Fake MetaMask QR-Code Quishing Scam
Fraudulent QR codes distributed at cryptocurrency events, online forums, and social media claim to link to MetaMask's wallet-connect or setup flow but instead direct users to phishing pages that harvest seed phrases or execute wallet-drainer approval transactions.
Last reviewed: 8 June 2026
MetaMask makes heavy use of QR codes in its normal operation: users scan QR codes to connect to decentralised applications, to sign transactions on mobile, and to transfer wallet addresses. This familiarity with QR-based interactions in the crypto ecosystem makes MetaMask users more likely to scan a code in a cryptocurrency context without careful verification.
Criminals print or embed fake 'MetaMask wallet setup' or 'MetaMask wallet connect' QR codes in conference materials, crypto-event guides, online tutorials, and social-media posts. Scanning the code either directs the user to a MetaMask-branded phishing page requesting the seed phrase, or opens a WalletConnect-style session that routes to a malicious dApp requesting token approvals.
The attack is particularly effective at physical cryptocurrency events where attendees are in a mindset of trying new tools and scanning QR codes is commonplace behaviour.
How this scam works on the MetaMask brand
Real MetaMask QR codes are generated within the MetaMask application itself — for wallet addresses, WalletConnect sessions, and mobile-to-desktop linking. MetaMask will never distribute a standalone QR code via paper, email, or social media for users to 'set up' or 'restore' a wallet.
At a cryptocurrency conference or meetup, a fraudulent flyer may advertise 'Scan to set up your MetaMask wallet securely.' The QR code leads to a site replicating MetaMask's onboarding interface, which at the critical point asks the user either to create a wallet by entering a new seed phrase (which it logs) or to restore an existing wallet using a 12- or 24-word phrase (which is also transmitted to the attacker).
In online environments, fake QR codes appear in YouTube video descriptions purporting to link to MetaMask's official setup page, in crypto tutorial websites, and in Telegram groups. Once the user connects a wallet through the malicious QR session, a drainer contract attempts to harvest all transferable assets.
Common red flags
- A physical flyer, conference material, or social post provides a QR code to 'set up' or 'connect' MetaMask
- Scanning the QR code opens a site that asks you to enter a seed phrase — setup QR codes are not a feature MetaMask distributes externally
- The QR-linked site URL is not metamask.io or a verifiable dApp domain you intended to visit
- The WalletConnect prompt requests broad token approvals rather than a simple read-only connection
- The QR code was found in a YouTube description, Telegram message, or social-media post rather than generated within the MetaMask app itself
- The site claims your MetaMask is 'outdated' and you must 'verify your wallet' to continue
How to protect yourself
- Use MetaMask's native WalletConnect feature to generate your own QR codes — never scan externally distributed 'MetaMask' QR codes
- Read every wallet-connect approval prompt carefully before signing, especially at events where scanning is commonplace
- Verify any dApp URL independently by searching for the official site rather than relying on a provided QR
- Keep significant funds in a hardware wallet that requires physical confirmation for every transaction
- Revoke unnecessary approvals after every event at revoke.cash
- Report fake MetaMask QR materials to the event organisers and to MetaMask's security team
How to report it
- Report the phishing URL to MetaMask at metamask.io/security
- Submit the malicious URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- Report to IC3.gov (US) or Action Fraud 0300 123 2040 (UK)
- Alert event organisers if fake QR materials were distributed at a physical event
- Report malicious wallet addresses at ChainAbuse or similar community reporting tools
Frequently asked questions
Does MetaMask ever distribute QR codes for setup via flyers or social media?
No. MetaMask's official setup flow is initiated within the browser extension or mobile app — it does not use externally distributed QR codes. Any QR code directing you to set up or restore a MetaMask wallet is fraudulent.
Is WalletConnect itself safe to use?
WalletConnect is a legitimate open-source protocol. The risk arises when you use it to connect to malicious or compromised dApps. Always verify the dApp URL before connecting and read approval requests carefully. A WalletConnect session itself does not grant token transfer rights — those rights are granted only through explicit approval transactions you sign.
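To make "explicit approval transactions" concrete, the added example below (not MetaMask or WalletConnect code) decodes the `data` field of a transaction request and reports what signing it would grant. The spender address and calldata are constructed placeholders; only the two standard function selectors are real.

```javascript
// Added example. Standard 4-byte selectors for
// approve(address,uint256) and setApprovalForAll(address,bool).
const SELECTORS = { "095ea7b3": "approve", "a22cb465": "setApprovalForAll" };
const MAX_UINT256 = (1n << 256n) - 1n;

// Describe what signing a transaction with this `data` field would grant.
function describeApproval(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return { kind: "other", risk: "review" };
  if (hex.length !== 8 + 128 || /[^0-9a-f]/.test(hex)) {
    return { kind: fn, risk: "malformed" };
  }
  const spender = "0x" + hex.slice(8 + 24, 8 + 64); // last 20 bytes of word 1
  const value = BigInt("0x" + hex.slice(8 + 64));   // word 2: amount or bool
  if (value === 0n) return { kind: fn, spender, risk: "revoke", grants: "nothing (revokes)" };
  if (fn === "setApprovalForAll") {
    return { kind: fn, spender, risk: "high", grants: "every NFT in this collection" };
  }
  // Treat the top half of the uint256 range as effectively unlimited.
  const unlimited = value >= MAX_UINT256 / 2n;
  return {
    kind: fn, spender, risk: unlimited ? "high" : "bounded",
    grants: unlimited ? "unlimited token spend" : `up to ${value} base units`,
  };
}

// Constructed calldata; SPENDER is a placeholder address, not a real contract.
const word = (h) => h.padStart(64, "0");
const SPENDER = "11".repeat(20);
const unlimitedApprove = "0x095ea7b3" + word(SPENDER) + "f".repeat(64);
const boundedApprove = "0x095ea7b3" + word(SPENDER) + word((1000000n).toString(16));
const nftApproveAll = "0xa22cb465" + word(SPENDER) + word("1");
for (const d of [unlimitedApprove, boundedApprove, nftApproveAll]) console.log(describeApproval(d));
```

Anything the decoder labels "other" still needs reading in full: the table covers only these two on-chain approval calls, not signed off-chain permits or other contract functions.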
How can I tell if a QR code links to a malicious site before following it?
Your phone's camera will preview the URL before opening it. Carefully read the domain — it should exactly match the official service. If it contains extra words, hyphens, or unfamiliar subdomains, do not proceed. Some QR scanner apps also flag known phishing URLs.
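The domain check described above can be automated. This added example (not part of MetaMask or any scanner app) classifies the text decoded from a QR code against an exact-match allowlist; `ALLOWED_HOSTS`, `BRAND` and every `.example` URL are illustrative assumptions.

```javascript
// Added example. ALLOWED_HOSTS and BRAND are illustrative assumptions:
// list only domains you typed in or verified yourself.
const ALLOWED_HOSTS = new Set(["metamask.io"]);
const BRAND = "metamask";

// Classify the text decoded from a QR code before it is opened.
// Returns { verdict: "match" | "suspicious" | "unknown" | "reject", reason }.
function checkQrUrl(decoded) {
  let url;
  try {
    url = new URL(decoded.trim());
  } catch {
    return { verdict: "reject", reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "reject", reason: `scheme ${url.protocol} is not https:` };
  }
  if (url.username || url.password) {
    // "https://metamask.io@other.example" really goes to other.example.
    return { verdict: "reject", reason: "text before '@' is not the host" };
  }
  // URL() lower-cases the host and converts non-ASCII labels to "xn--" form.
  const host = url.hostname.replace(/\.$/, "");
  if (ALLOWED_HOSTS.has(host)) {
    return { verdict: "match", reason: `${host} is on the allowlist` };
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "suspicious", reason: `${host} uses look-alike (IDN) characters` };
  }
  if (host.replace(/-/g, "").includes(BRAND)) {
    return { verdict: "suspicious", reason: `${host} borrows the brand name but is not the official domain` };
  }
  return { verdict: "unknown", reason: `${host} is not on the allowlist; verify it independently` };
}

// Constructed sample inputs (example hosts are placeholders, not real sites).
const samples = [
  "https://metamask.io/download/",
  "https://metamask-setup.example/restore",
  "https://metamask.io.wallet-verify.example/",
  "https://metamask.io@wallet-verify.example/",
  "https://m\u0435tamask.io/", // Cyrillic "е" in place of Latin "e"
  "https://some-dapp.example/",
];
for (const s of samples) {
  const { verdict, reason } = checkQrUrl(s);
  console.log(verdict.padEnd(10), s, "-", reason);
}
```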