Halborn warns of new phishing attack on MetaMask customers
Users receive emails with a link to a fake website where they are prompted to enter a seed phrase to confirm their identity
01.08.2022 - 08:15
1158
2 min
0
What’s new? Users of MetaMask, a decentralized crypto wallet, are under the threat of phishing attacks. Fake messages are sent out on behalf of the company, asking them to provide a seed phrase on a third-party website, supposedly to confirm that the wallet belongs to the owner. The scammers then gain access to the victims’ accounts, reported representatives of Halborn, a blockchain security company.
A seed phrase is a key secret phrase needed to regain access to a cryptocurrency wallet. It is usually generated automatically when creating a wallet and contains 12, 18, or 24 words.
How does the attack work? Halborn’s technical education specialist Luis Lubeck reported that users receive emails with MetaMask logos telling them of the need to comply with the KYC procedure. When attempting to go to a page with the verification procedure, a fake website opens asking the user to enter a seed phrase. After entering the phrase the victim is redirected to the real MetaMask website, which misleads the user, but by that time the scammers have already accessed the wallet and stolen money.
Lubeck emphasized that there are several alarming signals in such emails at once. Firstly, there are spelling errors. Secondly, a fake email address (it may differ from the original one by just one letter). Thirdly, is the lack of personalization when contacting users.
Experts do not recommend following the link contained in the email — in this case, it is safer to visit the official website and find the desired page on it.
In June, Halborn reported that MetaMask and Phantom wallets fixed a critical vulnerability in a browser software extension. Seed phrases generated by wallet providers were stored on users’ computers in plain text as part of the “Restore Session” feature. This meant that attackers could get into the system using malware or physical access.
Useful material?
Telegram 
Twitter Incidents
The company is linking the incident to a compromised private key on a service wallet, rather than a smart contract exploit
May 22, 2026
Incidents
Following the incident, the project temporarily halted trading operations and node activity.
May 15, 2026
Incidents
The user spent weeks unsuccessfully trying to guess the password until Claude helped find an old wallet backup file
May 14, 2026
Crypto regulations
Authorities are introducing mandatory registration for companies handling cross-border crypto transactions
May 8, 2026
Incidents
According to Blockaid, the attack may have been carried out by the same hacker behind the 1inch Fusion V1 exploit.
May 7, 2026
Incidents
The attacker gained administrative access and altered contracts to drain user funds
Apr 30, 2026
Cryptocurrency rates
-
Bitcoin
$65 269
BTC
-2.8%
-
Ethereum
$1 835.49
ETH
-2.77%
-
BNB Smart Chain
$579.4
BSC
+1.23%
-
Ripple
$1.21
XRP
-0.53%
-
Dogecoin
$0.092581
DOGE
-1.06%
-
TRON
$0.160134
TRX
-1.59%
-
Zcash
$622.99
ZEC
+3.08%
-
Cardano
$0.204316
ADA
-5.06%
-
Stellar XLM
$0.213443
XLM
-2.92%
-
Polkadot
$3.32
DOT
+5.27%