Crypto Security Report: April 2024

Featuring an investigation of $200 million laundered by Lazarus Group, CryptoChameleon phishing targeting LastPass users, SEAL's new crypto-native ISAC, a Privnote phishing network, and Google's suit over 87 fraudulent crypto apps.

7 minutes
Crypto Security Report: April 2024

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

In April 2024, ZachXBT, MetaMask’s Taylor Monahan, and other researchers shared their investigation into $200 million laundered by North Korea’s Lazarus Group. Elsewhere, MetaMask's Security Lab submitted a Snow.js proposal to the W3C, upgrade LavaMoat's policy generation for ES modules, while Gal Weizman detailed the new LavaDome tool for safely displaying sensitive data. Meanwhile, the Security Alliance launched a free, crypto-native ISAC. Elsewhere, The full breakdown is below, but first...

Fazlur Rahman Khan (1929–1982) was a Bangladeshi-American structural engineer and architect, an early pioneer of computer-aided design, and the figure often called the "father of tubular designs" for high-rises. His structural systems made a new generation of efficient skyscrapers possible—including the Willis (Sears) Tower and the John Hancock Center. Designing structures that stay standing under enormous stress is, in its own way, the same challenge security engineering takes on: build something that holds up when everything pushes against it.

LavaMoat and Snow updates: a W3C proposal, ESM policy generation, and iOS lockdown

MetaMask's Security Lab submitted a proposal to the W3C for incubation, introducing basic functionality that would let the team ship Snow.js on the user end rather than through LavaMoat. Embedding it directly into the browser would make bypass virtually impossible and is a key step in addressing the "same origin concern." The team also upgraded its policy generation to support ECMAScript Modules (ESM)—accommodating import and export syntax beyond the traditional require system—for both the webpack plugin and a new Endo-based tool, and support for target: 'node' with built-in modules is coming to the LavaMoat webpack plugin in the next release. Lockdown has now been permanently released on MetaMask Mobile for iOS, and the team is improving its docs and educational videos to smooth LavaMoat onboarding for the wider ecosystem.

How LavaDome proactively protects against web application code hacks

As trust in the code inside web applications erodes, traditional protections like the Same Origin Policy are increasingly inadequate against internal threats. MetaMask is addressing this with LavaDome, an experimental tool for safely displaying sensitive information in the DOM without it being stolen by malicious code through XSS or supply chain attacks. As Gal Weizman put it, LavaDome can render sensitive values—a PIN, a Secret Recovery Phrase, a Private Key, or other personal data—to the DOM securely, with close to zero integration friction.

A fake lawsuit threat exposes a Privnote phishing network

A cybercriminal running counterfeit versions of the self-destructing message service Privnote inadvertently exposed the scale of their operation by threatening to sue MetaMask. It started when a GitHub user complained that their site, privnote.co, had been wrongly added to MetaMask's phishing blocklist, and threatened legal action over it. When pressed to actually produce the lawsuit, they got flustered and began naming other domains they controlled, like privnode.com, privnate.com, and prevnóte.com, revealing a whole network. 

Taylor Monahan flagged the slip-up, and as Brian Krebs detailed, these sites mimic the real Privnote in look and function with one critical difference. Any message containing a cryptocurrency address is automatically rewritten to swap the real payment address for one owned by the fraudsters, and because the note self-destructs, the change is easy to miss. It is a lucrative trick, too: through just one of these phishing sites, four scam addresses moved nearly $18,000 in crypto in a single five-day stretch in March. 

ZachXBT traces how Lazarus Group laundered $200 million

ZachXBT, with help from MetaMask Security’s Taylor Monahan and other researchers, followed the transaction trail through mixers and centralized exchanges to document how the Lazarus Group laundered $200 million from more than 25 crypto hacks into fiat between 2020 and 2023. Between 2020 – 2023, the infamous Lazarus Group, which has suspected ties to North Korea, laundered an estimated $200 million. ZachXBT, in tandem with MetaMask Security’s Taylor Monahan and other researchers, shared an investigation into Lazarus’ transaction trail—through mixers and centralized exchanges—to trace 25+ hacks attributed to the group.

The Security Alliance (SEAL) launches a free, crypto-native ISAC

The Security Alliance launched a free Information Sharing and Analysis Center (ISAC) built for open-source crypto, supporting both centralized and decentralized entities. Its SEAL 911 initiative, which samczsun noted has helped recover over $50 million since launching the prior year, invited stakeholders to apply—including exchanges and trading platforms, blockchain projects, wallet and storage providers, mining pools and infrastructure providers, blockchain-focused cybersecurity firms and researchers, and regulation and compliance experts.

Bernhard Mueller analyzes the Angel Drainer service

Bernhard Mueller published a detailed analysis of Angel Drainer, one of the most notorious drainer services in operation. Although the service advertises a way to bypass Blockaid detection, the Blockaid feature enabled by default in MetaMask still flags the transaction as fraudulent, thwarting the full attack.

LastPass users hit by CryptoChameleon phishing that bypasses MFA

LastPass users were targeted by a sophisticated phishing campaign that combined email, SMS, and voice calls to steal master passwords. The attackers used CryptoChameleon, a phishing-as-a-service kit focused on cryptocurrency accounts that can bypass multi-factor authentication (MFA), tricking users into believing their LastPass account had been accessed from a new device and steering them to a credential-capturing phishing site. LastPass took action against the campaign, which is part of a series of attacks on the password manager including a significant breach disclosed the prior year. The defense is straightforward: verify any communication claiming to be from a service provider by contacting them through their official website or support line rather than responding directly, and be wary of unsolicited, urgent requests to share information, click links, or download attachments.

Google sues two developers over 87 fraudulent crypto apps

Google filed suit against developers Yunfeng Sun and Hongnam Cheung for distributing 87 fraudulent cryptocurrency apps on the Google Play Store, affecting over 100,000 users—8,700 of them in the US. The lawsuit, filed in the Southern District of New York, describes how the apps lured users with the promise of crypto investments and then trapped them with fees for withdrawing supposed returns, disguising themselves as legitimate trading platforms and evading removal by repeatedly changing identities and network infrastructure. The pig-butchering-style scheme is a reminder to research and verify an app's legitimacy—scrutinizing reviews and social media feedback—and to remember that offers that seem too good to be true usually are.

Crypto drainers deployed on ~2000 WordPress sites

Nearly 2,000 WordPress sites were hacked to show fake NFT and discount pop ups that lead visitors to connect their wallets to crypto drainers. The campaign initially pushed drainers via ads and YouTube, then shifted to brute-forcing admin passwords, and now displays fraudulent NFT offers that trick users into connecting wallets to malicious scripts served from dynamic-linx[.]com. Users should only connect wallets to trusted platforms, keep substantial funds in a hardware wallet, hold minimal assets in everyday wallets, and use different accounts for different risk levels.


MetaMask's April 2024 Crypto Security Report covered ZachXBT's investigation of $200 million laundered by the Lazarus Group, the launch of the Security Alliance's free crypto-native ISAC, and a CryptoChameleon phishing campaign that targeted LastPass users while bypassing multi-factor authentication. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Tüm makaleleri oku