As the adoption of cryptocurrency increases and the popularity of dApps rises, so does the use of popular web-based extensions like MetaMask. With more crypto newbies utilizing these tools, scammers have used this as an opportunity to swindle many investors out of large volumes of valuable crypto assets.
Whether you’re new to the crypto world or a regular participant in the metaverse, it’s important to stay vigilant and ensure that you keep abreast of the latest scams abounding in the crypto space. That way, you won’t fall victim to one of these hoaxes. In light of this, we have included:
- 5 common MetaMask threats to keep a lookout for, including honeypot scams, rug pulls, phishing, and fake MetaMask extensions
- 9 safety tips so that your assets remain safe and secure.
Threat 1: Fake MetaMask extension drains user accounts
A nefarious North Korean group called BlueNoroff was found to be targeting cryptocurrency startups in 15 countries by using inauthentic documents and fake MetaMask extensions.
Because of the sophisticated nature of the attack, researchers believe the group to be a sub-group of the North Korean Lazarus gang, whose clandestine operations have evaded researchers since its inception several years ago.
According to a Kaspersky report, BlueNoroff was able to breach the firms’ security and map the interactions between their employees in order to come up with potential methods of social engineering.
In some instances, they obtained the intel by hacking into an employee’s LinkedIn account and sharing a download link to a macro-laced document directly on the platform. By making use of real discussions that the employee had on LinkedIn, BlueNoroff was able to name the macro-laced documents accordingly and then target the employee at the right time, making it look like it was an official internal company document.
The group would also attach a tracker to the document that would send them a notification as soon as it was opened. After the file was unleashed, the victim would be encouraged to open another shortcut file that executed a series of scripts to access the employee’s machine before initiating a list of malicious functionalities.
Through the employee hack, BlueNoroff was able to access user credentials, which they could use to achieve even deeper network infiltration. By doing so, they were eventually able to obtain configuration files relevant to the firm in question’s cryptocurrency software. Then they would monitor users for weeks or months and collect keystrokes and other data.
The main method the hackers used to steal the crypto assets was to replace the main components of the employees’ MetaMask extensions with tampered versions created by the group. In order to tamper with the extensions, a thorough analysis of 170,000 lines of code was required, which is indicative of BlueKoroff’s expertise.
The hackers would wait for the victim to initiate a transaction, at which time they would change the recipient’s address in the backend. Since it is likely that the victim would be made aware of the hack after the first attempt, the hackers would change the transaction amount to the highest possible number, effectively draining the wallet of all assets.
Kaspersky attributes the hacks to BlueNoroff because of various similarities in the way these hacks were executed with confirmed incidents in the past as well as the fact that Korean characters were found in some of the malicious files.
Threat 2: Malicious NFT airdrops target MetaMask vulnerability
Cryptographer and security analyst Alexandru Lupascu has revealed how MetaMask users who access the app on mobile devices are at risk of exposing their IP addresses if malicious actors airdrop them NFTs.
Lupascu, who co-founded the privacy node service OMNIA Protocol, revealed how access to the IP addresses of users is achieved in a blog post. He explained that by minting and airdropping NFTs to the MetaMask-connected Ethereum address of a user, attackers could gain access to their IP address to execute targeted attacks.
When bad actors are aware of a blockchain address, they can mint NFTs with URLs directed to their own servers and transfer the ownership, he wrote. He added that when the crypto wallet retrieves the remote image from the server, its privacy will be compromised.
According to Laspascu, he informed the MetaMask team about the vulnerability in mid-December 2021. The team said they would release a patch by the second quarter of 2022. However, given the severity of the threat, Lupascu regarded this as “unacceptable.” The team then changed their stance and committed to solving the issue as soon as possible.
Lupascu has warned MetaMask users to remain vigilant if they received airdropped NFTs.
Threat 3: MetaMask honeypot/rug pull scams
In December 2021, 400 crypto investors fell victim to a combined honeypot and rug pull scam that relieved them of cryptocurrency to the tune of $1.8 million.
