# metamask-recovery.pages.dev — MALICIOUS

> metamask-recovery.pages.dev is a high-risk phishing site impersonating MetaMask. Avoid interaction and report suspicious activity immediately.

## Summary

PhishDestroy identifies metamask-recovery.pages.dev as a high-risk phishing domain designed to impersonate the MetaMask brand. The site uses deceptive branding with the page title "MainNet Project" to lure users into social engineering scams aimed at stealing sensitive wallet recovery information. This campaign poses a significant threat to cryptocurrency users relying on MetaMask for asset management.

The domain was registered on February 21, 2026, via Cloudflare, Inc., and resolves to IP address 188.114.96.3. It has been flagged by Google Safe Browsing under the category SOCIAL_ENGINEERING and appears on two security blocklists. Additionally, VirusTotal analysis indicates that 14 out of 95 security vendors detect malicious activity associated with this domain, reinforcing its dangerous nature. The use of Cloudflare as a registrar and the recent creation date are common traits in transient phishing infrastructure.

Currently, the domain metamask-recovery.pages.dev is offline, which limits immediate risk; however, attackers frequently resurrect or clone such sites under new domains. Users are advised to remain vigilant against unsolicited recovery requests and verify URLs carefully before entering any credentials. Reporting suspicious domains to security platforms and employing browser security tools can help mitigate exposure to similar brand impersonation threats. PhishDestroy continues to monitor for related activity using the unique seed 3a564d to track evolving phishing tactics.

## Threat Details

- Verdict: MALICIOUS
- Site status: dead (HTTP 0)
- Target brand: MetaMask
- Page title: MainNet Project

## Domain Intelligence

- Registered: 2026-02-21 07:01:08
- Registrar: Cloudflare, Inc.
- Country: US
- IP: 188.114.96.3
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- SSL Issuer: none

## Detection Status

- VirusTotal: 14 vendors flagged
  Vendors: ["ChainPatrol", "alphaMountain.ai", "BitDefender", "CyRadar", "Ermes", "Emsisoft", "Fortinet", "G-Data", "Google Safebrowsing", "Lionic", "Phishing Database", "Sophos", "Trustwave", "Webroot"]
- Google Safe Browsing: FLAGGED
- Blocklists: 2 hits
  Lists: ["PhishDestroy", "MetaMask"]

## Evidence

- Screenshot: https://urlscan.io/screenshots/019baedc-1f21-75bb-8761-53cc3f3b5cd2.png
- PhishDestroy: https://phishdestroy.io/domain/metamask-recovery.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/metamask-recovery.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/metamask-recovery.pages.dev/
Last updated: 2026-03-19