[Warning]: Fake MetaMask

[fullfitlarry]

What happened: Fake MetaMask

Code:

 https://metamaskio-com-ext.pages.dev/ 

Archived: https://web.archive.org/save/https://metamaskio-com-ext.pages.dev/



https://www.virustotal.com/gui/url/04d2da04c4091964f5fc4645dd11742cb4e9ab9cb5ace562bdcc08630fd80a23

[JeromeTash]

Yes, the link is highly suspicious, but I wonder what their endgame is at this point. The actual contents of the page have links to the actual metamask wallet official website so as things stand right now, they can't phish anything.
Maybe the plan is to change the links later once people start trusting the domain?

[virasog]

Yes, the link is highly suspicious, but I wonder what their endgame is at this point. The actual contents of the page have links to the actual metamask wallet official website so as things stand right now, they can't phish anything.
Maybe the plan is to change the links later once people start trusting the domain?

There must be more planning by the scammers in this case. Since they have the legit Metamask link, this could be to avoid blacklists as the Google Safe browsing will not flag it immediately. Even the antivirus softwares and other security services will inspect it as clean. Also, this can be an attempt to have the domain get indexed by Google and when people search "MetaMask download" or similar terms, their site can show up. However, later they can put the phishing link and launch a broader version of the scam. 

[PX-Z]

Great find! I'm curious where did you found this website? As I see the site uses pages.dev domain which is from cloudlflare itself. Can't they see those devs deploying phishing site on their platform.
And yes, they are using the correct links there, maybe this is just experimental site. Well, anyway, it's still bad practice to download any software from non official websites.

[SFR10]

https://www.talkimg.com/images/2025/08/31/UnwnXJ.png

At the time of this writing, five other security vendors have flagged it as well ^[screenshot].

Can't they see those devs deploying phishing site on their platform.
And yes, they are using the correct links there, maybe this is just experimental site.

Without users reporting it to them, it could take some time before they notice such things ^{[unfortunately]}. I ran a plagiarism test on its content and it led to another flagged website ^{[more than 50% of its content got matched]} with a similar-looking URL ^[screenshot], so I don't think it's for experimental purposes.

• For those who'd like to report them to Cloudflare, here's their "abuse report page".

[coin-investor]

Great find! I'm curious where did you found this website? As I see the site uses pages.dev domain which is from cloudlflare itself. Can't they see those devs deploying phishing site on their platform.
And yes, they are using the correct links there, maybe this is just experimental site. Well, anyway, it's still bad practice to download any software from non official websites.

It's a Cloudflare Pages, it's a script deployment service by Cloudflare
Their free service plan offers numerous perks, but this is problematic because scammers and hackers can exploit this feature to scam people at no cost.
They should employ parameters to prevent people from abusing their test trial features.

[PX-Z]

It's a Cloudflare Pages, it's a script deployment service by Cloudflare
Their free service plan offers numerous perks, but this is problematic because scammers and hackers can exploit this feature to scam people at no cost.
They should employ parameters to prevent people from abusing their test trial features.

Yes, just like any free script deployment site, all are prone and used to abuse, using different site, tools tend to get victims, etc.
Seriously, it's their responsibility to regularly check those free deployed site at least once a week or so on their platform especially for those sub domain that is similar to existing platforms.

[cryptomaniac_xxx]

It's a Cloudflare Pages, it's a script deployment service by Cloudflare
Their free service plan offers numerous perks, but this is problematic because scammers and hackers can exploit this feature to scam people at no cost.
They should employ parameters to prevent people from abusing their test trial features.

Yes, just like any free script deployment site, all are prone and used to abuse, using different site, tools tend to get victims, etc.
Seriously, it's their responsibility to regularly check those free deployed site at least once a week or so on their platform especially for those sub domain that is similar to existing platforms.

True, and now they are also being abused by this criminals. Maybe in the beginning, they didn't thought about it.

But now, it's different, scammers and criminals will take advantage of anything. So the whole ball game have change and hopefully Cloudfare will also adjust and take the responsibility.

Community will have to react as well to report this kind of sites.

Good find by the OP.

[robelneo]

It's a Cloudflare Pages, it's a script deployment service by Cloudflare
Their free service plan offers numerous perks, but this is problematic because scammers and hackers can exploit this feature to scam people at no cost.
They should employ parameters to prevent people from abusing their test trial features.

Yes, just like any free script deployment site, all are prone and used to abuse, using different site, tools tend to get victims, etc.
Seriously, it's their responsibility to regularly check those free deployed site at least once a week or so on their platform especially for those sub domain that is similar to existing platforms.

I'm not familiar with the KYC rules on Cloudflare. Still, if they allow unverified new users to try their free features, then it's likely to be abused. If you undergo verification before using the platform's features, you will be less likely to launch a phishing site because they have your vital information, which authorities could request in the event of an investigation.

They should implement strict verification for new users who want to test those services right away. This is what happened to the Ml domain, which hackers and scammers exploited because it can be used for free without undergoing KYC.

[PX-Z]

I'm not familiar with the KYC rules on Cloudflare. Still, if they allow unverified new users to try their free features, then it's likely to be abused. If you undergo verification before using the platform's features, you will be less likely to launch a phishing site because they have your vital information, which authorities could request in the event of an investigation.

They should implement strict verification for new users who want to test those services right away. This is what happened to the Ml domain, which hackers and scammers exploited because it can be used for free without undergoing KYC.

I don't think there is a KYC asking different personal info aside from name and email on that free service of cloudlflare. Actually you can even put different name and birthday etc. since there's no ID verification. Also, even it's not That's why its probably exploited.

There are already many reports about the site being exploited, they should do more work to avoid it or lessen those.

https://www.fortra.com/blog/cloudflare-pages-workers-domains-increasingly-abused-for-phishing