Fake MetaMask Update Phishing Campaign (May 2026): 1 decision on this page
Audit log
Every state-changing event for Fake MetaMask Update Phishing Campaign (May 2026): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish, by system:backfill, 2026-06-02 20:12:14Z. Score: ? → ? (no score change). Anchor: anchored
- chain: mainnet-beta, slot 423,879,507
- sig: 3mzGTib3VdD4…pHwRf1L4 (explorer link)
- hash: 8C1nLvZ6iMPw…uaLajwtt (sha256 → base58)
- row integrity: computed over the canonical bytes (21589 B); full verify link available
{"actor":"system:backfill","investigation_id":"21f8cdaa-79af-44fa-aed9-9888ad52e83e","kind":"publish","page_slug":"fake-metamask-update-phishing-campaign-may-2026","published_at":"2026-06-02T20:12:13.931Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Fake MetaMask Update Phishing Campaign (May 2026)","sections":[{"content":"In the final week of May 2026 a coordinated phishing campaign began delivering emails and push notifications impersonating MetaMask, the widely used self-custodial EVM wallet operated by Consensys. The messages claimed that a 'mandatory 2026 system upgrade' was required and that wallets would stop functioning if users did not validate before a stated deadline. On-chain investigator ZachXBT flagged the pattern on approximately May 28, 2026 after tracing a cluster of related drain transactions across Ethereum, Polygon, Arbitrum, and Base. By May 30, 2026, ZachXBT's running tally placed total losses above $9 million spread across more than 400 distinct victim addresses. Average per-wallet losses sat in the low five-figure range, indicating the campaign targeted users with meaningful holdings rather than sweeping indiscriminately for small balances. MetaMask is an impersonated victim in this incident and bears no operational responsibility for the losses.","heading":"Campaign Overview","severity":"critical","sources":[{"credibility":2,"name":"Fake MetaMask Update Drains EVM Wallets — Phemex Blog","type":"news_article","url":"https://phemex.com/blogs/evm-wallets-drained-fake-metamask-update-phishing"},{"credibility":2,"name":"Hundreds of MetaMask Wallets Drained: What to Check Before You Update — CryptoSlate","type":"news_article","url":"https://cryptoslate.com/hundreds-of-evm-wallets-drained-what-to-check-before-you-update/"}]},{"content":"The attack followed a five-step funnel. First, victims received an email or push notification impersonating MetaMask, using the MetaMask fox logo and official brand colors. 
The message stated that a 'mandatory 2026 system upgrade' was required and that failure to validate before a deadline would result in the wallet becoming non-functional. Second, clicking the embedded link directed victims to a typo-squatted domain (reported examples include metamasks-update.com, metamask-validator.io, and secure-metamask.app) hosting a pixel-accurate clone of MetaMask's interface. Third, the clone page triggered a WalletConnect modal prompting users to connect their wallet. Fourth, once connected, the site presented what appeared to be a routine upgrade confirmation but was in fact a Permit2 approval signature request (EIP-712 typed data) naming the drainer contract as spender with an unlimited ERC-20 allowance. A Permit2 approval is signed off-chain and broadcast later by the attacker rather than by the victim, so nothing appears on Etherscan or a block explorer at the moment of signing; and because it covers tokens the victim had already approved to the Permit2 contract, which is routine for anyone who has used a major DEX, no further on-chain step from the victim was needed. Fifth, the drainer contract executed the token transfers within seconds of the signed permit being submitted, emptying affected wallets on whichever EVM chain the victim's wallet was connected to at the time. 
Notably, the campaign did not ask for seed phrases; the social engineering required only a single signature of the kind most users associate with routine wallet interactions (the wallet shows a gas-free signature request rather than a transaction), making it harder to detect than traditional seed-phrase harvesting.","heading":"Attack Mechanics","severity":"critical","sources":[{"credibility":2,"name":"Fake MetaMask Update Drains EVM Wallets — Phemex Blog","type":"news_article","url":"https://phemex.com/blogs/evm-wallets-drained-fake-metamask-update-phishing"},{"credibility":2,"name":"EVM Wallet Drainer: Technical Analysis 2026 — Quark Lab","type":"research","url":"https://quarklab.cc/technical-analysis-of-evm-wallet-drainers/"},{"credibility":1,"name":"Signature Phishing — MetaMask Help Center","type":"official","url":"https://support.metamask.io/stay-safe/protect-yourself/wallet-and-hardware/signature-phishing/"}]},{"content":"The phishing infrastructure demonstrated a level of operational maturity that security researchers attributed to an established drainer-as-a-service team rather than opportunistic actors. Key infrastructure characteristics include: (1) Phishing domains were pre-registered weeks before the campaign launched, allowing them to accumulate domain age and reputation, which common email security filters weight heavily when scoring newly registered domains; (2) Valid TLS certificates were in place on all observed clone sites; (3) Drainer contracts were deployed simultaneously across Ethereum, Polygon, Arbitrum, and Base, with the destination address resolving correctly based on the victim's active chain at signature time; (4) The campaign was funded from a non-KYC offshore exchange, and proceeds were laundered via Tornado Cash alternatives with rapid cross-chain bridging. ZachXBT identified a single hot wallet that had dripped gas funding to the drainer contracts on all four chains, suggesting a single operator or tightly coordinated team controlled the on-chain infrastructure. 
ZachXBT's working hypothesis, as reported by Phemex, is that this represents an established drainer team that rents infrastructure to phishing affiliates under a revenue-sharing model, with affiliates paying approximately 20–30% of gross proceeds for access to the drainer contracts, domain rotation, and laundering pipeline. No law enforcement arrests or regulatory actions specifically related to this campaign have been publicly announced as of June 2026.","heading":"Infrastructure and Attribution","severity":"critical","sources":[{"credibility":2,"name":"Fake MetaMask Update Drains EVM Wallets — Phemex Blog","type":"news_article","url":"https://phemex.com/blogs/evm-wallets-drained-fake-metamask-update-phishing"},{"credibility":2,"name":"EVM Wallet Drainer: Technical Analysis 2026 — Quark Lab","type":"research","url":"https://quarklab.cc/technical-analysis-of-evm-wallet-drainers/"}]},{"content":"The May 2026 mandatory-upgrade campaign exists within a documented pattern of sustained MetaMask impersonation operations in 2026. Three related incidents have been identified: (1) January 2026 fake 2FA campaign: SlowMist chief security officer '23pds' flagged a campaign beginning around January 5, 2026 in which fraudulent emails impersonating MetaMask Support demanded that users activate 'mandatory two-factor authentication' before a stated deadline. Fake domains differing from the legitimate MetaMask domain by a single character directed victims to pages that ultimately requested the 12-word seed recovery phrase under the guise of completing 2FA setup. Seed-phrase compromise grants full wallet access. No aggregate loss figure was disclosed by SlowMist for this specific campaign. (2) March 2026 fake security report campaign: Researchers at the SANS Internet Storm Center reported a campaign beginning around March 9, 2026 in which phishing emails containing a PDF attachment titled 'Security_Reports.pdf' warned of suspicious login activity. 
The attachment, created using the legitimate Python library ReportLab, contained no malware but served as social proof to motivate victims to click an embedded link redirecting to a counterfeit MetaMask login page hosted on an Amazon Web Services S3 storage bucket (hxxps://access-authority-2fa7abff0e.s3.us-east-1.amazonaws.com/index.html). The AWS hosting was specifically chosen to exploit the 'inherited trust' that email security filters grant to major cloud providers. The goal was seed-phrase or credential harvest. (3) May 25, 2026 Indian broker incident: A real estate broker in Vijayawada, Andhra Pradesh, India lost approximately INR 1.4 crore (approximately $168,000 USD) to a separate MetaMask-related social engineering scheme in which fraudsters posed as cryptocurrency investment experts on social media, onboarded the victim into a legitimate MetaMask wallet, deposited fake tokens to simulate profits, and then extracted two real-money transfers via corporate mule bank accounts. Police investigations traced one phone number to the United Kingdom; an alleged female accomplice had fled the country. 
This incident is distinct in mechanics from the mandatory-upgrade drainer campaign but contributes to the documented threat landscape around MetaMask impersonation in the same period.","heading":"Parallel and Related Incidents","severity":"high","sources":[{"credibility":2,"name":"Fake MetaMask 2FA Phishing Scam Uses Polished Design — CoinJournal","type":"news_article","url":"https://coinjournal.net/news/fake-metamask-2fa-phishing-scam-uses-polished-design-to-steal-wallet-seed-phrases/"},{"credibility":2,"name":"SlowMist Warns of Sophisticated 2FA Scam Targeting MetaMask Wallets — Yahoo Finance / CryptoNews","type":"news_article","url":"https://cryptonews.com/news/slowmist-warns-of-sophisticated-2fa-scam-targeting-metamask-wallets/"},{"credibility":2,"name":"MetaMask Users Targeted with Phishing Emails Containing Forged Security Report — CyberSecurityNews","type":"news_article","url":"https://cybersecuritynews.com/metamask-users-targeted-with-phishing-emails/"},{"credibility":2,"name":"MetaMask Users Targeted with Fake Security Report Phishing Campaign — Paubox","type":"news_article","url":"https://www.paubox.com/blog/metamask-users-targeted-with-fake-security-report-phishing-campaign"},{"credibility":2,"name":"Fake MetaMask Returns Cost Indian Broker INR 1.4 Crore — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/25/fake-metamask-returns-cost-indian-broker-inr-1-4-crore/"}]},{"content":"The primary May 2026 mandatory-upgrade drainer campaign resulted in losses exceeding $9 million across more than 400 victim addresses, based on ZachXBT's publicly reported running tally as of May 30, 2026 (Tier 3 source via Phemex reporting; no independent Tier 1 court or regulatory filing has confirmed this figure as of this writing). Average per-wallet loss was reported in the low five-figure range. The campaign spanned four EVM networks — Ethereum, Polygon, Arbitrum, and Base — simultaneously. 
For broader context, Scam Sniffer data cited in coverage of the January 2026 2FA campaign showed that total crypto phishing losses across all vectors fell approximately 83% year-over-year in 2025 to $83.3 million. The May 2026 campaign alone, if the $9 million figure is confirmed, would represent a material reversal of that trend within a single event. The May 25 Indian broker incident added approximately $168,000 in separately attributed losses. No verified on-chain analytics or blockchain forensics firm (e.g., Chainalysis, Elliptic) has independently published a figure for the mandatory-upgrade campaign as of June 2026.","heading":"Scale and Financial Impact","severity":"critical","sources":[{"credibility":2,"name":"Fake MetaMask Update Drains EVM Wallets — Phemex Blog","type":"news_article","url":"https://phemex.com/blogs/evm-wallets-drained-fake-metamask-update-phishing"},{"credibility":2,"name":"Fake MetaMask 2FA Phishing Scam — CoinJournal (Scam Sniffer 2025 figures)","type":"news_article","url":"https://coinjournal.net/news/fake-metamask-2fa-phishing-scam-uses-polished-design-to-steal-wallet-seed-phrases/"}]},{"content":"In October 2025, ahead of the 2026 campaign wave, MetaMask, Phantom, WalletConnect, and Backpack joined the Security Alliance (SEAL) to launch a real-time global phishing defense network. The system uses Verifiable Phishing Reports, allowing researchers and users to submit cryptographically attested reports that propagate warnings across member wallets within seconds of verification. The SEAL initiative was specifically designed to counter drainer campaigns including Inferno Drainer and Angel Drainer. MetaMask itself has consistently stated publicly that it never sends unsolicited emails, never requests 2FA activation via email, never asks for seed recovery phrases under any circumstances, and does not initiate email correspondence unless a user has opened a support ticket. 
MetaMask's own eth-phishing-detect GitHub repository (github.com/MetaMask/eth-phishing-detect) maintains a community-updated blocklist of phishing domains. Security researchers recommend that users revoke unused token approvals via tools such as Revoke.cash, use hardware wallets for significant holdings, and treat any 'mandatory upgrade' message arriving via email or push notification as phishing by default, since legitimate wallet software updates occur inside the extension itself.","heading":"Industry Defense Response","severity":"medium","sources":[{"credibility":1,"name":"SEAL Partners with MetaMask, Others to Strengthen Global Phishing Defense Network — SC World","type":"news_article","url":"https://www.scworld.com/brief/seal-partners-with-metamask-others-to-strengthen-global-phishing-defense-network"},{"credibility":2,"name":"Crypto's $400 Million Fightback: MetaMask, Phantom and SEAL Unite — Blockchain Magazine","type":"news_article","url":"https://blockchainmagazine.net/cryptos-400-million-fightback/"},{"credibility":1,"name":"MetaMask eth-phishing-detect GitHub Repository","type":"official","url":"https://github.com/MetaMask/eth-phishing-detect"},{"credibility":1,"name":"What Is a Malicious Token Approval — MetaMask Help Center","type":"official","url":"https://support.metamask.io/stay-safe/safety-in-web3/what-is-a-malicious-token-approval/"}]},{"content":"The primary $9 million / 400+ wallet figures originate from ZachXBT's publicly stated tally as reported by Phemex and CryptoSlate — credibility Tier 2 outlets citing a credibility Tier 2/3 on-chain researcher. No Tier 1 court filing, SEC/CFTC action, or independent blockchain analytics firm report has corroborated the specific aggregate loss figure as of June 2026. Domain examples (metamasks-update.com, metamask-validator.io, secure-metamask.app) are cited in secondary reporting and cannot be confirmed as active or archived primary sources. 
The drainer-as-a-service revenue-sharing model (20–30% affiliate split) and funding attribution to a non-KYC offshore exchange are ZachXBT's stated hypotheses, not confirmed findings. The confidence score of 0.72 reflects: strong corroboration of the campaign's existence and mechanics from multiple independent Tier 2 sources, but absence of Tier 1 verification for the financial totals.","heading":"Source Confidence and Limitations","severity":"low","sources":[{"credibility":2,"name":"Fake MetaMask Update Drains EVM Wallets — Phemex Blog","type":"news_article","url":"https://phemex.com/blogs/evm-wallets-drained-fake-metamask-update-phishing"}]}],"sources_used":[{"credibility":2,"name":"Fake MetaMask Update Drains EVM Wallets — Phemex Blog","type":"news_article","url":"https://phemex.com/blogs/evm-wallets-drained-fake-metamask-update-phishing"},{"credibility":2,"name":"Hundreds of MetaMask Wallets Drained: What to Check Before You Update — CryptoSlate","type":"news_article","url":"https://cryptoslate.com/hundreds-of-evm-wallets-drained-what-to-check-before-you-update/"},{"credibility":2,"name":"Fake MetaMask Returns Cost Indian Broker INR 1.4 Crore — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/25/fake-metamask-returns-cost-indian-broker-inr-1-4-crore/"},{"credibility":2,"name":"MetaMask Users Targeted with Fake Security Report Phishing Campaign — Paubox","type":"news_article","url":"https://www.paubox.com/blog/metamask-users-targeted-with-fake-security-report-phishing-campaign"},{"credibility":2,"name":"Fake MetaMask 2FA Phishing Scam Uses Polished Design — CoinJournal","type":"news_article","url":"https://coinjournal.net/news/fake-metamask-2fa-phishing-scam-uses-polished-design-to-steal-wallet-seed-phrases/"},{"credibility":2,"name":"SlowMist Warns of Sophisticated 2FA Scam Targeting MetaMask Wallets — Yahoo 
Finance","type":"news_article","url":"https://www.yahoo.com/news/articles/slowmist-warns-sophisticated-2fa-scam-081119905.html"},{"credibility":2,"name":"SlowMist Warns of Sophisticated 2FA Scam — CryptoNews","type":"news_article","url":"https://cryptonews.com/news/slowmist-warns-of-sophisticated-2fa-scam-targeting-metamask-wallets/"},{"credibility":2,"name":"Security Firm SlowMist Warns of New MetaMask Phishing Attack — The Crypto Basic","type":"news_article","url":"https://thecryptobasic.com/2026/01/05/security-firm-slowmist-warns-of-new-metamask-phishing-attack/"},{"credibility":2,"name":"MetaMask Users Targeted with Phishing Emails Containing Forged Security Report — CyberSecurityNews","type":"news_article","url":"https://cybersecuritynews.com/metamask-users-targeted-with-phishing-emails/"},{"credibility":2,"name":"Phishing Campaign Targets Crypto Investors with Fake MetaMask Alerts — Binance Square","type":"news_article","url":"https://www.binance.com/en/square/post/01-05-2026-phishing-campaign-targets-crypto-investors-with-fake-metamask-alerts-34674390987713"},{"credibility":2,"name":"EVM Wallet Drainer Technical Analysis 2026 — Quark Lab","type":"research","url":"https://quarklab.cc/technical-analysis-of-evm-wallet-drainers/"},{"credibility":1,"name":"MetaMask Crypto Security Report: January 2026 — MetaMask Official","type":"official","url":"https://metamask.io/news/metamask-crypto-security-report-january-2026"},{"credibility":1,"name":"Signature Phishing — MetaMask Help Center","type":"official","url":"https://support.metamask.io/stay-safe/protect-yourself/wallet-and-hardware/signature-phishing/"},{"credibility":1,"name":"What Is a Malicious Token Approval — MetaMask Help Center","type":"official","url":"https://support.metamask.io/stay-safe/safety-in-web3/what-is-a-malicious-token-approval/"},{"credibility":1,"name":"MetaMask eth-phishing-detect GitHub 
Repository","type":"official","url":"https://github.com/MetaMask/eth-phishing-detect"},{"credibility":1,"name":"SEAL Partners with MetaMask to Strengthen Global Phishing Defense Network — SC World","type":"news_article","url":"https://www.scworld.com/brief/seal-partners-with-metamask-others-to-strengthen-global-phishing-defense-network"},{"credibility":2,"name":"Crypto's $400 Million Fightback: MetaMask, Phantom and SEAL Unite — Blockchain Magazine","type":"news_article","url":"https://blockchainmagazine.net/cryptos-400-million-fightback/"}],"summary":"A coordinated phishing campaign active in late May 2026 impersonated MetaMask by sending fake 'mandatory 2026 system upgrade' notifications via email and push alerts, directing victims to pixel-accurate clone sites that solicited a single Permit/token-approval signature draining wallets within seconds. On-chain investigator ZachXBT placed total losses at more than $9 million across 400+ addresses on Ethereum, Polygon, Arbitrum, and Base as of May 30, 2026. The campaign is part of a sustained multi-variant operation against MetaMask users that began at least as early as January 2026; MetaMask itself is an impersonation victim and is not at fault.","timeline":[{"date":"2025-10-15","event":"MetaMask, Phantom, WalletConnect, and Backpack join Security Alliance (SEAL) to launch a real-time global phishing defense network.","source":"Blockchain Magazine / SC World","source_url":"https://blockchainmagazine.net/cryptos-400-million-fightback/"},{"date":"2026-01-03","event":"New Year-themed phishing email impersonating MetaMask ('Happy New Year!' 
subject line, party-hat fox logo) delivers a fake 'mandatory 2026 system upgrade' lure and drains hundreds of small EVM wallets across Ethereum and BNB Chain; ZachXBT identifies a suspicious aggregator address with losses passing $107,000.","source":"CryptoSlate","source_url":"https://cryptoslate.com/hundreds-of-evm-wallets-drained-what-to-check-before-you-update/"},{"date":"2026-01-05","event":"SlowMist chief security officer '23pds' publicly warns of a separate fake-2FA MetaMask phishing campaign harvesting 12-word seed recovery phrases via counterfeit 2FA verification pages.","source":"The Crypto Basic / CoinJournal","source_url":"https://thecryptobasic.com/2026/01/05/security-firm-slowmist-warns-of-new-metamask-phishing-attack/"},{"date":"2026-03-09","event":"SANS Internet Storm Center researchers identify a MetaMask phishing campaign delivering emails with fake 'Security_Reports.pdf' attachments (created via ReportLab) and a malicious link to an AWS S3-hosted credential-harvest page.","source":"Paubox / CyberSecurityNews","source_url":"https://www.paubox.com/blog/metamask-users-targeted-with-fake-security-report-phishing-campaign"},{"date":"2026-05-25","event":"A real estate broker in Vijayawada, India loses approximately INR 1.4 crore (~$168,000 USD) to a separate MetaMask-related social engineering scheme involving fake investment experts and mule bank accounts; police trace one number to the UK and report a female accomplice has fled the country.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/05/25/fake-metamask-returns-cost-indian-broker-inr-1-4-crore/"},{"date":"2026-05-28","event":"ZachXBT flags a cluster of drain transactions across Ethereum, Polygon, Arbitrum, and Base linked to a fake 'mandatory MetaMask 2026 system upgrade' phishing campaign; identifies a common hot-wallet gas funding source for drainer contracts on all four chains.","source":"Phemex 
Blog","source_url":"https://phemex.com/blogs/evm-wallets-drained-fake-metamask-update-phishing"},{"date":"2026-05-30","event":"ZachXBT's running tally for the mandatory-upgrade drainer campaign reaches $9 million+ across 400+ distinct victim addresses.","source":"Phemex Blog","source_url":"https://phemex.com/blogs/evm-wallets-drained-fake-metamask-update-phishing"}]},"v":1}

Verify offline (run on your own machine): python -m src.verify_decision 40a31e6a-e163-4a44-856d-6ee1e0487bf7
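The Attack Mechanics section of the snapshot above comes down to two cues a wallet can check before the user signs: the request arrives from a lookalike of metamask.io, and the typed data is a Permit2 (or ERC-2612) approval naming an unvetted spender with an unlimited, long-lived allowance. The Python below is an added example written for this page; it is not MetaMask's code, not eth-phishing-detect's, and not part of the audit-log tooling. The blocklist, allowlist and known-spender set, the drainer and benign requests, and the current time are constructed; the Permit2 address and the PermitSingle field layout are the real ones, and the lookalike check is only loosely modelled on the fuzzylist idea in eth-phishing-detect.

```python
# Added example (not MetaMask's or eth-phishing-detect's code): a wallet-side
# pre-signing check for the two cues in the campaign above, a lookalike origin
# and an approval signature that hands an unvetted spender unlimited allowances.
MAX_UINT160 = (1 << 160) - 1
MAX_UINT48 = (1 << 48) - 1
MAX_UINT256 = (1 << 256) - 1
PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3"  # canonical Permit2 deployment
DAY = 86_400

# Constructed subsets. A real wallet would load eth-phishing-detect's blacklist,
# whitelist and fuzzylist (with its tolerance) instead of these literals.
BLOCKLIST = {"metamasks-update.com", "metamask-validator.io", "secure-metamask.app"}
ALLOWLIST = {"metamask.io", "portfolio.metamask.io", "app.uniswap.org"}
PROTECTED_BRANDS = {"metamask"}
FUZZY_TOLERANCE = 2
# Hypothetical spender the user has previously vetted (e.g. a DEX router).
KNOWN_SPENDERS = {"0x1111111111111111111111111111111111111111"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character typosquats such as metamasks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(host: str) -> list[str]:
    """Exact blocklist hit, else a brand-lookalike check on the registrable label."""
    host = host.lower().rstrip(".")
    if host in ALLOWLIST:
        return []
    if host in BLOCKLIST:
        return [f"{host} is on the phishing blocklist"]
    label = host.split(".")[-2] if "." in host else host  # 'metamasks-update.com' -> 'metamasks-update'
    found = []
    for brand in PROTECTED_BRANDS:
        tokens = label.split("-")
        if any(t == brand or levenshtein(t, brand) <= FUZZY_TOLERANCE for t in tokens):
            found.append(f"{host} imitates {brand} but is not an allowlisted domain")
    return found


def signature_findings(typed: dict, now: int) -> list[str]:
    """Inspect EIP-712 typed data for approval-style signatures (Permit2 and ERC-2612)."""
    dom, msg, ptype = typed.get("domain", {}), typed.get("message", {}), typed.get("primaryType")
    found = []
    if dom.get("name") == "Permit2" and dom.get("verifyingContract", "").lower() == PERMIT2:
        # PermitSingle carries one PermitDetails struct, PermitBatch a list of them.
        details = [msg["details"]] if ptype == "PermitSingle" else list(msg.get("details", []))
        spender = msg.get("spender", "").lower()
        if spender not in KNOWN_SPENDERS:
            found.append(f"Permit2 spender {spender} has not been vetted")
        for d in details:
            if int(d["amount"]) >= MAX_UINT160:
                found.append(f"unlimited allowance on token {d['token']}")
            if int(d["expiration"]) - now > 30 * DAY:
                found.append(f"allowance on {d['token']} does not expire for over 30 days")
    elif ptype == "Permit":  # ERC-2612 token-native permit
        spender = msg.get("spender", "").lower()
        if spender not in KNOWN_SPENDERS:
            found.append(f"ERC-2612 spender {spender} has not been vetted")
        if int(msg.get("value", 0)) >= MAX_UINT256:
            found.append("unlimited ERC-2612 allowance")
    return found


def assess(origin: str, typed: dict, now: int) -> dict:
    """Domain hits block outright; approval anomalies alone only warn, because a
    vetted dApp can legitimately ask for a bounded allowance the user should read."""
    d, s = domain_findings(origin), signature_findings(typed, now)
    verdict = "block" if d else ("warn" if s else "allow")
    return {"verdict": verdict, "findings": d + s}


NOW = 1_780_000_000  # constructed 'current' unix time for the example
DRAINER_REQUEST = {  # constructed; shaped like a Permit2 PermitSingle request ('types' omitted)
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2},
    "message": {
        "details": {"token": "0x" + "22" * 20, "amount": str(MAX_UINT160),
                    "expiration": str(MAX_UINT48), "nonce": "0"},
        "spender": "0x" + "deadbeef" * 5,  # hypothetical drainer contract
        "sigDeadline": str(MAX_UINT256),
    },
}
BENIGN_REQUEST = {  # constructed; bounded amount, one-day expiry, vetted spender
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2},
    "message": {
        "details": {"token": "0x" + "22" * 20, "amount": str(1_000 * 10**6),
                    "expiration": str(NOW + DAY), "nonce": "7"},
        "spender": "0x1111111111111111111111111111111111111111",
        "sigDeadline": str(NOW + 1800),
    },
}

if __name__ == "__main__":
    for origin, req in (("metamasks-update.com", DRAINER_REQUEST), ("app.uniswap.org", BENIGN_REQUEST)):
        print(origin, assess(origin, req, NOW))
```

Run it to see the drainer request blocked on origin alone and the same typed data from an allowlisted origin downgraded to a warning. The split matters in practice: refusing every unlimited Permit2 request would break legitimate DEX flows, so the typed-data anomalies should force the user to read the spender and amount, while a lookalike origin is reason enough to refuse without asking.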
How verification works. The “Row integrity” check above is computed in your browser: your machine recomputes the SHA-256 of the canonical bytes and compares it against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine: python -m src.verify_decision <event_id>.
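The row-integrity step described above can be reproduced without the browser or the CLI. The Python below is an added example for this page, not avoid.net's src.verify_decision: it SHA-256 hashes a row's canonical bytes, base58-encodes the digest (the 'sha256 → base58' shown beside the hash), and compares it with a stored hash. The page does not say how the canonical bytes are produced, so sorted keys with no whitespace is an assumption; the sample row is a constructed miniature of the row above, and the base58 alphabet is the Bitcoin one that Solana uses. The on-chain memo check is not reproduced because the memo's exact encoding is not stated on the page.

```python
# Added example, not avoid.net's verifier: recompute a row's SHA-256 over its
# canonical bytes, base58-encode it, and compare against a stored hash.
import hashlib
import hmac
import json

# Bitcoin alphabet, which Solana uses for signatures and public keys.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58-encode bytes; every leading 0x00 byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(_B58[rem])
    zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * zeros + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    """Inverse of b58encode, so a stored hash can be compared byte-for-byte."""
    n = 0
    for ch in text:
        n = n * 58 + _B58.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + body


def canonical_bytes(row: dict) -> bytes:
    # ASSUMPTION: the page does not state its canonicalisation. This uses sorted
    # keys, no whitespace, and UTF-8 without ASCII escaping; swap in the site's
    # real rule if it differs, or the hash will not match.
    return json.dumps(row, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def row_hash(row: dict) -> str:
    return b58encode(hashlib.sha256(canonical_bytes(row)).digest())


def verify_row(row: dict, stored_hash: str) -> bool:
    """True iff the row's canonical bytes hash to stored_hash; malformed hashes fail closed."""
    try:
        expected = b58decode(stored_hash)
    except ValueError:
        return False
    actual = hashlib.sha256(canonical_bytes(row)).digest()
    return hmac.compare_digest(actual, expected)


# Constructed miniature of the audit-log row above (same field names, shorter snapshot).
SAMPLE_ROW = {
    "actor": "system:backfill",
    "kind": "publish",
    "page_slug": "fake-metamask-update-phishing-campaign-may-2026",
    "published_at": "2026-06-02T20:12:13.931Z",
    "sequence_num": 1,
    "snapshot": {"summary": "Fake 'mandatory 2026 system upgrade' lure; ZachXBT tally $9M+ across 400+ addresses."},
    "v": 1,
}


def demo() -> dict:
    """Hash the sample row, then show that a one-character edit breaks verification."""
    good = row_hash(SAMPLE_ROW)
    tampered = json.loads(json.dumps(SAMPLE_ROW))  # deep copy
    tampered["snapshot"]["summary"] = tampered["snapshot"]["summary"].replace("$9M+", "$9K+")
    return {"hash": good,
            "original_ok": verify_row(SAMPLE_ROW, good),
            "tampered_ok": verify_row(tampered, good)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To check a real row, replace SAMPLE_ROW with the full JSON printed above and the stored hash with the untruncated value from the row; if the result is False while the browser check passes, the canonicalisation assumption is the first thing to revisit, since any whitespace or key-order difference changes the digest entirely.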