How do I report a scam or a fraudulent token to MetaMask?

Understanding MetaMask’s Role in the Ecosystem

MetaMask is a non-custodial cryptocurrency wallet that allows users to interact with the Ethereum blockchain and compatible networks. It does not act as a regulatory body, nor does it have authority over tokens, smart contracts, or decentralized applications (dApps). When users encounter a fraudulent token or scam, it's crucial to understand that MetaMask itself does not host or verify tokens. Instead, it enables access to the blockchain, where tokens are deployed by third parties. Therefore, reporting a scam does not involve removing a token from the blockchain but rather alerting MetaMask and the broader community to prevent further harm.

Identifying a Fraudulent Token or Scam

Before initiating a report, confirm that the token or interaction is indeed fraudulent. Common red flags include:

• Unsolicited token drops appearing in your wallet without approval.
• Phishing websites mimicking legitimate dApps but with slight URL variations.
• Fake token contracts with names and symbols resembling well-known projects.
• Inability to swap or transfer the token, indicating malicious code.
• Anonymous development teams and lack of documentation.

To verify, use tools like Etherscan to inspect the token contract. Check for:

• Ownership renouncement.
• Honeypot detection flags.
• Transaction history and holder distribution.

If the token contract contains functions that restrict selling or has suspicious code patterns, it may be malicious.

Reporting to MetaMask Through Official Channels

MetaMask provides a structured way to report scams and fraudulent tokens through its Support Portal. Follow these steps to submit a report:

• Navigate to the official MetaMask support website: https://support.metamask.io.
• Click on 'Submit a request' located in the top-right corner.
• Log in or create a guest account if necessary.
• Select the issue category: 'Security' or 'Phishing & Scams'.
• Provide detailed information, including:
  • The token contract address (found in your wallet or on Etherscan).
  • The network where the token resides (e.g., Ethereum, BSC).
  • Screenshots of suspicious transactions or dApp interactions.
  • URLs of any phishing sites encountered.
  • A clear description of how the scam occurred.

Ensure all data is accurate. MetaMask’s team uses this information to update its internal blocklist and security mechanisms.

Reporting to Third-Party Security Platforms

While MetaMask processes reports, it also relies on external blockchain analysis tools to detect threats. You can amplify your report by submitting the token to these platforms:

• Etherscan Token Verification Report:

  • Go to the token’s Etherscan page using its contract address.
  • Click 'Report Scam' or 'Suspicious Token'.
  • Fill in the reason and submit.

• Token Sniffer:

  • Visit tokensniffer.com.
  • Paste the token contract address.
  • Run the audit and use the platform’s reporting feature if vulnerabilities are detected.

• Honeypot.is:

  • Enter the contract address.
  • If flagged as a honeypot, use their reporting mechanism to alert others.

These platforms often share data with wallet providers, increasing the likelihood of the token being flagged across services.

Protecting Your Wallet After Exposure

If you’ve interacted with a scam token or dApp, take immediate steps to secure your assets:

• Revoke token permissions:

  • Open MetaMask and go to Settings > Security & Privacy > Connected sites.
  • Use the 'Connected Website Data' section to disconnect suspicious sites.
  • Alternatively, use https://revoke.cash:
    • Connect your wallet.
    • Search for the malicious token contract.
    • Click 'Revoke' to remove its spending allowance.

• Avoid interacting with the token:

  • Do not attempt to swap, send, or approve the token, as this may trigger malicious functions.

• Use a new wallet for sensitive operations:

  • Consider transferring funds to a new MetaMask wallet if you suspect compromise.
  • Never reuse the seed phrase.

• Enable phishing detection:

  • Ensure 'Block phishing sites' is enabled in MetaMask settings under Security.

Community and Developer Reporting

MetaMask collaborates with the Ethereum security community to identify threats. You can contribute by:

• Posting on MetaMask’s GitHub repository (https://github.com/MetaMask) under the appropriate issue tracker.
• Sharing details on Reddit communities like r/MetaMask or r/CryptoScams, ensuring you do not link to malicious URLs.
• Contacting Ethereum Abuse at abuse@ethereum.org with evidence.

These channels help aggregate data that may lead to broader warnings or integration into wallet-level protections.

Frequently Asked Questions

Can MetaMask remove a scam token from my wallet?No. MetaMask cannot delete tokens from your wallet because they exist on the blockchain. You can hide the token by removing it from your asset list in the wallet settings, but the balance will remain on-chain.

Will MetaMask refund me if I lose funds to a scam?MetaMask does not provide refunds. Since it is a non-custodial wallet, users are fully responsible for their transactions. Once a transaction is confirmed on the blockchain, it cannot be reversed.

How long does it take for MetaMask to respond to a scam report?Response times vary. Simple reports may be acknowledged within 48 hours, while complex cases involving contract analysis can take several days. Check your email regularly for updates from the support portal.

Can I report a scam token on networks other than Ethereum?Yes. MetaMask supports multiple networks (e.g., BSC, Polygon, Avalanche). When reporting, specify the correct network and provide the token contract address from that chain. The process remains the same regardless of the network.