🔐🚨 There's a common misconception about MetaMask and security:
After interacting with a malicious website, merely disconnecting your MetaMask wallet WILL NOT protect you.
It's a popular recommendation, but it hardly does anything and provides a false sense of security.
Connecting your MetaMask to a site simply allows it to see your public address (and all the public blockchain data related to it), and suggest transactions (each of which you still need to approve).
Yes, you should disconnect your MetaMask wallet so the site cannot initiate further transactions you don't want to approve anyway.
But there's a potentially bigger threat that's way more important to go after:
Any contract can request permission to transfer your NFTs on your behalf. This is how marketplaces like OpenSea function.
A malicious contract might request permission to transfer your most valuable NFTs. Once granted, this permission (or "allowance") is stored on-chain.
Disconnecting MetaMask (or whatever wallet you use) doesn't change this. That's the common misconception. The permission is still granted until revoked!
This is where revoke.cash comes in.
The site makes it easy to see which contracts you've granted access to manage your NFTs on your behalf. And easily revoke those privileges.
This is the only thing that will have any effect once you've interacted with a malicious contract.
Of course there's a decent chance it's already too late.
A smart scammer would automatically transfer the NFTs away the moment you grant permission to do so. But not all of them are smart, and sometimes quickly revoking these permissions will prevent your NFTs from getting stolen.
Hope that clears things up. I often see people repeating the advice to disconnect MetaMask, but the first advice should be to revoke any on-chain permissions.
Stay safe!
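
To make the on-chain permission concrete, here is an added example (not from the original thread, and not code from MetaMask or revoke.cash) that classifies the calldata of a transaction a site asks you to sign and builds the calldata that clears a collection-wide approval. It assumes a standard ERC-721/ERC-1155 contract exposing `setApprovalForAll(address,bool)`; the function names and the operator address are made up for illustration.

```javascript
// Added example. Selectors are the first 4 bytes of keccak256(signature).
const SET_APPROVAL_FOR_ALL = "0xa22cb465"; // setApprovalForAll(address,bool), ERC-721/ERC-1155
const APPROVE = "0x095ea7b3";              // approve(address,uint256), ERC-721 token or ERC-20

// Classify the `data` field of a transaction a site asks the wallet to sign.
function classify(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  const selector = "0x" + hex.slice(0, 8);
  const args = hex.slice(8);
  // Both calls take exactly two 32-byte ABI words.
  if (![SET_APPROVAL_FOR_ALL, APPROVE].includes(selector) || args.length !== 128) {
    return { kind: "other" };
  }
  const grantee = "0x" + args.slice(24, 64); // address is the low 20 bytes of word 0
  if (selector === APPROVE) return { kind: "approve", grantee };
  const approved = BigInt("0x" + args.slice(64)) !== 0n;
  return { kind: approved ? "grant-all" : "revoke-all", grantee };
}

// Calldata for setApprovalForAll(operator, false): the transaction the owner
// sends to the NFT contract to clear a collection-wide approval.
function revokeAllCalldata(operator) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(operator)) throw new Error("bad address");
  const word0 = operator.slice(2).toLowerCase().padStart(64, "0");
  return SET_APPROVAL_FOR_ALL + word0 + "0".repeat(64);
}

// Constructed sample: a request granting a made-up operator full control.
const OPERATOR = "0x1111111111111111111111111111111111111111";
const GRANT =
  SET_APPROVAL_FOR_ALL + OPERATOR.slice(2).padStart(64, "0") + "1".padStart(64, "0");

console.log(classify(GRANT));
console.log(classify(revokeAllCalldata(OPERATOR)));
console.log(classify("0x")); // plain transfer with no calldata
```

The grant and the revoke are both ordinary transactions sent to the NFT contract, which is why the wallet's connection state has no bearing on either.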