Have you come across an email that says you have a frozen ETH transaction worth 6.36010082 ETH stuck in your MetaMask wallet? The message claims the sender tried to cancel the transfer because they typed the wrong wallet address and asks you to “Retrieve ETH” by clicking a button.
Question: Is this email from MetaMask real, and is it safe to click the “Retrieve ETH” link to get your money back?
Investigation Findings: This email is fake and is not sent by MetaMask. The “Retrieve ETH” button leads to a scam website (eonzeus.com) that tries to steal your personal information or cryptocurrency. MetaMask does not send emails like this, and your funds are not frozen or pending because of a sender’s cancellation request.
Answer: “MetaMask – Incoming Transaction Failure” is a fraudulent email pretending to be from MetaMask to trick you into giving away your private keys or login details. 💡 To protect yourself from scams like this, always check the sender’s email carefully and never click on suspicious links. Instead, open your MetaMask wallet app directly or visit the official website to check your account status. Additionally, never share your private keys or seed phrases with anyone.
A typical “MetaMask – Incoming Transaction Failure” scam email reads as follows:
Hello Trader,
The frozen ETH Transfer from a MetaMask user to your wallet is open for retrieve, your ETH transfer was held for review because sender’s filed for Transfer Cancellation/Refund on 2025-06-07 15:45:07 requesting for cancellation of executed ETH transfer base on wrong wallet address input.
MetaMask follows all frozen assets for 170 days only while awaiting further complaints from sender/receiver.
If intended receiver was not you, please keep this funds safe when you retrieve into your wallet.Deposit Amount: 6.36010082 ETH
Chain Type: Ethereum (ERC20)
Deposit Address: 0x750EF1D7a0b4Ab1c97B7A623D7917CcEb5ea779C
Transaction Hash: 0x966f3e76a75aacf611ea6f8df2354a6ba33e1cf7820453ff58c289a20894f5fc
Block #: 22653656
Status: Pending
Time : 2025 – 06 – 07 15:45:07 ( UTC)
Device : iPhone 16 Pro
IP Address : 194.146.213.16
Location: Zürich SwitzerlandRetrieve ETH
Note: *Transaction failure occurs due to the sender’s Mis-verification of the receiver’s wallet address*.
You can retrieve your pending assets into any existing crypto wallet now.
Click retrieve ETH button above to retrieve.©2025 MetaMask • A Consensys Formation
🕵️♂️ How the MetaMask Incoming Transaction Scam Operates
MetaMask Incoming Transaction Failure Scam is a fraudulent scheme targeting cryptocurrency users. 🚨 It tricks people into thinking they have a pending ETH transfer stuck due to a supposed error, prompting them to “retrieve” their funds via a malicious link that actually steals their crypto assets.
🔗 Step-by-Step Breakdown of the Scam:
🔒 Fake Transaction Notification
Victims receive an email claiming that an incoming Ethereum (ETH) transfer to their wallet has failed or is frozen. The message often appears highly technical, referencing transaction hashes, block numbers, timestamps, and wallet addresses to appear legitimate.
💬 Impersonating MetaMask or Other Reliable Platforms
The email mimics official MetaMask branding, including fake sender addresses such as info@jospo.de, and official-sounding language to build trust. It emphasizes urgency and confusion around the frozen transaction to prompt quick action.
🔗 Redirecting to Fake “Retrieve ETH” Websites
The email includes a prominent “Retrieve ETH” button or link directing users to spoofed websites like https://eonzeus.com//MetaMask/MetaMask.html, which then redirect further to domains such as lyonshub.com. These sites mimic the appearance of MetaMask but are designed to steal private keys or seed phrases entered by users.
⚠️ Social Engineering for Private Information
On these fraudulent sites, users are often asked to enter sensitive information — such as their MetaMask seed phrase, private keys, passwords, or wallet credentials — under the guise of recovering the “frozen” funds.
💸 Theft of Cryptocurrencies
Once victims enter their credentials, scammers gain full access to their wallets and drain all cryptocurrencies stored there. Victims lose their funds irreversibly with no way to recover them.
📧 Spoofed Details to Seem Legitimate
The scam email often includes detailed technical data, IP addresses, device info, and transaction metadata to convince recipients of the claim’s authenticity. This is purely fabricated to lower suspicion.
🚫 No Legitimate Support or Resolution
The scammers offer no real way to fix the problem or recover funds legitimately. Attempts to seek help or verify the email via official MetaMask channels reveal it as fraudulent.
In summary, the MetaMask Incoming Transaction Failure scam preys on crypto users’ fears about lost or stuck transfers. It falsely claims that ETH is frozen due to sender errors and urges victims to “retrieve” funds via a malicious link. The scam leverages fake emails, spoofed websites, phishing for private keys, and technical jargon to deceive users. Always verify crypto transaction messages directly within official wallet apps, never share your seed phrase or private keys, and treat unsolicited emails urging urgent wallet actions as suspicious.
