MetaMask Wallet-Drainer Scams
Fraudsters create fake MetaMask sites and pop-ups that trick users into signing malicious transactions, instantly emptying their wallet. MetaMask never asks you to re-enter your seed phrase to fix an error.
Last reviewed: 7 June 2026
MetaMask is the most widely used Ethereum browser wallet, which makes it a prime target for wallet-draining attacks. Unlike exchange hacks that require breaching server infrastructure, wallet-drainer attacks exploit the user directly — the victim authorizes the malicious transaction themselves, often believing they are completing a routine action like connecting a wallet or claiming a reward.
The MetaMask brand is exploited in several ways: fake browser extensions that look identical to the genuine MetaMask extension, phishing sites that mimic the MetaMask onboarding flow, and pop-up windows triggered by compromised websites that ask users to 'reconnect' or 'restore' their wallet.
Understanding how MetaMask actually behaves is essential. The real MetaMask extension — published on the Chrome, Firefox, and Brave extension stores by the verified 'MetaMask' publisher — will never display a website pop-up asking you to enter your seed phrase. It will never email you. And a legitimate dApp interaction will only present a transaction signature request, not an 'update wallet' overlay asking for recovery words.
How this scam works on the MetaMask brand
One widespread attack pattern involves malicious search ads. A user types 'MetaMask' into Google and clicks the top result, which is actually a paid ad pointing to a convincing MetaMask lookalike. The fake site prompts them to 'set up' or 'restore' their wallet by entering their 12- or 24-word seed phrase. Upon entry, the phrase is immediately forwarded to the attacker, who sweeps the wallet.
A subtler attack uses what the security community calls an 'ice-phishing' approach. The victim visits a legitimate-looking NFT marketplace or DeFi protocol that has embedded a wallet-drainer script. When they connect their MetaMask wallet, a signature request appears that, in its fine print, grants the attacker unlimited approval to spend all tokens in the wallet. The user approves it thinking it is a routine connection.
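As an added example (not part of the original page and not MetaMask's own code), the JavaScript below decodes the raw calldata behind a confirmation prompt and flags the approval patterns this kind of request relies on. The function name, risk labels, the 2^255 'unlimited' threshold and the sample calldata are assumptions constructed for illustration, and an `approve` call is assumed to target an ERC-20 contract.

```javascript
// Added example. Selectors are the first 4 bytes of keccak256 of the
// standard ERC-20 / ERC-721 function signatures.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // assumed ERC-20 (ERC-721 reuses it for a tokenId)
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator
};
// Assumption: an allowance at or above 2^255 is treated as effectively unlimited.
const UNLIMITED_THRESHOLD = 1n << 255n;

function inspectCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || hex.length % 2 !== 0 || !/^[0-9a-f]+$/.test(hex)) {
    return { kind: "invalid", risk: "review", reason: "not well-formed calldata" };
  }
  const kind = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!kind) return { kind: "other", risk: "review", reason: "not an approval call" };
  const args = hex.slice(8);
  if (args.length < 128) {
    return { kind, risk: "high", reason: "approval with truncated arguments" };
  }
  // Each ABI argument is one 32-byte word; an address is its low 20 bytes.
  const spender = "0x" + args.slice(24, 64);
  const value = BigInt("0x" + args.slice(64, 128));
  if (value === 0n) return { kind, spender, risk: "low", reason: "revokes access" };
  if (kind.startsWith("setApprovalForAll")) {
    return { kind, spender, risk: "high", reason: "operator may move every token in the collection" };
  }
  if (value >= UNLIMITED_THRESHOLD) {
    return { kind, spender, risk: "high", reason: "effectively unlimited allowance" };
  }
  return { kind, spender, amount: value.toString(), risk: "medium",
           reason: "bounded allowance: confirm amount and spender" };
}

// Constructed sample calldata (the spender address is a placeholder).
const word = (h) => h.padStart(64, "0");
const SPENDER = word("deadbeef");
const SAMPLES = {
  unlimited: "0x095ea7b3" + SPENDER + "f".repeat(64),
  bounded: "0x095ea7b3" + SPENDER + word("3e8"),
  operator: "0xa22cb465" + SPENDER + word("1"),
  transfer: "0xa9059cbb" + SPENDER + word("3e8"), // transfer(address,uint256)
};

for (const [name, data] of Object.entries(SAMPLES)) {
  const r = inspectCalldata(data);
  console.log(name, r.risk, r.reason);
}
```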
The real MetaMask extension communicates only through the browser extension UI. It does not send emails, does not display alerts outside the browser extension popup, and does not have a support team that contacts users. Any MetaMask communication appearing outside these channels should be treated with extreme suspicion.
Common red flags
- A website asking you to enter your MetaMask seed phrase to 'restore' or 'reconnect' your wallet
- A browser pop-up that appears outside the MetaMask extension frame asking for recovery words
- A MetaMask extension that was not installed from the official Chrome Web Store, Firefox Add-ons, or Brave Extensions
- An email claiming to be from MetaMask asking you to verify your wallet
- A token approval request that grants permission to move unlimited amounts of multiple tokens
- A 'MetaMask support' contact on Telegram, Discord, or social media offering to help fix a wallet error
- The extension publisher name on the browser's add-on store is not exactly 'MetaMask'
How to protect yourself
- Install MetaMask only from metamask.io or directly from your browser's official extension store, verifying the publisher
- Bookmark metamask.io and never search for it through a search engine when installing
- Never enter your seed phrase on any website or in response to any prompt — only use it to restore MetaMask on a new device
- Before approving any transaction, read the full details including token approval limits in the MetaMask confirmation window
- Use Revoke.cash or a similar tool periodically to review and revoke unnecessary token approvals
- Consider a hardware wallet (Ledger or Trezor) as the signing layer for MetaMask for large holdings
- Report suspicious extensions or sites to MetaMask via metamask.io/contact
How to report it
- Report phishing sites to MetaMask via their support portal at support.metamask.io
- Report malicious Chrome extensions to Google at chrome.google.com/webstore/report
- Report to IC3.gov (US), Action Fraud (UK), or equivalent national cybercrime body
- Submit the phishing domain to Google Safe Browsing and PhishTank
Frequently asked questions
How can I tell if a MetaMask extension is genuine?
In the Chrome Web Store, search for MetaMask and check that the publisher is 'MetaMask' (a verified developer), that it has millions of users, and that the extension ID matches the official one listed at metamask.io. Never install from a third-party website.
What is an ice-phishing attack on MetaMask?
Ice phishing tricks you into signing a legitimate-looking transaction that actually grants an attacker approval to move your tokens. Unlike seed-phrase theft, your wallet key is never compromised — but the attacker gains spending authority over your assets.
Can MetaMask freeze a wallet if it detects suspicious activity?
MetaMask is a non-custodial wallet — it does not have the ability to freeze wallets or reverse transactions. There is no 'MetaMask team' monitoring your wallet and calling to warn you.