The SEC's lawsuit claims that Consensys violated securities laws by acting as an unregistered securities broker, and by offering staking services that constituted unregistered securities offerings. The SEC has previously cracked down on staking offerings by other firms, including Coinbase and Kraken.
SEC sues Consensys, maker of MetaMask wallet
As expected, the SEC has filed a lawsuit against Consensys, the maker of the popular MetaMask cryptocurrency wallet. Although Consensys had recently gloated about the SEC completing an investigation into the company's offering of ETH, and determining not to pursue action over it, a Wells notice sent to the firm in April suggested that some legal action was impending. Shortly afterwards, Consensys filed a lawsuit against the SEC, alleging regulatory overreach.
- "SEC Charges Consensys Software for Unregistered Offers and Sales of Securities Through Its MetaMask Staking Service", U.S. Securities and Exchange Commission [archive]
"Crypto inheritence" project Serenity Shield hacked, token price plummets 99%
Serenity Shield, a project aiming to solve "crypto inheritence", has been hacked. Although the project prominently claims to help "ensur[e] your financial and personal security", they seem to have some trouble ensuring their own.
An attacker stole 6.9 SERSH tokens from a MetaMask wallet belonging to the project. Although the tokens were ostensibly priced at $5.6 million, the thief was only able to sell them for around $586,000.
Serenity Shield confirmed the breach, and encouraged people to stop trading $SERSH as they planned to relaunch the token. "Rest assured, we are deploying all necessary safety measures to ensure a foolproof system," they wrote. This time it will be secure, they promise.
The team also sent a message to the hacker, offering a 15% "bounty" and a promise not to pursue legal action in exchange for the return of the stolen funds.
According to crypto sleuth zachxbt, the attack seems to be linked to exploits of OKX (December 2023) and Concentric (January 2024).
- Tweet by Serenity Shield [archive]
- Zachxbt on Telegram [archive]
- On-chain message by Serenity Shield to the hacker [archive]
Wallet security startup founder scammed out of $125,000
Bill Lou, the co-founder of a cryptocurrency wallet that claims to "revolutionize wallet security", was scammed out of 52 stETH (~$125,000) when he clicked a link promising an airdrop for a project. However, he had fallen for a phishing link that was prominently placed in Google search results, mimicking a real project but draining users' wallets when they authorized the transaction.
"I just got scammed out of $125k of stEth while trying to claim the $LFG airdrop. And I'm a fking founder of a wallet startup that's trying to improve wallet security..." wrote Lou on Twitter. "This is the first time I've been scammed. I always read about others but you never think it could happen to you..." he wrote.
If the founder of a wallet security project can't avoid scams in the crypto world, what hope do the rest of us have?
Crypto booster Mark Cuban hacked for $870,000
Billionaire crypto evangelist Mark Cuban apparently fell victim to a hack when an attacker was able to siphon around $870,000 in multiple cryptocurrencies from a wallet belonging to him. Cuban later acknowledged the hack to DL News. "They must have been watching," he said, explaining that "I'm pretty sure I downloaded a version of MetaMask with some shit in it".
This isn't the first time Cuban has been burned by the crypto industry. In June 2021, he lost "enough that I wasn't happy about it" in the collapse of the Titan stablecoin. Cuban is also a defendant in a class action lawsuit related to his endorsement of Voyager, a crypto broker that collapsed in July 2022.
MetaMask phishing scammers hijack government websites
Phishing scammers hoping to lure victims into visiting fake websites resembling that of the popular MetaMask crypto wallet have adopted a new approach: compromising government websites. CoinTelegraph identified websites on domains belonging to the governments of countries including India, Nigeria, Egypt, Colombia, Brazil, Vietnam that had been compromised and modified to redirect to these scam sites. Some of them included the websites of the Nigerian postal service and, ironically, of Egypt's Consumer Protection Agency.
Once victims visit the fake site, they're prompted to connect their MetaMask wallets to access various services, which would allow the scammers to steal any assets in the wallets.
hideyoapes suffers $200,000 wallet drain
Bored Ape #5917 was the most expensive NFT stolen, selling for 68.6868 wETH (~$112,750) (attribution)"I still don't quite understand what happened here", wrote hideyoapes.eth after their wallet was drained of around 30 NFTs. They had previously owned several pricey NFTs from the various Yuga Labs collections, including a Bored Ape, Mutant Ape, three Bored Ape Kennel Club NFTs, a SewerPass, and two Otherdeeds.
