Hundreds of MetaMask wallets compromised: What to verify before you ‘upgrade’
On-chain security analyst ZachXBT highlighted hundreds of wallets across various EVM chains being emptied of small sums, usually below $2,000 per victim, with the funds directed to a single dubious address.
The total amount stolen exceeded $107,000 and continued to increase. The underlying cause remains unclear, but users reported receiving a phishing email masquerading as a required MetaMask upgrade, featuring a party-hat fox logo and a subject line stating “Happy New Year!”
This attack occurred during the holiday season when developers were away, support channels had minimal staffing, and users were sifting through inboxes filled with New Year promotions.
Attackers take advantage of this opportunity. The low amounts taken from each victim indicate that the drainer often utilizes contract approvals rather than fully compromising seed phrases, keeping individual losses below the threshold that would prompt immediate alarms while allowing the attacker to operate across numerous wallets.
The crypto industry is still dealing with a separate incident involving the Trust Wallet browser extension, where malicious code in Chrome extension v2.68 compromised private keys and drained at least $8.5 million from 2,520 wallets before Trust Wallet updated to v2.69.
Two distinct exploits share the same lesson: user endpoints remain the weakest link.
Anatomy of a phishing email that works
The MetaMask-themed phishing email illustrates the reasons these attacks are effective.
The sender’s identity shows “MetaLiveChain,” a name that sounds somewhat related to DeFi but has no affiliation with MetaMask.
The email header includes an unsubscribe link for “reviews@yotpo.com,” indicating that the attacker copied templates from authentic marketing campaigns. The body features MetaMask's fox logo adorned with a party hat, combining seasonal cheer with a false sense of urgency about a “mandatory update.”
This blend circumvents the heuristics most users apply to obvious scams.
The phishing email impersonates MetaMask with a party-hat fox logo, falsely asserting a “mandatory” 2026 system upgrade is necessary for account access.
MetaMask's official security documentation lays out clear guidelines. Support emails originate solely from verified addresses, such as support@metamask.io, and never from third-party domains.
The wallet provider does not send unsolicited emails demanding verification or upgrades.
Moreover, no representative will ever request a Secret Recovery Phrase. However, these emails are effective because they exploit the gap between what users know intellectually and how they react instinctively when presented with an official-looking message.
Four indicators can reveal phishing attempts before harm occurs.
First, a brand-sender mismatch: MetaMask branding arriving from “MetaLiveChain” indicates template theft. Second, a false sense of urgency around mandatory updates that MetaMask explicitly states it will not issue.
Third, destination URLs that do not match the claimed domain; hovering before clicking reveals the true target. Fourth, requests that violate fundamental wallet principles, such as asking for seed phrases or prompting for signatures on unclear off-chain messages.
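The four indicators above can be checked mechanically before a human ever reads the message. The following is an added example (not code from the article or from MetaMask) that parses a constructed message modelled on the described email and reports which indicators it trips; the sender and link domains in it are placeholders, the keyword lists and the set of legitimate domains are assumptions for illustration, and the domain comparison uses a simplified last-two-labels rule rather than a public-suffix list.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the indicators the article describes; every
# domain below is a placeholder (.example), not real infrastructure.
PHISHING_EMAIL = """\
From: MetaMask Support <noreply@metalivechain.example>
To: user@example.org
Subject: Happy New Year! Mandatory MetaMask upgrade
List-Unsubscribe: <https://reviews.yotpo.example/unsubscribe>
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your wallet requires a mandatory 2026 system upgrade to keep access.</p>
<a href="https://metamask-upgrade.attacker.example/verify">https://metamask.io/update</a>
<p>Confirm your Secret Recovery Phrase to complete the upgrade.</p>
</body></html>
"""

# Constructed control message from the documented support domain.
BENIGN_EMAIL = """\
From: MetaMask <support@metamask.io>
To: user@example.org
Subject: Tips for reviewing your token approvals
Content-Type: text/plain; charset=utf-8

Review your token allowances in Portfolio and revoke any you no longer use.
"""

LEGIT_DOMAINS = {"metamask.io"}  # per the support guidance cited in the article
URGENCY_WORDS = ("mandatory", "required", "locked", "immediately", "suspended")
SEED_WORDS = ("secret recovery phrase", "seed phrase", "private key")


class LinkExtractor(HTMLParser):
    """Collect (href, visible label) for each <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def registrable(host):
    """Last two DNS labels; a simplification that ignores public-suffix rules."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def phishing_indicators(raw_message):
    """Return the names of the indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = registrable(addr.rpartition("@")[2])
    subject = str(msg["Subject"] or "")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = (subject + " " + body).lower()
    found = []

    # 1. Brand/sender mismatch: MetaMask branding from a non-MetaMask domain.
    brand_claimed = "metamask" in (display_name + " " + subject).lower()
    if brand_claimed and sender_domain not in LEGIT_DOMAINS:
        found.append("brand-sender-mismatch")

    # 2. Manufactured urgency around an update the provider says it never sends.
    if any(word in text for word in URGENCY_WORDS):
        found.append("urgency")

    # 3. Link label and destination disagree, or the destination is off-brand.
    parser = LinkExtractor()
    parser.feed(body)
    for href, label in parser.links:
        href_domain = registrable(urlparse(href).hostname)
        label_domain = registrable(urlparse(label).hostname) if "://" in label else None
        if (label_domain and label_domain != href_domain) or (
            brand_claimed and href_domain not in LEGIT_DOMAINS
        ):
            found.append("link-destination-mismatch")
            break

    # 4. A request that violates wallet principles (seed phrase / private key).
    if any(word in text for word in SEED_WORDS):
        found.append("seed-phrase-request")

    # Extra: unsubscribe link on a domain unrelated to the sender, the
    # template-theft tell described in the article.
    unsub = str(msg["List-Unsubscribe"] or "").strip().strip("<>")
    unsub_domain = registrable(urlparse(unsub).hostname) if unsub else ""
    if unsub_domain and unsub_domain != sender_domain:
        found.append("third-party-unsubscribe")
    return found


if __name__ == "__main__":
    print("phishing sample:", phishing_indicators(PHISHING_EMAIL))
    print("benign sample:  ", phishing_indicators(BENIGN_EMAIL))
```

Running the check on the constructed sample trips all five indicators, while the control message from the documented support domain trips none; in a mail gateway the same logic would be one scoring input, not a verdict on its own, since a careful attacker can avoid the keyword checks and only the domain comparisons are hard to dodge.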
The ZachXBT case illustrates signature-phishing tactics. Victims who clicked the fraudulent upgrade link likely signed a contract approval that granted the drainer permission to transfer tokens.
This single signature opened the pathway to ongoing theft across various chains. Contract approvals often carry unlimited spend caps by default, so the attacker could have emptied each wallet, but opted for small amounts per wallet because draining everything would prompt immediate investigations.
Distributing theft across hundreds of victims at $2,000 each remains under the radar while accumulating substantial totals.
Revoking approvals and shrinking blast radius
Once a phishing link is clicked or a malicious approval is signed, the focus shifts to containment. MetaMask now allows users to view and revoke token allowances directly through MetaMask Portfolio.
Revoke.cash guides users through a straightforward process: connect your wallet, review approvals per network, and send revoke transactions for untrusted contracts.
Etherscan's Token Approvals page provides the same functionality for manual revocation of ERC-20, ERC-721, and ERC-1155 approvals. These tools are vital because victims who act quickly could cut off the drainer’s access before losing everything.
The difference between approval compromise and seed-phrase compromise determines whether a wallet can be saved. MetaMask's security guide sets a firm boundary: if you believe your Secret Recovery Phrase has been compromised, cease using that wallet immediately.
Establish a new wallet on a clean device, transfer leftover assets, and treat the original seed as permanently burnt. Revoking approvals is helpful when the attacker only has contract permissions; if your seed is compromised, the entire wallet must be abandoned.
Chainalysis recorded approximately 158,000 personal wallet compromises affecting at least 80,000 individuals in 2025, even as the total value stolen decreased to around $713 million.
Personal wallet losses as a share of total crypto theft increased from about 10% in 2022 to nearly 25% in 2025, according to Chainalysis data.
Attackers targeted more wallets for smaller amounts, following the pattern identified by ZachXBT. The practical implication: organizing wallets to limit exposure matters just as much as avoiding phishing.
A single compromised wallet should not lead to total portfolio loss.
Building defense-in-depth
Wallet providers have implemented features that could have contained this attack if adopted.
MetaMask now recommends setting spending caps on token approvals instead of accepting the default “unlimited” permissions. Revoke.cash and De.Fi's Shield dashboard encourage treating approval reviews as routine hygiene alongside using hardware wallets for long-term holdings.
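The signature-phishing mechanism described earlier, the revocation step, and the spending-cap advice above all reduce to the same ERC-20 `approve(spender, amount)` call: the drainer needs an allowance, revocation sets it to zero, and a cap bounds it. The following added example (not code from the article, MetaMask, Revoke.cash or De.Fi) decodes the calldata such a prompt asks the user to sign, flags an unlimited allowance or an unknown spender, and builds the zero-allowance and capped variants. The four-byte selectors are the standard ERC-20/721/1155 values; the spender address, balances and trusted-spender set are constructed placeholders.

```python
# Well-known 4-byte selectors (first four bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155
}
UINT256_MAX = 2**256 - 1  # the default "unlimited" allowance the article warns about

# Placeholder spender; a real review would use the contract shown in the prompt.
DRAINER_SPENDER = "0x1111111111111111111111111111111111111111"


def _strip_0x(value):
    value = value.lower()
    return value[2:] if value.startswith("0x") else value


def _address_word(addr):
    """Left-pad a 20-byte address to the 32-byte ABI word."""
    return _strip_0x(addr).rjust(64, "0")


def encode_approve(spender, amount):
    """Calldata for approve(spender, amount); amount is in the token's base units."""
    return "0x095ea7b3" + _address_word(spender) + format(amount, "064x")


def encode_set_approval_for_all(operator, approved):
    """Calldata for setApprovalForAll(operator, approved) on NFT contracts."""
    return "0xa22cb465" + _address_word(operator) + format(int(approved), "064x")


def decode_calldata(data):
    """Decode the approval calldata a wallet prompt asks the user to sign."""
    raw = _strip_0x(data)
    selector, args = raw[:8], raw[8:]
    words = [args[i:i + 64] for i in range(0, len(args), 64)]
    name = SELECTORS.get(selector, "unknown")
    if name.startswith("approve("):
        return {"function": "approve",
                "spender": "0x" + words[0][24:],
                "amount": int(words[1], 16)}
    if name.startswith("setApprovalForAll("):
        return {"function": "setApprovalForAll",
                "operator": "0x" + words[0][24:],
                "approved": int(words[1], 16) == 1}
    return {"function": "unknown", "selector": selector}


def assess_approval(decoded, token_balance, trusted_spenders):
    """Findings a pre-signature check should raise for one approval."""
    findings = []
    if decoded["function"] == "approve":
        if decoded["amount"] == UINT256_MAX:
            findings.append("unlimited-allowance")
        elif decoded["amount"] > token_balance:
            findings.append("allowance-exceeds-balance")
        if decoded["spender"] not in trusted_spenders:
            findings.append("unknown-spender")
    elif decoded["function"] == "setApprovalForAll" and decoded["approved"]:
        findings.append("operator-approval-for-all")
        if decoded["operator"] not in trusted_spenders:
            findings.append("unknown-spender")
    return findings


def revoke_calldata(decoded):
    """Calldata that cancels the allowance (what revocation tools send)."""
    if decoded["function"] == "approve":
        return encode_approve(decoded["spender"], 0)
    if decoded["function"] == "setApprovalForAll":
        return encode_set_approval_for_all(decoded["operator"], False)
    raise ValueError("not an approval call")


def capped_approve_calldata(decoded, cap):
    """Replace an unlimited allowance with a spending cap before signing."""
    return encode_approve(decoded["spender"], min(decoded["amount"], cap))


if __name__ == "__main__":
    # Constructed scenario: a 5,000-token balance (6 decimals) and an unlimited
    # approval to an unknown spender, as in the drainer flow described above.
    balance = 5000 * 10**6
    prompt = decode_calldata(encode_approve(DRAINER_SPENDER, UINT256_MAX))
    print("findings:", assess_approval(prompt, balance, set()))
    print("revoke:  ", revoke_calldata(prompt))
    print("capped:  ", capped_approve_calldata(prompt, 250 * 10**6))
```

The encoding is the plain ABI layout (selector, then 32-byte words), so the output can be compared byte-for-byte with what a wallet's confirmation screen or a block explorer shows for the same call; the important practical point is that a capped approval and a revoke are the same function with a different amount, which is why revocation is only meaningful while the attacker holds an allowance and not a seed phrase.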
MetaMask enables transaction security alerts from Blockaid by default, flagging suspicious contracts prior to executing signatures.
The Trust Wallet extension incident underscores the necessity for defense-in-depth. That exploit circumvented user decisions, and malicious code in an official Chrome listing automatically harvested keys.
Users who diversified their holdings across hardware wallets (cold storage), software wallets (warm transactions), and burner wallets (experimental protocols) minimized their exposure.
This three-tier model introduces friction, but that friction is the goal. A phishing email that compromises a burner wallet costs hundreds or a few thousand dollars. The same attack against a single wallet containing an entire portfolio results in life-changing losses.
The ZachXBT drainer succeeded because it exploited the gap between convenience and security. Most users keep everything in one MetaMask instance because managing multiple wallets seems cumbersome.
The attacker gambled that a professionally crafted email on New Year’s Day would catch enough individuals off guard to generate profitable volume. That gamble paid off, with $107,000 and counting.
MetaMask's official guidance identifies three phishing red flags: incorrect sender addresses, unsolicited urgent upgrade requests, and demands for Secret Recovery Phrases or passwords.
What's at stake
This incident raises a broader question: who is responsible for endpoint security in a self-custodial ecosystem?
Wallet providers create anti-phishing tools, researchers release threat reports, and regulators caution consumers. Yet the attacker required only a fraudulent email, a cloned logo, and a drainer contract to compromise hundreds of wallets.
The infrastructure that facilitates self-custody, permissionless transactions, pseudonymous addresses, and irreversible transfers also renders it unforgiving.
The industry views this as an educational issue: if users verified sender addresses, hovered over links, and revoked old approvals, attacks would fail.
However, Chainalysis's data on 158,000 compromises suggests education alone does not scale. Attackers adapt faster than users learn. The MetaMask phishing email evolved from rudimentary “Your wallet is locked!” templates to sophisticated seasonal campaigns.
The Trust Wallet extension exploit demonstrated that even cautious users can lose funds if distribution channels become compromised.
What works: hardware wallets for significant holdings, diligent approval revocation, wallet segregation based on risk profile, and skepticism toward any unsolicited communication from wallet providers.
What doesn’t work: assuming wallet interfaces are inherently safe, treating approvals as one-time decisions, or consolidating all assets in a single hot wallet for convenience. The ZachXBT drainer will be shut down because the address is flagged, and exchanges will freeze deposits.
But another drainer will arise next week with a slightly modified template and a new contract address.
The cycle persists until users internalize that the convenience of crypto creates an attack surface that will eventually be exploited. The choice isn’t between security and usability, but rather between friction now and loss later.
The post Hundreds of MetaMask wallets drained: What to check before you ‘update’ appeared first on CryptoSlate.