In order to execute the scam, swindlers managed to mint a fake MetaMask token and convinced traders it was verified by exploiting a flaw in the DeFi trading app DEXTools. They were able to pass the token off as legitimate by inserting code into the front end of the DEXTools app for the Uniswap WETH/MASK pair. When selected, the pair would open a pop-up confirming the verification of the coin.
Following their purchases, investors were pulled into the combined honeypot/rug pull scam. The mechanism built into smart contracts that normally allows token holders to sell their coins was deactivated. The scammers appear to have programmed the smart contract to only deactivate this mechanism when the liquidity pool was worth upwards of $1 million.
Afterward, they drained the token’s Uniswap liquidity pool of 475 ETH, which was worth roughly $1.8 million at the time. The stolen assets were then sent to the popular coin mixing application Tornado Cash before finally being sent off to a cold storage wallet.
Why did users fall for a fake MetaMask token?
Part of why the scam was so successful was that it played on the high anticipation surrounding the release of MetaMask’s native token, $MASK. The team behind the popular web browser wallet has repeatedly indicated they intend to launch their token through an airdrop to the wallets of existing users. When the scam happened, many believed the promise had finally come to fruition. This initial excitement led the scam token’s value to soar by 2,600%.
When the token passed the $1 million valuation mark and then could no longer be sold, suspicions that people might have bought into a scam started to arise. Some internet sleuths even started their own investigation on Twitter. One user, @coby.eth, uncovered that the scammers were able to achieve the token’s verified status by manipulating DEXTools.
What is a honeypot scam?
A honeypot scam targets crypto newbies and lesser-informed crypto investors. It’s an attempt to play on the greed of the public. Typically, the scammer uses a smart contract that appears to have a design flaw. The user being preyed upon will believe that because of this defect, they can drain Ether from the contract so long as they send a particular quantity themselves beforehand. However, when the user tries to exploit the flaw, a mechanism is set off that prevents the Ether from being drained.
With this type of scam, the con artist relies on the fact that the unsuspecting user is so focused on exploiting the obvious vulnerability that they fail to notice the second flaw in the smart contract. This would be the defect that prevents them from draining Ether and traps theirs in it as well. In the end, the person who set the trap is able to leave with both the bait as well as the crypto the victim sent to the smart contract.
What is a “rug pull”?
In crypto, a rug pull refers to a scam where developers entice investors into a project with large value propositions and a lot of hype on social media. However, in most rug pulls, there is never actually a burgeoning project in the pipeline. The whole thing is concocted solely for the purpose of a scam.
Once users start investing in the project by purchasing its native token in exchange for a legitimate cryptocurrency, such as Ether, the scammer removes the withdrawal function of the smart contract so that when the value of the scam token rises high enough, investors will not be able to cash out. As soon as the liquidity pool grows to an adequate size, the criminals make off with the legit token and leave the investors with its worthless counterpart, and there is no way for them to retrieve their capital.
Threat 4: MetaMask phishing emails and ads
One of the simplest but most effective ways for scammers and hackers to get your private key or seed is to trick you into providing it, by simply asking for it. Cybercriminals use phishing emails and even phone calls (see Ledger and MEW scam) to pretend they’re from MetaMask, asking you to “verify” your details for Know-Your-Customer (KYC) purposes. KYC is a regulatory requirement that identifies an account holder to the authorities, ironically to stifle money laundering. Phishing emails are rife in the banking sector, and crypto unfortunately as well.
Also, if you’ve ever used Google or Youtube to look for crypto content, you’ve probably come across fake ads for huge scams. Google is doing an absolutely horrible job at screening these sickening scam crypto ads, and users can easily be duped into falling for them. Always look at the URL provided, and if it seems too good to be true, it usually is. For Youtube, scammers will often use old footage of Elon Musk or a crypto leader like Vitalik Buterin or Charles Hoskinson to create the illusion that they’re doing giveaways. Don’t fall for it! These criminals often target your greed, creating FOMO that compels you to act.
Threat 5: Can MetaMask be hacked by connecting to sites or giving token approvals?
