MetaMask Phishing Campaign Drains $107K via ‘Party Hat’ Exploit
A targeted phishing campaign impersonating MetaMask has drained hundreds of wallets using fake ‘New Year’ upgrade emails.
A sophisticated phishing campaign targeting MetaMask users has siphoned over $107,000 across multiple EVM chains, exploiting the post-holiday lull to bypass user vigilance. On-chain investigator ZachXBT flagged the activity late Friday, identifying hundreds of victims who lost funds after interacting with a fraudulent "mandatory upgrade" email.
The "MetaLiveChain" Vector
The attack vector is social engineering wrapped in technical camouflage. Victims received emails from "MetaLiveChain," a sender entity with no relation to the wallet provider, featuring the official MetaMask fox logo donning a party hat. The message urged users to perform a "mandatory" security update for the New Year.
Those who clicked the link did not download malware. Instead, they likely signed a malicious contract approval. This permission grants the attacker’s drainer contract unlimited spend authority over specific tokens. The method bypasses the need for a seed phrase compromise, allowing the attacker to sweep funds instantly or at a later date.
"It appears hundreds of wallets are currently being drained on various EVM chains for small amounts (<$2k total per victim) with a root cause not yet identified. So far ~$107K has been drained from them with the theft total still increasing." (ZachXBT, via Telegram)
Strategy: The Low-Value Drain
The attacker is deliberately structuring the thefts to avoid detection. By limiting individual drains to under $2,000 (roughly 0.6 ETH at current prices), the campaign stays below the thresholds of automated whale alerts, which monitor large movements rather than many small ones.
Funds are being funneled into a single aggregation address: 0xAc2e…9bFB. This address currently holds assets across Ethereum, BNB Chain, and Base, indicating a cross-chain infrastructure designed to sweep dust and small balances efficiently.
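The evasion described above works because most alerting looks at the size of a single transfer. A defender-side heuristic that instead aggregates small outflows by destination catches the many-to-one funnel pattern. The following is an added example, not code from the article, ZachXBT or MetaMask; the transfer records, addresses and thresholds are constructed for illustration, and the 6-hour window and 5-sender minimum are assumed tuning values.

```javascript
// Added example: flag "low-value drain" funnels by aggregating per destination.
// Rather than alerting on one large transfer, it looks for addresses that
// receive sub-threshold amounts from many distinct senders, across chains,
// inside a short window. All data below is constructed, not real on-chain data.

// Constructed sample transfers (addresses are placeholders, usd is a notional value).
const SAMPLE_TRANSFERS = [
  { chain: "ethereum", from: "0xvictim01", to: "0xAGGREGATOR", usd: 850,  ts: 1000 },
  { chain: "ethereum", from: "0xvictim02", to: "0xAGGREGATOR", usd: 1200, ts: 1300 },
  { chain: "bnb",      from: "0xvictim03", to: "0xAGGREGATOR", usd: 400,  ts: 2000 },
  { chain: "bnb",      from: "0xvictim04", to: "0xAGGREGATOR", usd: 1750, ts: 2500 },
  { chain: "base",     from: "0xvictim05", to: "0xAGGREGATOR", usd: 95,   ts: 4000 },
  { chain: "ethereum", from: "0xvictim06", to: "0xAGGREGATOR", usd: 620,  ts: 9000 },
  // A large transfer: left to existing whale alerts, so it is ignored here.
  { chain: "ethereum", from: "0xwhale",    to: "0xAGGREGATOR", usd: 5000, ts: 5000 },
  // A normal exchange deposit address with only two depositors: no alert.
  { chain: "ethereum", from: "0xuserA",    to: "0xEXCHANGE",   usd: 300,  ts: 1100 },
  { chain: "ethereum", from: "0xuserB",    to: "0xEXCHANGE",   usd: 900,  ts: 1200 },
  // Five senders, but spread over days: outside the window, so no alert.
  { chain: "base", from: "0xs1", to: "0xSLOW", usd: 100, ts: 0 },
  { chain: "base", from: "0xs2", to: "0xSLOW", usd: 100, ts: 50000 },
  { chain: "base", from: "0xs3", to: "0xSLOW", usd: 100, ts: 100000 },
  { chain: "base", from: "0xs4", to: "0xSLOW", usd: 100, ts: 150000 },
  { chain: "base", from: "0xs5", to: "0xSLOW", usd: 100, ts: 200000 },
];

function findFunnelAddresses(transfers, opts = {}) {
  const {
    maxPerTransferUsd = 2000,  // per-victim ceiling the article describes
    minDistinctSenders = 5,    // assumed: how many victims before we alert
    windowSeconds = 6 * 3600,  // assumed: span in which the inflows must occur
  } = opts;

  // Aggregate sub-threshold inflows per destination (case-insensitive address key).
  const byDest = new Map();
  for (const t of transfers) {
    if (t.usd > maxPerTransferUsd) continue; // covered by conventional whale alerts
    const key = t.to.toLowerCase();
    let rec = byDest.get(key);
    if (!rec) {
      rec = { senders: new Set(), chains: new Set(), totalUsd: 0, first: t.ts, last: t.ts };
      byDest.set(key, rec);
    }
    rec.senders.add(t.from.toLowerCase());
    rec.chains.add(t.chain);
    rec.totalUsd += t.usd;
    rec.first = Math.min(rec.first, t.ts);
    rec.last = Math.max(rec.last, t.ts);
  }

  // Alert on destinations fed by many distinct senders within the window.
  const alerts = [];
  for (const [to, rec] of byDest) {
    if (rec.senders.size >= minDistinctSenders && rec.last - rec.first <= windowSeconds) {
      alerts.push({ to, victims: rec.senders.size, chains: [...rec.chains].sort(), totalUsd: rec.totalUsd });
    }
  }
  return alerts.sort((a, b) => b.totalUsd - a.totalUsd);
}

// Stand-alone run: prints one alert for the constructed aggregator address.
console.log(JSON.stringify(findFunnelAddresses(SAMPLE_TRANSFERS), null, 2));
```

The window check here is a simple first-to-last span, which is enough for a batch sweep; a production monitor would use a sliding window so a long-lived collector address does not escape by accumulating slowly, and would join the destination against known exchange deposit addresses to suppress benign many-to-one traffic.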
This campaign operates separately from the recent Trust Wallet vulnerability, which involved a compromised browser extension (v2.68). Unlike that supply-chain attack, the MetaMask incident relies entirely on user error induced by deceptive UI.
Immediate Defense
MetaMask does not send emails regarding account updates or compliance. Users who interacted with any "party hat" or "New Year" themed communication should assume their wallet permissions are compromised. Use tools like Revoke.cash to inspect and cancel open token allowances immediately.
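The approval mechanism described under "The MetaLiveChain Vector" and the revocation step above both come down to the same ERC-20 call: approve(spender, amount) grants the allowance, and approve(spender, 0) removes it. The following is an added example, not code from the article, MetaMask or Revoke.cash, showing how a wallet or allowance-inspection tool decodes such a call, flags an unlimited allowance to an unknown spender, and builds the revoking call. The 4-byte selectors are the standard ERC-20 and ERC-721/1155 ones; the spender address and the trusted-spender list are constructed placeholders.

```javascript
// Added example: decode approve()/setApprovalForAll() calldata, flag unlimited
// allowances, and build the approve(spender, 0) calldata that revokes one.

// Function selectors: first 4 bytes of keccak256 of the canonical signature.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",         // ERC-20
  "0xa22cb465": "setApprovalForAll(address,bool)",  // ERC-721 / ERC-1155
};
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance value

// ABI-encode approve(spender, amount): selector + two 32-byte words.
function encodeApprove(spender, amount) {
  const spenderWord = spender.slice(2).toLowerCase().padStart(64, "0");
  const amountWord = BigInt(amount).toString(16).padStart(64, "0");
  return "0x095ea7b3" + spenderWord + amountWord;
}

// Decode an approval call. Returns null for calldata that is not an approval.
function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 + 64 + 64) throw new Error("calldata too short for an approval");
  const selector = "0x" + hex.slice(0, 8);
  const sig = SELECTORS[selector];
  if (!sig) return null;
  const word1 = hex.slice(8, 72);
  const word2 = hex.slice(72, 136);
  const spender = "0x" + word1.slice(24); // address is right-aligned in its 32-byte word
  if (sig.startsWith("approve")) {
    const amount = BigInt("0x" + word2);
    return { kind: "erc20-approve", spender, amount, unlimited: amount === MAX_UINT256 };
  }
  const approved = BigInt("0x" + word2) !== 0n;
  return { kind: "set-approval-for-all", spender, approved, unlimited: approved };
}

// Risk rating: an unlimited allowance to a spender you do not recognise is the
// exact shape of a drainer approval. trustedSpenders is an assumed allowlist.
function classifyApproval(decoded, trustedSpenders = new Set()) {
  const trusted = trustedSpenders.has(decoded.spender.toLowerCase());
  if (decoded.unlimited && !trusted) return "high";
  if (decoded.unlimited) return "medium";
  return "low";
}

// The revoke transaction a tool such as Revoke.cash sends: same function, zero value.
function buildRevokeCalldata(decoded) {
  if (decoded.kind === "erc20-approve") return encodeApprove(decoded.spender, 0n);
  const spenderWord = decoded.spender.slice(2).toLowerCase().padStart(64, "0");
  return "0xa22cb465" + spenderWord + "0".repeat(64); // bool false
}

// Stand-alone run with a constructed placeholder spender.
const PLACEHOLDER_SPENDER = "0x1111111111111111111111111111111111111111";
const suspect = decodeApproval(encodeApprove(PLACEHOLDER_SPENDER, MAX_UINT256));
console.log(suspect, classifyApproval(suspect));              // unlimited: true, "high"
console.log("revoke with:", buildRevokeCalldata(suspect));    // approve(spender, 0)
```

In practice the allowance check is done by reading allowance(owner, spender) on each token contract rather than by decoding historical calldata, but the calldata view is what a wallet sees at signing time, which is exactly the moment the "mandatory upgrade" page asked victims to click through.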