How To Use Metamask Safely – Don’t Get Hacked!

Spread the love

Your Metamask wallet is an easy target for cyber criminals.  Follow the rules below and keep your Metamask safe!



November 3rd, 2021| Mike Humphrey


  1. Keep Your Private Keys Private

    Your private keys are your last line of defense. Keeping your keys secure and out of the hands of malicious parties is critical to keeping your crypto in your wallet and secure.  Read our article about crypto wallets for more info about private keys.

    How To Keep Your Private Keys Safe

    1. Get a Hardware Wallet

      A hardware wallet adds another layer of security. It makes it that much harder to have your funds stolen.  Your private keys are stored on the hardware wallet and require your approval before your key is sent from your device. Ledger and Trezor both offer great hardware wallet options that can be used with Metamask.


    2. Keep Metamask Locked

      When you aren’t using Metamask, you should keep it locked at all times. When left open, any site you are browsing can see your wallet address. Nefarious websites can take advantage of this and send you fraudulent pop-ups or sign-in pages that will give them access to your account.  To lock Metamask, click on the account icon circle and select lock.

      How To Use Metamask Safely - Lock Metamask

    3. Use a Dedicated Crypto Only Browser

      Fully separate your crypto activities from your normal web browsing. Reduce the chances of someone getting access to your wallet by using a dedicated browser for De-Fi apps. For example, use Chrome for crypto transactions and Firefox for your normal browsing.

    4. Limit Open Tabs

      Metamask does not differentiate between tabs in your browser. If you have more than one tab open, either tab could be the one sending you the approval request for your wallet. If you have multiple tabs open a dubious site could take advantage and get access to your wallet. Keep tabs to a minimum and only keep open the tabs you need, to perform your transactions.

    5. Confirm Your Connections

      When you approve a transaction always confirm the source of the transaction in the approval window.

      How To Use Metamask Safely - Confirm Connections 1

      How To Use Metamask Safely - Confirm Connections 2a

  2. Keep Your Secret Recovery Phrase… SECRET

    Keep your secret recovery phase offline and in a secure space. Never tell anyone your recovery phrase, whether that’s your best friend or the support tech trying to help you solve your problem. Your recovery phrase would allow anyone access your wallet and give them free reign of your account. Second to this don’t, use your recovery phrase unless you absolutely have to. Hackers can install keyloggers on your computer and record your recover phrase when you enter it. Thirdly, no one wants to think about horrible things happening, but they do happen. Make sure you have a way of getting your recovery phrase in the hands of loved ones in the case of the unthinkable.

    How To Use Metamask Safely - Keep Recovery Phrase Locked Up

  3. Disconnect Metamask From Dapps

    Once you’ve completed a transaction, you should close the connection between Metamask and the site.  This will prevent the site from sending any further requests until you reconnect your wallet. This reduces the chances of funds being drained from your wallets.  To disconnect from a site, click on the three vertical dots, select connected sites and click on the trashcan.

    How To Use Metamask Safely - Disconnect Metamask

  4. Set Token Approval Limits

    When you first connect with a Defi site you will be asked to sign a contract giving approval for the protocol to manage funds on your behalf. Many people are unaware, but most of these requests allow protocols to manage unlimited amounts. This is great for ease of use, but it essentially gives the DApp full access to the approved coin in your wallet, even if you disconnect your wallet. If there is a flaw in the contract, that either the developers, or a third party can take advantage of, it leaves your funds wide open. To prevent this, when giving approval, click edit permissions and set a token limit.  Always set token limits when giving approvals to contracts.

    How To Use Metamask Safely - Limit Token Approval 1a

    How To Use Metamask Safely - Limit Token Approval 2

    How To Use Metamask Safely - Limit Token Approval 3

    How To Remove Contract Approvals

    If you are like us, and didn’t realize you were approving unlimited access to your wallet, don’t worry there is a way to fix it.  Unrekt is a protocol that allows you to review all the contracts you have signed and to edit them.  It works on Ethereum, BSC, HECO, Fantom, and Polygon. Go to in your browser, connect your wallet and review your contracts. Look for any contract with the infinity sign beside the approval and then click Revoke.  Metamask will pop-up asking for approval. Check the site name, click on edit permissions to confirm the transaction approval is being set to zero and then approve the transaction.

    How To Use Metamask Safely - Remove Token Limits 1a

    How To Use Metamask Safely - Remove Token Limits 2a

    How To Use Metamask Safely - Remove Token Limits 3

  5. Conclusion

    Hackers are continuously looking for new and insidious ways to get access to your funds. The key is skepticism and vigilance. It’s easy to let your guard down and think it’s never going to happen to me.  As you become more successful with your crypto investing you become a more likely target. Start implementing and maintaining safe practices now and keep your crypto in your wallet and not in theirs.


What safe practices do you use? Let us know in the comments.

6 thoughts on “How To Use Metamask Safely – Don’t Get Hacked!

  1. Thank younfir this guide.

    Dedicated OS
    Complete remodel of about:config
    Solid firewall rules
    VPN with always on and KS
    Private DNS
    Routted dhcs
    No cex, only one trusted for fiat exchange
    No social appearance
    … Are just a few of many privacy and security measures everyone should educate himself with if crypto is involved

  2. Hello,

    Thank you for a very informative article! I think things do happen for a reason and I recently got scammed. :/
    I’ll make this scenario short and sweet and I have a question.

    Situation: PC + MetaMask Chrome Extension. Left connected sites and had many tabs open for about 5 days ( rookie here )
    Within those 5 days, everything was normal and nothing happened. Then on the 5th day I was hacked. My ETH was drained from $250 —- $0.79

    The next day ( I was at my girlfriends house ), I finally updated my computer, reset it, and closed out all of the tabs and then connected to the same hacked MetaMask wallet and disconnected all the sites within the MetaMask Chrome Extension.

    QUESTION: After disconnecting the sites both from the app and PC version, will I still get hacked?
    I need to move staked rewards to another wallet. DO you think this will be possible If I move the value right away to another new wallet? ( Trust Wallet )

    1. Hi Luis,

      I’m sorry to hear that you got hacked. Whether you will get hacked again really depends on how you were hacked in the first place. If someone has access to your private key then they have full access to your wallet. If your PC has been hacked, then they have access to your wallet through your PC. I recommend moving anything you have left from the compromised wallet to a new wallet. I would make sure that the new wallet is set up with a hardware wallet(Ledger or Trezor ) to secure your keys and make it that much harder to get hacked again.

      Good Luck

  3. Hi, is there a way to transfer smart contracts to another wallet? I have a wallet that was hacked and I have some contracts with some funds that are locked for some time. Can I just transfer that to another wallet so I don’t have to use this one anymore? I would like to keep compounding but if I add BNB for gas it gets swiped out right away by the hacker. so aggravating!

    1. Generally no. This type of ability in a contract could add safety issues as it would allow the caller of the function to essentially move funds from one wallet to another. You could try talking with the developer of the protocol directly through their website or discord. Though, if the developer has the ability to switch wallets for anyone then they could easily rug pull the whole project by transferring all the funds to their private wallet…

      If someone is swiping your funds you likely signed a malicious contract that gave the hacker access. Have you tried using unRekt to check which contracts you have given approval to? Try removing access to all contracts you have signed and see if that makes a difference.

      Good Luck

Leave a Reply

Your email address will not be published.