MetaMask Phishing Scam Drains $107K: How Users Became Targets in a New Year Cyberattack

Image: Phishing email mimicking MetaMask update notice with suspicious sender domain highlighted

Phishing emails disguised as 'mandatory updates' from MetaMask have drained $107,000 from hundreds of wallets, exploiting a technical loophole in contract approvals rather than full seed-phrase compromises.

Attackers leveraged the same scalable model seen in Trust Wallet’s $8.5M Chrome extension exploit, routing stolen funds through a single suspicious address across multiple EVM chains.

MetaMask explicitly confirmed they never send unsolicited verification requests or upgrade notices.

ZachXBT’s analysis revealed the pattern mirrors the Trust Wallet v2.68 exploit, which was patched in v2.69. Chainalysis’ 2025 report documented 158,000 similar wallet compromises, with smaller average losses per incident.

The attack exploited holiday support lulls and New Year email clutter. The emails themselves carried red flags such as mismatched sender domains and urgent 'mandatory update' claims.

Revocation tools like Revoke.cash and Etherscan’s Token Approvals page remain critical for mitigating post-compromise damage, though they cannot recover already stolen assets.
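One way to list which approvals a wallet still has outstanding, by replaying Approval event logs in chain order. This is an added example, not code from the article or from any tool it names. It assumes the approvals are ERC-20 allowances and that logs arrive in the shape returned by the `eth_getLogs` JSON-RPC call; all addresses and log entries below are constructed.

```python
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_FLOOR = 1 << 255  # assumption: values this large are treated as "unlimited"

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner):
    """Return {(token, spender): allowance} for non-zero approvals granted by owner."""
    owner = owner.lower()
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    state = {}
    for log in ordered:
        topics = log["topics"]
        # ERC-721 Approval shares this topic0 but indexes tokenId too (4 topics): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        value = int(log["data"], 16)
        if value == 0:
            state.pop(key, None)  # approve(spender, 0) is a revocation
        else:
            state[key] = value    # a later approval overwrites the earlier one
    return state

def unlimited(approvals):
    """Approvals large enough to let the spender move the whole balance."""
    return sorted(k for k, v in approvals.items() if v >= UNLIMITED_FLOOR)

# Constructed sample data (not real addresses or transactions).
def _pad(addr):
    return "0x" + "0" * 24 + addr[2:]

def _log(token, owner, spender, value, block, idx, extra=()):
    return {"address": token, "data": "0x%064x" % value, "blockNumber": hex(block),
            "logIndex": hex(idx), "topics": [APPROVAL_TOPIC, _pad(owner), _pad(spender), *extra]}

OWNER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
DEX, UNKNOWN = "0x" + "c1" * 20, "0x" + "c2" * 20
SAMPLE_LOGS = [
    _log(TOKEN_A, OWNER, DEX, 500, 100, 0),             # limited approval...
    _log(TOKEN_B, OWNER, UNKNOWN, 2**256 - 1, 105, 3),  # unlimited, never revoked
    _log(TOKEN_A, OWNER, DEX, 0, 110, 1),               # ...revoked later
    _log(TOKEN_A, OTHER, UNKNOWN, 2**256 - 1, 111, 0),  # someone else's wallet
    _log(TOKEN_A, OWNER, UNKNOWN, 0, 112, 0, extra=(_pad(OWNER),)),  # NFT-style log
]
```

Event history gives only an upper bound, since spending through `transferFrom` lowers an allowance without necessarily emitting an Approval event; the token's `allowance(owner, spender)` view is the authoritative value before and after revoking.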

Look, the key takeaway here is that phishing attacks are evolving to exploit technical nuances like contract approvals. Users need to treat unexpected approval requests as red flags just as aggressively as they would seed-phrase theft attempts.

āš ļø LEGAL DISCLAIMER: This article is for informational purposes only and does not constitute financial or investment advice.