The 5 MetaMask phishing patterns

1. Fake support — Twitter/Discord/Reddit DM

You post a question or complaint about MetaMask in public. A "support agent" DMs you within minutes offering to help. They direct you to a website "validation form" or "support dashboard" asking for your seed phrase to resolve the issue. The website is a credential-harvesting page; your seed goes to the attacker.

Common impersonator handles include @MetaMask_Help, @ConsenSys_Support, @MM_Support, variant spellings of legitimate names. MetaMask doesn't operate proactive Twitter/Discord support — only the support.metamask.io site is real.

2. Fake popup on malicious dApp

You connect MetaMask to a dApp; the dApp displays a popup that looks like a MetaMask UI prompt asking you to "verify your wallet" or "enter your recovery phrase". The popup is rendered by the website's HTML, not by MetaMask. The text field captures your seed and sends it to the attacker.

Real MetaMask popups are rendered by the browser extension and appear in a specific extension-controlled overlay. They never ask for the seed phrase to access an already-installed wallet.

3. Fake email — "MetaMask Security Team"

An email purports to be from MetaMask/ConsenSys, claiming your wallet is at risk and requires "verification" via a link. The link goes to a clone of the MetaMask page with a seed-entry field.

MetaMask doesn't have your email. It's a self-custody wallet that doesn't require email signup. Any email claiming to be from MetaMask is fake.

4. Fake browser extension or wallet update

Search-engine ads or browser-extension store entries promote a "MetaMask" that isn't the real extension. Once installed, the fake extension either captures the seed during use or silently replaces transaction recipient addresses.

Real MetaMask is at metamask.io and the official extension is published by "MetaMask" in the Chrome Web Store. Verify the publisher name before installing.

5. Fake airdrop / claim page (drainer variant)

"Claim your free [TOKEN] airdrop" page asks you to connect MetaMask and sign a transaction. The transaction is a drainer signature, not a real claim. Covered in detail at crypto wallet drainer.

Verify the real MetaMask

  • Website: metamask.io (and only metamask.io — variant spellings like metamask-help.com or metamask.support are fake).
  • Browser extension: Chrome Web Store publisher "MetaMask"; Firefox publisher "MetaMask"; both must show a "Verified" indicator. Other extensions claiming to be MetaMask are fake.
  • Mobile app: "MetaMask" by ConsenSys in App Store (Apple) and Google Play. Check developer = ConsenSys.
  • Twitter: @MetaMask is the official account. Helpers and support claims from any other handle are not official.
  • Support: only at support.metamask.io — a knowledge-base site, not a live chat with humans. No one will DM you offering help.
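
The website rule in the list above is an exact-host check, not a "contains metamask" check. The following is an added example, not part of the original page or of MetaMask's code: the allowlist holds only the two hosts this page names, `classify_link` and the 0.8 similarity threshold are assumptions, and the sample links are constructed.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the allowlist is exactly the two hosts this page names.
OFFICIAL_HOSTS = {"metamask.io", "support.metamask.io"}
BRAND = "metamask"


def _display_host(host: str) -> str:
    """Decode punycode (xn--) labels so homoglyph names can be compared."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already non-ASCII, or undecodable: compare as-is


def classify_link(url: str) -> str:
    """Return 'official', 'suspicious' or 'unrelated' for a link."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme == "https" and host in OFFICIAL_HOSTS:
        return "official"  # exact host match only, never a substring test
    shown = _display_host(host)
    # Brand text in the host or in the userinfo part (text before '@').
    squashed = (shown + "|" + (parts.username or "")).lower().replace("-", "")
    if BRAND in squashed:
        return "suspicious"
    # Near-miss spellings and single swapped characters in any label.
    for label in shown.split("."):
        if SequenceMatcher(None, label, BRAND).ratio() >= 0.8:
            return "suspicious"
    return "unrelated"


# Constructed sample links, not taken from real campaigns.
SAMPLES = [
    "https://metamask.io/download",
    "https://support.metamask.io/",
    "https://metamask-help.com/validate",
    "https://metamask.io@wallet-check.example/restore",
    "https://rnetamask.io/",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10}  {link}")
```

A "suspicious" result means the link borrows the brand without being one of the allowlisted hosts; "unrelated" says nothing about whether the site is safe.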

If you've shared your seed phrase

  1. Move funds immediately. Open MetaMask, generate a new wallet (new seed phrase), transfer everything from the compromised wallet to the new wallet. Pay high gas to outrun the attacker. Some victims save substantial value by acting in the first 60 seconds.
  2. Don't reuse the compromised seed phrase for any wallet. Treat it as permanently burned.
  3. Save evidence — the conversation with the scammer, the website used, transaction hashes after the drain, attacker wallet addresses for tracing.
  4. Revoke approvals on the compromised wallet at revoke.cash. The attacker has seed-level access so this is defence-in-depth, but worth doing.
  5. Treat the device as potentially malware-infected. Reinstall MetaMask on a fresh device, or do a clean OS install on the current device.
  6. File a Report Fraud report at reportfraud.police.uk.
  7. Blockchain forensics + specialist solicitor for tracing/recovery. Chainalysis, TRM Labs, OXT for tracing; TLW, CEL, Hugh James for legal action on no-win-no-fee.
  8. If funds originally came from a UK bank transfer: start a PSR claim with our PSR claim wizard.
  9. Watch for recovery scams — drained MetaMask victims are heavily targeted. Recovery scam warning.

Six-layer prevention setup

  1. Hardware wallet (Ledger, Trezor) connected to MetaMask for serious balances. The seed never leaves the hardware device; even a compromised computer can't extract it.
  2. Separate hot and cold wallets. Cold (hardware) for storage; hot (browser) for active trading with small amounts only.
  3. Security plugin always installed. Pocket Universe, Wallet Guard, ScamSniffer, or Web3 Antivirus.
  4. Bookmark MetaMask and major dApp URLs. Never reach them via search ads or social-media links.
  5. Multi-sig for treasury or shared funds. Gnosis Safe — 2-of-3 multi-sig means a single compromised signature can't drain.
  6. Seed phrase storage offline. Paper, metal plate (Cryptotag, Cryptosteel), or encrypted offline backup. Never store the seed phrase digitally — no screenshots, no cloud notes, no email drafts. Never share it.

Frequently asked questions

What does MetaMask never ask for?

MetaMask never asks for your seed phrase outside the initial wallet-setup flow or wallet-recovery flow that YOU initiate. Specifically: (1) MetaMask doesn't have a support team that contacts users; if you receive support contact from 'MetaMask', it's a scammer. (2) MetaMask never asks for your seed phrase to 'validate', 'sync', 'verify', 'upgrade', or 'unlock' your wallet. (3) MetaMask never sends emails asking for your seed phrase — never. The seed phrase is only required when you're setting up a new wallet or restoring an existing one on a fresh device, and you initiate the process from within MetaMask itself. Anyone asking for your seed phrase via any channel is trying to steal your funds.

What's the fake-support phishing pattern?

You post about a MetaMask problem on Twitter/X, Discord, Reddit, or Telegram. Within minutes, someone DMs you offering to help. They claim to be MetaMask support or a community helper. They guide you to a website (form, dashboard, or 'validator') asking you to enter your seed phrase to fix the issue. The website is a credential-harvesting page. Your seed phrase goes to the attacker; the attacker drains your wallet within minutes. Variants: fake support tickets on Discord servers, fake bots in Telegram channels, fake @ConsenSys support accounts on Twitter.

What about fake MetaMask popups?

Some malicious websites display fake MetaMask UI popups that mimic the real extension popup. The fake popup asks you to 'sign in', 'verify your wallet', or 'enter your recovery phrase'. The real MetaMask popup is initiated only by the extension itself — never by a website asking. If a website displays what looks like a MetaMask login prompt asking for your seed phrase, it's fake. Real MetaMask shows wallet content via the extension popup (click the fox icon in your browser); it doesn't ask you to enter the seed phrase to access an already-installed wallet.

What about MetaMask emails?

MetaMask doesn't have your email address. The wallet is self-custody and doesn't require email signup. Any email claiming to be from MetaMask, ConsenSys, or 'MetaMask Security Team' is fake. Common variants: (1) 'Your wallet has been compromised — verify here.' (2) 'New MetaMask security update required — install here.' (3) 'Your wallet will be locked unless you confirm within 24 hours.' All fake. Delete and don't click. If you've clicked: change passwords on associated accounts; scan device for malware; treat as if wallet may be compromised.

I gave my seed phrase to someone — what now?

Assume the wallet is fully compromised. Act in this order. (1) IMMEDIATELY move any remaining funds to a fresh wallet with a different seed phrase. Race the attacker; pay high gas to front-run their drains. (2) Don't reuse the compromised seed phrase for any wallet. (3) Save evidence — the conversation, the website used, any transaction hashes after your drain. (4) Revoke any approvals on the compromised wallet at revoke.cash (defence-in-depth, though if the seed phrase was leaked the attacker can do everything anyway). (5) File a Report Fraud report. (6) If funds originally came from a UK bank transfer, start a PSR claim. (7) Watch for recovery scams targeting drained wallet victims. (8) Treat the compromised device as potentially malware-infected; reinstall MetaMask on a fresh device or after a clean OS install.

How do I protect MetaMask properly?

Six layers. (1) Hardware wallet (Ledger, Trezor) connected to MetaMask for any meaningful balance — the seed phrase never leaves the hardware device. (2) Separate hot and cold wallets — cold for storage, hot for daily interactions. (3) Security plugin (Pocket Universe, Wallet Guard, ScamSniffer, Web3 Antivirus). (4) Never enter your seed phrase anywhere except into the MetaMask extension itself during setup/restore. (5) Bookmark dApp URLs; don't reach them via search ads or social-media links. (6) Habit: if anyone is asking for your seed phrase, the answer is no. There is no exception. No legitimate process needs your seed phrase to be shared.
