4 Minutes
MetaMask users warned of convincing fake 2FA phishing
Blockchain security researchers have flagged a sophisticated phishing campaign targeting MetaMask users that impersonates a Two-Factor Authentication (2FA) verification flow to trick victims into revealing their seed phrase. The scam arrives as part of a wave of wallet exploits and malicious Chrome extension incidents that have hit multiple crypto wallets in recent weeks.
Reported by security firm SlowMist, the attack begins with a spoofed, MetaMask-branded email that pressures recipients to "enable 2FA" immediately. The message is designed to create urgency and confidence by mimicking official branding and including a countdown timer to force hurried action.
A spoof email sent by attackers
How the scam works: fake flow, real theft
When users click the "Enable 2FA Now" button, they are redirected to a malicious website controlled by the attacker. That site presents a mock verification process, but its sole aim is to coax users into entering their mnemonic seed phrase. Once provided, attackers can import the wallet and drain assets across EVM-compatible networks and other supported chains.
Malicious website asking users to input their seed phrase
Red flags and how to spot the fraud
Although the spoof email is convincing, several giveaways can expose it as a phishing attempt. Common indicators include subtle typos in the URL or email text — for example, victims were redirected to a URL spelled "mertamask" instead of "metamask" — design inconsistencies, and sender addresses that originate from unrelated or public domains like Gmail.
Typos within spoof emails
Importantly, MetaMask does not send unsolicited emails asking users to verify accounts, enable 2FA, or submit their seed phrase. Any request for mnemonic phrases or private keys is an immediate red flag: never share them. Users should verify emails by checking the sender domain, hovering over links to inspect the real URL, and navigating directly to official sites or extension stores rather than following links.
Context: other recent wallet attacks and extension exploits
This phishing campaign follows a string of wallet incidents. Cybersecurity researcher Vladimir S. recently highlighted a related fake MetaMask update pushed to victims, believed to be tied to a broader wallet-draining exploit. On-chain investigator ZachXBT noted that the exploit typically resulted in losses under $2,000 per wallet but affected many addresses across multiple chains.
Another major incident involved Trust Wallet’s browser extension. Attackers reportedly obtained the extension source code and uploaded a compromised version to the Chrome Web Store, leading to roughly $7 million in losses. Trust Wallet has since pledged to reimburse impacted users and to investigate how the malicious build was published.
Meanwhile, Cardano users were targeted by fraudulent emails promoting a fake Eternl Desktop app, demonstrating that phishing campaigns remain a cross-chain threat. Despite these events, Scam Sniffer’s recent report revealed that total losses from crypto phishing campaigns fell about 88% in 2025 compared with the previous year — indicating improvements in user awareness and defenses, even as threats persist.
Practical steps to protect your wallet
- Never enter your seed phrase or private keys on a website — legitimate wallets and services will not request them.
- Enable hardware wallets and use secure, verified extensions from official stores.
- Verify emails by checking sender domains and avoid clicking timed links; go directly to official websites.
- Use reputable blockchain security tools and follow advisories from firms like SlowMist.
- If you suspect compromise, move remaining funds to a new wallet created offline and revoke suspicious approvals on-chain.
As phishing techniques evolve, staying vigilant about spoofed emails, fake 2FA prompts, and fraudulent Chrome extensions is essential to protecting cryptocurrency holdings. Regularly review wallet security practices and rely on trusted sources for updates and incident reports.
Source: crypto
Comments
Tomas
wow, saw a friend get hit by this exact scam 😬 that fake 2FA flow is clever, the countdown tricks you into rushing. backup seed offline, hardware wallets!
coinpilot
Wait, MetaMask emails 2FA? feels shady. mertamask typo is obvious but the timer pressure is nasty, ppl panic and paste seed phrases. check sender headers first
Leave a Comment