$1.8M Lost to Fake MetaMask Token Honeypot Scam

It appears that almost 400 people have fallen victim to the scam. 

Shutterstock cover by Harry Wedzinga

Key Takeaways

  • A fake MetaMask token project has scammed traders out of $1.8 million worth of ETH.
  • The scammers hacked the DEXTools app's front end to convince users that their fake token was legitimate.
  • The fake MetaMask token is the third major scam to hit the crypto space over the holiday season.

Share this article

A fake MetaMask token has conned traders out of over $1.8 million. Hackers injected code into the DEXTools application’s front end, convincing traders that the token was verified.

The MetaMask Token Scam

A fake MetaMask token has left speculative traders reeling. 

Hundreds of traders fell victim to a MetaMask token honeypot scam Monday evening, with grifters making off with over $1.8 million.

The scam, which played on traders’ anticipation of a MetaMask wallet token, used a flaw in the popular DeFi trading app DEXTools to convince users of the token’s legitimacy. A scammer was able to inject code into the DEXTools app front end for the Uniswap WETH/MASK pair, which, when viewed, would launch a pop-up telling users that the MASK token was verified.

The fake MASK token pop-up. Source: @cobynft

After buying the fake MASK token, unsuspecting users found that they were unable to sell it. This style of scam is often referred to as a “honeypot,” allowing users to enter, only to find that the smart contract governing the token’s interactions prevents them from selling.

In the case of the fake MetaMask token, the scammer appears to have programmed the smart contract to wait until upward of $1 million worth of liquidity was traded into it, then to prevent holders from selling. The scammer pulled out 475 ETH from the token’s Uniswap liquidity pool, according to transaction data from Etherscan, worth $1.79 million at press time. The illicit gains were sent to Tornado Cash, a popular coin mixing application, and were laundered to an unconnected wallet. 

Reports of the scam first emerged on Twitter Monday evening, with several accounts warning that the MASK token was a scam despite the pop-up on DEXTools telling traders it was legitimate. Since then, Twitter user @cobynft has provided a breakdown of how the scam occurred, explaining how it was a “serious fault” of the DEXTools app developers that allowed the scam to convince so many people to buy the tokens. 

An additional reason that the MetaMask token scam was so effective is the current anticipation for a legitimate MetaMask token. The MetaMask team have repeatedly hinted at decentralizing the popular EVM wallet by issuing a token, with many speculating it could be done through an airdrop. 

The fake MetaMask token is the third major scam to hit the crypto space over the holiday season. On Sunday, Binance Smart Chain project MetaSwapMGAS stole 1,100 BNB from users in an apparent rug pull. Just yesterday another Ethereum project called MetaDAO appears to have executed a rug pull on its investors, making off with 800 ETH, worth over $3.2 million.

Crypto Briefing contacted DEXTools for comment on the attack on its application’s front end but did not receive a reply by press time.

Disclosure: At the time of writing this feature, the author owned ETH and several other cryptocurrencies. 

Share this article

Loading...