A new phishing scam targeting MetaMask users is spreading, using a highly realistic “two-factor authentication (2FA)” flow to steal wallet recovery phrases.
The campaign highlights a growing level of sophistication in social engineering tactics, even as reported losses from cryptocurrency phishing attacks dropped sharply in 2025.
Anatomy of the MetaMask Phishing Scheme
Blockchain security firm SlowMist’s CSO highlighted the scam in a recent post on X (formerly Twitter). This phishing operation uses multiple layers of deception to compromise user wallets.
Victims receive emails that appear to come from MetaMask Support, which announce mandatory two-factor authentication requirements. The emails use professional branding, including the MetaMask fox logo and color scheme.
The post revealed that attackers are using domains that closely resemble the official one. In the documented case, the fake domain differed by only a single letter, making it difficult to spot at first glance.
MetaMask Phishing Scam. Source: X/im23pds
Once users land on the phishing site, they are guided through what appears to be a legitimate security process. At the final stage, victims are asked to enter their seed phrase under the pretense of completing a “2FA security verification.”
This is the critical point of the scam. A wallet’s seed phrase (also called a recovery phrase or mnemonic phrase) is the master key to the wallet. Anyone who has access to it can:
Transfer funds without the original owner’s knowledge or approval
Recreate the wallet on another device
Gain full control over all associated private keys
Sign and execute transactions independently
Once someone obtains a seed phrase, they can access the wallet without requiring passwords, two-factor authentication, or device approval. As a result, wallet providers consistently warn users never to share their seed phrases under any circumstances.
While two-factor authentication is designed to protect users, attackers exploit its reputation to deceive them. This psychological tactic, coupled with technical tricks and urgency, remains a potent threat.
The scam follows a broader slowdown in phishing-related losses. Data shows that losses linked to cryptocurrency phishing dropped sharply in 2025, decreasing by around 83% to about $84 million, compared with nearly $494 million in the prior year.
“Phishing losses tracked closely with market activity. Q3 saw both the strongest ETH rally and the highest phishing losses ($31M). When markets are active, overall user activity increases, and a percentage fall victim — phishing operates as a probability function of user activity,” Scam Sniffer’s report read.
As market activity shows early signs of recovery in early 2026, including meme coin rallies and indications of increased retail participation, attackers are also re-emerging. As a result, heightened awareness of phishing methods and cautious handling of wallet credentials remain crucial.