The thief sold all the NFTs and then transferred the proceeds from the sales to their own wallet. Altogether they made off with 127.3 wETH (~$208,000).
On Twitter, hideyoapes explained that they had downloaded and installed the MetaMask wallet extension from MetaMask's official website. "I didn’t think anything of it because it was the legit site and verified chrome app. While I was sleeping all my assets were sold," they wrote. At this point, it's not clear how exactly the hack was perpetrated.
Hacker compromises wallet of Steven Galanis, CEO of Cameo app, stealing $231,000
A hacker compromised the wallet belonging to Steven Galanis, the CEO of Cameo, an app that allows people to pay various celebrities to record short messages for them. The hacker took 9,457 ApeCoin (~$69,000), 2.3 ETH (~$3,900), a Bored Ape NFT, three Otherside land plots, and other various NFTs. The hacker then flipped the Bored Ape for 77 ETH (~$131,000), and the other NFTs for a combined 16 ETH (~$27,000).
Galanis wrote on Twitter that he "Just got my Apple ID hacked". Although he didn't offer more details on how he had determined iCloud was to blame, it's likely he's referring to an attack vector where MetaMask automatically backs up users' seed phrases to iCloud unless it's disabled, meaning that a hacker who successfully accesses a person's iCloud account can also compromise any of their MetaMask wallets. The same type of attack saw a user lose $650,000 in April, and brought wider attention to the app's behavior.
$650,000 phishing attack against MetaMask user reveals that credentials are automatically backed up to iCloud
Some MetaMask users using iOS were shocked to discover that their MetaMask credentials were automatically being stored to iCloud today, after MetaMask acknowledged this was the case in the wake of a costly phishing attack. Domenic Iacovone lost cryptocurrency and several pricey NFTs after a successful social engineering attack by scammers pretending to be Apple support earned them access to his iCloud account. From there, they were able to access his iCloud data, and use the stored MetaMask credentials to drain his wallet. The trader lost $650,000 worth of cryptocurrency and NFTs, including Mutant Apes and Gutter Cats, to the attack.
It's not yet clear if others have been affected by the same type of attack, but MetaMask tweeted instructions for iCloud users on how to turn off the automatic backups. Most people seemed to have previously been unaware that this data was being backed up in iCloud. MetaMask turned off replies on their tweet announcement, apparently anticipating the outrage from their users. Iacovone was among the outraged, writing, "Keep exposing MetaMask until they do what is right and take care of this issue and the people affected by it".
MetaMask and Infura block Venezuelan users, at least briefly
Users based in Venezuela suddenly found themselves unable to use the enormously popular crypto wallet, MetaMask, on March 3. MetaMask relies on Infura, a popular API platform for Ethereum, which had apparently blocked access for Venezuelan users. Both MetaMask and Infura are owned by the parent company ConsenSys. An FAQ page on MetaMask's website states that "MetaMask and Infura are unavailable in certain jurisdictions due to compliance with laws", though it does not specify which jurisdictions, or which laws.
Some Venezuelan users were furious with MetaMask, feeling that their choice to prevent them from using the platform was incompatible with the decentralized and deregulated nature of much of crypto. One Twitter user wrote, "MetaMask Do not tell me that you became Centralized, I have this problem and many people in Venezuela have the same".
ConsenSys later appeared to say that the block of Venezuelan users was in error, writing that "In changing some configurations as a result of the new sanctions directives from the United States and other jurisdictions mistakenly configured the settings more broadly than they needed to be".
Former ConsenSys employees demand audit regarding MetaMask and Infura's transfer to a new company
A group of 35 former employees of the startup incubator ConsenSys filed a request for an audit of a transfer of the company's "crown jewel" assets to a new company, which they say "was to the detriment of the minority shareholders". The requested audit relates to an August 2020 deal that saw the cryptocurrency wallet MetaMask and the developer platform Infura be transferred to a brand new entity. The transaction also resulted in the banking giant JPMorgan taking a 10% share in ConsenSys, and in a $39 million loan by ConsenSys founder being offset. The shareholders allege that MetaMask and Infura were massively undervalued in the trade; an allegation that a ConsenSys spokesperson has rebutted, saying that "the group would like to apply a valuation that might be achieved today to a set of projects that were pre-monetization during the darkest days of Covid when the transaction took place".