Connecting your MetaMask extension to websites shouldn’t put you at risk, in theory. But, it all depends on which sites you have connected to. It’s always important to ensure that the site you have linked your MetaMask extension to is reputable, as accounts can be compromised through phishing if users enter their seed phrase into fake websites. If you connect to scam sites and approve the wrong privileges, they can drain your crypto wallet.
The following website can be used to check which sites you have connected with and revoke access if necessary: https://tac.dappstar.io/#/.
8 Tips To Keep Your MetaMask and Other Wallets Safe
As the threats listed above prove, remaining vigilant and keeping your wits about you when navigating the world of Web 3.0 is extremely important. One false step and you can fall victim to malicious activity that may permanently relieve you of your crypto-assets. Here are some of our best safety tips below to keep in mind for all crypto wallets, including MetaMask and CoolWallets:
1. Never share your seed phrase with anyone
Remember that as soon as someone has access to your seed phrase, they have access to all your assets. So it’s important to remember to never store it on any internet-connected device, where hackers could gain access. This goes for any wallet that was given to you by another person as well. Write it on a piece of paper and store it in a safe place that you’re likely to remember.
2. Always keep your firmware/software up to date
Keeping your security software on your devices up to date means they will always have the best available data to detect and prevent the latest potential hacks and scams before you are even made aware of them.
3. Don’t download apps from outside the official channels
If the official Apple App Store or the Google Play Store have accepted an app onto their platform, it means that the app, as well as the developers, have been properly vetted. The teams of these marketplaces have done the work for you.
4. Be aware of fake websites
Ensure that you don’t fall victim to a phishing hack by only entering your details into verified and secure sites. Make sure that all URLs you interact with start with “https.”
5. Beware of fake dApps
When you receive a dApp link from someone, ensure that it is genuine before interacting with it.
6. Use different addresses for different purposes
Use separate accounts for NFT storage, NFT bidding, and airdrop claiming, and so on. The key idea here is to avoid a single point of failure in your crypto security system.
7. Review and revoke your token approvals
You can use the following website in order to review your token approvals and revoke unused ones: https://etherscan.io/tokenapprovalchecker
8. Be aware of fake support accounts
Reputable companies will never reach out to you to verify personal information. If you need to get in touch with CoolWallet, these are our official support channels:
- Email: [email protected] (Make sure your email agent verifies SPF, DKIM and DMARC records)
9. Be careful what information you provide online for airdrops and competitions
Phishing comes in many forms and usually follows after carefully orchestrated information-gathering missions from hackers. Chasing airdrops on Twitter and Telegram? Be careful. By providing all your personal info (name, address, public address, email address etc), you might be turning yourself into an easy target for bad actors who are collecting this private data to use in phishing attempts against you. Taking part in airdrops is fine, but it’s best to create a throwaway account for that that doesn’t hold much crypto.
Right alongside the rising adoption of cryptocurrency, cybercrime has been increasing in recent years. In a Chainalysis report, researchers estimated that crypto assets with a total value of $7.7 billion were scammed out of investors in 2021 alone, with the most common con job being the notorious rug pull, accounting for $2.8 billion of the heists that year.
Although we have outlined the various threats associated with using the MetaMask extension, the security features of the Web 3.0 app still makes it a reasonably safe software wallet. Almost all hacks and scams that occur are due to human error and general carelessness. This is reinforced through the fact that most MetaMask compromises have been achieved through phishing and malware attacks, rather than direct cyberattacks.
In light of this, it’s important to bear the above safety tips in mind when utilizing any crypto wallet. Additionally, all investors in the space must be careful to perform their own due diligence before investing in a new project. It’s essential to keep your wits about you to avoid falling victim to scams.
The fact of the matter remains that using a cold wallet for crypto storage is the best way to ensure the safety of your funds. We recommend both the CoolWallet S and the CoolWallet Pro, which features a CC EAL6+ secure element.
Written by Werner Vermaak
The opinions of the author and information available in this article are shared for educational and entertainment purposes only and should not be considered as financial or security advice of any kind. Always do your own research in order to best protect yourself and your financial assets.