What to Check Before ‘Updating’

2026-01-03

On-chain security researcher ZachXBT noted that hundreds of wallets across multiple EVM chains were being drained of small amounts, typically less than $2,000 per victim, which were funneled to a single suspicious address.

Total thefts rose above $107,000 and continued to rise. The cause is still unknown, but users reported receiving a phishing email disguised as a mandatory MetaMask upgrade, complete with a fox logo with a party hat and a “Happy New Year!” subject line.

This attack occurred when developers were on vacation, support channels had a skeleton crew, and users were scrolling through their inboxes crammed with New Year’s promotions.

Attackers abuse that window. The small amounts per victim suggest that in many cases the drainer is operating through contract approvals rather than full compromises, keeping individual losses below the threshold where victims immediately raise the alarm while letting the attacker hit hundreds of wallets.

The industry is still processing a separate Trust Wallet browser extension incident in which malicious code in the Chrome extension v2.68 collected private keys and drained at least $8.5 million from 2,520 wallets before Trust Wallet shipped a patch in v2.69.

Two different exploits, same lesson: user endpoints remain the weakest link.

Anatomy of a phishing email that works

The MetaMask-themed phishing email shows why these attacks succeed.

The sender’s identity shows ‘MetaLiveChain’, a name that sounds vaguely DeFi-adjacent, but has no connection to MetaMask.

The email header contains an unsubscribe link for “[email protected]”, showing that the attacker took templates from legitimate marketing campaigns. The body features MetaMask’s fox logo wearing a party hat, mixing seasonal cheer with manufactured urgency about a “mandatory update.”

That combination bypasses the heuristics that most users apply to obvious scams.

The phishing email imitates MetaMask with a party hat-fox logo, falsely claiming that a “mandatory” 2026 system upgrade is required for account access.

MetaMask’s official security documentation sets clear rules. Support emails only come from verified addresses, such as [email protected], and never from third-party domains.

The wallet provider does not send unsolicited emails requesting verification or upgrades.


Furthermore, no representative will ever ask for a secret recovery phrase. Yet these emails work because they exploit the gap between what users know intellectually and what they reflexively do when an official-looking message arrives.

Four signals expose phishing before damage occurs.

First, a sender-brand mismatch: a sender named “MetaLiveChain” using MetaMask branding signals template theft. Second, manufactured urgency around mandatory updates that MetaMask explicitly says it won’t send.

Third, destination URLs that don’t match the claimed domain; hovering over a link before clicking shows the actual destination. Fourth, requests that violate core wallet rules, such as asking for seed phrases or asking for signatures on opaque off-chain messages.
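The four signals above can be checked mechanically on a raw message. The following is an added example, not code from MetaMask or from the original article; the trusted-domain list, the keyword patterns and the sample email are assumptions constructed for illustration, and it handles single-part messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"metamask.io"}  # assumption: confirm against the provider's own docs
URGENCY = re.compile(r"\b(mandatory|required|immediately|suspended)\b", re.I)
SECRETS = re.compile(r"\b(seed phrase|recovery phrase|private key|password)\b", re.I)

# Constructed sample modelled on the email described in the article.
SAMPLE = """From: MetaLiveChain <updates@metalivechain.example>
Subject: Happy New Year! Mandatory MetaMask update

<p>A mandatory 2026 upgrade is required to keep account access.</p>
<a href="https://upgrade.metalivechain.example/start">metamask.io/update</a>
"""

class HrefCollector(HTMLParser):
    """Collect the real destination of every <a> tag, ignoring its visible text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def host_trusted(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def phishing_signals(raw, brand="MetaMask"):
    msg = message_from_string(raw)
    subject, body = msg.get("Subject", ""), msg.get_payload()
    _, addr = parseaddr(msg.get("From", ""))
    signals = []
    # 1. Brand appears in the message but the sender domain is not the brand's.
    if brand.lower() in (subject + body).lower() and not host_trusted(addr.rpartition("@")[2]):
        signals.append("sender_brand_mismatch")
    # 2. Urgency language around an update the provider says it never sends.
    if URGENCY.search(subject + " " + body):
        signals.append("manufactured_urgency")
    # 3. Link destinations (what a hover would show) outside the trusted domains.
    collector = HrefCollector()
    collector.feed(body)
    if any(not host_trusted(urlparse(h).hostname) for h in collector.hrefs):
        signals.append("link_domain_mismatch")
    # 4. Any request for secrets the provider never asks for.
    if SECRETS.search(body):
        signals.append("secret_request")
    return signals
```

Three of the four signals fire on the constructed sample; the fourth would fire only if the body asked for a recovery phrase or password.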

The ZachXBT case demonstrates distinctive phishing mechanisms. Victims who clicked on the fake upgrade link likely signed a contract approval granting the drainer permission to move tokens.

That one signature opened the door to continued theft across multiple chains. The attacker opted for small amounts per wallet because contract approvals often come with unlimited spending limits by default, but emptying everything would result in immediate investigations.

Spreading the theft across hundreds of victims at $2,000 each flies under each individual’s radar while the total reaches six figures.

Revoke approvals and reduce blast radius

Once a phishing link is clicked or a malicious approval is signed, the priority shifts to containment. MetaMask now allows users to view and revoke token permissions directly in MetaMask Portfolio.

Revoke.cash guides users through a simple process: connect your wallet, inspect approvals by network, and send revocation transactions for untrusted contracts.

Etherscan’s Token Approvals page provides the same functionality for manually revoking ERC-20, ERC-721, and ERC-1155 approvals. These tools are important because victims who act quickly can cut off the drainer’s access before they lose everything.

The distinction between approval compromise and seed-phrase compromise determines whether a wallet can be saved. MetaMask’s security guide draws a hard line: if you suspect your secret recovery phrase has been exposed, stop using that wallet immediately.

Create a new wallet on a new device, transfer the remaining assets, and treat the original seed as permanently burned. Revoking approvals helps when the attacker only has contract rights; if your seed is gone, the whole wallet must be abandoned.


Chainalysis documented roughly 158,000 personal wallet compromises affecting at least 80,000 people in 2025, even as the total stolen value fell to approximately $713 million.

The share of personal wallet losses in total crypto theft has increased from around 10% in 2022 to almost 25% in 2025, according to data from Chainalysis.

Attackers are hitting more wallets for smaller amounts, the pattern ZachXBT has identified. The practical implication: organizing wallets to limit blast radius is as important as avoiding phishing.

A single compromised wallet does not have to lead to a total portfolio loss.

Building a defense in depth

Wallet providers have shipped features that could have stopped this attack had they been adopted.

MetaMask now encourages setting spending limits for token approvals instead of accepting the default “unlimited” permissions. Revoke.cash and De.Fi’s Shield dashboard advocate treating approval reviews as routine hygiene, alongside using hardware wallets for long-term holdings.

MetaMask enables Blockaid transaction security alerts by default, flagging suspicious contracts before signatures are executed.

The Trust Wallet extension incident reinforces the need for defense in depth. That exploit bypassed users’ decisions entirely: malicious code in an official Chrome listing automatically collected keys.
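The difference between a capped and an “unlimited” approval is visible in the transaction calldata before anything is signed. The following added example (not MetaMask’s, Blockaid’s or Revoke.cash’s code) decodes the two standard approval calls and classifies them; the spender address and the threshold for “unlimited” are constructed assumptions.

```python
APPROVE = "095ea7b3"               # approve(address,uint256): ERC-20 amount or ERC-721 tokenId
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool): ERC-721 / ERC-1155
UNLIMITED_FLOOR = 2**255           # assumption: allowances this large are effectively unlimited

# Constructed sample: approve(<placeholder spender 0x1111...>, 2**256 - 1)
SAMPLE_CALLDATA = "0x" + APPROVE + "00" * 12 + "11" * 20 + "ff" * 32

def classify_approval(calldata_hex):
    """Describe an approval call, or return None if the calldata is not one."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    # Both calls take exactly two 32-byte ABI words after the 4-byte selector.
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL) or len(args) != 128:
        return None
    try:
        word0, word1 = int(args[:64], 16), int(args[64:], 16)
    except ValueError:
        return None
    if word0 >> 160:  # the upper 12 bytes of an ABI-encoded address must be zero
        return None
    spender = "0x" + args[24:64]
    if selector == SET_APPROVAL_FOR_ALL:
        # A true flag lets the operator move every token in the collection.
        risk = "operator_for_all_tokens" if word1 else "revoke"
        return {"call": "setApprovalForAll", "spender": spender, "risk": risk}
    if word1 == 0:
        risk = "revoke"       # approve(spender, 0) is what a revocation sends
    elif word1 >= UNLIMITED_FLOOR:
        risk = "unlimited"    # the default many dapps request
    else:
        risk = "limited"      # a spending cap, as the wallet guidance recommends
    return {"call": "approve", "spender": spender, "amount": word1, "risk": risk}
```

Because ERC-721 `approve` shares the selector with ERC-20, the second word is a token ID for NFTs; the token standard of the target contract has to be known to interpret it as an amount.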

Users who divided their assets between hardware wallets (cold storage), software wallets (warm transactions), and burner wallets (experimental protocols) limited exposure.

That three-tiered model creates friction, but friction is the point. A phishing email that compromises a burner wallet costs hundreds or several thousand dollars. The same attack on a single wallet holding an entire portfolio costs life-changing money.

The drainer ZachXBT flagged succeeded because it targeted the seam between convenience and safety. Most users keep everything in one MetaMask instance because managing multiple wallets feels cumbersome.

The attacker bet that a professional-looking email on New Year’s Day would catch enough people off guard to generate profitable volume. That bet paid off, with $107,000 and more.

MetaMask’s official guidelines identify three red flags for phishing: incorrect sender addresses, unsolicited urgent upgrade demands, and requests for secret recovery phrases or passwords.

What’s at stake?

This incident raises a deeper question: who bears responsibility for endpoint security in a self-custody world?

Wallet providers are building anti-phishing tools, researchers are publishing threat reports and regulators are warning consumers. Yet all the attacker needed was a fake email, a cloned logo, and a drainer contract to compromise hundreds of wallets.

The infrastructure that enables self-custody, permissionless transactions, pseudonymous addresses, and irreversible transfers also makes it unforgiving.

The industry sees this as an educational problem: if users verified sender addresses, hovered over links, and revoked old approvals, attacks would fail.

Yet Chainalysis’s data on 158,000 compromises suggests that education alone does not scale. Attackers adapt faster than users learn. The MetaMask phishing email has evolved from the crude “Your wallet has been locked!” templates to sophisticated seasonal campaigns.

The Trust Wallet extension exploit proved that even cautious users can lose money when distribution channels are compromised.

What works: hardware wallets for meaningful holdings, ruthless revocation of approvals, segregation of wallets based on risk profile, and skepticism towards unsolicited messages from wallet providers.

What doesn’t work: assuming wallet interfaces are secure by default, treating approvals as one-time decisions, or consolidating all assets into a single hot wallet for convenience. The drainer ZachXBT flagged will be shut down as the address is flagged, and exchanges will freeze deposits.

But next week another drainer will be launched with a slightly different template and a new contract address.

The cycle continues until users realize that the ease of crypto creates an attack surface that is ultimately exploited. The choice is not between security and usability, but rather between friction now and loss later.
