Fake MetaMask Update Phishing Campaign (May 2026)
Summary
A coordinated phishing campaign active in late May 2026 impersonated MetaMask by sending fake 'mandatory 2026 system upgrade' notifications via email and push alerts, directing victims to pixel-accurate clone sites that solicited a single Permit/token-approval signature draining wallets within seconds. On-chain investigator ZachXBT placed total losses at more than $9 million across 400+ addresses on Ethereum, Polygon, Arbitrum, and Base as of May 30, 2026. The campaign is part of a sustained multi-variant operation against MetaMask users that began at least as early as January 2026; MetaMask itself is an impersonation victim and is not at fault.
Connected Entities
1 entities · 10 linked investigationsTimeline(7 events)
2025-10-15
MetaMask, Phantom, WalletConnect, and Backpack join Security Alliance (SEAL) to launch a real-time global phishing defense network.
Blockchain Magazine / SC World2026-01-03
New Year-themed phishing email impersonating MetaMask ('Happy New Year!' subject line, party-hat fox logo) delivers a fake 'mandatory 2026 system upgrade' lure and drains hundreds of small EVM wallets across Ethereum and BNB Chain; ZachXBT identifies a suspicious aggregator address with losses passing $107,000.
CryptoSlate2026-01-05
SlowMist chief security officer '23pds' publicly warns of a separate fake-2FA MetaMask phishing campaign harvesting 12-word seed recovery phrases via counterfeit 2FA verification pages.
The Crypto Basic / CoinJournal2026-03-09
SANS Internet Storm Center researchers identify a MetaMask phishing campaign delivering emails with fake 'Security_Reports.pdf' attachments (created via ReportLab) and a malicious link to an AWS S3-hosted credential-harvest page.
Paubox / CyberSecurityNews2026-05-25
A real estate broker in Vijayawada, India loses approximately INR 1.4 crore (~$168,000 USD) to a separate MetaMask-related social engineering scheme involving fake investment experts and mule bank accounts; police trace one number to the UK and report a female accomplice has fled the country.
Crypto Times2026-05-28
ZachXBT flags a cluster of drain transactions across Ethereum, Polygon, Arbitrum, and Base linked to a fake 'mandatory MetaMask 2026 system upgrade' phishing campaign; identifies a common hot-wallet gas funding source for drainer contracts on all four chains.
Phemex Blog2026-05-30
ZachXBT's running tally for the mandatory-upgrade drainer campaign reaches $9 million+ across 400+ distinct victim addresses.
Phemex BlogDecision Log
- hash: 8C1nLvZ6iMPwmVzgiGG3WQLU5kAndHvXCwpruaLajwtt
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/2/2026, 8:11:47 PM
last updated: 6/2/2026, 8:12:14 PM
avoid.net — verified advice for a post-truth world