MetaMask and ChainPatrol Protect Users with Phishing Warnings

Learn about MetaMask's robust system for identifying and blocklisting malicious sites.

by MetaMask, Nikita Varabei
October 15, 2024

MetaMask keeps you safe with Eth-Phishing-Detect

Phishing attacks on web3 wallet users have been a threat since the beginning of the crypto ecosystem. Early attacks included Secret Recovery Phrase theft and malware used to steal user credentials. Attacks have since evolved to include complex wallet drainers that steal funds through malicious transactions.

Attackers target web3 users with many kinds of tactics, including crypto job scams. As the crypto space grows, so do employment opportunities, and with them scam targets. Scams in web3 have resulted in high financial losses for users. According to Chainalysis, $24.2 billion was received by illicit cryptocurrency addresses in 2023. These losses illustrate why it is crucial to protect users, brands, and communities in crypto.

The MetaMask security team recognizes the need for a fast response system to blocklist malicious sites. So, they created Eth-Phishing-Detect – a public GitHub repository that maintains a blocklist with over 205,000 malicious domains. MetaMask checks this blocklist the moment a user visits a new site and shows a warning if the site is listed, preventing attacks like seed phrase theft, malware downloads, fake support pages, and connecting to wallet-draining sites.

Dedicated MetaMask staff review contributions from ChainPatrol, the Security Alliance (SEAL), and over 100 community members providing threat intelligence. Eth-Phishing-Detect enables transparency and fast responses to the growing volume of phishing attacks and scams. With MetaMask’s recent upgrades to blocklist distribution speed, malicious sites show a warning within minutes of detection.

[Image: MetaMask Phishing Detect warning]

ChainPatrol, a core contributor to Eth-Phishing-Detect

Each week, tens of thousands of new threats targeting Consensys, MetaMask, and Linea are blocked. As MetaMask’s phishing detection provider, ChainPatrol recognized the power of a blocklist approach early on.

While traditional takedowns are still important, in the worst cases it can take over a day to remove a phishing site entirely. MetaMask warnings protect users in real time, before takedowns are processed. Phishing sites are taken down within 15 minutes of being added to the blocklist, after which time users receive a warning.

[Image: MetaMask takedown time] Phishing sites are taken down within 15 minutes of detection on MetaMask.

ChainPatrol’s goal is to identify all impersonators of Consensys and MetaMask before they reach users. ChainPatrol assesses millions of domains daily to identify phishing sites, such as fake MetaMask download links and fake support portals. Image recognition, LLM analysis, and malicious code detection are used to identify harmful domains.

Twitter, Facebook, LinkedIn, and other social platforms are also monitored, both for brand impersonation and fake staff accounts. Every time one of the official accounts posts, ChainPatrol monitors the replies in real time, immediately blocking phishing links and fake support accounts. Additionally, app stores are monitored to ensure users are not led into downloading a fake version of the MetaMask extension.

Users in Consensys, MetaMask, and Linea communities are being protected from the thousands of threats that target them on a weekly basis. By addressing these threats with speed, users are protected from having their data and wallets compromised.

[Image: MetaMask Threats Blocked By Day]

In 2024, ChainPatrol blocked over 29,000 threats targeting Consensys brands including Consensys, MetaMask, and Linea. Source: Consensys dashboard in ChainPatrol app.

How ChainPatrol’s search page enables transparency

To maintain the integrity of this fast blocklist approach, it is important for all the data to be transparent and for any false positives to be resolved quickly. MetaMask has dedicated staff monitoring the issues of Eth-Phishing-Detect to ensure any disputes for false positives are resolved quickly.

To enhance visibility, ChainPatrol maintains a public search page. This search page gives visibility into the blocklist statuses across a number of crypto security systems and provides access to detailed reports and the reasons for blocking a given domain. Any blocked domain can be quickly disputed from the ChainPatrol search page. This dispute system instantly alerts the ChainPatrol team, ensuring any disputes are addressed within minutes.

The public search page also serves as a resource for users in the Consensys, MetaMask, and Linea communities. Users have the option to run a suspicious domain through the public search tool to see if it’s been flagged on the blocklist.

[Image: MetaMask ChainPatrol phishing blocked]

Keeping users safe with MetaMask and ChainPatrol

Crypto never sleeps, and security systems must act quickly based on real-time threat intelligence. MetaMask and ChainPatrol continue to innovate solutions for the unique security challenges that target the crypto ecosystem. Through further collaboration with the Security Alliance (SEAL), MetaMask and ChainPatrol are ensuring new threat signals from across a community of security experts can trigger warnings before users are impacted.

This is just the beginning of a growing security initiative across the crypto ecosystem. MetaMask and ChainPatrol have a shared goal of creating a web3 that users can confidently and safely browse every day.

To learn more about MetaMask Eth-Phishing-Detect, visit our support article or go to the MetaMask GitHub page.

