# mettsmask-hlp.gitbook.io — MALICIOUS

> mettsmask-hlp.gitbook.io impersonates MetaMask to distribute fake Chrome extensions. 5/95 security vendors flag this domain as malicious.

## Summary

PhishDestroy identifies mettsmask-hlp.gitbook.io as an active brand impersonation scam targeting MetaMask users. This domain mimics the legitimate MetaMask branding to deceive victims into downloading malicious Chrome extensions, posing an elevated risk of credential theft and cryptocurrency compromise. The threat actor leverages a GitBook.io subdomain to host fraudulent installation pages, exploiting user trust in the MetaMask name to propagate malware under the guise of a legitimate browser extension.

This domain was flagged by 5 out of 95 security vendors on VirusTotal, indicating a high likelihood of malicious activity. It is registered through Cloudflare, Inc., resolving to IP address 172.64.147.209, and was created on March 30, 2014. The page title, 'Metamask Chrome Extension | us,' directly impersonates MetaMask’s legitimate offerings. Despite hosting on a trusted CDN (Cloudflare) and using a Google Trust Services SSL certificate, the domain’s malicious intent is further evidenced by its inclusion in multiple threat intelligence feeds. The combination of a legitimate-looking domain, high-risk indicator counts, and direct brand impersonation amplifies the danger to unsuspecting users seeking MetaMask extensions.

Mitigation requires immediate blacklisting of this domain and its IP address (172.64.147.209) in corporate firewalls and endpoint protection systems. Users should verify extension sources by cross-referencing with MetaMask’s official website (metamask.io) and only download extensions from verified publishers. Admins should enforce browser policies blocking unauthorized extension installations. Organizations should conduct user awareness training to highlight the risks of third-party extension repositories. Affected systems must be scanned for malware, and any compromised credentials should be rotated immediately. Given the elevated risk, this domain should be treated as a confirmed threat and blocked proactively to prevent further exploitation.

## Threat Details

- Verdict: MALICIOUS
- Site status: cloaking (HTTP ?)
- Target brand: MetaMask
- Page title: Metamask Chrome Extension | us

## Domain Intelligence

- Registered: 2014-03-30 06:09:09
- Registrar: Cloudflare, Inc
- IP: 172.64.147.209

## Detection Status

- VirusTotal: 5 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/9d1ca957-ac56-4617-86a4-60887a3554d5
- PhishDestroy: https://phishdestroy.io/domain/mettsmask-hlp.gitbook.io/
- LLM endpoint: https://phishdestroy.io/domain/mettsmask-hlp.gitbook.io/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/mettsmask-hlp.gitbook.io/

Last updated: 2026-04-14