
A phishing campaign that ran through the last week of May 2026 drained hundreds of EVM wallets by impersonating MetaMask and claiming a "mandatory" 2026 system upgrade was required. The on-chain investigator ZachXBT flagged the pattern on May 28 after tracing a cluster of related drain transactions across Ethereum, Polygon, Arbitrum, and Base. The per-wallet losses are smaller than the headline-grabbing eight-figure hacks of the past, but the victim count is high and the playbook is unusually clean.
The average per-wallet loss across the documented cases sits in the low five figures, and ZachXBT's running tally as of May 30 placed the campaign's total haul north of $9 million across more than 400 distinct addresses. The attack matters less because of the dollar figure and more because of the playbook. A fake email or push notification told users their wallet would stop working if they did not "validate" an upgrade. The validation page asked them to connect their wallet and sign a single transaction. That signature was a token approval to a drainer contract. The wallet was empty within seconds.
How the Phishing Funnel Actually Works
The attack chain has five steps and is depressingly straightforward. The victim receives an email or a push notification that looks like it comes from MetaMask. The text says a 2026 system upgrade is required to keep the wallet functional and warns that failure to upgrade by a specific date will cause the wallet to lose access to funds. The notification carries a link to a domain that visually mimics metamask.io. The actual URL is a typo-squat (metamasks-update.com, metamask-validator.io, secure-metamask.app, and similar variations rotate through the campaign).
The landing page is a near-perfect visual clone of the MetaMask website. It prompts the user to "verify" their wallet by clicking a button that opens the WalletConnect modal. The user signs a transaction without reading it. The transaction is a setApprovalForAll for ERC-20 tokens, an NFT transfer approval, or a permit signature that allows the drainer contract to spend the wallet's full balance.
Within seconds of the signature, the drainer contract executes a sweep, transferring every token the wallet holds into an attacker-controlled address. The funds are then bridged across chains within minutes, mixed through Tornado Cash alternatives, and moved into a small set of destination wallets that are still active as of this writing.
What Made This Campaign Effective
Three things separate this campaign from the typical wallet-drainer attempts. The first is the impersonation quality. Earlier MetaMask phishing attempts used obviously fake email templates with broken HTML, misspellings, and unconvincing domains. This campaign used pixel-accurate clones, well-written copy, and domains registered weeks in advance with SSL certificates and clean reputations.
The second is the use of legitimate-sounding urgency. "Mandatory 2026 upgrade" is a category of message users have seen for years from real software products: browser updates, OS updates, banking app updates. The language is normal enough to pass a quick mental filter. The fake notification did not threaten the user, did not promise free tokens, and did not ask for a seed phrase. It just told them to validate.
The third is the cross-chain coverage. The drainer contracts were deployed on Ethereum, Polygon, Arbitrum, and Base simultaneously, with the destination address resolving correctly based on which chain the victim was connected to at the moment of signature. Earlier campaigns typically targeted Ethereum only and missed victims operating on L2s.
How ZachXBT Traced the Cluster
The on-chain forensics that linked the attacks together followed a standard pattern. ZachXBT identified the initial drainer contract on Ethereum and used its transaction history to find the funding wallet. The funding wallet had received small "gas drip" transfers from a single hot wallet that also funded the corresponding drainer contracts on Polygon, Arbitrum, and Base. That hot wallet had been topped up from a centralized exchange withdrawal three weeks before the campaign began.
The exchange withdrawal trail is where attribution typically stalls. The exchange in question is a non-KYC offshore venue that does not respond to law enforcement subpoenas. Without subpoena power against that exchange, the chain of evidence stops at the withdrawal. ZachXBT's working hypothesis is that the campaign was run by an established drainer team that rents out the infrastructure to phishing affiliates, with the affiliate paying the team 20-30% of the gross take in exchange for the drainer contract, the domain rotation, and the laundering pipeline.
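The funding-trail walk described above, as an added example that is not ZachXBT's tooling or any real chain data: it works over a constructed transfer ledger, steps from a drainer contract to its deployer, from the deployer to whichever wallets gas-dripped it, from those wallets to every other deployer they funded on any chain, and finally to whatever topped the hot wallet up. Every address, value and threshold below is a constructed placeholder.

```python
# Added example (not ZachXBT's tooling): walk a constructed transfer ledger the way
# the funding trail is described, from one drainer contract to its deployer, to the
# hot wallet that gas-dripped it, then out to sibling contracts and the top-up source.
# All addresses, values and the gas-drip threshold are constructed placeholders.
from collections import defaultdict

# One record per transaction. "created" marks a contract-creation transaction.
LEDGER = [
    {"chain": "ethereum", "from": "0xEXCHANGE_HOTWALLET", "to": "0xHOT", "value": 5.0},
    {"chain": "ethereum", "from": "0xHOT", "to": "0xDEPLOYER_ETH", "value": 0.05},
    {"chain": "polygon",  "from": "0xHOT", "to": "0xDEPLOYER_POLY", "value": 0.05},
    {"chain": "arbitrum", "from": "0xHOT", "to": "0xDEPLOYER_ARB", "value": 0.05},
    {"chain": "base",     "from": "0xHOT", "to": "0xDEPLOYER_BASE", "value": 0.05},
    {"chain": "ethereum", "from": "0xDEPLOYER_ETH", "to": None, "value": 0.0, "created": "0xDRAINER_ETH"},
    {"chain": "polygon",  "from": "0xDEPLOYER_POLY", "to": None, "value": 0.0, "created": "0xDRAINER_POLY"},
    {"chain": "arbitrum", "from": "0xDEPLOYER_ARB", "to": None, "value": 0.0, "created": "0xDRAINER_ARB"},
    {"chain": "base",     "from": "0xDEPLOYER_BASE", "to": None, "value": 0.0, "created": "0xDRAINER_BASE"},
    # Noise: a zero-value airdrop touch on the ETH deployer, and a victim sweep into the drainer.
    {"chain": "ethereum", "from": "0xAIRDROP_DISTRIBUTOR", "to": "0xDEPLOYER_ETH", "value": 0.0},
    {"chain": "ethereum", "from": "0xVICTIM_1", "to": "0xDRAINER_ETH", "value": 0.0},
]

GAS_DRIP_MAX = 0.5  # constructed threshold: "gas drip" transfers are small


def deployer_of(contract, chain):
    """EOA that sent the creation transaction for `contract` on `chain`."""
    for tx in LEDGER:
        if tx["chain"] == chain and tx.get("created") == contract:
            return tx["from"]
    return None


def funders_of(addr, chain=None, max_value=None):
    """Senders of non-zero value transfers into addr (optionally one chain, optionally small only)."""
    return {tx["from"] for tx in LEDGER
            if (chain is None or tx["chain"] == chain) and tx["to"] == addr
            and tx["value"] > 0 and (max_value is None or tx["value"] <= max_value)}


def contracts_created_by(addr, chain):
    return {tx["created"] for tx in LEDGER
            if tx["chain"] == chain and tx["from"] == addr and tx.get("created")}


def cluster_from_drainer(contract, chain):
    """Pivot from one drainer contract to the wallets and contracts it shares funding with."""
    deployer = deployer_of(contract, chain)
    hot_wallets = funders_of(deployer, chain, GAS_DRIP_MAX)
    siblings = defaultdict(set)
    upstream = set()
    for hot in hot_wallets:
        # Every address this hot wallet gas-dripped, on any chain, is a candidate deployer.
        for tx in LEDGER:
            if tx["from"] == hot and tx["to"] and 0 < tx["value"] <= GAS_DRIP_MAX:
                siblings[tx["chain"]] |= contracts_created_by(tx["to"], tx["chain"])
        # Whoever topped the hot wallet up is where the trail usually stops (an exchange).
        upstream |= funders_of(hot)
    return {"deployer": deployer, "hot_wallets": hot_wallets,
            "sibling_contracts": dict(siblings), "upstream_sources": upstream}


if __name__ == "__main__":
    for k, v in cluster_from_drainer("0xDRAINER_ETH", "ethereum").items():
        print(f"{k}: {v}")
```

The point of the zero-value noise records is that pivoting on "any address that ever touched the deployer" pulls in airdrop distributors and victims; restricting the pivot to small positive transfers is what keeps the cluster tight. On a real investigation the ledger rows come from a block explorer or indexer export, and the same walk runs unchanged.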
Why Hardware Wallets Would Have Saved Most of These Victims
The single largest commonality across the victim addresses is that almost all of them were hot wallets: browser-extension MetaMask installs, mobile wallet apps, and software custody solutions. A hardware wallet (Ledger or Trezor) connected to MetaMask still requires the user to physically confirm transaction details on the device screen before any signature is broadcast. A user who reads the device screen and sees a setApprovalForAll for an unfamiliar contract has the chance to reject before any damage is done.
This is the core argument for hardware custody. The drainer contract still gets the signature request, but the user has to actively approve it on a separate trusted display. Most users who keep hardware wallets connected for daily DeFi use simply do not click through the device confirmation as fast as they click through a browser pop-up. The friction is the feature.
There is also a software-side mitigation. MetaMask and most major wallet front-ends now show a transaction-simulation preview that decodes the approval request and flags unlimited spending allowances. The preview is enabled by default in the latest versions. Users running older versions, or who clicked through the preview without reading, were the ones who lost funds.
What Every EVM User Should Do This Week
The defensive playbook is short and not new. The Phemex crypto security checklist walks through the full version. Treat any "mandatory upgrade" or "validation" message that arrives by email or notification as a phishing attempt by default. Real wallet software updates happen inside the wallet itself, not through links in external messages. If you ever doubt whether a request is real, type the official URL into your browser by hand, not by clicking a link.
Revoke unused token approvals. The free Revoke.cash tool scans your wallet and shows every active approval. Approvals you set up months ago for protocols you no longer use are standing attack surface. Revoke them and re-approve only the protocols you actively need. Use a hardware wallet for any address that holds more than a trivial amount of crypto. If you cannot use a hardware wallet, at least use a separate browser profile for crypto with no other extensions installed.
Sign transactions only after reading what is being signed. The full text of a setApprovalForAll or permit signature shows the contract address being approved and the scope of the approval. If the contract address is unfamiliar and the scope is unlimited, the only correct answer is to reject.
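What "reading what is being signed" amounts to mechanically, as an added example that is not MetaMask's or any wallet's code: decode the calldata of a pending request, identify the approval-type calls the article names, and grade them by scope and by whether the spender is one the user has knowingly used before. The selectors are the standard 4-byte ones for approve, increaseAllowance, setApprovalForAll and EIP-2612 permit (note that ERC-20 allowances are granted with approve, while setApprovalForAll is the ERC-721/1155 operator grant); the allowlist, the sample requests and the "effectively unlimited" threshold are constructed. This is what a simulation preview does before it shows you a warning.

```python
# Added example (not MetaMask's code): classify a pending transaction request by
# decoding its calldata and flagging the approval patterns a drainer relies on.
# Standard library only. The allowlist and the sample calldata are constructed.
from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1
UNLIMITED_THRESHOLD = 2**200  # heuristic: allowances this large are effectively unlimited

# Standard 4-byte selectors: first four bytes of keccak256 of the signature.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",             # ERC-20 allowance
    "39509351": "increaseAllowance(address,uint256)",   # OpenZeppelin ERC-20
    "a22cb465": "setApprovalForAll(address,bool)",      # ERC-721 / ERC-1155 operator grant
    "d505accf": "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)",  # EIP-2612
}

# Constructed: spenders the user has knowingly approved before (a hypothetical DEX router).
KNOWN_SPENDERS = {"0x1111111111111111111111111111111111111111"}


@dataclass
class Finding:
    severity: str  # "reject", "review" or "ok"
    reason: str


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI argument following the 4-byte selector."""
    return data[4 + 32 * i: 4 + 32 * (i + 1)]


def _addr(w: bytes) -> str:
    return "0x" + w[12:].hex()  # address is right-aligned in the 32-byte word


def _uint(w: bytes) -> int:
    return int.from_bytes(w, "big")


def _grade(spender: str, unlimited: bool) -> str:
    """Unlimited scope to an unfamiliar spender is the drainer signature: reject."""
    if spender in KNOWN_SPENDERS:
        return "review" if unlimited else "ok"
    return "reject" if unlimited else "review"


def classify_calldata(calldata_hex: str) -> Finding:
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        return Finding("ok", "no function call: plain value transfer")
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        return Finding("review", f"unknown selector 0x{data[:4].hex()}: read the preview")
    if sig.startswith("setApprovalForAll"):
        operator, approved = _addr(_word(data, 0)), _uint(_word(data, 1))
        if approved == 0:
            return Finding("ok", f"revokes operator {operator}")
        return Finding(_grade(operator, True), f"hands every NFT in this collection to {operator}")
    if sig.startswith("permit"):  # permit(owner, spender, value, ...)
        spender, amount = _addr(_word(data, 1)), _uint(_word(data, 2))
    else:  # approve / increaseAllowance (spender, amount)
        spender, amount = _addr(_word(data, 0)), _uint(_word(data, 1))
    if amount == 0:
        return Finding("ok", f"revokes allowance for {spender}")
    unlimited = amount >= UNLIMITED_THRESHOLD
    scope = "UNLIMITED" if unlimited else str(amount)
    return Finding(_grade(spender, unlimited), f"{sig.split('(')[0]} {scope} to {spender}")


# --- constructed sample requests, built with a tiny static-argument ABI encoder ---
def _enc(selector: str, *args) -> str:
    """ABI-encode static arguments: ints as uint256/bytes32 words, strings as addresses."""
    words = [format(a, "064x") if isinstance(a, int) else a[2:].rjust(64, "0") for a in args]
    return "0x" + selector + "".join(words)

UNKNOWN = "0x2222222222222222222222222222222222222222"  # constructed unfamiliar contract
KNOWN = next(iter(KNOWN_SPENDERS))
SAMPLES = {
    "unlimited approve to unknown": _enc("095ea7b3", UNKNOWN, MAX_UINT256),
    "nft operator to unknown":      _enc("a22cb465", UNKNOWN, 1),
    "unlimited permit to unknown":  _enc("d505accf", "0x" + "33" * 20, UNKNOWN, MAX_UINT256, 9999999999, 27, 0, 0),
    "limited approve to known":     _enc("095ea7b3", KNOWN, 1000),
    "revoke":                       _enc("095ea7b3", UNKNOWN, 0),
}

if __name__ == "__main__":
    for label, calldata in SAMPLES.items():
        f = classify_calldata(calldata)
        print(f"{f.severity:6} {label}: {f.reason}")
```

The grading deliberately treats "unknown spender" and "unlimited scope" as independent signals: a limited allowance to a new contract is worth a look, an unlimited one to a new contract is the exact shape of the drain described above and gets rejected outright.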
Frequently Asked Questions
How do I know if I am one of the victims?
Check your wallet's transaction history for any outbound approval or transfer you do not recognize from the last 10 days. The Etherscan token approvals tool lists every active approval on your address. Any approval to a contract you do not recognize is a red flag. If you see a drain transaction, the funds are almost certainly already laundered, but you should still report to ZachXBT and to your local law enforcement.
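The approval inventory that Revoke.cash and the Etherscan token approvals tool produce, as an added example that is not either tool's code: rebuild the live approvals for one owner from decoded Approval and ApprovalForAll events (the last event per token and spender wins, a zero value or a false flag means revoked), rank them by scope and by whether the spender is familiar, and turn the risky ones into a revocation plan. The events, addresses and allowlist below are constructed.

```python
# Added example (not Revoke.cash's or Etherscan's code): rebuild the set of live
# token approvals for one owner from decoded Approval / ApprovalForAll events,
# rank them, and emit a revocation plan. Events, addresses and allowlist are constructed.
MAX_UINT256 = 2**256 - 1
UNLIMITED_THRESHOLD = 2**200  # heuristic: allowances this large are effectively unlimited

ME = "0xOWNER"
KNOWN_SPENDERS = {"0xDEX_ROUTER"}  # constructed: contracts the user knowingly uses

# Constructed, already-decoded events in block order. For ApprovalForAll the "spender"
# field holds the operator and "value" is the approved flag (1/0). Real logs would come
# from eth_getLogs filtered on the two event topics and the owner address.
EVENTS = [
    {"block": 100, "token": "USDC", "kind": "Approval", "owner": ME, "spender": "0xDEX_ROUTER", "value": 1_000},
    {"block": 120, "token": "USDC", "kind": "Approval", "owner": ME, "spender": "0xOLD_FARM", "value": MAX_UINT256},
    {"block": 150, "token": "USDC", "kind": "Approval", "owner": ME, "spender": "0xDEX_ROUTER", "value": 0},
    {"block": 160, "token": "NFTCOLL", "kind": "ApprovalForAll", "owner": ME, "spender": "0xMARKET", "value": 1},
    {"block": 170, "token": "NFTCOLL", "kind": "ApprovalForAll", "owner": ME, "spender": "0xMARKET", "value": 0},
    {"block": 180, "token": "DAI", "kind": "Approval", "owner": ME, "spender": "0xDEX_ROUTER", "value": 500},
    {"block": 190, "token": "WETH", "kind": "Approval", "owner": ME, "spender": "0xUPGRADE_VALIDATOR", "value": MAX_UINT256},
    {"block": 191, "token": "WETH", "kind": "Approval", "owner": "0xSOMEONE_ELSE", "spender": "0xUPGRADE_VALIDATOR", "value": MAX_UINT256},
]


def active_approvals(events, owner):
    """Latest state per (token, spender) for this owner; returns only the live ones."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["owner"] == owner:
            latest[(ev["token"], ev["spender"])] = ev
    return {k: v for k, v in latest.items() if v["value"] > 0}


def risk_report(events, owner, known=KNOWN_SPENDERS):
    """One row per live approval, highest risk first, oldest first within a risk level."""
    rows = []
    for (token, spender), ev in active_approvals(events, owner).items():
        unlimited = ev["kind"] == "ApprovalForAll" or ev["value"] >= UNLIMITED_THRESHOLD
        score = (2 if unlimited else 0) + (1 if spender not in known else 0)
        rows.append({"token": token, "spender": spender, "kind": ev["kind"],
                     "since_block": ev["block"], "unlimited": unlimited, "risk": score})
    return sorted(rows, key=lambda r: (-r["risk"], r["since_block"]))


def revoke_plan(events, owner, min_risk=1):
    """Calls to submit, one transaction each, revoking every approval at or above min_risk."""
    plan = []
    for r in risk_report(events, owner):
        if r["risk"] >= min_risk:
            if r["kind"] == "ApprovalForAll":
                plan.append((r["token"], "setApprovalForAll", (r["spender"], False)))
            else:
                plan.append((r["token"], "approve", (r["spender"], 0)))
    return plan


if __name__ == "__main__":
    for row in risk_report(EVENTS, ME):
        print(row)
    print("revoke:", revoke_plan(EVENTS, ME))
```

One simplification to be aware of: this reconstruction only sees allowance changes that emit an Approval event. Tokens built on OpenZeppelin emit one when transferFrom spends part of an allowance, but not every implementation does, so for an exact figure the real tools read the allowance directly from the token contract and use the event history only to discover which (token, spender) pairs to query.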
Why doesn't MetaMask just block these domains?
MetaMask does maintain a phishing domain blocklist, and the team adds new domains as they are reported. The campaign rotates through new domains faster than the blocklist updates. The blocklist is a partial defense, not a complete one.
Are L2 wallets safer than mainnet wallets?
No. The drainer contracts in this campaign work on every EVM chain. L2s have cheaper gas, which makes them attractive for users with smaller balances, but the attack surface is identical.
Should I move my funds to a centralized exchange to be safer?
It depends on your threat model. A reputable centralized custodian with insurance, cold storage, and proof of reserves removes the self-custody risk of phishing, but adds counterparty risk and platform risk. The best practice for most users is a hardware wallet for long-term storage, a small hot wallet for active DeFi use, and a reputable custodian for the portion of holdings you actively trade.
Bottom Line
The campaign cleared over $9 million across more than 400 wallets in about a week. The drainer infrastructure is still active, the domain rotation is ongoing, and the impersonation quality is high enough that the playbook is going to keep working until the affiliate community moves on to a different lure. The defensive moves are not new: hardware wallets, default skepticism toward any "mandatory upgrade" message, periodic approval revocations, and actually reading the transaction preview. The next two weeks will likely see the campaign shift to impersonating other major wallets (Rabby, Phantom, Trust) once the MetaMask lure burns out. Treat the next email about a wallet upgrade exactly the way you would treat a stranger asking for your bank PIN.
This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency trading involves substantial risk. Always conduct your own research before making trading decisions.