What ZachXBT spotted
The campaign first surfaced when blockchain investigator ZachXBT noticed an unusual transaction pattern: hundreds of small drains, all under $2,000 per victim, all funneling into a single suspicious address across multiple EVM chains. Most drainer attacks target whales because the per-transaction yield justifies the operational cost. This one was doing the opposite. The attacker was harvesting hundreds of low-value wallets in parallel, which is operationally expensive but psychologically clever.
The reason: a $1,500 drain does not make a victim post a viral thread on X. It makes them assume they fat-fingered a swap, double-check their browser history, find nothing obvious, and write off the loss. By the time anyone aggregates the pattern, the attacker has scaled across hundreds of wallets and over $100,000 in cumulative theft. For scale: phishing and social engineering accounted for $594.1 million of the $3.1 billion stolen in H1 2025. This campaign is a textbook example of why those numbers keep rising.
The email itself
The phishing email shows up with a sender identity styled "MetaLiveChain" or variants like "MetaMask Support" and "MetaMask Team." The subject line for the May 2026 wave is a Happy New Year greeting. The body features:
- The actual MetaMask fox logo, modified to wear a party hat for "seasonal cheer"
- A "Mandatory Upgrade Required" header in MetaMask brand orange
- A paragraph claiming security improvements require the user to re-verify their wallet
- A button labeled "Upgrade Now" or "Verify Wallet"
- Footer with fake MetaMask copyright, fake unsubscribe link, and a near-identical layout to real MetaMask product emails
The visual mimicry is high enough that the email passes a casual visual check. The party-hat fox is a memorable detail that makes the email feel hand-crafted by a real human team rather than generic phishing. That detail is exactly what makes the email persuasive. People recognize MetaMask, recognize the playful brand voice, and assume the email is legit.
What happens when you click "Upgrade"
The button links to a domain that follows one of three patterns:
- Brand-hyphen-keyword: metamask-upgrade[.]xyz, metamask-verify[.]app, upgrade-metamask[.]com
- Subdomain on free hosting: metamask.upgrade[.]vercel[.]app, metamask-2fa[.]netlify[.]app
- Hidden behind a URL shortener: bit[.]ly, tinyurl[.]com, or smaller branded shorteners like urlkub[.]co that hide the destination behind a 301 redirect
The landing page shows a near-perfect MetaMask UI clone. The branding, the colors, the fox mascot, the "Continue with MetaMask" button - all replicated. When the user clicks Continue, the page triggers a wallet connection prompt.
Once the wallet connects, the page asks for "verification" or "2FA setup." This step is the actual attack. The page constructs a signature request that the wallet treats as a routine connection step but which actually grants the attacker permission to move tokens from the user's wallet. In most cases this is a Permit2 signature with the attacker as spender, an unlimited amount, and a far-future expiration. The user sees what looks like a "sign in" popup. They sign. Nothing immediate happens. They close the tab assuming the upgrade is complete.
Days later, the attacker executes permitTransferFrom across hundreds of compromised wallets in batched transactions. The user sees a single $1,500 transfer leave their wallet, has no clue which page caused it, and writes it off as a mystery loss.
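What the "sign in" popup described above actually carries is an EIP-712 typed-data request, and a wallet or extension can inspect its fields before the user signs. The following is an added example, not SafeBrowz or MetaMask code; it handles both PermitSingle and the PermitBatch variant mentioned later in this guide. The sample payload is constructed, the token and spender addresses are placeholders, and the 30-day expiration budget and spender allowlist are assumed policy.

```python
import time

# Permit2 encodes amounts as uint160 and expirations as uint48; the maximum values
# mean "unlimited" and "effectively never expires".
MAX_UINT160 = 2**160 - 1
MAX_UINT48 = 2**48 - 1
MAX_EXPIRY_SECONDS = 30 * 24 * 3600   # assumed policy: longer than 30 days is a finding

def permit2_risks(typed_data, trusted_spenders=(), now=None):
    """Inspect an EIP-712 PermitSingle or PermitBatch request and return a list of
    findings. An empty list means nothing matched, not that the request is safe."""
    now = int(time.time()) if now is None else now
    if typed_data.get("domain", {}).get("name") != "Permit2":
        return []  # not a Permit2 request; other checks apply
    msg, ptype = typed_data["message"], typed_data.get("primaryType")
    details = msg["details"] if ptype == "PermitBatch" else [msg["details"]]
    findings = []
    spender = msg["spender"].lower()
    if spender not in {s.lower() for s in trusted_spenders}:
        findings.append(f"spender {spender} is not a contract you knowingly use")
    for d in details:
        amount, expiration = int(d["amount"]), int(d["expiration"])
        if amount == MAX_UINT160:
            findings.append(f"unlimited allowance on token {d['token']}")
        if expiration == MAX_UINT48 or expiration - now > MAX_EXPIRY_SECONDS:
            years = (expiration - now) / (365 * 24 * 3600)
            findings.append(f"allowance on {d['token']} stays valid for {years:,.0f} years")
    if ptype == "PermitBatch" and len(details) > 1:
        findings.append(f"batch grants {len(details)} token allowances in one signature")
    return findings

# Constructed sample of what a drainer's "sign in" popup carries. Token and spender
# addresses are placeholders; verifyingContract is the canonical Permit2 deployment.
DRAINER_PERMIT = {
    "domain": {"name": "Permit2", "chainId": 1,
               "verifyingContract": "0x000000000022D473030F116dDEE9F6B43aC78BA3"},
    "primaryType": "PermitSingle",
    "message": {
        "details": {"token": "0x" + "11" * 20, "amount": str(MAX_UINT160),
                    "expiration": str(MAX_UINT48), "nonce": "0"},
        "spender": "0x" + "ab" * 20,
        "sigDeadline": str(2**256 - 1),
    },
}

if __name__ == "__main__":
    for finding in permit2_risks(DRAINER_PERMIT):
        print("WARNING:", finding)
```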
Why this version succeeded where earlier MetaMask phishing failed
MetaMask has been a phishing target since 2020. Older campaigns relied on cruder lures: "Click here to claim your airdrop," "Your wallet has been compromised," "Verify or your funds will be frozen." Users have been trained to ignore these. The May 2026 wave is different in three specific ways.
Timing. The campaign launched during a holiday period when developers were on leave, security researcher follow-up was slow, and users were processing inboxes full of legitimate "year-end summary" and "happy new year" emails from real services. A phishing email blending in with that volume is statistically more likely to be opened.
Visual fidelity. Earlier phishing emails had obvious typos, low-resolution logos, or off-brand colors. The May 2026 wave uses the actual MetaMask logo with a party-hat overlay, the actual brand orange, the actual button styling, and copy that mimics real MetaMask product update emails. The party hat is the only "off" detail and it reads as seasonal branding, not a red flag.
Sub-detection threshold per victim. The drainer is deliberately tuned to take under $2,000 per wallet. This keeps individual losses below the threshold where most users would file a chargeback dispute, file with a chain monitoring firm, or post publicly. The attack scales horizontally instead of vertically.
How to recognize the email before you click
- Sender domain is not metamask.io. Real MetaMask emails come from noreply@metamask.io or updates@metamask.io. Anything else - metalivechain.com, metamask-support.net, metamask-team.io - is a forgery. Hover over the sender name in your inbox to see the actual domain.
- MetaMask does not push "mandatory upgrades" via email. The MetaMask browser extension updates itself through the Chrome Web Store, Firefox Add-ons, and Edge Add-ons. There is no email step. If you receive an email asking you to take action to update MetaMask, it is phishing.
- Real MetaMask never asks you to "verify your wallet" or "set up 2FA." MetaMask does not have a 2FA system. The wallet is secured by your seed phrase, which is stored locally. Any email or page claiming to set up MetaMask 2FA is a drainer.
- Real MetaMask emails do not ask for a wallet signature. Marketing emails, security advisories, and product updates from MetaMask link to documentation or blog posts. They never link to a page that asks you to connect your wallet and sign anything.
- The link does not go to metamask.io. Hover over the "Upgrade" button without clicking. The destination URL should match metamask.io exactly. Anything else - any subdomain on a free hosting provider, any URL shortener, any close-but-different domain - is a forgery.
What to do if you already clicked and signed
If you signed something on the phishing page and your funds have not moved yet, there is a window to revoke. The window is measured in days because the attacker is sitting on signatures and batch-executing later. Act in the next 24 hours, not next week.
- Go to revoke.cash and connect the wallet that signed. Read-only connection is enough for the listing step.
- Look at the "Permit2 allowances" section. Sort by expiration descending. Any row with a far-future expiration (years out) combined with an unlimited amount and an unfamiliar spender address is the attacker's signature.
- Click Revoke on each suspicious row. This costs gas - usually $1 to $5 per chain. Revoke on every chain you may have interacted with: Ethereum, Base, Arbitrum, Optimism, Polygon, BNB.
- If the drainer used PermitBatch (multiple tokens in one signature), revoke each token separately. revoke.cash shows them as individual rows.
- Move remaining funds to a fresh wallet. If the attacker has any active signature you missed, draining will continue. The safest play is to migrate to a new wallet with a freshly generated seed phrase, then revoke at leisure on the old one.
- Report the email to phishing@metamask.io. Forward the original email as an attachment so the headers are preserved. MetaMask's security team aggregates reports to push domain takedowns.
For the full step-by-step on drained-wallet recovery beyond Permit2, see our companion guide: My crypto wallet got drained. What do I do?
How SafeBrowz catches this attack
The phishing email itself is not something a browser extension can intercept - that is your email client's job. But the moment you click the "Upgrade" button and land on the drainer page, SafeBrowz takes over with its three-layer detection model.
Layer 1 - Local checks (offline, instant). A bundled rule set runs entirely inside the extension before any network call. It looks for known drainer URL patterns, brand keywords on the wrong TLD (metamask on anything other than metamask.io), suspicious TLDs (.xyz, .click, .live, .app on lookalike names), free-hosting destinations (*.vercel.app, *.netlify.app, *.pages.dev), and homograph or hyphen-stitched lookalikes (metamask-upgrade, upgrade-metamask). A page on metamask-verify.xyz never even gets to step two.
Layer 2 - API checks (community + shortener unwrap + page fetch). If the URL slips past the local layer, SafeBrowz cross-references it against Google Safe Browsing, recent community-reported scam URLs, and a domain age lookup. If the link is a shortener (bit.ly, tinyurl.com, urlkub.co, or any path-pattern-detected shortener including ones we have not seen before), the redirect chain is followed server-side and the verdict runs against the final destination, not the shortener interstitial. The page content is also fetched server-side so the next layer has full HTML to analyze.
Layer 3 - AI deep scan (content + brand + signature). The fetched page content is analyzed by a content-aware model trained on phishing patterns in 100+ languages. The check that matters most here is content-based brand impersonation: if the page displays MetaMask UI, the MetaMask logo, or text like "Continue with MetaMask" or "MetaMask 2FA" on a domain that is not metamask.io, the page is flagged regardless of whether the brand keyword appears in the URL. For Premium users, the same layer also runs JavaScript signature inspection - looking for known drainer libraries (Inferno, Pink, Angel, MS, Atomic) and Permit2 payload construction patterns - so attacks with novel UI but reused drainer code are still caught.
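The Layer 1 checks described above can be reproduced offline. The following is an added example, not SafeBrowz's rule set; the brand, TLD, hosting and shortener lists are assumptions built from the patterns named in this article, the eTLD+1 logic is deliberately crude, and the shortlink path is constructed.

```python
from urllib.parse import urlparse

# Assumed lists, built from the patterns named in the text; a real rule set is larger.
BRAND, LEGIT_DOMAIN = "metamask", "metamask.io"
SUSPICIOUS_TLDS = {"xyz", "click", "live", "app"}
FREE_HOSTING = {"vercel.app", "netlify.app", "pages.dev"}
SHORTENERS = {"bit.ly", "tinyurl.com", "urlkub.co"}

def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the hosts used here."""
    return ".".join(host.split(".")[-2:])

def check_url(url):
    """Offline Layer-1 style verdict: list of reasons to block, empty if nothing matched.
    Accepts defanged input ("metamask-upgrade[.]xyz") as written in reports."""
    url = url.replace("[.]", ".")
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return ["unparseable host"]
    # The real domain or a genuine subdomain of it is the only thing that passes.
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return []
    labels, reasons = host.split("."), []
    reg, tld = registrable(host), labels[-1]
    # Brand keyword in any label covers hyphen-stitched (metamask-upgrade) and
    # subdomain (metamask.upgrade.vercel.app) lookalikes alike.
    brand_lookalike = any(BRAND in label for label in labels)
    if reg in SHORTENERS:
        reasons.append("URL shortener: destination hidden, must be unwrapped")
    if reg in FREE_HOSTING:
        reasons.append(f"free hosting destination: {reg}")
    if brand_lookalike:
        reasons.append(f"brand keyword '{BRAND}' on a host that is not {LEGIT_DOMAIN}")
        if tld in SUSPICIOUS_TLDS:
            reasons.append(f"suspicious TLD .{tld} on a lookalike name")
    return reasons

if __name__ == "__main__":
    for u in ["metamask.io/download", "metamask-upgrade[.]xyz/verify",
              "metamask.upgrade[.]vercel[.]app", "bit[.]ly/3xAbCd"]:   # constructed shortlink
        print(u, "->", check_url(u) or "pass")
```

Homograph lookalikes (confusable Unicode characters) need a confusables table and are not covered by this snippet.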
For wallet apps and security platforms that want to pre-check URLs at scale, the same detection is available as an API at api.safebrowz.com/v1/detect at $0.001 USDC per call via x402 on Solana or Base, or via enterprise Bearer keys for high-volume customers.
For developers: how to email your users without training them to be phished
If you operate a wallet, a DEX, or a Web3 product, the May 2026 MetaMask wave is a warning. Your users get phishing emails that look exactly like your real emails. The mitigations you control:
- Never ask users to sign anything via email. Real product emails should link to documentation, not to interactive flows. Any action that requires a wallet signature should originate from your app, not from an external email link.
- Set up DMARC, DKIM, and SPF with strict alignment. Without these, attackers can spoof your sending domain. The MetaMask scam uses MetaLiveChain because real metamask.io has DMARC enforced - the attacker had to invent a similar-looking sender domain instead of spoofing the real one. Strict email auth pushes attackers to weaker forgeries that are easier for users to spot.
- Publish your real sender domains publicly. Put "We email from noreply@yourdomain.com only" on your security page. Train users to check sender domains.
- Use BIMI to display your logo in compatible email clients. BIMI requires DMARC enforcement and a verified VMC certificate, but the result is your logo appearing next to your real emails in Apple Mail, Fastmail, Yahoo, and others. Phishing emails without BIMI clearance display a generic placeholder instead. This is a visual auth signal users can learn.
- Run periodic phishing simulations for your own users. Send a low-stakes "you are about to receive a fake security email next week, watch for the difference" notification. Users primed to look critically catch phishing they would have missed otherwise.
The bigger picture
The May 2026 wave is part of a broader pattern. Drainer crews are no longer trying to win on volume of victims - they are trying to win on yield per victim while staying under detection thresholds. The $1,500 cutoff is calibrated to avoid the social signals that drove earlier campaigns to die fast: viral threads, mainstream coverage, takedown notices.
For users, the lesson is that any single email or link that asks for a wallet signature is a potential drainer regardless of how legitimate it looks. The visual fidelity bar has been crossed. The only remaining defense is checking the sender domain, the destination URL, and the signature payload before signing.
For the industry, the lesson is that signature-based attacks are now the dominant vector and that wallet UI improvements - signature simulation, spender allowlists, default-narrow expirations - need to ship faster than drainers can iterate.
Block MetaMask phishing pages automatically
SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that detects brand impersonation, unwraps URL shorteners, and blocks Permit2 drainer pages before the wallet signature popup appears. The core protection is free forever. Premium adds wallet drainer JavaScript signature detection for the major drainer libraries at $14.99 per year - or hold 10 million $SAFEBROWZ tokens on Base for unlimited Premium access.