Ice Phishing EIP-712 Signature Scams Impersonating MetaMask
Fake 'MetaMask Security Update' pages and counterfeit dApps trick users into signing EIP-712 messages that grant attackers unlimited token spending rights without requiring a seed phrase.
Part of: Ice Phishing and EIP-712 Signature Scams
Last reviewed: 8 June 2026
MetaMask is one of the most widely used Ethereum wallet extensions, which makes it an obvious target for ice phishing impersonation. Unlike seed-phrase phishing, ice phishing does not need the victim's secret recovery phrase: it only needs the victim to sign one structured message off-chain, which the attacker then submits on-chain. Criminals build pages that impersonate MetaMask's interface and frame the signature request as a routine security check or wallet upgrade.
Because MetaMask itself presents EIP-712 messages in a structured popup that many users have come to accept without reading carefully, a convincing surrounding page claiming to be a MetaMask product significantly increases the sign-through rate. The message may appear to simply verify wallet ownership, but the underlying data grants the attacker's contract an allowance on a specific token, usually the maximum uint256 value, which covers the victim's entire balance of that token now and in the future.
MetaMask does not push security updates that require users to sign an on-chain or off-chain message via a web page. Genuine MetaMask updates are delivered automatically through the browser extension update mechanism with no user action required on an external site.
How this scam works on the MetaMask brand
Victims encounter the fake MetaMask page through a search engine ad for 'MetaMask wallet update,' a phishing email warning of a 'critical vulnerability,' or a social media post claiming MetaMask is issuing a security patch. The landing page copies MetaMask's fox logo and colour scheme and presents a step-by-step 'security verification' flow.
Step one asks the user to connect their wallet. Step two presents an EIP-712 structured-data signature request framed as 'confirming wallet ownership.' The data being signed is actually an ERC-2612 Permit: its 'spender' field holds the attacker's contract address, its 'value' (some tokens and Permit2-style requests call it 'amount') is set to the maximum uint256, and its 'deadline' is set far in the future so the signature never expires. Most users click 'Sign' without reading these fields.
Once the signature is captured by the attacker's backend, it is submitted to the token contract named in the message's EIP-712 domain: a permit signature is bound to one verifyingContract and chain ID, so the attacker prepares one request per token worth draining. The permit() call sets the allowance on-chain and a transferFrom() call, often in the same transaction, moves the balance. Assets are typically drained within seconds. MetaMask provides educational resources at support.metamask.io about how to read signature requests safely.
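The request the fake page sends in step two, and the checks a careful user (or a wallet-side reviewer) would apply to it, as an added example in JavaScript. This is not MetaMask's code and not any real dApp's: it builds a constructed ERC-2612 Permit typed-data object of the shape passed to eth_signTypedData_v4 and audits the fields discussed above. The addresses, token name, timestamp and spender allowlist are assumptions, and the field-name variants handled (value/amount/allowed, deadline/expiry) go slightly beyond the ERC-2612 case in the text.

```javascript
// Added example (not MetaMask's or any dApp's own code). It inspects an
// EIP-712 typed-data object of the shape a page passes to MetaMask through
// eth_signTypedData_v4 and reports the ice-phishing signs described above.
// Every address, the token name and the timestamps are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const ONE_YEAR = 365n * 24n * 60n * 60n;
const norm = (a) => String(a).toLowerCase(); // addresses compare case-insensitively

// `known` is the reader's own allowlist of spender contracts (an assumed
// input), `now` the current Unix time, `chainId` the chain MetaMask is on.
function auditPermitRequest(typedData, { known = [], now, chainId }) {
  const msg = typedData.message || {};
  const domain = typedData.domain || {};
  const info = [];
  const warnings = [];

  // A message carrying a `spender` authorises someone to move tokens; a
  // genuine "prove you own this wallet" request never needs that field.
  if ("spender" in msg) {
    info.push(`grants spending rights to ${msg.spender}`);
    if (!known.map(norm).includes(norm(msg.spender))) {
      warnings.push("spender is not a contract you have allowlisted");
    }
  }

  // Unbounded allowance. ERC-2612 calls the field `value`; some tokens and
  // Permit2-style requests use `amount`; DAI-style permits use `allowed`.
  const amountField = ["value", "amount"].find((f) => f in msg);
  if (amountField !== undefined && BigInt(msg[amountField]) === MAX_UINT256) {
    warnings.push(`${amountField} is the maximum uint256 (unlimited allowance)`);
  } else if (msg.allowed === true) {
    warnings.push("allowed=true grants an unlimited allowance");
  }

  // A deadline far in the future keeps the signature usable indefinitely.
  const deadlineField = ["deadline", "expiry"].find((f) => f in msg);
  if (deadlineField !== undefined) {
    const deadline = BigInt(msg[deadlineField]);
    if (deadline === MAX_UINT256 || deadline > BigInt(now) + ONE_YEAR) {
      warnings.push(`${deadlineField} is more than a year away`);
    }
  }

  // The signature only verifies against `verifyingContract` on `chainId`,
  // so the domain tells you exactly which token is at stake.
  if (domain.chainId !== undefined && BigInt(domain.chainId) !== BigInt(chainId)) {
    warnings.push(`domain chainId ${domain.chainId} differs from connected chain ${chainId}`);
  }

  const high = warnings.some((w) => /unlimited|allowlisted/.test(w));
  const risk = high ? "high" : warnings.length ? "medium" : "low";
  return { risk, info, warnings, token: domain.verifyingContract, chainId: domain.chainId };
}

// Constructed request of the kind a fake "MetaMask security verification" page
// sends: a real ERC-2612 Permit over one token, unlimited and never expiring.
const MAX_DEC = MAX_UINT256.toString(); // 115792089237316195423570985008687907853269984665640564039457584007913129639935
const SCAM_REQUEST = {
  types: {
    EIP712Domain: [
      { name: "name", type: "string" }, { name: "version", type: "string" },
      { name: "chainId", type: "uint256" }, { name: "verifyingContract", type: "address" },
    ],
    Permit: [
      { name: "owner", type: "address" }, { name: "spender", type: "address" },
      { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" },
      { name: "deadline", type: "uint256" },
    ],
  },
  primaryType: "Permit",
  domain: { name: "Example Stablecoin", version: "1", chainId: 1,
            verifyingContract: "0x1111111111111111111111111111111111111111" },
  message: {
    owner: "0x2222222222222222222222222222222222222222",   // the victim
    spender: "0x3333333333333333333333333333333333333333", // attacker's drainer
    value: MAX_DEC,                                         // 2**256 - 1
    nonce: "0",
    deadline: MAX_DEC,
  },
};

// Constructed benign permit: a DEX router the user already trusts, a bounded
// amount and a 30-minute deadline, which is what a legitimate dApp asks for.
const NOW = 1780000000; // fixed "current time" so the output is deterministic
const ROUTER = "0x4444444444444444444444444444444444444444"; // assumed allowlisted spender
const BENIGN_REQUEST = {
  ...SCAM_REQUEST,
  message: { owner: SCAM_REQUEST.message.owner, spender: ROUTER,
             value: "1000000000", nonce: "1", deadline: String(NOW + 1800) },
};

const scam = auditPermitRequest(SCAM_REQUEST, { known: [ROUTER], now: NOW, chainId: 1 });
const legit = auditPermitRequest(BENIGN_REQUEST, { known: [ROUTER], now: NOW, chainId: 1 });
console.log(scam.risk, scam.token, scam.warnings);   // high, three warnings
console.log(legit.risk, legit.token, legit.warnings); // low, no warnings
```

The point of the domain check is the one most write-ups skip: a permit signature is not a blank cheque over every token, it verifies only at the verifyingContract on the chainId in the domain, so the token shown there is the one to move out first if you have already signed.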
Common red flags
- URL is not metamask.io — fake domains include metamask-update.com, metamask-security.io, and similar
- Prompted to sign a 'security verification' message that contains numeric fields with very large values and an unfamiliar spender address
- The page arrived via a search ad or unsolicited message rather than from the MetaMask browser extension itself
- The flow involves multiple steps culminating in a signature rather than just an extension update confirmation
- No corresponding update notification appears in the browser extension badge or the Chrome Web Store release notes
- The 'spender' field in the EIP-712 data is not an address you recognize as a legitimate dApp you use
How to protect yourself
- Always read the full contents of any EIP-712 signature popup before signing, paying particular attention to the 'spender', 'value' (or 'amount') and 'deadline' fields and to the token contract named in the domain
- Update MetaMask only through the browser's built-in extension update mechanism — never by visiting an external web page
- Use a transaction simulation tool (e.g., Pocket Universe, Fire, or Wallet Guard) that previews the effect of a signature before you confirm it
- After any unexpected signature request, check revoke.cash for new approvals and revoke any you did not intentionally grant
- Keep a hardware wallet for high-value assets: it requires a physical button press for every signature, and with clear signing of typed data enabled the device shows the fields on its own screen. If the device can only show a hash of the message (blind signing), the button press gives you no chance to review the fields, so keep blind signing disabled unless you need it
How to report it
- Report phishing sites to MetaMask via the in-wallet phishing report button or at support.metamask.io
- Submit the domain to MetaMask's community-maintained phishing list at github.com/MetaMask/eth-phishing-detect
- File a complaint with IC3.gov (US) or Action Fraud (UK) at actionfraud.police.uk
- Report fake MetaMask browser extensions to the Chrome Web Store using the extension's report-abuse link
Frequently asked questions
How does a MetaMask update actually get delivered?
MetaMask updates are delivered automatically by your browser's extension update system. You do not need to visit any website, sign any message, or click any link to receive a MetaMask update. Any page claiming to be a required 'MetaMask update' is fraudulent.
What does the permit() ERC-20 function do and why is it dangerous in this context?
The permit() function, standardised in EIP-2612, lets a token owner authorise a spender by signing an off-chain EIP-712 message containing owner, spender, value, nonce and deadline. Anyone can then submit that signature to the token's permit() function, which sets the allowance without the owner paying gas or sending a transaction. This convenience feature is exploited by ice phishing because the owner never sees an approval transaction: the allowance appears only when the attacker submits the signature, and a signature with a far-future deadline stays valid until its nonce is consumed.
I signed a message on a fake MetaMask page — how quickly might my funds disappear?
The attacker can submit the signed permit immediately and drain token balances within seconds of receiving your signature. If you realise you signed in error, act immediately. Check revoke.cash for an allowance that has already been set on-chain and revoke it. Be aware that revocation sites cannot see a permit signature that has not yet been submitted: it stays valid until its deadline passes or the token's nonce for your address is consumed (submitting any permit of your own for that token consumes it). The surest fix is to move the affected token out of the wallet, then transfer remaining assets to a new wallet.