DeFi Hacks Continue to Highlight Weaknesses in Crypto Ecosystem Security: Analysis

MetaMask’s latest ecosystem security report paints a sobering picture of the state of crypto security. In a single month, attackers stole more than $570 million across just three major incidents, underscoring how quickly threats are evolving in decentralized finance and the broader blockchain ecosystem. The largest breach hit KelpDAO on April 18, where roughly $290 million vanished after attackers compromised RPC nodes and fed false blockchain data to the protocol’s verifier while knocking legitimate nodes offline with DDoS attacks. The North Korean-linked Lazarus Group is widely suspected.

A partial recovery of $71 million was achieved through asset freezes coordinated by Arbitrum’s Security Council and law enforcement.
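The KelpDAO incident turns on a verifier that believed whatever chain data a single RPC source handed it. The following is an added example, not KelpDAO’s code or MetaMask’s: a verifier that only accepts a block hash and state root once a strict majority of independently operated RPC endpoints report the same pair, so one poisoned node cannot decide the outcome and a DDoSed node’s silence never counts as agreement. The endpoint labels, block height, hashes and the `RpcResult` shape are all constructed for this illustration.

```python
"""Quorum verification of chain data across independent RPC providers.

Added example (not KelpDAO's code): refuse to act on a block hash / state
root unless a strict majority of the RPC endpoints queried agree on it.
Endpoint names, hashes and the RpcResult shape are constructed here.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RpcResult:
    endpoint: str      # hypothetical provider label
    block_number: int
    block_hash: str
    state_root: str


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    block_hash: Optional[str] = None
    state_root: Optional[str] = None
    agreeing: tuple = ()
    dissenting: tuple = ()


def first_responder_verify(results):
    """The fragile pattern: trust whichever endpoint answered first.
    A single compromised or spoofed node decides the outcome."""
    r = results[0]
    return Decision(True, "trusted first response", r.block_hash, r.state_root, (r.endpoint,))


def quorum_verify(results, block_number, total_endpoints, threshold):
    """Accept (block_hash, state_root) for `block_number` only when at least
    `threshold` distinct endpoints agree.  `total_endpoints` is how many were
    queried; providers that never answered are simply absent from `results`,
    so a DDoSed node can only reduce the vote count, never cast a false one.
    """
    if not (total_endpoints // 2 < threshold <= total_endpoints):
        raise ValueError("threshold must be a strict majority of the endpoints queried")
    # One vote per endpoint, and only for the height that was asked about.
    by_endpoint = {}
    for r in results:
        if r.block_number == block_number:
            by_endpoint.setdefault(r.endpoint, r)
    votes = Counter((r.block_hash, r.state_root) for r in by_endpoint.values())
    if not votes:
        return Decision(False, "no responses for the requested height")
    (pair, count), = votes.most_common(1)
    agreeing = tuple(sorted(e for e, r in by_endpoint.items()
                            if (r.block_hash, r.state_root) == pair))
    dissenting = tuple(sorted(set(by_endpoint) - set(agreeing)))
    if count < threshold:
        return Decision(False, f"only {count} of {threshold} required endpoints agree",
                        agreeing=agreeing, dissenting=dissenting)
    return Decision(True, "quorum reached", pair[0], pair[1], agreeing, dissenting)


# --- constructed sample data (hypothetical providers and placeholder hashes) ---
HEIGHT = 19_000_000
HONEST = ("0x9f2c4e01", "0x5d1e77b2")
POISONED = ("0x0bad0bad", "0x0bad0bad")
ENDPOINTS = ("rpc-a", "rpc-b", "rpc-c", "rpc-d", "rpc-e")


def scenario_one_poisoned_node():
    """rpc-a is compromised and answers first; rpc-e is DDoSed and silent."""
    results = [
        RpcResult("rpc-a", HEIGHT, *POISONED),
        RpcResult("rpc-b", HEIGHT, *HONEST),
        RpcResult("rpc-c", HEIGHT, *HONEST),
        RpcResult("rpc-d", HEIGHT, *HONEST),
    ]
    return (first_responder_verify(results),
            quorum_verify(results, HEIGHT, len(ENDPOINTS), threshold=3))


def scenario_honest_nodes_silenced():
    """Three honest providers are DDoSed; only poisoned rpc-a and honest rpc-b answer."""
    results = [
        RpcResult("rpc-a", HEIGHT, *POISONED),
        RpcResult("rpc-b", HEIGHT, *HONEST),
    ]
    return quorum_verify(results, HEIGHT, len(ENDPOINTS), threshold=3)


if __name__ == "__main__":
    naive, careful = scenario_one_poisoned_node()
    print("first responder:", naive.accepted, naive.block_hash)
    print("quorum:", careful.accepted, careful.block_hash, "dissenting:", careful.dissenting)
    print("honest nodes silenced:", scenario_honest_nodes_silenced().reason)
```

The second scenario is the important one: when the attacker silences enough honest providers, the right answer is to halt rather than to proceed on whatever is still reachable, which is why the threshold is fixed as a majority of the endpoints queried rather than of the endpoints that happened to respond.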

Days earlier, the Solana-based decentralized exchange Drift Protocol reportedly lost approximately $280 million when approvals from its security council’s multisignature wallet were hijacked through a months-long social-engineering campaign.

Ethereum-based CoW Swap suffered a DNS hijack of its frontend on April 14 that redirected users to a phishing site, resulting in roughly $1.2 million in losses before the team temporarily shut down the dApp; it later launched a reimbursement program.

Supply-chain risks also surged.

Two malicious versions of the widely used Axios JavaScript HTTP library (axios@1.14.1 and axios@0.30.4) were published to npm; each pulled in a remote-access trojan through a compromised dependency.

The malware targeted macOS, Windows, and Linux systems and attempted to cover its tracks after execution.

MetaMask’s free LavaMoat tooling, specifically @lavamoat/allow-scripts, prevented infection for users who had permanently disabled unnecessary dependency install scripts, which is evidence that proactive dependency hardening works.
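The defence that worked here is refusing to run dependency lifecycle hooks (preinstall, install, postinstall) unless each one has been reviewed and allowed. The script below is an added example, not LavaMoat’s code: it walks a node_modules tree, reports every package that declares such a hook, and emits a deny-by-default mapping in the `"lavamoat": {"allowScripts": {...}}` shape that @lavamoat/allow-scripts reads from package.json. Two simplifications are assumptions of this example rather than the tool’s behaviour: packages are keyed by plain name (allow-scripts itself keys nested packages by their dependency path), and the sample tree with its hypothetical package names is written to a temporary directory so the script runs offline.

```python
"""Audit a node_modules tree for lifecycle (install) scripts.

Added example, not LavaMoat's code.  Finds every package that declares a
preinstall/install/postinstall hook and builds a deny-by-default policy in
the "lavamoat" -> "allowScripts" shape that @lavamoat/allow-scripts reads.
The sample tree (build_sample_tree) and its package names are constructed.
"""
import json
import tempfile
from pathlib import Path

LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall")


def _is_package_root(manifest: Path) -> bool:
    """True for node_modules/<pkg>/package.json or node_modules/@scope/<pkg>/package.json,
    so package.json files buried in a package's fixtures are not mistaken for packages."""
    parent = manifest.parent
    if parent.parent.name == "node_modules":
        return True
    return parent.parent.name.startswith("@") and parent.parent.parent.name == "node_modules"


def find_install_scripts(node_modules: Path) -> dict:
    """Return {package_name: {hook_name: command}} for every package (nested
    and scoped packages included) that declares a lifecycle hook."""
    found = {}
    for manifest in sorted(node_modules.rglob("package.json")):
        if not _is_package_root(manifest):
            continue
        try:
            data = json.loads(manifest.read_text())
        except (OSError, json.JSONDecodeError):
            continue  # unreadable manifest; npm would fail on it anyway
        scripts = data.get("scripts") or {}
        hooks = {k: scripts[k] for k in LIFECYCLE_SCRIPTS if k in scripts}
        if hooks:
            found[data.get("name") or manifest.parent.name] = hooks
    return found


def deny_by_default_policy(found: dict, allow=frozenset()) -> dict:
    """Every package with a hook is listed explicitly; only names in `allow`
    get True, so a newly added hook shows up as a policy change to review."""
    return {name: (name in allow) for name in sorted(found)}


def render_package_json_fragment(policy: dict) -> str:
    """The fragment to merge into the project's package.json."""
    return json.dumps({"lavamoat": {"allowScripts": policy}}, indent=2)


def build_sample_tree() -> Path:
    """Write a small constructed node_modules tree to a temp dir.
    Package names and commands are hypothetical."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    manifests = {
        "plain-lib": {"name": "plain-lib", "version": "1.0.0",
                      "scripts": {"test": "node test.js"}},
        "left-side-helper": {"name": "left-side-helper", "version": "2.3.1",
                             "scripts": {"postinstall": "node setup.js"}},
        "@scope/native-addon": {"name": "@scope/native-addon", "version": "0.9.0",
                                "scripts": {"install": "node-gyp rebuild"}},
        "plain-lib/node_modules/nested-tool": {"name": "nested-tool", "version": "0.1.0",
                                               "scripts": {"preinstall": "node fetch.js"}},
    }
    for rel, data in manifests.items():
        pkg_dir = root / rel
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(data))
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    hooks = find_install_scripts(tree)
    for name, scripts in hooks.items():
        print(f"{name}: {scripts}")
    # Only the native addon has a reviewed, necessary build step.
    print(render_package_json_fragment(deny_by_default_policy(hooks, allow={"@scope/native-addon"})))
```

Pair a policy like this with `ignore-scripts=true` in the project’s `.npmrc` so npm never runs hooks on its own; the allow list then becomes the only path by which a dependency’s install script executes, and a package that suddenly gains a postinstall hook (the way a trojaned release would) fails closed instead of running on the first `npm install`.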

Emerging technologies added new layers of concern. Anthropic’s restricted-access Mythos AI model demonstrated an alarming ability to discover high-severity zero-days across major operating systems and browsers, sometimes chaining exploits automatically.

While the model’s cybersecurity applications are promising, its sandbox-escape capabilities and track-covering behavior have raised red flags about dual-use AI risks in crypto.

Positive developments included the conclusion of Ethereum’s ETH Rangers program, which rewarded 17 contributors for public-goods security work, and Solana’s launch of the STRIDE auditing framework and SIRN incident-response network.

Yet these initiatives highlight an arms race: adversaries continue to innovate faster than many projects can respond.

Other incidents reinforced familiar patterns. A fake Ledger Live app lingered on Apple’s App Store long enough to drain $9.5 million from more than 50 victims. Kraken disclosed an insider breach that exposed limited client data, triggering extortion demands the exchange refused to meet.

SEAL Radar also detailed “Traffer” social-engineering campaigns, which mix malware-as-a-service, fake video calls, and impersonation, and which appear Russian in origin but share tactics long associated with state actors.

The research report closes with practical advice. Users should download wallet apps only from official sites, verify developer names and reviews, and never share seed phrases.

Companies must conduct rigorous background checks, enforce strict access controls, and foster a security-first culture to counter insider and social-engineering threats.

MetaMask’s monthly digest reminds the ecosystem that security is no longer optional. As hacks grow larger and more sophisticated, the report concludes, vigilance, open-source tooling, and collective defense remain the most reliable shields against an increasingly professionalized threat landscape.
