Holiday Surprise Attack: Uncovering the "Happy New Year" Phishing Scam Disguised as MetaMask — How to Empty Hundreds of Wallets?
Well-known on-chain security researcher ZachXBT recently disclosed that a phishing attack targeting MetaMask wallet users has drained hundreds of wallets, with total losses exceeding $107,000 and still rising. The attacker exploited the New Year holiday, sending “forced upgrade” phishing emails disguised as official communications and tricking users into signing malicious contract approvals.
This incident, together with the recent Trust Wallet browser extension vulnerability through which at least $8.5 million was stolen, once again highlights how exposed user-side security is in the crypto world. This article analyzes the attack methods in depth, provides immediate emergency response guidelines, and lays out a forward-looking defense-in-depth system.
Full picture of the attack: Precise hunting during the holiday
At the start of the New Year, when developers and project support teams worldwide are on holiday and staffing is minimal, a coordinated attack on cryptocurrency wallets quietly unfolded. Security researcher ZachXBT observed on-chain that hundreds of wallet addresses across multiple EVM-compatible chains were having assets continuously drained in small, dispersed amounts. The loss per victim was usually kept below $2,000, and all stolen funds eventually flowed into the same suspicious address. As of press time, the total stolen amount has exceeded $107,000, and this figure continues to grow.
Although the root cause of the attack is still under investigation, numerous user reports reveal the entry point: a phishing email disguised as a “mandatory update” notice from MetaMask. The email was well crafted, featuring MetaMask’s iconic fox logo (wearing a party hat, no less) and the subject line “Happy New Year!”, cleverly using the festive atmosphere to lower user vigilance. The attacker chose this moment deliberately, targeting the window of slow response and relaxed alertness.
This “small-amount, many-transactions” theft pattern is highly strategic. It strongly suggests that, in many cases, the attacker does not fully control the wallet via a stolen seed phrase but instead exploits malicious “contract approvals” that users were previously induced to sign. Many token approvals default to an “infinite” allowance, yet the attacker does not empty the wallet in one go; instead, each individual theft is kept small. This avoids triggering immediate suspicion and action from victims, while letting the attack scale across hundreds of wallets and ultimately accumulate a significant six-figure total.
ZachXBT reveals key data of the phishing incident
Attack duration: During the New Year holiday; the specific time window is still to be confirmed
Number of affected wallets: Hundreds (the exact number continues to rise)
Average loss per wallet: Usually below $2,000
Total confirmed losses: Over $107,000
Networks involved: Multiple EVM-compatible chains (e.g., Ethereum, Polygon, Arbitrum)
Attack method: Phishing email inducing victims to sign malicious contract approvals
Analyzing the four flaws of “effective” phishing emails
Why do so many experienced crypto users fall for this? The MetaMask-themed phishing email is a textbook case of social engineering, and its success reveals common weaknesses in user security habits. However, no matter how sophisticated the disguise, such attacks always leave clues in the details. Recognizing the following four key signals can intercept the threat before any loss occurs.
First, and most obvious, is a serious mismatch between brand and sender. In this incident, the sender displayed as “MetaLiveChain”, a name that sounds DeFi-related but has nothing to do with MetaMask. This is a direct sign of attackers hijacking legitimate marketing email templates. The email header even contains an unsubscribe link pointing to “reviews@yotpo .com,” further exposing its spam nature.
Second, an artificial sense of urgency is a classic phishing tactic. The email stresses that the update is “mandatory” and must be acted on immediately, or else wallet usage may be affected. This directly contradicts MetaMask’s official security guidelines: MetaMask explicitly states that it “will never” request verification or upgrades via unsolicited emails. Any urgent upgrade request claiming to come from the official team should be treated as a red flag.
Third, misleading links. The buttons or links in a phishing email typically show text such as “Update Now” but point to domains that do not match the claimed organization. On desktop, hovering over the link reveals the real target URL. Any link that does not point to metamask.io or one of its official subdomains should raise suspicion.
Fourth, asking for core sensitive information or permissions is the ultimate red line. MetaMask and its legitimate representatives will never request your “Secret Recovery Phrase” via email, SMS, or phone call. Likewise, a request to sign an off-chain message or a transaction whose content or purpose is unclear is most likely a trap. In the incident ZachXBT exposed, victims who clicked the link were probably induced to sign a malicious token approval, effectively opening the door for the attackers to transfer their assets.
Emergency response guidelines: revoke approvals and minimize losses
Once you realize you may have clicked a phishing link or signed a suspicious approval, panicking achieves nothing; focus immediately on containing the damage. The primary task is to cut off the attacker’s access. Fortunately, several tools now make managing and revoking contract approvals straightforward.
MetaMask users can now view and manage all token approvals directly in the MetaMask Portfolio interface. Specialized websites such as Revoke.cash offer an extremely simple procedure: connect your wallet, select the network, and it lists every smart contract approval for that wallet address. You can review each one and revoke any untrusted or unused approval by sending a “Revoke” transaction. Likewise, Etherscan and other block explorers provide Token Approvals pages that support manual revocation of approvals for ERC-20, ERC-721, and other token standards. Acting quickly with these tools can help preserve remaining assets before the attacker drains the wallet.
However, the correct measures depend on accurately assessing the extent of the intrusion. There is a fundamental distinction between “theft via contract approval” and “seed phrase fully leaked”. In the former case, the attacker only has permission to transfer specific tokens; revoking the approvals promptly preserves control of the wallet, and further security measures should be taken if you continue to use it. In the latter case, the attacker has full control of your wallet, and any operation you perform (including revoking approvals) could be intercepted, with the thefts simply repeating.
MetaMask’s official security guidelines make this clear: if you suspect your seed phrase has been leaked, stop using that wallet immediately. You must create a new wallet on a completely clean, virus-free device and securely transfer all remaining assets from the old wallet to the new address. The old seed phrase must be considered “permanently destroyed” and never used again. This “cutting off” approach is the only way to handle the worst-case scenario.
Building a deep defense: from single-point protection to a security system
Whether it’s this phishing attack or the previous Trust Wallet extension vulnerability that led to $8.5 million in losses, they point to the same conclusion: relying on a single protective measure is dangerous. Facing evolving threats, ordinary users must establish a “Defense-in-Depth” system, setting up multiple layers of barriers to limit potential losses within tolerable ranges.
First layer: Wallet configuration and daily habits. Wallet providers are actively integrating security features. For example, MetaMask now encourages users to set a spending limit manually during approval rather than defaulting to “infinite.” Also, develop the habit of regularly reviewing and cleaning up old approvals, treating it as just as important to security hygiene as using a hardware wallet. MetaMask’s Blockaid security alerts, enabled by default, can pop up warnings before you sign a suspicious transaction, an underestimated line of defense.
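As an added example (not code from the article, MetaMask, or Revoke.cash), the following Node.js script shows the logic behind the approval-review and revoke steps described in the emergency response section and the "first layer" above: it rebuilds a wallet's current ERC-20 allowances from Approval event logs in eth_getLogs shape, flags allowances that are "infinite" or granted to a spender outside a user-maintained allowlist, and builds the approve(spender, 0) transaction a wallet would be asked to sign to revoke each one. All addresses and logs are constructed sample data, and the trusted-spender allowlist is an assumed user input.

```javascript
// Added example, not article/MetaMask/Revoke.cash code; all addresses and logs below are constructed.
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"; // keccak256("Approval(address,address,uint256)")
const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the "infinite" allowance value

// ABI helpers: left-pad an address or integer into a 32-byte hex word, and back.
const toTopic = (addr) => "0x" + addr.slice(2).toLowerCase().padStart(64, "0");
const toWord = (n) => "0x" + n.toString(16).padStart(64, "0");
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();

// Rebuild the current allowance per (token, spender) for `owner` from Approval logs (eth_getLogs
// shape). Each Approval overwrites the previous value, so replay them in chain order.
function currentAllowances(logs, owner) {
  const ownerTopic = toTopic(owner);
  const state = new Map();
  const ordered = [...logs].sort((a, b) => (parseInt(a.blockNumber, 16) - parseInt(b.blockNumber, 16)) || (parseInt(a.logIndex, 16) - parseInt(b.logIndex, 16)));
  for (const log of ordered) {
    if (log.topics.length !== 3 || log.topics[0] !== APPROVAL_TOPIC) continue; // not an ERC-20 Approval
    if (log.topics[1].toLowerCase() !== ownerTopic) continue; // not this wallet's approval
    const token = log.address.toLowerCase();
    const spender = topicToAddress(log.topics[2]);
    state.set(`${token}|${spender}`, { token, spender, allowance: BigInt(log.data) });
  }
  return [...state.values()].filter((a) => a.allowance > 0n); // drop already-revoked approvals
}

// Flag allowances worth revoking: "infinite" ones, or ones granted to a spender not on the
// user's allowlist (the allowlist is an assumed input, not something read from the chain).
function riskyAllowances(allowances, trustedSpenders) {
  const trusted = new Set(trustedSpenders.map((s) => s.toLowerCase()));
  return allowances
    .filter((a) => a.allowance === MAX_UINT256 || !trusted.has(a.spender))
    .map((a) => ({ ...a, reason: a.allowance === MAX_UINT256 ? "unlimited" : "untrusted spender" }));
}

// A "Revoke" is just approve(spender, 0) on the token contract, returned in eth_sendTransaction shape.
function buildRevokeTx(owner, token, spender) {
  const data = APPROVE_SELECTOR + toTopic(spender).slice(2) + "0".repeat(64);
  return { from: owner, to: token, data, value: "0x0" };
}

// One revoke transaction per risky allowance, in the order they should be sent.
function revokePlan(logs, owner, trustedSpenders) {
  return riskyAllowances(currentAllowances(logs, owner), trustedSpenders)
    .map((a) => ({ reason: a.reason, tx: buildRevokeTx(owner, a.token, a.spender) }));
}

// Constructed sample data (not from the incident).
const OWNER = "0x1111111111111111111111111111111111111111";
const TOKEN = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const TRUSTED_DEX = "0xcccccccccccccccccccccccccccccccccccccccc";
const PHISH_SPENDER = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const UNKNOWN_SPENDER = "0xdddddddddddddddddddddddddddddddddddddddd";
const approvalLog = (block, idx, spender, amount) => ({ address: TOKEN, blockNumber: block, logIndex: idx,
  topics: [APPROVAL_TOPIC, toTopic(OWNER), toTopic(spender)], data: toWord(amount) });
const SAMPLE_LOGS = [
  approvalLog("0x10", "0x0", TRUSTED_DEX, 1000n), // limited approval to a known DEX router
  approvalLog("0x11", "0x2", PHISH_SPENDER, MAX_UINT256), // the phishing "update": infinite approval
  approvalLog("0x11", "0x5", UNKNOWN_SPENDER, 500n), // limited, but to an unrecognised spender
  approvalLog("0x12", "0x0", TRUSTED_DEX, 0n), // user already revoked the DEX approval
];
for (const step of revokePlan(SAMPLE_LOGS, OWNER, [TRUSTED_DEX])) console.log(step.reason, step.tx);
```

In a real wallet flow the returned object is what gets passed to the provider's eth_sendTransaction request, so the user still reviews and signs each revoke themselves.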
Second layer: Asset risk grading and wallet isolation. This is one of the most effective methods to counter a wide range of intrusions. It is recommended to adopt a “cold-warm-hot” three-layer wallet model:
Cold wallet (long-term storage): Use hardware wallets (like Ledger, Trezor) to store core assets and large holdings that are rarely moved.
Warm wallet (daily transactions): Use software wallets (like MetaMask) on mobile or desktop for trading, staking, etc.
Hot wallet (experimental interactions): Create a “burner” wallet for interacting with new, unverified DeFi protocols or NFT projects.
This approach indeed adds management friction, but friction is the core of security. A successful phishing attack that only compromises your “burner” wallet might result in a loss of a few hundred or thousand dollars. But the same attack targeting your single software wallet holding all your assets could be catastrophic.
Third layer: Continuous education and mindset building. The industry often blames user education gaps for security vulnerabilities. However, Chainalysis data shows that in 2025 alone, there were about 158,000 personal wallet thefts affecting at least 80,000 people. This indicates that attacker evolution often outpaces user learning. Therefore, internalize a “continuous suspicion” mindset: be inherently distrustful of any unsolicited information from wallet providers; treat all contract approvals as dangerous unless you fully understand and trust them; always remember that the convenience of crypto itself constitutes an attack surface that will eventually be exploited.
The attack vector exposed by ZachXBT will eventually become ineffective as addresses are flagged and mainstream CEXs freeze deposits. But next week, another attacker will return with slightly modified templates and new contract addresses. In this relentless cycle of offense and defense, the user’s real choice is not between security and convenience but between “actively managing security now at some inconvenience” and “suffering huge pain from asset loss in the future.” Building and practicing your deep defense system is choosing the former, keeping your assets firmly in your own control.