
The “Twin-Face” Trap: How Scammers Are Faking Your Wallet Window

Source: ShieldGuard Research / Community Intelligence. Threat Level: 🛑 CRITICAL (Active Drainer)


The Hook: It Started with a “Free” Airdrop

It begins like any other Tuesday. You see a tweet about a Jupiter Exchange airdrop. The site looks perfect: the same colors, the same “Connect Wallet” button. You click it. The site instantly knows you have MetaMask and Phantom installed. Smart.

The Trap: The “Perfect” Pop-Up

You click MetaMask. A window pops up. It looks exactly like the MetaMask extension you’ve used a thousand times. It has the fox logo, the password field, and the familiar layout.

But here is the twist: It is not your wallet.

It is a “Browser-in-the-Browser” attack. The scammers have coded a fake window inside the website that simply draws a picture of a pop-up. It isn’t a separate extension window; it’s just part of the malicious webpage.

The “Ghost” Check

In our analysis (and testing by researcher @nft_dreww), the scam site ran a background check before attacking:

  1. If your wallet is empty: The fake window politely tells you “You are not eligible.” It doesn’t want to waste time on a $0 victim.
  2. If you have funds: The fake window screams “Approve Signature to Claim.” Since you think you are logging into MetaMask, you might sign it.

The Phantom Pivot

When we tested with Phantom, the scam got even smarter.

  • Because the user wasn’t logged in, the Fake Window appeared first.
  • Then, the Real Phantom Extension popped up behind it, asking for a password.
  • The victim thinks the Real prompt is just “unlocking” the Fake window.
  • Once unlocked, the Fake window serves the drainer contract.

How to Survive

The only flaw in this perfect trap is the URL Bar.

  • Real Wallet: A real extension pop-up has no URL bar.
  • Fake Wallet: This scam showed a “Vercel app” URL in the address bar of the pop-up.

ShieldGuard Advice: Always grab the pop-up window and try to drag it outside of your browser. A real window can leave the browser boundary. A fake “Browser-in-the-Browser” window cannot.
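
The URL-bar observation above can also be turned into an automated check. The following is an added example, not ShieldGuard's code or part of the original article: a heuristic that flags an in-page element drawing a wallet-style window, meaning a fixed or absolute overlay that holds a password field together with a drawn address bar or wallet name. The function names, regexes and sample page are assumptions made for illustration.

```javascript
// Heuristic signals (assumed). URL_LIKE needs a dotted host ending in a letters-only label.
const URL_LIKE = /(?:https?:\/\/)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}/i;
const WALLET_NAMES = /\b(metamask|phantom)\b/i;

// Depth-first walk over an element and its descendants.
function* walk(el) {
  yield el;
  for (const child of el.children || []) yield* walk(child);
}

// Collect the signals found inside one candidate overlay.
function scoreOverlay(overlay) {
  const s = { passwordField: false, drawnUrlBar: false, walletBranding: false };
  for (const node of walk(overlay)) {
    if (node.tagName === "INPUT" && node.type === "password") s.passwordField = true;
    // Leaf text only, so each drawn label is matched on its own element.
    const hasKids = node.children && node.children.length > 0;
    const text = hasKids ? "" : (node.textContent || "").trim();
    if (URL_LIKE.test(text)) s.drawnUrlBar = true;
    if (WALLET_NAMES.test(text)) s.walletBranding = true;
  }
  return s;
}

// Report the outermost fixed/absolute element that holds a password field
// together with a drawn address bar or wallet branding.
function findFakeWindows(root, getStyle, hits = []) {
  const pos = getStyle(root).position;
  if (pos === "fixed" || pos === "absolute") {
    const signals = scoreOverlay(root);
    if (signals.passwordField && (signals.drawnUrlBar || signals.walletBranding)) {
      hits.push({ el: root, signals });
      return hits;
    }
  }
  for (const child of root.children || []) findFakeWindows(child, getStyle, hits);
  return hits;
}

// Constructed sample: an ordinary login form next to a fixed <div> that draws
// a title, an address bar (placeholder URL) and a password field.
const samplePage = { tagName: "BODY", children: [
  { tagName: "FORM", children: [{ tagName: "INPUT", type: "password", children: [] }] },
  { tagName: "DIV", position: "fixed", children: [
    { tagName: "SPAN", textContent: "MetaMask", children: [] },
    { tagName: "SPAN", textContent: "https://placeholder.invalid/claim", children: [] },
    { tagName: "INPUT", type: "password", children: [] } ] } ] };
const sampleStyle = (el) => ({ position: el.position || "static" });
console.log(findFakeWindows(samplePage, sampleStyle).length);
```

In a browser, pass `document.body` and `window.getComputedStyle`. A hit is a reason to run the drag test described above, not proof of a scam.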
