Entries related to MetaMask

February 27, 2024

"Crypto inheritence" project Serenity Shield hacked, token price plummets 99%

Serenity Shield, a project aiming to solve "crypto inheritence", has been hacked. Although the project prominently claims to help "ensur[e] your financial and personal security", they seem to have some trouble ensuring their own.

An attacker stole 6.9 SERSH tokens from a MetaMask wallet belonging to the project. Although the tokens were ostensibly priced at $5.6 million, the thief was only able to sell them for around $586,000.

Serenity Shield confirmed the breach, and encouraged people to stop trading $SERSH as they planned to relaunch the token. "Rest assured, we are deploying all necessary safety measures to ensure a foolproof system," they wrote. This time it will be secure, they promise.

The team also sent a message to the hacker, offering a 15% "bounty" and a promise not to pursue legal action in exchange for the return of the stolen funds.

According to crypto sleuth zachxbt, the attack seems to be linked to exploits of OKX (December 2023) and Concentric (January 2024).

Tweet by Serenity Shield [archive]
Zachxbt on Telegram [archive]
On-chain message by Serenity Shield to the hacker [archive]

January 2, 2024

Wallet security startup founder scammed out of $125,000

Bill Lou, the co-founder of a cryptocurrency wallet that claims to "revolutionize wallet security", was scammed out of 52 stETH (~$125,000) when he clicked a link promising an airdrop for a project. However, he had fallen for a phishing link that was prominently placed in Google search results, mimicking a real project but draining users' wallets when they authorized the transaction.

"I just got scammed out of $125k of stEth while trying to claim the $LFG airdrop. And I'm a fking founder of a wallet startup that's trying to improve wallet security..." wrote Lou on Twitter. "This is the first time I've been scammed. I always read about others but you never think it could happen to you..." he wrote.

If the founder of a wallet security project can't avoid scams in the crypto world, what hope do the rest of us have?

Tweet thread by Bill Lou [archive]

September 15, 2023

Crypto booster Mark Cuban hacked for $870,000

Mark Cuban (attribution)

Billionaire crypto evangelist Mark Cuban apparently fell victim to a hack when an attacker was able to siphon around $870,000 in multiple cryptocurrencies from a wallet belonging to him. Cuban later acknowledged the hack to DL News. "They must have been watching," he said, explaining that "I'm pretty sure I downloaded a version of MetaMask with some shit in it".

This isn't the first time Cuban has been burned by the crypto industry. In June 2021, he lost "enough that I wasn't happy about it" in the collapse of the Titan stablecoin. Cuban is also a defendant in a class action lawsuit related to his endorsement of Voyager, a crypto broker that collapsed in July 2022.

"Mark Cuban on how he lost $870k to crypto scam — 'They must have been watching'", DL News [archive]

September 5, 2023

MetaMask phishing scammers hijack government websites

(attribution)

Phishing scammers hoping to lure victims into visiting fake websites resembling that of the popular MetaMask crypto wallet have adopted a new approach: compromising government websites. CoinTelegraph identified websites on domains belonging to the governments of countries including India, Nigeria, Egypt, Colombia, Brazil, Vietnam that had been compromised and modified to redirect to these scam sites. Some of them included the websites of the Nigerian postal service and, ironically, of Egypt's Consumer Protection Agency.

Once victims visit the fake site, they're prompted to connect their MetaMask wallets to access various services, which would allow the scammers to steal any assets in the wallets.

"MetaMask scammers take over government websites to target crypto investors", CoinTelegraph [archive]

February 26, 2023

hideyoapes suffers $200,000 wallet drain

An illustration of an ape with cream-colored fur. Its eyes are half-lidded and its mouth is open in a grimace or smile. It has a tuft of brown hair on its head.

Bored Ape #5917 was the most expensive NFT stolen, selling for 68.6868 wETH (~$112,750) (attribution)

"I still don't quite understand what happened here", wrote hideyoapes.eth after their wallet was drained of around 30 NFTs. They had previously owned several pricey NFTs from the various Yuga Labs collections, including a Bored Ape, Mutant Ape, three Bored Ape Kennel Club NFTs, a SewerPass, and two Otherdeeds.

The thief sold all the NFTs and then transferred the proceeds from the sales to their own wallet. Altogether they made off with 127.3 wETH (~$208,000).

On Twitter, hideyoapes explained that they had downloaded and installed the MetaMask wallet extension from MetaMask's official website. "I didn’t think anything of it because it was the legit site and verified chrome app. While I was sleeping all my assets were sold," they wrote. At this point, it's not clear how exactly the hack was perpetrated.

August 6, 2022

Hacker compromises wallet of Steven Galanis, CEO of Cameo app, stealing $231,000

An illustration of an ape with grey-brown fur, with heavily lidded eyes, wearing 3D glasses and a toga

Bored Ape #9012 (attribution)

A hacker compromised the wallet belonging to Steven Galanis, the CEO of Cameo, an app that allows people to pay various celebrities to record short messages for them. The hacker took 9,457 ApeCoin (~$69,000), 2.3 ETH (~$3,900), a Bored Ape NFT, three Otherside land plots, and other various NFTs. The hacker then flipped the Bored Ape for 77 ETH (~$131,000), and the other NFTs for a combined 16 ETH (~$27,000).

