AI Hyper-Personalised Phishing Targeting MetaMask Users
AI-powered tools allow criminals to craft highly personalised phishing emails or DMs targeting MetaMask users, referencing their known wallet activity, NFT holdings, or DeFi positions to create convincing 'security alerts' that lead to seed-phrase harvesting sites or wallet-drainer contracts.
Last reviewed: 8 June 2026
MetaMask users interact with the blockchain in ways that leave a public record — wallet addresses and their transaction histories are visible on block explorers like Etherscan. AI tools can analyse this public on-chain data and combine it with off-chain information from social media or forum posts to build detailed profiles of individual wallet holders, then generate personalised phishing messages that reference specific tokens, NFT projects, or DeFi positions the victim actually holds.
This is a significant escalation over generic phishing. A message that reads 'We noticed your wallet 0x...b4a2 has not claimed your eligible USDC airdrop from the Uniswap migration contract' may reference the victim's real partial wallet address and a protocol they genuinely use — details that generic phishing cannot replicate.
The psychological effect is powerful: the message feels too specific to be random, lowering the victim's guard. The link, however, leads to a wallet-drainer site that requests the seed phrase or an approval signature that drains all available tokens.
How this scam works on the MetaMask brand
MetaMask's legitimate communications are limited: in-app notifications, updates pushed through the MetaMask extension itself, and announcements on metamask.io. MetaMask does not send personalised emails about specific wallet transactions, airdrop eligibility, or DeFi positions.
An AI-personalised phishing attack might arrive as a Twitter DM mentioning the victim's publicly visible NFT purchase, or as an email that references the user's wallet address (obtainable from any ENS name or forum post). The message presents a compelling narrative — an unclaimed airdrop, a smart-contract vulnerability that only affects this wallet, a gas-fee rebate programme — with a link to a site that looks exactly like MetaMask's interface or a partner protocol.
The site either requests the seed phrase directly ('enter your recovery phrase to claim') or presents a wallet-connect flow that asks the user to sign a transaction that grants a malicious contract full access to their token holdings.
Common red flags
- A message references your specific wallet address, token holdings, or recent on-chain transactions and claims a reward or security issue
- The sender is an email address or social account not officially associated with metamask.io
- The linked site asks for your MetaMask seed phrase as part of a 'claim' or 'migration' process
- The wallet-connect approval request in MetaMask asks for unusual permissions or calls setApprovalForAll, which gives the named operator control over every token you hold in that NFT collection
- The communication is through an unexpected channel — email, Twitter DM, Discord — rather than through the MetaMask extension itself
- The message creates urgency: 'Your claim expires in 24 hours' or 'Act now to avoid losing your airdrop'
How to protect yourself
- Never enter your seed phrase in response to any external communication, regardless of how personalised it seems
- Read MetaMask transaction approval prompts carefully before signing — unfamiliar contract addresses warrant extra scrutiny
- Use a dedicated 'burner' wallet for new protocol interactions and keep your main holdings in a hardware wallet
- Revoke unnecessary token approvals at revoke.cash after interacting with unfamiliar dApps
- Treat any message referencing your specific wallet activity as a potential attack — public blockchain data makes personalisation easy for attackers
- Verify any claimed airdrop or migration by checking the official project's website and Discord through your own bookmarks
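To make the setApprovalForAll red flag and the advice to read approval prompts concrete, the following added example (not MetaMask's own code) decodes raw transaction calldata and grades approval calls before signing. It assumes `approve` is being sent to an ERC-20 token contract; the `knownSpenders` allowlist, the risk labels and the sample addresses are hypothetical.

```javascript
// Added example. Selectors are the first 4 bytes of keccak256(signature).
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256), assumed ERC-20
  "a22cb465": "setApprovalForAll", // setApprovalForAll(address,bool)
};
const UNLIMITED = 1n << 255n; // assumption: >= 2^255 counts as unlimited

// knownSpenders: lowercase addresses the user verified independently
// (hypothetical allowlist, empty by default).
function classifyCalldata(data, knownSpenders = new Set()) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]+$/.test(hex) || hex.length < 8) {
    return { kind: "unknown", risk: "review", reason: "not valid calldata" };
  }
  const kind = SELECTORS[hex.slice(0, 8)];
  if (!kind) return { kind: "other", risk: "review", reason: "not an approval call" };
  if (hex.length < 136) {
    return { kind, risk: "high", reason: "truncated approval arguments" };
  }
  const grantee = "0x" + hex.slice(32, 72);        // low 20 bytes of ABI word 1
  const value = BigInt("0x" + hex.slice(72, 136)); // ABI word 2: amount or bool
  const known = knownSpenders.has(grantee);
  const out = (risk, reason) => ({ kind, grantee, value, risk, reason });

  if (value === 0n) return out("low", "revokes an existing approval");
  if (kind === "setApprovalForAll") {
    return out(known ? "medium" : "high", "operator can move every NFT in this collection");
  }
  if (value >= UNLIMITED) {
    return out(known ? "medium" : "high", "unlimited token allowance");
  }
  return out(known ? "low" : "medium", "bounded token allowance");
}

// Constructed sample inputs (the address is a placeholder, not a real contract).
const SPENDER = "11".repeat(20);
const pad = (h) => h.padStart(64, "0");
const SAMPLES = {
  unlimitedApprove: "0x095ea7b3" + pad(SPENDER) + "f".repeat(64),
  approveAll: "0xa22cb465" + pad(SPENDER) + pad("1"),
  revoke: "0x095ea7b3" + pad(SPENDER) + pad("0"),
  bounded: "0x095ea7b3" + pad(SPENDER) + pad("3e8"), // 1000 base units
};

for (const [name, data] of Object.entries(SAMPLES)) {
  const r = classifyCalldata(data);
  console.log(name, r.kind, r.risk, "-", r.reason);
}
```

The grantee address it extracts is the value to compare against the project's officially published contract address before signing.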
How to report it
- Report phishing sites to MetaMask's security team at metamask.io/security
- Submit the URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- Report the malicious wallet address on ChainAbuse or similar community reporting tools
- File a report with the FTC at reportfraud.ftc.gov
- Report to IC3.gov (US) or Action Fraud 0300 123 2040 (UK)
Frequently asked questions
How can a phishing message know my wallet address and what tokens I hold?
Your wallet address is public on the blockchain. Anyone can look it up on Etherscan or a similar explorer and see your full transaction history, token balances, and NFT holdings. AI tools can process this data at scale and generate personalised messages — this does not mean MetaMask or any protocol sent the message.
Is there any legitimate reason MetaMask would email me about my specific wallet?
No. MetaMask does not track individual wallet activities and does not send personalised emails about specific wallets, positions, or airdrop eligibility. Any such email is a phishing attempt.
What should I do after approving a suspicious MetaMask transaction?
Go to revoke.cash immediately, connect your wallet, and revoke any approvals you do not recognise. If significant funds have already moved, they are likely unrecoverable, but revoking approvals stops ongoing or future drainage. Transfer remaining assets to a new wallet with a new seed phrase.