SEC sues Consensys, maker of MetaMask wallet

As expected, the SEC has filed a lawsuit against Consensys, the maker of the popular MetaMask cryptocurrency wallet. Although Consensys had recently gloated about the SEC completing an investigation into the company's offering of ETH, and determining not to pursue action over it, a Wells notice sent to the firm in April suggested that some legal action was impending. Shortly afterwards, Consensys filed a lawsuit against the SEC, alleging regulatory overreach.

The SEC's lawsuit claims that Consensys violated securities laws by acting as an unregistered securities broker, and by offering staking services that constituted unregistered securities offerings. The SEC has previously cracked down on staking offerings by other firms, including Coinbase and Kraken.

Hacker compromises wallet of Steven Galanis, CEO of Cameo app, stealing $231,000

An illustration of an ape with grey-brown fur, with heavily lidded eyes, wearing 3D glasses and a togaBored Ape #9012 (attribution)
A hacker compromised the wallet belonging to Steven Galanis, the CEO of Cameo, an app that allows people to pay various celebrities to record short messages for them. The hacker took 9,457 ApeCoin (~$69,000), 2.3 ETH (~$3,900), a Bored Ape NFT, three Otherside land plots, and other various NFTs. The hacker then flipped the Bored Ape for 77 ETH (~$131,000), and the other NFTs for a combined 16 ETH (~$27,000).

Galanis wrote on Twitter that he "Just got my Apple ID hacked". Although he didn't offer more details on how he had determined iCloud was to blame, it's likely he's referring to an attack vector where MetaMask automatically backs up users' seed phrases to iCloud unless it's disabled, meaning that a hacker who successfully accesses a person's iCloud account can also compromise any of their MetaMask wallets. The same type of attack saw a user lose $650,000 in April, and brought wider attention to the app's behavior.

$650,000 phishing attack against MetaMask user reveals that credentials are automatically backed up to iCloud

An ape with fur resembling magma and volcanic rock, with a green muzzle, with leeches coming out of its nose and mouthMutant Ape #28478 (attribution)
Some MetaMask users using iOS were shocked to discover that their MetaMask credentials were automatically being stored to iCloud today, after MetaMask acknowledged this was the case in the wake of a costly phishing attack. Domenic Iacovone lost cryptocurrency and several pricey NFTs after a successful social engineering attack by scammers pretending to be Apple support earned them access to his iCloud account. From there, they were able to access his iCloud data, and use the stored MetaMask credentials to drain his wallet. The trader lost $650,000 worth of cryptocurrency and NFTs, including Mutant Apes and Gutter Cats, to the attack.

It's not yet clear if others have been affected by the same type of attack, but MetaMask tweeted instructions for iCloud users on how to turn off the automatic backups. Most people seemed to have previously been unaware that this data was being backed up in iCloud. MetaMask turned off replies on their tweet announcement, apparently anticipating the outrage from their users. Iacovone was among the outraged, writing, "Keep exposing MetaMask until they do what is right and take care of this issue and the people affected by it".

MetaMask and Infura block Venezuelan users, at least briefly

Users based in Venezuela suddenly found themselves unable to use the enormously popular crypto wallet, MetaMask, on March 3. MetaMask relies on Infura, a popular API platform for Ethereum, which had apparently blocked access for Venezuelan users. Both MetaMask and Infura are owned by the parent company ConsenSys. An FAQ page on MetaMask's website states that "MetaMask and Infura are unavailable in certain jurisdictions due to compliance with laws", though it does not specify which jurisdictions, or which laws.

Some Venezuelan users were furious with MetaMask, feeling that their choice to prevent them from using the platform was incompatible with the decentralized and deregulated nature of much of crypto. One Twitter user wrote, "MetaMask Do not tell me that you became Centralized, I have this problem and many people in Venezuela have the same".

ConsenSys later appeared to say that the block of Venezuelan users was in error, writing that "In changing some configurations as a result of the new sanctions directives from the United States and other jurisdictions mistakenly configured the settings more broadly than they needed to be".

Former ConsenSys employees demand audit regarding MetaMask and Infura's transfer to a new company

A group of 35 former employees of the startup incubator ConsenSys filed a request for an audit of a transfer of the company's "crown jewel" assets to a new company, which they say "was to the detriment of the minority shareholders". The requested audit relates to an August 2020 deal that saw the cryptocurrency wallet MetaMask and the developer platform Infura be transferred to a brand new entity. The transaction also resulted in the banking giant JPMorgan taking a 10% share in ConsenSys, and in a $39 million loan by ConsenSys founder being offset. The shareholders allege that MetaMask and Infura were massively undervalued in the trade; an allegation that a ConsenSys spokesperson has rebutted, saying that "the group would like to apply a valuation that might be achieved today to a set of projects that were pre-monetization during the darkest days of Covid when the transaction took place".

People begin creating IP-harvesting NFTs to highlight the vulnerabilities in marketplaces and wallets

IP gathering NFT titled "Random 1". The image data shows text reading: "Latest IP logged: 108.62.52.135 Total visitors logged: 12643"IP gathering NFT on OpenSea (attribution)
MetaMask acknowledged a week ago that they'd failed to address an IP leakage "issue has been widely known for a long time". The issue is present in many NFT marketplaces and wallets, including both MetaMask and OpenSea, and presents potential privacy concerns for anonymous collectors or anyone concerned about potentially having their IP (and as a result, often geolocation information) exposed to any NFT creator. Some researchers and engineers have begun creating NFT projects that gather IPs and display them back to the viewers, as a way to highlight the vulnerability.

This is as good a time as any to remind you to use a VPN! Mullvad is a particularly good pick (#NotAnAd).

MetaMask founder acknowledges they've failed to remedy an IP address leak vulnerability that's been "widely known for a long time"

Security researchers publicly disclosed a critical privacy vulnerability with the popular cryptocurrency wallet Metamask, where a malicious attacker can easily create an NFT and airdrop it to a victim to obtain their IP address (and thus potentially their location). Metamask founder Dan Finlay acknowledged that "this issue has been widely known for a long time", and that the researchers were "right to call us out for not addressing it sooner. Starting work on it now. Thanks for the kick in the pants, and sorry we needed it."

Traders duped out of $1.8 million in a fake MetaMask governance token scheme

A listing for MASK on DEXTools, showing a blue checkmark by the nameSpoofed verification badge on DEXTools (attribution)
Scammers took advantage of rumors that MetaMask, a popular Ethereum wallet, would be airdropping governance tokens. The scammers created a fake MetaMask token, $MASK, and managed to inject code into the popular DEXTools trading app to show the token as verified. The token reached over $9 million in traded volume before scammers pulled the liquidity, making off with about $1.8 million worth of Ethereum.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.