MetaMask 2FA phishing wave funnels users to fake sites

SlowMist flags a phishing wave posing as MetaMask 2FA emails that drive users to fake sites and request 12-word recovery phrases, allowing attackers to drain funds from crypto wallets.
Blockchain security firm SlowMist warned Monday that scammers are spoofing MetaMask two-factor authentication notices, directing recipients to fake domains that capture 12-word seed phrases and empty wallets.
In a post on X, SlowMist chief security officer 23pds described emails framed as urgent security alerts with short deadlines to enable 2FA. Links lead to look-alike MetaMask pages that walk users through a bogus verification and then prompt for the recovery phrase to “complete” setup.
Once the phrase is entered, control over the wallet shifts to the attacker, enabling transfers of assets. SlowMist emphasized that decentralized wallet providers never ask for a secret recovery phrase during security checks.
Despite ongoing attempts, phishing losses have fallen year over year. A report from Web3 security tool Scam Sniffer tallied $83.3 million lost in 2025, down 83% from $494 million in 2024. The number of victims declined 68% to 106,000 from 332,000.
The report noted a spike in the third quarter during heavy market activity. “When markets are active, overall user activity increases, and a percentage fall victim — phishing operates as a probability function of user activity,” the report stated.
MetaMask, from Consensys, is among the most used self-custodial wallets, with more than 100 million annual users and 244,000 connected decentralized applications. The brand is a frequent target for impersonation.
SlowMist underscored that any request for a 12-word seed phrase as part of 2FA or email verification is fraudulent. Recovery phrases are meant for offline backup and account restoration, and entering them on a website or through an email link gives attackers the ability to move funds.
As we covered previously, Trust Wallet disclosed on Dec. 26 that its browser extension was compromised in a targeted attack on desktop users, causing about $7 million in losses. SlowMist said the malicious extension exported users’ personal information. SlowMist co-founder Yu Xian said the attacker prepared weeks in advance and showed deep familiarity with the source code.