Galanis wrote on Twitter that he "Just got my Apple ID hacked". Although he didn't offer more details on how he had determined iCloud was to blame, it's likely he's referring to an attack vector where MetaMask automatically backs up users' seed phrases to iCloud unless it's disabled, meaning that a hacker who successfully accesses a person's iCloud account can also compromise any of their MetaMask wallets. The same type of attack saw a user lose $650,000 in April, and brought wider attention to the app's behavior.

Tweet by Steven Galanis

April 18, 2022

$650,000 phishing attack against MetaMask user reveals that credentials are automatically backed up to iCloud

An ape with fur resembling magma and volcanic rock, with a green muzzle, with leeches coming out of its nose and mouth

Mutant Ape #28478 (attribution)

Some MetaMask users using iOS were shocked to discover that their MetaMask credentials were automatically being stored to iCloud today, after MetaMask acknowledged this was the case in the wake of a costly phishing attack. Domenic Iacovone lost cryptocurrency and several pricey NFTs after a successful social engineering attack by scammers pretending to be Apple support earned them access to his iCloud account. From there, they were able to access his iCloud data, and use the stored MetaMask credentials to drain his wallet. The trader lost $650,000 worth of cryptocurrency and NFTs, including Mutant Apes and Gutter Cats, to the attack.

It's not yet clear if others have been affected by the same type of attack, but MetaMask tweeted instructions for iCloud users on how to turn off the automatic backups. Most people seemed to have previously been unaware that this data was being backed up in iCloud. MetaMask turned off replies on their tweet announcement, apparently anticipating the outrage from their users. Iacovone was among the outraged, writing, "Keep exposing MetaMask until they do what is right and take care of this issue and the people affected by it".

March 3, 2022

MetaMask and Infura block Venezuelan users, at least briefly

(attribution)

Users based in Venezuela suddenly found themselves unable to use the enormously popular crypto wallet, MetaMask, on March 3. MetaMask relies on Infura, a popular API platform for Ethereum, which had apparently blocked access for Venezuelan users. Both MetaMask and Infura are owned by the parent company ConsenSys. An FAQ page on MetaMask's website states that "MetaMask and Infura are unavailable in certain jurisdictions due to compliance with laws", though it does not specify which jurisdictions, or which laws.

Some Venezuelan users were furious with MetaMask, feeling that their choice to prevent them from using the platform was incompatible with the decentralized and deregulated nature of much of crypto. One Twitter user wrote, "MetaMask Do not tell me that you became Centralized, I have this problem and many people in Venezuela have the same".

ConsenSys later appeared to say that the block of Venezuelan users was in error, writing that "In changing some configurations as a result of the new sanctions directives from the United States and other jurisdictions mistakenly configured the settings more broadly than they needed to be".

March 1, 2022

Former ConsenSys employees demand audit regarding MetaMask and Infura's transfer to a new company

(attribution)

A group of 35 former employees of the startup incubator ConsenSys filed a request for an audit of a transfer of the company's "crown jewel" assets to a new company, which they say "was to the detriment of the minority shareholders". The requested audit relates to an August 2020 deal that saw the cryptocurrency wallet MetaMask and the developer platform Infura be transferred to a brand new entity. The transaction also resulted in the banking giant JPMorgan taking a 10% share in ConsenSys, and in a $39 million loan by ConsenSys founder being offset. The shareholders allege that MetaMask and Infura were massively undervalued in the trade; an allegation that a ConsenSys spokesperson has rebutted, saying that "the group would like to apply a valuation that might be achieved today to a set of projects that were pre-monetization during the darkest days of Covid when the transaction took place".

"Crypto Company ConsenSys Under Fire From Shareholders Demanding Audit", Blockworks
"Crypto Powerhouse ConsenSys Faces Action by Former Employees", Bloomberg

January 27, 2022

People begin creating IP-harvesting NFTs to highlight the vulnerabilities in marketplaces and wallets

IP gathering NFT titled "Random 1". The image data shows text reading: "Latest IP logged: 108.62.52.135 Total visitors logged: 12643"

IP gathering NFT on OpenSea (attribution)

MetaMask acknowledged a week ago that they'd failed to address an IP leakage "issue has been widely known for a long time". The issue is present in many NFT marketplaces and wallets, including both MetaMask and OpenSea, and presents potential privacy concerns for anonymous collectors or anyone concerned about potentially having their IP (and as a result, often geolocation information) exposed to any NFT creator. Some researchers and engineers have begun creating NFT projects that gather IPs and display them back to the viewers, as a way to highlight the vulnerability.

This is as good a time as any to remind you to use a VPN! Mullvad is a particularly good pick (#NotAnAd).

"This NFT on OpenSea Will Steal Your IP Address", Vice

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.