With over 30 million users worldwide, Metamask is the most popular crypto wallet for trading and storing digital assets. That doesn’t mean it can’t be hacked though. If you suspect your wallet has been hacked, you might question how it happened. So, how does Metamask get hacked?
Below we expose the most common Metamask hacks, tips to keep your wallet safe, what to do if your wallet is hacked, and we suggest a better storage solution.
How Does Metamask Get Hacked?
Metamask users are hacked daily. Scammers are on the prowl 24/7 coming up with new ways to steal your assets. Below we expose the most common hacks.
Malware or spyware compromisation
If you use your computer or phone on a daily basis, you’ve more than likely been exposed, or at the very least, came in close contact with some type of malware.
Malware, also known as spyware or keylogging software is used to disrupt your device, server, client, or network to gain access to your information. These viruses are usually attached to emails, embedded in links, and hidden in ads on websites across the internet.
It only takes one click for malware to install itself onto your device. The worst part is you might not even know it happened.
Some common signs of malware infection include:
- Your device is slower than usual, shuts down automatically, or displays error messages.
- You can’t restart or shut down your device.
- The software you installed won’t let you uninstall it.
- You see pop-ups that cover your screen and inappropriate ads.
- Random tabs and websites open on their own.
- Your battery life is reduced significantly.
- Emails are being sent without your doing.
So, how does this correlate to your Metamask account being hacked? Great question.
Scammers can use this spyware to watch your every move. That means they can see any passwords you type and find files in your system where you might have your wallet info stored.
From there, they use that info to access your wallet and transfer your funds into their possession.
Preventative action to take:
- Don’t connect your device to public wifi
- Avoid visiting sites that don’t use Secure Sockets Layer (SSL). A secure site begins with “https”, not “http”.
- Create strong passwords for all your online accounts.
- Enable extra security measures like two-factor authentication (2FA).
- Keep all your software and apps up-to-date.
- Monitor your accounts for unusual activity.
A phishing website stole your information
Phishing links are undoubtedly one of the most common scams in the crypto space. And no, I’m not talking about casting a line out into the water fishing.
I’m talking about a link that is sent to you, usually with some type of incentive, in hopes that you click on it and visit the malicious website. Once you’re on the website, there’s usually some action you’re required to take such as connecting your wallet.
By connecting Metamask to a malicious website and approving the connection, you’re literally enabling the scammer access to your wallet.
Then the scammer quickly sends all of your digital assets to their own wallet, eventually liquidating them for a nice profit.
So where do these phishing links appear? Here are a couple of spots to be aware of.
- In your DMs. Twitter, Instagram, Discord, and Telegram are the most common.
- Bots. Social media is notorious for scam bots that use “trigger” words to spam your posts with links and people with bad intentions.
- Your email. Bad actors pretend to be a notable brand and will tempt you to follow the link by invoking fear, excitement, or some sort of immediate action.
- On websites. Sketchy websites may have multiple phishing links scattered throughout.
I know some people might think the above seems obvious. But believe me, it’s not. Especially if you are new to web3 and everything that comes with it. It’s best to approach any links sent your way with extreme caution and hesitation.
Preventative action to take:
- Don’t click on random links that are sent to your email or DMs.
- Never connect your wallet to a site you don’t trust or recognize.
- Always double-check the URL of the sites you visit, all it takes is one letter to be off.
- If you receive a link to an offer that’s too good to be true, then it probably is.
- If you get a message requiring you to take immediate action, don’t. It’s more than likely a scam.
- Enable Privacy Mode in Metamask by going to Settings, Security & Privacy, then toggle to enable the mode.
Your wallet private key has been exposed
Your private key (secret recovery phrase) is the main layer of defense when it comes to your Metamask account.
Whoever has your private key also has complete control over your wallet. That said, if you expose it to the wrong person, it’s game over.
Of course, you wouldn’t willingly give out your secret phrase, right? WRONG. All too often people give out their phrase like they’re handing out candy on Halloween.
The question is, why?
It could be for a number of reasons, the most common being assistance. That’s right. When Metamask user has an issue, they look for help. The only problem is, they look in all the wrong places.
