
Hundreds of MetaMask Wallets Drained — Scam Emails Disguised as “Mandatory Updates”

SmartProtocoler  · 2026-01-04 ·  5 days ago

Crypto users are warning about a large phishing campaign that drained hundreds of MetaMask wallets across EVM chains, with losses totaling over $107,000 — mostly small amounts per wallet but large in aggregate.


According to on-chain researcher ZachXBT, attackers sent phishing emails mimicking MetaMask branded messages (with playful holiday logos) claiming a “mandatory update” was required. When victims clicked the link and signed a contract approval, malicious permissions let the attacker withdraw tokens later — often under $2,000 per address.


This isn’t a seed-phrase hack; it’s a smart contract approval exploit that leverages default unlimited allowances, making it easy for attackers to sweep funds once permission is granted.


So what should users check before interacting with a MetaMask update prompt, and how can you protect yourself if you ever suspect a phishing attack? Let’s break it down.

4 Answers

  • Never click unsolicited wallet update links. MetaMask will not send “mandatory update” emails. Double-check sender domains — anything not from official MetaMask domains.

  • What happened with these MetaMask drains isn’t a traditional wallet hack where attackers steal private keys — it’s a phishing-driven contract approval exploit. The scam emails impersonated MetaMask branding and pushed victims to click links that lead to malicious smart contract interactions. Once a wallet owner signs a single deceptive approval, the attacker gains the ability to move tokens under that contract’s permissions — often without further pop-ups or obvious warnings.


    This kind of attack works because by default many ERC-20 and ERC-721 tokens allow “unlimited approvals.” That means once an approval is given, the approved contract can withdraw any amount until revoked. Attackers count on users blindly signing approvals without inspecting them. Even a seemingly harmless “update” notice can trick someone into accepting a full-spend allowance.


    If you’ve suffered a similar drain: first determine whether the seed phrase was compromised or whether it was just a malicious contract approval. If it’s the latter, you can still salvage control of the wallet by revoking dangerous approvals via MetaMask Portfolio, Revoke.cash, or Etherscan’s token approval tools. That won’t recover stolen funds, but it blocks further access by the malicious contract.


    If you shared your seed phrase or suspect device compromise, the wallet is effectively burned; you should create a new wallet on a fresh device, transfer remaining safe assets immediately, and never reuse the old seed anywhere.


    Finally, adopting best practices — such as limiting approvals, freezing unlimited allowances, and segregating funds across wallets — greatly reduces the risk of broad theft if a phishing attempt succeeds.
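The approval inspection and revocation that the answer above describes, as an added example (not code from the original post, from MetaMask, or from the revocation tools it names): a small Python script that decodes the calldata of an ERC-20 `approve()` or ERC-721 `setApprovalForAll()` call before it is signed, flags an unlimited allowance, rates the request against a list of spenders you already trust, and builds the calldata of the matching revoke transaction (`approve(spender, 0)` / `setApprovalForAll(spender, false)`). The two function selectors are the standard ones; the spender address, the sample calldata, and the `assess()` verdict scheme are constructed for this example.

```python
# Added example, not code from the original post: decode a token approval's
# calldata before signing, flag unlimited allowances, and build the calldata
# that revokes them. Pure Python, runs offline; the spender address and
# sample calldata at the bottom are constructed, not real contracts.
from dataclasses import dataclass
from typing import FrozenSet, Optional

APPROVE_SELECTOR = "095ea7b3"               # keccak256("approve(address,uint256)")[:4]
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # keccak256("setApprovalForAll(address,bool)")[:4]
UINT256_MAX = 2**256 - 1                    # the "unlimited" allowance most dapps request


@dataclass
class Approval:
    kind: str        # "erc20" (approve) or "erc721" (setApprovalForAll)
    spender: str     # 0x-prefixed, 40 hex chars
    amount: int      # ERC-20 allowance; 1 or 0 for the ERC-721 approved flag
    unlimited: bool  # True when the approval grants unrestricted spending


def decode_approval(calldata: str) -> Optional[Approval]:
    """Parse approve()/setApprovalForAll() calldata; return None for anything else."""
    data = calldata.lower().removeprefix("0x")
    # selector (4 bytes) + two 32-byte ABI words = 136 hex chars
    if len(data) != 8 + 2 * 64 or any(c not in "0123456789abcdef" for c in data):
        return None
    selector, word0, word1 = data[:8], data[8:72], data[72:136]
    if word0[:24] != "0" * 24:  # an address is left-padded with 12 zero bytes
        return None
    spender = "0x" + word0[24:]
    value = int(word1, 16)
    if selector == APPROVE_SELECTOR:
        return Approval("erc20", spender, value, value == UINT256_MAX)
    if selector == SET_APPROVAL_FOR_ALL_SELECTOR:
        if value not in (0, 1):
            return None
        return Approval("erc721", spender, value, value == 1)
    return None


def assess(calldata: str, trusted_spenders: FrozenSet[str] = frozenset()) -> str:
    """Verdict for a pending signature: not-an-approval, ok, review, or danger.

    Verdict scheme is this example's own: an unlimited allowance to a spender you
    do not already trust is the pattern described in the thread, so it is 'danger'.
    """
    approval = decode_approval(calldata)
    if approval is None:
        return "not-an-approval"
    trusted = approval.spender.lower() in {s.lower() for s in trusted_spenders}
    if trusted:
        return "review" if approval.unlimited else "ok"
    return "danger" if approval.unlimited else "review"


def revoke_calldata(approval: Approval) -> str:
    """Calldata for approve(spender, 0) or setApprovalForAll(spender, false)."""
    selector = APPROVE_SELECTOR if approval.kind == "erc20" else SET_APPROVAL_FOR_ALL_SELECTOR
    spender_word = approval.spender[2:].rjust(64, "0")
    return "0x" + selector + spender_word + "0" * 64


# Constructed sample: approve(0xabab...ab, uint256 max), i.e. an unlimited allowance.
SAMPLE_SPENDER = "0x" + "ab" * 20
UNLIMITED_APPROVE = "0x" + APPROVE_SELECTOR + "00" * 12 + "ab" * 20 + "ff" * 32

if __name__ == "__main__":
    req = decode_approval(UNLIMITED_APPROVE)
    print(req)
    print("verdict:", assess(UNLIMITED_APPROVE))
    print("revoke with:", revoke_calldata(req))
```

The revoke calldata still has to be sent as a transaction from the approving wallet to the token contract (that is what the revocation tools named above do for you, and it costs gas). Note also that this only inspects on-chain `approve` transactions: gasless EIP-2612 `permit` signatures grant the same allowance through a signed message, so a "sign this message" prompt deserves the same scrutiny as a transaction.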

  • For daily or experimental interactions, consider using a “hot wallet” with limited funds, and keep your main holdings in a separate wallet or hardware device. That way, even if one wallet is drained, your core assets stay safe.

  • Bruh, can old people stop clicking anything from an email?
