If Demonic was to latch on-to a crypto wallet, it could lead to the wallet’s hostile takeover.
People who use crypto wallets via browsers must migrate to a new set of accounts
Photo Credit: Reuters
A cyber vulnerability, codenamed ‘Demonic', has been risking the networks of crypto wallets like Metamask, Brave, and Phantom. The threat, that was discovered last year, is now being addressed publicly to make people aware and limit any damage that may be caused to them. If Demonic was to latch on-to a crypto wallet, it could lead to the wallet's hostile takeover. This issue is known to impact those people who access their crypto wallets via unencrypted desktop browsers.
Blockchain security firm Halborn has informed the affected wallet providers about the issue, while suggesting the deployment of a quick security update.
Soon after, Metamask published a blog on Medium informing users that the vulnerability has been fixed.
“Security researchers at Halborn have disclosed an instance where a Secret Recovery Phrase used by web-based wallets like MetaMask could be extracted from the disk of a compromised computer under some conditions. We have since implemented mitigations for these issues, so these should not be problems for users of the MetaMask Extension versions 10.11.3 and later,” the post read.
The Demonic was not just active on Windows and macOS browsers, but was also functional on Linux, Google Chrome, Chromuim, and Firefox browsers.
In its blog Metamask explained that the vulnerability is most likely to affect users who had a device compromised or stolen soon after importing their Secret Recovery Phrase into the servers of their crypto wallet providers.
Phantom, the Solana-based DeFi and NFT wallet also issued a statement acknowledging that Demonic was a potential issue, which the company claims, has now been tackled.
“After some investigation and an official audit, fixes began rolling out in January 2022 and by April, Phantom users became protected from this critical vulnerability. An even more exhaustive patch is rolling out next week that we believe will make Phantom's browser extension the safest from this vulnerability in the industry,” the company wrote in a post.
Halborn recommends people who use crypto wallets via browsers to migrate to a new set of accounts as soon as possible.
“Rotating passwords/keys and the use of a hardware wallet in conjunction with the browser-based wallet can also provide increased security for users. Enabling local disk encryption is another best practice which mitigates this issue,” the security research firm added.
For now, details on how many wallets have been affected by Demonic remains unknown.
So far in 2022, cyber criminals have stolen $1.7 billion (roughly Rs. 13,210 crore) in digital assets with Decentralised Finance (DeFi) protocols accounting for 97 percent of the total, a report by Chainalysis had recently claimed.
The $600 million (roughly Rs. 4,660 crore) Ronin bridge breach in late March and the $320 million (roughly Rs. 2,486 crore) Wormhole attack in February were the main sources of the loot.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.