replacing the recipient's wallet address with one controlled by the attackers.

How users can stay safe

Never paste code snippets into your browser's address bar from untrusted sources. Be skeptical of emails promising guaranteed profits or secret exploits, particularly those urging you to act quickly before patches are applied. Verify sender addresses carefully, and bookmark official DEX/CEX service websites to avoid clicking links in unsolicited emails.

Malicious Chrome extension "Safery" steals Secret Recovery Phrases via Sui microtransactions

Socket’s Threat Research Team discovered a malicious Chrome extension called “Safery: Ethereum Wallet,” that was designed to steal users’ secret recovery phrases (SRPs, AKA seed phrases). Safery was uploaded to the Chrome Web Store on September 29 2025, but was removed after Socket’s report was published in mid November. The fake wallet contained a backdoor that exfiltrated SRPs by “encoding them into Sui addresses and broadcasting microtransactions from a threat actor-controlled Sui wallet.”

How users can stay safe

Check wallet extension rankings and reviews carefully, as legitimate wallets typically have thousands of reviews and established reputations rather than appearing as newer entries. Research any wallet thoroughly by visiting the project's official website, social media channels, and community forums to confirm authenticity. Look for red flags like generic email addresses, vague privacy policies, or developers with no established history in the crypto space.

DarkComet RAT spyware returns hidden in fake Bitcoin wallet apps

In other fake wallet news, a 16-year-old spyware tool called DarkComet RAT (short for remote access trojan) has been hidden inside fake Bitcoin wallet and trading applications. Point Wild's Lat61 Threat Intelligence Team discovered the latest version distributed as a compressed RAR file containing an executable named "94k BTC wallet.exe" that's packed using UPX compression to evade detection. Once targets run the disguised file, the RAT copies itself into hidden system folders and begins recording every keystroke, including passwords and private keys. The malware also includes features for file theft, webcam spying, and complete remote desktop control.

How users can stay safe

Download wallets and applications exclusively from official websites or verified app stores, never from third-party sites or unsolicited links. Be immediately suspicious of executable files that promise access to funds, as legitimate wallets don't tend to come pre-loaded. Avoid opening compressed RAR or ZIP files from unknown sources, especially those claiming to contain wallet software, since this is a common distribution method for malware.


This November 2025 report covered DPRK operatives recruiting collaborators on freelance platforms, a $128 million Balancer exploit caused by a rounding error, and fake wallet extensions and apps stealing Secret Recovery Phrases and credentials. Browse previous editions of the MetaMask crypto security report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Читать все статьи