Make connecting a wallet safer from phishing attacks

**Description:** There is a scam with bogus reward tokens, as described in this article:
h-t-t-p-s://www . vice . com/en/article/epxxe7/received-some-random-cryptocurrency-it-might-be-a-phishing-scam

I received a token that was nominally shown as worth $17,000, which is obviously bogus. The name of the token was "BONUS. VISIT [H-T-T-P-S://STBONUS . SITE TO RECEIVE REWARD"
(note: I added '-' and spaces to the address so I could include it here in this feature request).

If you navigate to that site and connect your MetaMask wallet, it can drain the entire wallet. Or at least I believe so. I fortunately rejected the connection request, so I'm not sure. When you connect, MetaMask asks you to approve a whole bunch of things, including trading. I could tell it was iffy and rejected the request.

The point is that newbies like me learn that you first connect the wallet to web sites. THEN, after you've connected, you are asked to approve/reject requests for each subsequent transaction. In this case, it seems you are approving transactions merely by connecting the wallet to the site. That's stupid. Newbies like me may approve the connection on the assumption that there is no way they would be approving having their whole wallet drained without even being asked permission. This is f'n NUTS. You need to add more security when connecting the wallet. You can't make it this easy for hackers to steal everything out of your wallet. FIX THIS

**Purpose:** Make it harder to have your wallet drained by merely connecting to a web site

Extension/Mobile/Both: Both

Images/Attachments:

Hi!

Security for your wallet is only as strong as your own knowledge base and your ability to understand and avoid scams. That involves the dApps you interact with, the smart contracts you approve and so on, which you need to double- or triple-check to make sure they are legitimate and not scams. You should be really careful visiting unknown sites; malware or spyware could be on your device, so please run a scan.

Read these articles to start expanding your knowledge:

3 Likes

I'm sorry, but blaming the user or saying they should have known is not productive or helpful. If an application puts users' funds at risk of unknowingly authorizing malicious activity on their account, then that's a loophole in the app. While the knowledge/experience of the user is important, it is a loophole scammers use to scam unsuspecting users, especially newer ones. Much like the OP, I ended up on a fake Beefy site (which looked identical to the real one) from a Google search because both CMC & Defi Llama had different addresses. Google is rife with scammers that can pay their way to the top of searches. Recently I've found ones for CMC as well (I rejected the connection), and I am sure there are some for any popular site. The user thinks they are on a legit site, and connecting to sites is common as you enter them, so they fall into the trap. I knew what I fell into, so I rejected the connection; CMC does not need access to my wallet to be used. MM should not allow, or should at least warn the user about, what they are allowing the site to do before they click connect. MM should not allow connecting to sites that request moving funds without express permission for that token, and without the user saying that unlimited is OK (separate from the normal connect wallet, which only allows reading of balances). I do not know of any legit site that asks to do this.

The advice I was given was to use a browser such as DuckDuckGo; only click on links from vetted and trusted sites; and bookmark legit sites.
If crypto is going to go mainstream or get people to use self-custody wallets, then we have to do as much as possible to defeat scammers. This involves education, and apps & dApps building in safeguards to protect their users. It will be a long road, but small steps can help.
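Both the original request and the reply above ask for the same thing: that the wallet make clear the difference between a site *connecting* and a site being *allowed to move tokens*. Under the EIP-1193 provider API that MetaMask implements, a connection request (`eth_requestAccounts`) only discloses account addresses to the site; tokens can only leave the wallet through a separate `eth_sendTransaction` (or signature) prompt that the user confirms, and what a drainer site submits right after connection is typically an ERC-20 `approve(spender, 2^256-1)` or an ERC-721 `setApprovalForAll(operator, true)`, which lets the spender take the tokens later without any further prompt. The example below is added here and is not MetaMask's code: it classifies a raw provider request before the user sees it, decoding the calldata by its 4-byte function selector and flagging unlimited approvals. The token and spender addresses in the sample requests are constructed placeholders.

```javascript
// Added example (not MetaMask code): classify what an EIP-1193 request would
// actually let a site do, so a "connect" prompt and a token-approval prompt
// are never confused. Function selectors are the first 4 bytes of
// keccak256(signature); the values below are the standard ERC-20/ERC-721 ones.
const SELECTORS = {
  '095ea7b3': { sig: 'approve(address,uint256)', kind: 'allowance' },
  '39509351': { sig: 'increaseAllowance(address,uint256)', kind: 'allowance' },
  'a22cb465': { sig: 'setApprovalForAll(address,bool)', kind: 'operator' },
  'a9059cbb': { sig: 'transfer(address,uint256)', kind: 'transfer' },
  '23b872dd': { sig: 'transferFrom(address,address,uint256)', kind: 'transfer' },
};
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" amount drainers ask for

// i-th 32-byte ABI word after the 4-byte selector, as hex without 0x.
function abiWord(data, i) {
  const start = 8 + i * 64;
  if (data.length < start + 64) throw new Error(`calldata too short for word ${i}`);
  return data.slice(start, start + 64);
}
const wordToAddress = (w) => '0x' + w.slice(24); // address = low 20 bytes of the word
const wordToUint = (w) => BigInt('0x' + w);

function classifyRequest(req) {
  // Account access only: the site learns addresses and may *propose* transactions,
  // each of which still needs its own confirmation.
  if (req.method === 'eth_requestAccounts' || req.method === 'wallet_requestPermissions') {
    return { risk: 'connect', detail: 'site gets account addresses; no funds can move yet' };
  }
  if (req.method !== 'eth_sendTransaction') {
    return { risk: 'other', detail: req.method };
  }
  const tx = (req.params && req.params[0]) || {};
  const data = (tx.data || '0x').replace(/^0x/i, '').toLowerCase();
  const value = tx.value && tx.value !== '0x' ? BigInt(tx.value) : 0n;
  if (data.length < 8) {
    return value > 0n
      ? { risk: 'value-transfer', detail: `sends ${value} wei to ${tx.to}` }
      : { risk: 'low', detail: 'empty call with no value' };
  }
  const selector = data.slice(0, 8);
  const entry = SELECTORS[selector];
  if (!entry) return { risk: 'unknown-call', detail: `selector 0x${selector} on ${tx.to}` };

  if (entry.kind === 'allowance') {
    const spender = wordToAddress(abiWord(data, 0));
    const amount = wordToUint(abiWord(data, 1));
    const unlimited = amount === MAX_UINT256;
    return { risk: unlimited ? 'unlimited-approval' : 'limited-approval',
             sig: entry.sig, token: tx.to, spender, amount };
  }
  if (entry.kind === 'operator') {
    // setApprovalForAll(true) hands every NFT in the collection to the operator.
    const operator = wordToAddress(abiWord(data, 0));
    const approved = wordToUint(abiWord(data, 1)) !== 0n;
    return { risk: approved ? 'unlimited-approval' : 'revoke',
             sig: entry.sig, token: tx.to, spender: operator, amount: null };
  }
  return { risk: 'transfer', sig: entry.sig, token: tx.to };
}

// Constructed sample requests (placeholder addresses, not real contracts).
const TOKEN = '0x' + 'aa'.repeat(20);
const SPENDER = '0x' + '11'.repeat(20);
const pad = (hex) => hex.padStart(64, '0');
const SAMPLE_REQUESTS = {
  connect: { method: 'eth_requestAccounts', params: [] },
  approveMax: { method: 'eth_sendTransaction',
    params: [{ to: TOKEN, data: '0x095ea7b3' + pad(SPENDER.slice(2)) + 'ff'.repeat(32) }] },
  approveSmall: { method: 'eth_sendTransaction',
    params: [{ to: TOKEN, data: '0x095ea7b3' + pad(SPENDER.slice(2)) + pad((1000n).toString(16)) }] },
  setAll: { method: 'eth_sendTransaction',
    params: [{ to: TOKEN, data: '0xa22cb465' + pad(SPENDER.slice(2)) + pad('1') }] },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, classifyRequest(req));
}
```

The point of the classification is the `unlimited-approval` result: it is the one request a wallet should refuse to show as a routine "confirm" and instead present with the spender address and the fact that no further prompt will occur when the tokens are taken. Wallets that show a generic "approve" dialog leave the user to spot that on their own, which is exactly the gap the posts above describe.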

3 posts were split to a new topic: Hacked wallet from phishing link

I have wondered why there isn't an option to accept or cancel deposits or withdrawals from your MetaMask, just like exchanges ask for 2-step authentication and either a security number via email or text message when withdrawing.

I got hacked about 2 weeks ago and lost just over $1000 worth of ETH because a hacker attached a sweeper bot to my address. I only knew because I saw the ETH disappear about 3 seconds after the funds cleared into my wallet. So I looked at the transaction, and there was the withdrawal that I didn't make. So I followed the path of transactions and wallet addresses and found a couple more withdrawals I didn't make. Whoever has this bot set up has made hundreds of transactions from all different addresses, adding up to A LOT of stolen ETH, with dates leading back over 2 years. How they're still doing this, I'm not sure, but it now makes me not want to use MetaMask anymore. I've also noticed a lot of the same talk about phishing and sweeper bots from a couple of years ago, and it seems that not much has been done about it.

Whether the hacker got hold of my seed phrase through malware or another way, I'm not sure, but when I opened my wallet 4 years ago I wrote down the seed phrase on a piece of paper and put it into my filing cabinet. I've only connected to a handful of websites because I know that there are heaps of scam sites out there, but it does make me think about how much access these hackers can actually have just sifting through blockchain transactions. All they have to do is find a wallet that has somehow had its seed phrase leaked, add a bot command for a sweeper, then steal whatever funds are put in there. Does the victim get the money back? No, and it's a crap feeling knowing that I lost money to some random when I didn't even connect to a website or give my details out. All I did was deposit ETH from the MEXC exchange and then boom, it's gone.
I also have tokens staked on project websites that have been there for over 2 years waiting for the next bull run that I now can't unstake and move to a new wallet, because as soon as I unstake back to my compromised wallet those tokens will most likely be withdrawn by the bot.

1 Like
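The post above describes a different attack from the approval phishing earlier in the thread: the attacker already holds the private key (from a leaked seed phrase) and runs a bot that forwards every deposit out within seconds. That pattern is easy to recognise in an address's transfer history, and recognising it early tells you the key is gone and that nothing should ever be sent to that address again, including the tokens the poster wants to unstake. The example below is added here and is not MetaMask's code: it scans a list of transfers for one address and reports deposits that were followed within a short window by an outgoing transfer of almost the whole amount (the difference being gas). The window length, the 90% threshold and the transfer records are all constructed assumptions.

```javascript
// Added example (not MetaMask code): detect "sweeper bot" behaviour from an
// address's transfer history. A bot holding a leaked key forwards each deposit
// out within seconds, so the tell-tale pattern is: incoming transfer, then an
// outgoing transfer of almost the whole amount (minus gas) a few seconds later,
// repeated for most deposits and usually to the same destination.
const SWEEP_WINDOW_SECONDS = 60; // assumption: a sweep lands within a minute

// An outgoing transfer counts as a sweep of a deposit if it moves at least 90%
// of the deposited value; the remainder is the gas the bot paid.
function isSweep(deposit, outgoing) {
  return outgoing.valueWei * 10n >= deposit.valueWei * 9n;
}

// transfers: [{ hash, from, to, valueWei (BigInt), timestamp (unix seconds) }]
function assessSweeper(address, transfers, windowSeconds = SWEEP_WINDOW_SECONDS) {
  const addr = address.toLowerCase();
  const sorted = [...transfers].sort((a, b) => a.timestamp - b.timestamp);
  const sweeps = [];
  let deposits = 0;
  for (let i = 0; i < sorted.length; i++) {
    const dep = sorted[i];
    if (dep.to.toLowerCase() !== addr) continue;
    deposits++;
    // Look forward only as far as the window allows.
    for (let j = i + 1; j < sorted.length; j++) {
      const out = sorted[j];
      if (out.timestamp - dep.timestamp > windowSeconds) break;
      if (out.from.toLowerCase() !== addr || !isSweep(dep, out)) continue;
      sweeps.push({ depositHash: dep.hash, sweepHash: out.hash, to: out.to,
                    delaySeconds: out.timestamp - dep.timestamp });
      break;
    }
  }
  const destinations = [...new Set(sweeps.map((s) => s.to.toLowerCase()))];
  // Verdict: at least two swept deposits, and half or more of all deposits swept.
  const compromised = sweeps.length >= 2 && sweeps.length * 2 >= deposits;
  return { deposits, swept: sweeps.length, sweeps, destinations, compromised };
}

// Constructed sample history (placeholder addresses, invented hashes/timestamps):
// two exchange deposits swept within seconds, one deposit spent normally a day later.
const VICTIM = '0x' + '22'.repeat(20);
const EXCHANGE = '0x' + '33'.repeat(20);
const ATTACKER = '0x' + '44'.repeat(20);
const SHOP = '0x' + '55'.repeat(20);
const SAMPLE_TRANSFERS = [
  { hash: 'tx1', from: EXCHANGE, to: VICTIM, valueWei: 500000000000000000n, timestamp: 1700000000 }, // 0.5 ETH in
  { hash: 'tx2', from: VICTIM, to: ATTACKER, valueWei: 499958000000000000n, timestamp: 1700000003 }, // swept 3 s later
  { hash: 'tx3', from: EXCHANGE, to: VICTIM, valueWei: 200000000000000000n, timestamp: 1700086400 }, // 0.2 ETH in
  { hash: 'tx4', from: VICTIM, to: SHOP, valueWei: 50000000000000000n, timestamp: 1700172800 },      // normal spend
  { hash: 'tx5', from: EXCHANGE, to: VICTIM, valueWei: 100000000000000000n, timestamp: 1700259200 }, // 0.1 ETH in
  { hash: 'tx6', from: VICTIM, to: ATTACKER, valueWei: 99958000000000000n, timestamp: 1700259202 },  // swept 2 s later
];

console.log(assessSweeper(VICTIM, SAMPLE_TRANSFERS));
```

Two details matter when applying this to a real history. First, the bot also sweeps the ETH you would send to pay gas for an unstake or a rescue transfer, which is why the poster's staked tokens cannot simply be withdrawn to the same address; the remediation is a new wallet from a new seed phrase, never funding the old one. Second, the heuristic is about timing and proportion, not the destination: a bot may rotate destinations, so `destinations` is supporting evidence rather than the verdict.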

Agree 100%, just had $2500 stolen when all I thought I was doing was connecting to a web3 site.

Hey @AndyJ, sorry to hear this happened. If you would like more information on the next steps or more insight as to what happened, please reach out to MetaMask Support.

  • This will connect you to a bot at first, answer some questions and it will open a ticket for you with an agent.

Remember - NOBODY, including from support, will ask for your secret recovery phrase or for you to input it onto any website for confirmation.