Generally, users turn to social platforms in search of a solution. Although some people genuinely want to help, most of the help you find is from scam accounts. These accounts contact you via comments and DMs promising you a simple solution.
Sometimes these accounts look like normal people. Other times it’s a fake Metamask Support account that seems legitimate. They go as far as talking with you and listening to your issue.
Then, they ask you to chat with them over a video call before requesting that you share your screen and sign into your account using your secret phrase.
Or, they might just ask you to give them your secret phrase so they can better assist you.
All of these scenarios are red flags. If you find yourself in a similar situation, get away as fast as you can, and don’t share any of your private info.
Metamask or anyone else would never need your private key to assist you, it’s always a scam.
Preventative action to take:
- Never share your private key with anyone.
- Don’t accept help from random accounts.
- Don’t respond to DMs. Metamask would never send you a private message.
- Always be cautious of emails. Especially if you didn’t reach out directly.
Installed a fake Metamask Extension/App
Installing a fake Metamask extension or app isn’t as common as the other hacks we’ve mentioned, however, it has happened before and it can happen again.
Hackers have created fake, malicious, websites that are spelled similarly to the official site. Then using Google Ads, they get these sites sponsored so they appear at the top of the search results.
Without realizing the site is fake, people create wallets and fund it, just to have their funds sent to the scammers.
The same thing has happened with NFT marketplaces like Opensea. Scammers would create a fake marketplace that allowed users to connect their wallets.
Using Google Ads, they got it to appear first on Google so everyone clicked on it, just to have their wallets hacked.
I haven’t seen this as often lately, but it’s still a possibility.
Preventative action to take:
- Only download Metamask from the official site.
- Always verify you are visiting the correct URL.
- Don’t trust websites just because they appear first on Google.
- Pay close attention to any suspicious warning messages when visiting a site.
Dust attack (fake airdrops)
A dust attack is where a scammer sends numerous digital assets (crypto and NFTs) to multiple wallet addresses in hopes the user will somehow interact with the asset.
Depending on the attack, the token itself could lead you to be hacked if you sign any kind of transaction associated with that token using your wallet.
Or an error message will appear when you try to interact with the asset (this includes sending, selling, or any interaction that requires a blockchain transaction).
The aim is to lead you to a link that directs you to a malicious website (there’s that dang phishing link again).
Oftentimes, scammers will send an NFT to your wallet that has a bid on it. But, when you go to accept the bid it doesn’t work. Instead, a message appears prompting you to take action by visiting a website for the solution. Upon visiting this site, you’re hacked.
In an attempt to prevent users from falling for this scam, MetaMask doesn’t display any tokens that you didn’t manually add to your wallet yourself.
However, these tokens are still there, and in the case of NFTs, you will see them displayed on your profile when you visit an NFT marketplace like Opensea.
Preventative action to take:
- Don’t interact with any tokens in your wallet you didn’t directly buy yourself.
- Monitor your wallet’s balance at all times.
- Turn on Enhanced Token Detection in Metamask for better monitoring by going to Settings, Advanced, and toggle to enable.
What to Do If You’ve Been Hacked
Perhaps it’s too late and your Metamask account has already been hacked. If this is the case, here’s what you should do next.
1. Install Metamask on a different browser or device
Choosing to simply use a different browser versus a completely separate device depends on how you were hacked.
If you suspect that malware played a role in the hack, do not use that device when creating your new account. You must use a different device that hasn’t been compromised. Otherwise, you could be hacked again.
If you’ve determined that you are the victim of a phishing scam or you voluntarily handed over your secret phrase, you can get away with using a different browser to set up your new wallet.
Since your device isn’t compromised and only your wallet is affected, use a new browser to create a new account.
2. Create a new wallet and seed phrase
If your hacked wallet still has funds in it, make sure you don’t delete the app or extension that’s signed into that wallet just yet. You might be able to save some of your assets in the next steps.
Using a different browser or device, create your new Metamask account and seed phrase. Also, make sure to create a new password that you’ve never used before. You want to start fresh.
