Fake CAPTCHA Pages Delivering MetaMask Wallet-Drainer Malware
Criminals embed fake CAPTCHA challenges on sites mimicking MetaMask's download page or support portal. Completing the CAPTCHA triggers a clipboard-injection command that, when pasted into the Run dialog or a terminal, installs malware designed to steal seed phrases and drain connected wallets.
Part of: Fake CAPTCHA Malware Scams
Last reviewed: 8 June 2026
MetaMask is the most widely used browser-based cryptocurrency wallet, which makes it an especially attractive impersonation target for malware distributors. A relatively new attack technique pairs a convincing MetaMask-branded page with a fake CAPTCHA — often a 'click and confirm you are human' widget — that covertly injects a malicious PowerShell or terminal command into the victim's clipboard.
The page instructs the victim to open their operating system's Run dialog or terminal and paste what they believe is a CAPTCHA verification code. In reality, they are pasting and executing a command that downloads and runs malware. This malware specifically targets browser-extension wallet data — including any MetaMask seed phrase cached in the browser — and also scans for password managers and crypto-related files.
Because the command is launched from the victim's own session rather than by an exploit, many endpoint security tools do not flag the initial execution. The first sign of compromise is often an empty wallet.
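The clipboard-injection step described above is the one a defender can observe in the browser before anything is pasted. The following is an added example, not code from MetaMask or the original page: it scores clipboard text for the traits of a pasteable one-liner (interpreter, download, execute, encoded payload, decoy "verification" comment) and wraps the two browser APIs a page can use to write the clipboard. The marker list, weights, threshold and the window-like `win` argument are assumptions.

```javascript
// Added example: flag clipboard writes that look like a shell/PowerShell one-liner,
// the artefact a fake-CAPTCHA page plants for the victim to paste into Win+R or a terminal.
const MARKERS = [
  { name: 'interpreter', weight: 2, re: /\b(powershell|pwsh)(\.exe)?\b|\bcmd(\.exe)?\s+\/[ck]\b|\b(ba)?sh\s+-c\b/i },
  { name: 'download',    weight: 2, re: /\b(invoke-webrequest|iwr|curl|wget|downloadstring|net\.webclient)\b/i },
  { name: 'execute',     weight: 2, re: /\b(invoke-expression|iex)\b|\|\s*(ba)?sh\b/i },
  { name: 'encoded',     weight: 3, re: /-(e|enc|encodedcommand)\s+[A-Za-z0-9+\/=]{16,}/i },
  { name: 'hidden',      weight: 1, re: /-w(indowstyle)?\s+hidden\b/i },
  { name: 'url',         weight: 1, re: /https?:\/\/\S+/i },
  // Trailing comment that makes the pasted line read like a "verification code".
  { name: 'decoy',       weight: 2, re: /(#|::|\brem\b)[^\n]*\b(robot|human|verif|captcha)/i },
];
const THRESHOLD = 4; // assumed: a bare URL or a decoy comment alone must not trip the guard

// Returns { suspicious, score, reasons } for a candidate clipboard payload.
function classifyClipboardText(text) {
  const hits = MARKERS.filter((m) => m.re.test(String(text)));
  const score = hits.reduce((sum, m) => sum + m.weight, 0);
  return { suspicious: score >= THRESHOLD, score, reasons: hits.map((m) => m.name) };
}

// Hooks the async Clipboard API and DataTransfer.setData (the 'copy'-event path).
// `win` is a window-like object so the guard can be exercised outside a browser.
function installClipboardGuard(win, onSuspicious) {
  const report = (text) => {
    const verdict = classifyClipboardText(text);
    if (verdict.suspicious) onSuspicious(verdict, String(text));
  };
  const clip = win.navigator && win.navigator.clipboard;
  if (clip && typeof clip.writeText === 'function') {
    const write = clip.writeText.bind(clip);
    clip.writeText = (text) => { report(text); return write(text); };
  }
  const proto = win.DataTransfer && win.DataTransfer.prototype;
  if (proto && typeof proto.setData === 'function') {
    const setData = proto.setData;
    proto.setData = function (type, data) {
      if (/^text\//i.test(type)) report(data);
      return setData.call(this, type, data);
    };
  }
}
```

In a real browser the guard must run in the page's main world (for example via an injected script), because a content script's isolated `navigator` and `DataTransfer` are not the ones the page calls.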
How this scam works on the MetaMask brand
Real MetaMask does not use CAPTCHA challenges for software downloads or wallet recovery. MetaMask is installed directly from the Chrome Web Store or Firefox Add-ons marketplace, or via metamask.io's official download links. No legitimate MetaMask page will ever ask you to run a command in your terminal or Windows Run dialog.
The attack surface is wide: victims encounter these fake pages via Google Search ads for 'MetaMask download,' compromised Discord servers posting 'MetaMask security updates,' phishing DMs on Telegram, and malicious NFT project websites that claim MetaMask requires a 'compatibility update' before connecting.
After the malware installs, it looks for MetaMask's browser extension vault file, attempts to decrypt it using passwords found in the browser's password store, harvests any seed phrases the user has ever typed into the browser, and exfiltrates private keys. If the malware fails to crack the local vault, it may also install a keylogger to capture the seed phrase if the user opens MetaMask again.
Common red flags
- A page claiming to be MetaMask asks you to complete a CAPTCHA before downloading the app or restoring your wallet
- After completing the CAPTCHA, the page instructs you to open Windows Run (Win+R), Terminal, or PowerShell and paste something
- The URL of the page is not metamask.io or the official browser extension store
- The page arrived via a Discord link, Telegram DM, or paid search ad rather than your own bookmark
- The CAPTCHA looks different from standard Google reCAPTCHA or Cloudflare Turnstile designs
- Any page that asks you to type or paste a command after completing a CAPTCHA — legitimate CAPTCHAs never require this
How to protect yourself
- Never paste any command into your terminal, Run dialog, or PowerShell as part of a CAPTCHA or download process
- Install MetaMask only from the official Chrome Web Store, Firefox Add-ons, or metamask.io — use your own bookmarks
- Keep your MetaMask seed phrase written down offline only; never type it into any website or app
- Use a hardware wallet (Ledger or Trezor) as the signing device behind MetaMask for significant funds
- Keep your browser, operating system, and security software up to date
- If you ran a suspicious command, disconnect from the internet immediately and seek professional malware-removal help before reconnecting
How to report it
- Report the malicious URL to MetaMask's security team via metamask.io/security
- Submit the site to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- Report to IC3.gov (US) or Action Fraud 0300 123 2040 (UK)
- File a report with the FTC at reportfraud.ftc.gov
- Report the malware sample to your antivirus vendor's threat-intelligence team
Frequently asked questions
Why would a CAPTCHA need me to run a command on my computer?
It would not — this is the scam. Legitimate CAPTCHA systems verify you are human through interactive browser challenges. They never require you to execute code on your operating system. If a page asks you to do this, close it immediately.
Can MetaMask be compromised without me entering my seed phrase?
Yes. Malware can target the encrypted vault file stored by the MetaMask browser extension and attempt to decrypt it using credentials found on your device. Hardware wallets store private keys off the computer entirely, making this attack much less effective.
If my MetaMask was drained, can the funds be recovered?
Cryptocurrency transactions are irreversible. If a wallet drainer accessed your funds, they are very unlikely to be recovered. Report to law enforcement promptly, as transaction records on the blockchain are permanent and may assist future investigations.