Phishing for Crypto Campaign

The NJCCIC observed a phishing campaign targeting MetaMask cryptocurrency wallets. The message appears to come from MetaMask, but the actual originating email address can be found in the header information. The threat actor also uses Punycode in the “From” field, likely to evade word-based detection in email protection systems. To prompt quick action, the messages state that funds will be lost if no action is taken, and the subject lines sound urgent, such as:

  • Don’t Lose Access – Act Now
  • ⚠️FINAL WARNING: account deletion & permanent fund loss
  • Account On HOLD
  • Final Notice: Review Required

The messages include a URL that directs users to a CAPTCHA-protected fake MetaMask page. When the “Update Now” button is clicked, a prompt requests the user’s recovery phrase to confirm account ownership. If the recovery phrase is shared, the threat actor gains full control of the associated wallet.
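As an added illustration of the header check described above (example code, not from the NJCCIC advisory), the following parses a constructed From header, decodes any Punycode (`xn--`) labels in the sender domain, and reports a watched brand name that appears only after decoding, which is exactly what a word-based filter would miss. The brand watch-list and the sample message are assumptions.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not campaign data; the Punycode label is generated at runtime.
LOOKALIKE_LABEL = "xn--" + "mètamask".encode("punycode").decode("ascii")
SAMPLE_MESSAGE = (
    f"From: MetaMask Support <support@{LOOKALIKE_LABEL}.example>\n"
    "Subject: Final Notice: Review Required\n\n"
)
BRAND_KEYWORDS = ("metamask",)  # assumed watch-list; extend per environment
PUNY_LABEL = re.compile(r"xn--[a-z0-9-]+")


def fold(text):
    """Lower-case and strip accents so 'mètamask' compares equal to 'metamask'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def decode_punycode_labels(domain):
    """Map every xn-- label in the (lower-cased) domain to its Unicode form."""
    decoded = {}
    for label in PUNY_LABEL.findall(domain):
        try:
            decoded[label] = label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            decoded[label] = None  # malformed label: still worth a look
    return decoded


def analyze_from_header(raw_message):
    """Flag a From header whose domain mentions a watched brand only after
    Punycode decoding, which is what a plain keyword filter cannot see."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    labels = decode_punycode_labels(domain)
    decoded_domain = domain
    for label, text in labels.items():
        if text is not None:
            decoded_domain = decoded_domain.replace(label, text)
    hits_raw = {k for k in BRAND_KEYWORDS if k in fold(domain)}
    hits_decoded = {k for k in BRAND_KEYWORDS if k in fold(decoded_domain)}
    hidden = sorted(hits_decoded - hits_raw)
    return {
        "display_name": display_name,
        "domain": domain,
        "decoded_domain": decoded_domain,
        "punycode_labels": labels,
        "hidden_brand_keywords": hidden,
        "suspicious": bool(hidden),
    }
```

A message whose decoded domain reveals a brand name that the raw header lacks is a strong candidate for quarantine and analyst review.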

Recommendations

  • Avoid clicking links, opening attachments, responding to, or acting on unsolicited communications.
  • Confirm messages from senders by verifying their contact information obtained from trusted and official sources before taking action, such as clicking on links or opening attachments.
  • Always refrain from sharing your private key, seed phrase, or secret recovery phrase with anyone.
  • Keep systems and apps up to date.
  • Report these scams and other malicious cyber activity to the NJCCIC, the FBI’s IC3, and the FTC.
  • Review the NJCCIC Cryptocurrency Scams webpage for additional information, recommendations, and resources.