Summary Table
| Name | MetaMask Incoming Transaction Failure Scam |
| Type | Phishing / Crypto Scam |
| Method | Fake email claiming a failed ETH transaction with a link to retrieve frozen funds |
| Email Sender | From: MetaMask.io info@jospo.de (fake/impersonated) |
| Claimed Issue | Frozen ETH transfer pending due to sender’s cancellation request |
| Amount Mentioned | 6.36010082 ETH |
| Transaction Details | Transaction Hash: 0x966f3e76a75aacf611ea6f8df2354a6ba33e1cf7820453ff58c289a20894f5fc Block #: 22653656 Status: Pending |
| Call to Action | Click “Retrieve ETH” button to recover funds |
| Malicious Links | hxxps://eonzeus.com//MetaMask/MetaMask.html (redirects to lyonshub.com) |
| Scam Mechanics | Redirect to phishing site designed to steal private keys or credentials |
| Protection | Always verify sender’s email address and domain. Check on official MetaMask or ConsenSys channels. Never click links from suspicious emails. Do not enter private keys or seed phrases on unknown websites. Check transaction status directly via blockchain explorers. Beware of urgent emails about pending transactions or refunds. |
📧 What to Do When You Receive the “MetaMask – Incoming Transaction Failure” Scam Email
We advise everyone who receives this email to follow the simple steps below to protect yourself from potential scams:
- ❌ Do not believe this email.
- 🔒 NEVER share your personal information and login credentials.
- 📎 Do not open unverified email attachments.
- 🚫 If there’s a link in the scam email, do not click it.
- 🔍 Do not enter your login credentials before examining the URL.
- 📣 Report the scam email to the FTC at www.ftc.gov.
If you accidentally click a phishing link or button in the “MetaMask – Incoming Transaction Failure” Email, suspect that your computer is infected with malware, or simply want to scan your computer for threats, use one of the free malware removal tools. Additionally, consider taking the following steps:
- 🔑 Change your passwords: Update passwords for your email, banking, and other important accounts.
- 🛡️ Enable two-factor authentication (2FA): Add an extra layer of security to your accounts.
- 📞 Contact your financial institutions: Inform them of any suspicious activity.
- 🔄 Monitor your accounts: Keep an eye on your bank statements and credit reports for any unusual activity.
🔍 How to Spot a Phishing Email
Phishing emails often share common characteristics; they are designed to trick victims into clicking on a phishing link or opening a malicious attachment. By recognizing these signs, you can detect phishing emails and prevent identity theft:
💡 Here Are Some Ways to Recognize a Phishing Email
- ✉️ Inconsistencies in Email Addresses: The most obvious way to spot a scam email is by finding inconsistencies in email addresses and domain names. If the email claims to be from a reputable company, like Amazon or PayPal, but is sent from a public email domain such as “gmail.com”, it’s probably a scam.
- 🔠 Misspelled Domain Names: Look carefully for any subtle misspellings in the domain name, such as “arnazon.com” where the “m” is replaced by “rn,” or “paypa1.com,” where the “l” is replaced by “1.” These are common tricks used by scammers.
- 👋 Generic Greetings: If the email starts with a generic “Dear Customer”, “Dear Sir”, or “Dear Madam”, it may not be from your actual shopping site or bank.
- 🔗 Suspicious Links: If you suspect an email may be a scam, do not click on any links. Instead, hover over the link without clicking to see the actual URL in a small popup. This works for both image links and text links.
- 📎 Unexpected Attachments: Email attachments should always be verified before opening. Scan any attachments for viruses, especially if they have unfamiliar extensions or are commonly associated with malware (e.g., .zip, .exe, .scr).
- ⏰ Sense of Urgency: Creating a false sense of urgency is a common tactic in phishing emails. Be wary of emails that claim you must act immediately by calling, opening an attachment, or clicking a link.
- 📝 Spelling and Grammar Errors: Many phishing emails contain spelling mistakes or grammatical errors. Professional companies usually proofread their communications carefully.
- 🔒 Requests for Sensitive Information: Legitimate organizations typically do not ask for sensitive information (like passwords or Social Security numbers) via email.
Conclusion
The MetaMask – Incoming Transaction Failure email is a phishing scam designed to trick you into visiting fraudulent websites and potentially stealing your crypto assets. This scam uses alarming language about a “frozen” or “failed” ETH transaction that is supposedly pending recovery due to a sender’s request for cancellation or refund based on an incorrect wallet address.
The email impersonates MetaMask and ConsenSys, including fake technical details such as transaction hashes, wallet addresses, and blockchain information to appear convincing. It urges you to click a “Retrieve ETH” button that leads to suspicious domains (like eonzeus.com and lyonshub.com), which are not affiliated with MetaMask or any legitimate crypto service.
Bottom Line: Avoid clicking any links or buttons in this email. MetaMask and reputable wallets never notify users this way or ask you to “retrieve” funds through unknown websites. Always verify transaction issues directly through your official wallet or blockchain explorer. If you receive unsolicited emails warning of transaction failures or refunds, be extremely cautious, as they are very likely phishing attempts aiming to compromise your private keys or personal data.
