A new phishing scam targeting MetaMask users is spreading. It uses a highly realistic 'two-factor authentication (2FA)' procedure to steal wallet recovery phrases.
The campaign shows how much more sophisticated social engineering has become, even though reported losses from cryptocurrency phishing fell sharply in 2025.
MetaMask phishing tactic structure
SlowMist's CSO recently posted a warning about this scam on X (formerly Twitter). This phishing crime targets user wallets through multiple layers of deception.
Victims receive emails that appear to come from the MetaMask support team, announcing that two-factor authentication is now mandatory. The email uses the MetaMask fox logo and brand colors so that it looks authentic.
The post noted that the attackers use domains that closely resemble the official one. In the reported case the fake domain differed by a single character, which is easy to miss at a glance.
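A single-character lookalike is exactly what a mechanical check catches more reliably than a human eye. The following is an added example, not code from the article or from SlowMist or MetaMask: it compares a hostname taken from a link against the legitimate MetaMask domain (metamask.io, a known fact not stated in the article) using edit distance, a small table of confusable glyph substitutions, and a check for the brand name embedded under some other registrable domain. The candidate hostnames below are constructed samples, not domains observed in the campaign.

```python
# Added example: flag hostnames that are one or two edits away from a known-good
# domain, or that merely embed the brand name under another domain.
# Only standard-library Python is used.

LEGIT = "metamask.io"  # known-good domain (assumed reference, not from the article)

# Glyph sequences commonly swapped in lookalike registrations (illustrative subset).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(host: str) -> str:
    """Lower-case, strip a trailing dot, and fold confusable glyphs before comparing."""
    h = host.strip().lower().rstrip(".")
    for bad, good in CONFUSABLES.items():
        h = h.replace(bad, good)
    return h


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(candidate: str, legit: str = LEGIT) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a hostname found in a link."""
    raw = candidate.strip().lower().rstrip(".")
    # Exact match or a genuine subdomain of the legitimate domain.
    if raw == legit or raw.endswith("." + legit):
        return "legit"
    norm = normalize(raw)
    # One or two edits away (or identical once confusables are folded) is the
    # classic single-character trick described in the article.
    if levenshtein(norm, legit) <= 2:
        return "lookalike"
    # Brand name appearing inside a different registrable domain,
    # e.g. the legit name used as a label under an attacker-controlled domain.
    brand = legit.split(".")[0]
    if brand in norm:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample hostnames (not real phishing domains).
    for host in ["metamask.io", "support.metamask.io", "metamesk.io",
                 "rnetamask.io", "metamask.io.verify-2fa.example", "example.org"]:
        print(f"{host:35} {classify(host)}")
```

The heuristic is deliberately conservative: anything within two edits, or anything carrying the brand name outside its real domain, is flagged for a human to look at. In a production mail or proxy filter you would additionally reduce the hostname to its registrable domain (eTLD+1 via the public suffix list) before comparing, so that a legitimate subdomain and a brand label under an attacker's domain are never confused.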
Once on the phishing site, users are walked through prompts that look like a legitimate security procedure. At the final step, victims are asked to enter their seed phrase under the pretense of completing a '2FA security verification.'
This step is the heart of the scam. The wallet's seed phrase (recovery phrase, mnemonic phrase) is the master key to the wallet. Anyone who has it can:
Transfer funds without the original owner's permission or awareness.
Recreate the wallet on other devices.
Take full control of every private key derived from it.
Sign and execute transactions directly.
Whoever holds the seed phrase can open the wallet without any password, two-factor code, or device approval, because every key is derived deterministically from the phrase alone. That is why wallet providers keep warning users never to share the seed phrase with anyone, under any circumstances.
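To make concrete why the phrase is sufficient on its own, here is an added example (not code from the article, SlowMist or MetaMask) that performs the two standard derivation steps a wallet does when you "import" a phrase: BIP-39 turns the mnemonic into a 64-byte seed with PBKDF2-HMAC-SHA512, and BIP-32 turns that seed into the master private key and chain code with HMAC-SHA512. Nothing else goes in: no password, no 2FA, no device identity. The phrase used is the public BIP-39 test mnemonic ("abandon" x11 + "about"), a constructed input and not a real wallet; the hex values asserted on are the published test-vector seed for that phrase with an empty passphrase, which is the configuration MetaMask uses. Deriving the Ethereum account keys below the master key (path m/44'/60'/0'/0/i) needs secp256k1 arithmetic and is left out here.

```python
# Added example: seed phrase -> BIP-39 seed -> BIP-32 master key, standard library only.
import hashlib
import hmac
import unicodedata

# Constructed input: the public BIP-39 test mnemonic, NOT a real wallet.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase.
    MetaMask uses an empty passphrase, so the phrase alone is the entire secret."""
    words = mnemonic.split()
    if len(words) not in (12, 15, 18, 21, 24):
        raise ValueError("mnemonic must have 12/15/18/21/24 words")
    # (A full validator would also check the checksum bits against the BIP-39 wordlist.)
    m = unicodedata.normalize("NFKD", " ".join(words))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", m.encode("utf-8"), salt.encode("utf-8"), 2048)


def seed_to_master_key(seed: bytes) -> tuple:
    """BIP-32 master node: HMAC-SHA512 keyed with 'Bitcoin seed'.
    Left 32 bytes = master private key, right 32 bytes = chain code.
    Every account key (e.g. Ethereum path m/44'/60'/0'/0/i) is derived from these."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def recover_wallet(mnemonic: str, passphrase: str = "") -> dict:
    """What an attacker does with a phished phrase: rebuild the root of the wallet."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    key, chain = seed_to_master_key(seed)
    return {"seed": seed.hex(), "master_key": key.hex(), "chain_code": chain.hex()}


if __name__ == "__main__":
    victim_device = recover_wallet(TEST_MNEMONIC)    # wallet set up by its owner
    attacker_device = recover_wallet(TEST_MNEMONIC)  # same phrase, different machine
    # Identical root keys: no password, 2FA or device approval was ever consulted.
    print("same master key:", victim_device["master_key"] == attacker_device["master_key"])
    print("seed:", victim_device["seed"])
```

The only input that changes the result is the optional BIP-39 passphrase (sometimes called the "25th word"); wallets that do not expose one, MetaMask included, derive everything from the 12 or 24 words, which is why a phished phrase is game over and not merely one factor among several.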
Two-factor authentication was designed to protect legitimate users, and the attackers borrow that trust to deceive them. MetaMask is a self-custody wallet with no account-level 2FA to enable, so an email announcing 'mandatory 2FA' is itself a tell, yet the combination of technical deception and manufactured urgency remains a powerful threat.
The scam appeared at a time when phishing losses were generally falling. According to Scam Sniffer data, cryptocurrency phishing losses dropped about 83% in 2025 to roughly $84 million, down from nearly $494 million the previous year.
"Losses due to phishing are closely linked to market activity. In the third quarter, the Ethereum (ETH) rally was the strongest, and phishing losses reached a peak of $31 million. When the market is active, overall user activity increases, and some become victims. Phishing operates like a probability function of user activity." – Scam Sniffer report
In early 2026, signs of market recovery such as the meme coin rally and rising investor participation are drawing attackers back. Users should therefore stay alert to phishing tactics and treat the seed phrase as the one secret that is never typed into a web page, whatever the pretext.
