Over the past week, users of the MetaMask cryptocurrency wallet have been losing funds to a phishing scam that lured potential victims through Google search ads.
MetaMask has a community of a couple of million users. The site provides an Ethereum cryptocurrency wallet in the browser through a browser extension that lets distributed applications read from the blockchain.
When installing the official extension, you can either import an existing wallet or create a new one along with the secret seed phrase that allows access to the wallet.
MetaMask users find empty wallets
Although it is unclear how many MetaMask users fell for the scam, some say they ended up with empty wallets after clicking on a fraudulent search ad being promoted as the MetaMask site.
The phishing/ad scam is still active, with a new domain constantly being promoted through Google search ads.
On Wednesday, MetaMask alerted its community of the scam and recommended using direct links to the official metamask.io URL and staying away from sponsored ads.
The warning came too late for some users, though, as some reported losses of tens of thousands of U.S. dollars.
Complaints started pouring in this week, all stories describing the same scenario: the money was gone after trying to install the MetaMask browser extension.
It was determined that the users were going to a fake MetaMask phishing page through Google ads. Once on the page, they are prompted to install the extension, which gives them an option to either import an existing wallet or create a new one.

If they click on the ‘Create Wallet’ button, they are brought to the real MetaMask.io site, as there is no cryptocurrency to steal. However, if they click on the ‘Import a wallet’ option, they are asked to enter the key phrase of their existing wallet, which is then sent to the attacker.

As soon as the scammer got the seed phrase, they proceeded to empty the victims’ wallets. In replies to MetaMask’s warning on Twitter, one user said they were robbed of nearly $30,000.
Multiple domains pushed in Google search ads
The scammers purchased Google ads to target users searching for MetaMask in the Google search engine. These ads led to a fraudulent domain impersonating the cryptocurrency service.
They registered multiple domains for the scam, which is currently ongoing, as seen in the screenshot below taken by BleepingComputer:

The domain maskmefa[.]io is currently promoted in search ads when searching for MetaMask on Google. The spelling of the service in the ad title should be a red flag, but most users are likely to miss it (note the Russian “к” and the space before the top-level domain). A whois lookup on DomainTools shows that it was registered only yesterday.
Blockchain forensics company CipherTrace, in a post this week, mentions three other domains used for the scam:
- maskmeha[.]io
- installmetamask[.]com
- meramaks[.]io
The first two are ten and nine days old, respectively, while the third was registered yesterday. All were registered through the same registrar, NameCheap.
Users landing on the fraudulent sites would have difficulty spotting the fraud because it looks almost identical to the official MetaMask page. Even if they check the domain in the address bar, there is a high chance of falling for the trick.
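As an added example (not code from MetaMask, CipherTrace or BleepingComputer), the Python sketch below shows how a defender could flag the lookalike names listed above against the official metamask.io. The homoglyph table, the distance threshold and the ad-title string are constructed assumptions, and the input is assumed to be a bare registrable domain, optionally defanged with `[.]`.

```python
from collections import Counter

OFFICIAL = "metamask.io"  # official site named in the article
BRAND = "metamask"
# Assumption: a tiny Cyrillic-to-Latin map for illustration; production
# checks should use the full Unicode confusables data instead.
HOMOGLYPHS = str.maketrans({"к": "k", "а": "a", "е": "e", "о": "o",
                            "с": "c", "м": "m", "т": "t"})

def letter_distance(a, b):
    """Count letters that differ between a and b, ignoring their order.

    Plain edit distance scores shuffled names such as 'maskmefa' as far
    from 'metamask'; comparing letter multisets shows one changed letter.
    """
    ca, cb = Counter(a), Counter(b)
    return max(sum((ca - cb).values()), sum((cb - ca).values()))

def classify(name):
    """Return 'official', 'homoglyph', 'embedded', 'shuffled' or 'unrelated'."""
    raw = name.strip().lower().replace("[.]", ".")  # accept defanged input
    if raw == OFFICIAL:
        return "official"
    # Fold lookalike characters to Latin and remove any whitespace.
    folded = "".join(raw.translate(HOMOGLYPHS).split())
    if folded == OFFICIAL:
        return "homoglyph"   # looks official only after folding or trimming
    label = folded.rsplit(".", 1)[0].replace("-", "")
    if BRAND in label:
        return "embedded"    # brand wrapped in a longer name
    if letter_distance(label, BRAND) <= 1:  # assumed threshold
        return "shuffled"    # same letters reordered, at most one changed
    return "unrelated"

if __name__ == "__main__":
    samples = [
        "metamask.io",
        "maskmefa[.]io", "maskmeha[.]io", "meramaks[.]io",  # from the article
        "installmetamask[.]com",                            # from the article
        "metamasк [.]io",  # constructed: Cyrillic к and a space before the TLD
        "example.org",     # constructed negative case
    ]
    for s in samples:
        print(f"{s!r:28} -> {classify(s)}")
```

A check like this fits in proxy or DNS log review and in brand-monitoring of newly registered domains; a match is a reason to look at the domain, not proof of fraud.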
The only difference between the original MetaMask site and the fake one is unnoticeable for most users (the writing on the button for getting the extension).
Scams and malware attacks increase in frequency during the holiday season, when users spend more, enticed by discounts or special offers, and are more easily distracted.
Paying extra attention to download sources reduces the chance of becoming a victim. MetaMask’s advice to access resources from direct, official links (e.g., company accounts on LinkedIn, Twitter, Facebook) and to avoid redirects from third parties (e.g., URLs in messages) is a good way to not fall for a scam.