Make sure to record and store your seed phrase in a safe place (not online or on your device). Rather, write it down using pen and paper and tuck it away in a fireproof safe.
Better yet, get yourself a metal seed phrase card to compliment a safe. That way if anything does happen, you aren’t relying on a piece of paper to keep your phrase intact.
3. Send funds from your compromised account to your new account
If you still have any assets sitting in your hacked account, you should immediately send those items to your new wallet.
But remember, transferring digital assets like NFTs and crypto incurs a transaction fee, so you will have to have some money in your wallet.
If the assets remaining in your wallet are of value, it might be worth loading that wallet with a couple of dollars so you can send your assets to your new wallet.
It’s possible your account could contain a sweeper script. If that’s the case, your funds would be instantly intercepted and never arrive in your wallet.
If you don’t care for the assets remaining in your hacked account, skip this step and move on.
4. Stop using your hacked account
Once you have either transferred any remaining assets out of your hacked account or if you determined it’s a complete loss, discontinue using that wallet and never use it again.
In fact, you should even get rid of the secret phrase so that you don’t accidentally access that wallet again in the future.
To get rid of the wallet on your desktop device, simply uninstall the browser extension.
To delete your wallet from your mobile app, either uninstall the app and reinstall it or reset it by pressing “Reset Wallet” on the login screen.
Can You Recover Hacked Funds?
There is no way to recover funds if your Metamask account has been hacked. Your best option is to report the scam to relevant authorities using the steps outlined below.
Contact Metamask support
You can report an incident to Metamask’s support team by opening a ticket. To do this, you can start a conversation on their support page. You will need to provide the following info for better assistance:
- Your email address
- Your public wallet address beginning with “0x” (NOT your key phrase)
- The suspected scammer’s public address
- The website, email, or another medium through which the scam reached you
Report the scammer’s address on the block explorer
If the scammer used an Ethereum address, you can report their address on the block explorer via Etherscan.
If the block explorer finds that the address you submitted shows signs of fraudulent activity, it will be flagged. By doing this you will help other users avoid this malicious address.
Alert your local cybercrime authority
The last step is to report the activity to your local authorities. This is important because more likely than not, the scammer will continue to carry out their criminal activities.
You can help prevent this by providing valuable information to the authorities.
Below is a list of authorities by country:
- United States: the FBI’s IC3 service
- European Union: Europol portal (redirects to your chosen country)
- United Kingdom: Action Fraud
- Philippines: CICC form
- Brazil: This varies depending on the state. You will likely have to contact your state’s specialized cybercrime unit.
- Indonesia: Directorate of Cyber Crime
Is Metamask a Safe Wallet?
Metamask is safe when used correctly. It’s a self-custody wallet secured by a private key, password, and biometric authentication. But if you aren’t careful you can easily expose your account to potential scams and hacks. Since it’s always connected to the internet it’s not a good storage solution.
In other words, it’s a software wallet. These types of wallets are easy to use but they aren’t secure as hardware wallets.
Software wallets and hardware wallets are both used for trading and storing digital goods, but only one should be used as a storage solution.
Metamask remains a good option for buying and selling crypto and NFTs, but you should never store anything of value on a software wallet.
Since it’s always connected to the internet it has a much higher risk of being hacked.
What’s a Better Storage Solution?
The best option for storing digital assets on the blockchain is a hardware wallet like Ledger. This device keeps your account’s private info like your seed phrase, PIN, and password on the device itself. And since it’s not connected to the internet, it’s unlikely a Ledger wallet would be hacked.
There is a slight learning curve to setting up a Ledger wallet but it’s easy with proper instructions. Additionally, it’s more than worth the added security.
But does that mean you shouldn’t use Metamask at all? Not quite.
You can still use Metamask to buy and sell digital assets. The important thing is to not store anything on it. Instead, you should immediately transfer any assets you buy to your hardware wallet for safekeeping.
And if you decide to sell, it’s best to send that asset back to your Metamask wallet to complete the sale.
By keeping all your assets stored on your hardware wallet, you don’t have to worry about your assets being stolen even if your Metamask account is hacked, because there won’t be anything to steal.