Phishing Attacks Impersonating Popular Metaverse Projects Targeting MetaMask Users

The Guardio research team has discovered a broad and deep network of sophisticated phishing attacks impersonating some of the sector’s leading brands and explicitly targeting MetaMask users exploring the developing metaverse space.

Hackers Target Metaverse Users using MetaMask

Guardio, a cyber-security startup dedicated to keeping users’ identity and information secure, revealed in their recent blog post how hackers have already cumulatively stolen hundreds of thousands of dollars from unsuspecting users, most of whom were active in the sprawling NFT and metaverse space.

Malicious actors could pull off this attack because of the high number of users reliant on MetaMask. The multi-browser plugin wallet is one of the most widely used hot wallets allowing users to connect to dApps and explore the base layer. 

As of early March 2022, the Chrome browser wallet alone had more than 10 million downloads. A ConsenSys finding revealed that there are, on average, 10 million monthly active users. Considering how fast NFT solutions are being adopted and the promise of the metaverse, more users are expected to download and install MetaMask as their browser wallet of choice. Moreover, attackers reckon that metaverse users are tech-savvy, have been in the crypto space, and are most likely crypto holders.

Phishing Attacks on Crypto Wallets Are on The Rise

The research team discovered that, to pull off their heist, hackers cloned the websites of leading NFT and metaverse brands like Decentraland, OpenSea, and The Sandbox before executing their phishing campaigns.

Their attacks were successful because these sites often have a high level of functionality, with complicated connection flows that require MetaMask holders to manually approve transactions before they are posted on-chain. Because the hackers cloned the original websites and used age-old techniques like IDN attacks, some users were caught off guard and gave up their MetaMask private keys (seed phrase), allowing the hackers to access their wallets.

Hundreds of these cloned “low flying” websites also ranked on the first page of Google search results because hackers poured resources into them and used malvertising techniques. Some even managed to run targeted Google Ads campaigns around specific keywords.

Blockchain Cuts Both Ways

Even though crypto and blockchain solutions have real-world uses and have been massively disruptive, security remains a challenge, as evidenced above. The situation is exacerbated by distributed ledger technology’s architecture, which prioritizes the decentralization of power over everything else. As power is decentralized to ordinary end users, many of whom may lack the know-how and even the basic techniques for safeguarding assets on an immutable public blockchain, billions of assets have been permanently lost or stolen.

Notably, hackers have historically wreaked havoc on crypto infrastructure, stealing assets. In recent years, as decentralized facilitators take charge, hackers have trained their guns on end users in, among many fields, the metaverse and NFTs. In response, users are urged to keep their private keys private and always practice due diligence to prevent losing assets. This means double-checking URLs before approving transactions through MetaMask and using up-to-date antivirus programs as a primary shield.
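
The URL double-check advised above can be partly automated for the IDN lookalikes described earlier. The following Python check is an added example, not code from Guardio or MetaMask; the allowlisted domains, the small confusables map and the sample hostname are assumptions constructed for illustration.

```python
import unicodedata

# Assumed allowlist: official domains of the brands named in the article.
OFFICIAL = ("opensea.io", "decentraland.org", "sandbox.game", "metamask.io")

# Constructed, deliberately small map of Cyrillic/Greek letters that render
# like Latin ones; a production check would use the full Unicode confusables data.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0501": "d", "\u0435": "e", "\u0456": "i",
    "\u043e": "o", "\u03bf": "o", "\u0440": "p", "\u0455": "s", "\u0445": "x",
})

def to_display(host):
    """Decode xn-- (punycode) labels into the Unicode form a user may see."""
    labels = []
    for label in host.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw text
        labels.append(label)
    return ".".join(labels)

def matches(host, domain):
    """True for the domain itself or any of its subdomains."""
    return host == domain or host.endswith("." + domain)

def classify(host):
    """Return (verdict, matched official domain or None) for a hostname."""
    shown = to_display(host)
    for domain in OFFICIAL:
        if matches(shown, domain):
            return ("official", domain)
    # Fold lookalike letters to Latin and compare again.
    skeleton = unicodedata.normalize("NFKC", shown).translate(CONFUSABLES)
    for domain in OFFICIAL:
        if matches(skeleton, domain):
            return ("homograph", domain)
    if not shown.isascii():
        return ("non-ascii", None)
    return ("unlisted", None)

def sample_lookalike():
    """Constructed sample: 'opensea.io' with a Cyrillic 'o' as first letter."""
    return "xn--" + "\u043epensea".encode("punycode").decode("ascii") + ".io"
```

A hostname classified as `homograph` renders like an allowlisted domain but is a different registration, so any wallet prompt reached through it should be rejected.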