Hundreds of MetaMask wallets drained: What to check before you ‘update’
What happened (short and weird)
Over the holidays a wave of phishing shenanigans hit MetaMask users: hundreds of wallets across multiple EVM chains were lightly drained — typically a couple thousand dollars or less per wallet — and the loot funneled into a single suspicious address. The total quickly climbed into six figures. The attack looked simple and nasty: a fake “mandatory update” email dressed up with a party-hat fox logo and a cheery subject line that tricked people into clicking.
This wasn’t always a full seed-phrase theft. Instead, most victims appear to have signed contract approvals that granted a drainer contract permission to move tokens. A single signature can open the door across many chains if allowances are left wide open, so the attacker took small bites from lots of wallets rather than one big bite from one giant wallet.
In another, separate mess, a malicious browser extension was found transmitting private keys and siphoning funds — demonstrating a different attack vector where code, not a button click, did the stealing. Both cases show the same moral: user endpoints (emails, browsers, devices) are the weak link.
What to check right now — and what to do if you clicked
Okay, deep breath. If you got a suspicious email or clicked something that looked like an update, here’s a checklist that’s quick to run and actually useful.
1) Don’t panic and don’t paste your Secret Recovery Phrase anywhere. No legitimate wallet team will ever ask for it. If any message asks for your phrase, stop immediately and assume compromise.
2) Check for brand-sender mismatches and weird domains. If the email seems to come from an odd name or a domain that doesn’t match the wallet provider, treat it as fake. Hover over links (don’t click) and look at where they actually point.
3) Inspect and revoke approvals. If you clicked a fake update and signed something, you may have given contract approval to move tokens. Open your wallet’s approvals screen and revoke any unknown allowances. MetaMask now surfaces token allowances in the portfolio UI. Community tools like Revoke.cash and the token approvals page on block explorers let you review and cancel approvals per network.
4) Decide whether the seed phrase was exposed. If you suspect your Secret Recovery Phrase was ever revealed or pasted into a site, consider that wallet burned: create a fresh wallet on a clean device, move remaining assets, and abandon the compromised seed. If only approvals were granted (and your seed remains secret), revoking approvals can cut off the drainer.
5) Limit approvals going forward. When prompted for contract permissions, don’t accept “unlimited” by default. Set concrete spending caps and only approve what you need for the task at hand.
6) Use wallet hygiene: enable transaction alerts or safety features, use a hardware wallet for meaningful holdings, and segregate funds across a three-tier setup — cold storage for savings, a secure software wallet for regular use, and small burner wallets for experiments and risky dApps.
7) If you suspect malicious extension activity, remove the extension, rotate keys, and move funds from any affected wallets. Extensions can exfiltrate keys silently, so treat a compromised extension like a stolen seed phrase.
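To make steps 3 and 5 concrete, here is an added example (not code from the article, MetaMask or Revoke.cash) that models ERC-20 allowance semantics in memory: one "unlimited" approval lets a drainer call transferFrom until the balance is gone, a spending cap bounds the loss, and approve(spender, 0) shuts the door. The token, balances, addresses and the sample approvals list are all constructed placeholders; the "unlimited allowance is not decremented" rule follows the common OpenZeppelin implementation rather than the ERC-20 text itself.

```javascript
// Added example: in-memory model of ERC-20 approve / transferFrom.
// Nothing here touches a real chain; all names and amounts are constructed.

const MAX_UINT256 = (1n << 256n) - 1n; // what an "unlimited" approval encodes on-chain

class Erc20 {
  constructor(symbol, balances) {
    this.symbol = symbol;
    this.balances = new Map(Object.entries(balances)); // holder -> BigInt
    this.allowances = new Map();                        // "owner|spender" -> BigInt
  }
  balanceOf(a) { return this.balances.get(a) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}|${spender}`) ?? 0n; }
  // approve() SETS the spender's allowance; approve(spender, 0n) is the revoke.
  approve(owner, spender, amount) { this.allowances.set(`${owner}|${spender}`, amount); return true; }
  // transferFrom is what a drainer contract calls, possibly days after the victim signed.
  transferFrom(caller, from, to, amount) {
    const allowed = this.allowance(from, caller);
    if (allowed < amount || this.balanceOf(from) < amount) return false;
    // Common implementations (e.g. OpenZeppelin) never decrement an infinite allowance.
    if (allowed !== MAX_UINT256) this.allowances.set(`${from}|${caller}`, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
    return true;
  }
}

// The victim signs ONE approval for `approvedAmount`; the drainer then pulls 1,000 at a
// time until either the allowance or the balance runs out.
function simulateDrain(approvedAmount) {
  const token = new Erc20("USDC", { victim: 5_000n });
  token.approve("victim", "drainer", approvedAmount);
  let stolen = 0n;
  while (token.transferFrom("drainer", "victim", "attacker", 1_000n)) stolen += 1_000n;
  return {
    stolen,
    remaining: token.balanceOf("victim"),
    leftoverAllowance: token.allowance("victim", "drainer"),
  };
}

// Step 3 in action: the first bite lands, the victim revokes, the second bite fails.
function simulateRevoke() {
  const token = new Erc20("USDC", { victim: 5_000n });
  token.approve("victim", "drainer", MAX_UINT256);
  token.transferFrom("drainer", "victim", "attacker", 1_000n);
  token.approve("victim", "drainer", 0n); // revoke = approve(spender, 0)
  const secondBite = token.transferFrom("drainer", "victim", "attacker", 1_000n);
  return { secondBite, remaining: token.balanceOf("victim") };
}

// Triage helper for an approvals export: flag anything unlimited or any spender you
// don't recognise. Each flagged row is a candidate for revocation.
function riskyAllowances(allowances, trustedSpenders) {
  return allowances.filter(a => a.amount === MAX_UINT256 || !trustedSpenders.has(a.spender));
}

// Constructed sample, shaped like a block-explorer "token approvals" listing.
const SAMPLE_ALLOWANCES = [
  { chain: "ethereum", token: "USDC", spender: "0xDEX_ROUTER_placeholder", amount: MAX_UINT256 },
  { chain: "polygon",  token: "WETH", spender: "0xUNKNOWN_placeholder",    amount: 500n },
  { chain: "ethereum", token: "DAI",  spender: "0xDEX_ROUTER_placeholder", amount: 200n },
];
const TRUSTED = new Set(["0xDEX_ROUTER_placeholder"]);

console.log("unlimited approval:", simulateDrain(MAX_UINT256)); // everything gone
console.log("capped approval:  ", simulateDrain(1_000n));       // loss bounded by the cap
console.log("after revoke:     ", simulateRevoke());            // second bite rejected
console.log("to revoke:", riskyAllowances(SAMPLE_ALLOWANCES, TRUSTED).map(a => `${a.chain}/${a.token}`));
```

The point the numbers make: with an unlimited approval the leftover allowance is still MAX_UINT256 after the wallet is empty, so topping the wallet up later just feeds the same drainer; with a cap of 1,000 the attacker gets exactly one bite. On a real network the revoke is the same call, approve(spender, 0), sent to the token contract on each chain where the allowance exists, which is what Revoke.cash and the explorer approvals pages do for you.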
Final thought: attackers are playing volume. They rely on polished-looking templates, holiday timing, and tiny per-wallet losses to avoid immediate panic. A little friction — spending caps, multiple wallets, and the occasional manual check — is annoying now but way less annoying than an empty balance later. Go check your approvals, please. Your future self will high-five you.
