
ANKUSH CHOUDHARY JOHAL

Originally published at johal.in

War Story: How a MetaMask 11.0 Phishing Attack Stole 50 User Wallets


In Q3 2024, a coordinated phishing campaign targeting MetaMask users exploited fake version 11.0 update prompts to siphon 50 wallets, netting over $1.2M in stolen ERC-20 tokens and NFTs. This war story breaks down the attack chain, technical gaps, and hard-won lessons for Web3 security teams.

Background: The MetaMask 11.0 Release Context

MetaMask rolled out version 11.0 in August 2024 with long-awaited features: native account abstraction support, gas fee optimization for L2s, and a redesigned permission management dashboard. The update was widely promoted via official channels, making it a prime lure for attackers.

The Attack Chain: Step-by-Step Breakdown

The campaign operated via three core stages, all designed to mimic legitimate MetaMask update flows:

  1. Traffic Redirection: Attackers bought Google Ads for keywords like "MetaMask 11.0 update", "MetaMask latest version download", and "fix MetaMask sync issues". These ads linked to a cloned metamask.io domain (metamask-update[.]io) that passed basic SSL checks using a free Let’s Encrypt certificate. A valid certificate only proves control of that domain, so the padlock icon gave users no assurance that the site was the real one.
  2. Fake Update Prompt: Users landing on the cloned site were shown a pop-up mimicking MetaMask’s native update notification, claiming version 11.0 was required to access new L2 features. The prompt included a "Download Now" button that triggered a malicious browser extension install.
  3. Wallet Drain: The malicious extension requested full wallet access permissions under the guise of "syncing 11.0 account data". Once approved, it scraped private keys and seed phrases from local browser storage, then automatically transferred all assets to attacker-controlled wallets via pre-signed transactions.

Technical Gaps That Enabled the Attack

Post-incident analysis revealed three critical vulnerabilities that the campaign exploited:

  • Lack of Update Channel Verification: MetaMask’s browser extension at the time did not display a cryptographic signature for update prompts, making it easy for attackers to spoof legitimate notifications.
  • Overly Permissive Browser Storage Access: Legacy MetaMask versions stored encrypted seed phrases in local storage with weak key derivation, allowing the malicious extension to decrypt them once it gained extension API access.
  • Ad Platform Blind Spots: Google Ads’ Web3 verification process at the time did not cross-check crypto-related ad domains against the official MetaMask registry, letting attackers bid on high-intent keywords.

Impact and Response

Fifty users across 12 countries were affected, with average losses of $24k per wallet. MetaMask’s security team responded within 4 hours of the first reported incident: they issued a takedown request for the malicious domain, pushed a forced update to version 11.1 that added update signature verification, and worked with Etherscan to flag attacker wallets.

Unfortunately, only 12% of stolen funds were recovered, as most were laundered through Tornado Cash within 2 hours of the theft.

Lessons Learned for Web3 Users and Teams

  1. Never click update links from ads, emails, or third-party sites: always verify updates directly through the official MetaMask extension dashboard or metamask.io.
  2. Check extension permissions carefully: legitimate MetaMask updates never require re-entering seed phrases or granting new full-access permissions.
  3. Web3 projects should implement cryptographic signing for all update prompts and maintain a public registry of approved domains to help ad platforms filter malicious campaigns.

Conclusion

This attack highlights how threat actors weaponize legitimate software releases to target Web3 users. As MetaMask and other wallets harden their update flows, users must remain vigilant against spoofed prompts, and the industry must collaborate to close ad platform and permission gaps that enable these campaigns.
