- A fake two-factor authentication (2FA) phishing campaign is targeting MetaMask users.
- A sophisticated phishing scam aimed at MetaMask users exploits fake 2FA prompts to steal wallet recovery phrases.
- The MetaMask phishing campaign highlights the growing role of social engineering in cryptocurrency security threats.
A new phishing campaign targeting MetaMask users underscores how quickly crypto scams are evolving.
The scheme uses a convincing two-factor authentication flow to trick users into revealing their wallet seed phrases.
Although overall losses from crypto phishing declined sharply in 2025, the tactics behind these attacks are becoming increasingly refined and harder to detect.
Security researchers say the campaign reflects a shift away from crude spam messages toward carefully crafted impersonations that combine familiar branding, technical precision, and psychological pressure.
The result is a threat that looks routine at first glance but can lead to full wallet takeover within minutes.
How the scam works
The campaign was reported by the head of security at SlowMist, who shared details on X.
Phishing emails are designed to appear as official messages from MetaMask Support, claiming that users must enable mandatory two-factor authentication.
They closely mirror the wallet provider’s branding, using the logo, color palette, and fox-themed layout that many users recognize.
A key element of the deception is the web domains used by attackers. In documented cases the fake domain differs from the real one by only a single character.
Such a small change is easy to miss, especially on mobile screens or when users act quickly.
Once the link is opened, victims are taken to a site that closely imitates the MetaMask interface.
The fake 2FA process
On the phishing site, users are guided through what appears to be a standard security procedure.
Each step reinforces the impression that the process is legitimate and designed to protect the account.
In the final stage, the site asks users to enter their wallet seed phrase, presenting it as a required step to complete two-factor authentication.
This is the decisive moment of the scam. A seed phrase—also called a recovery phrase or mnemonic—serves as the wallet’s master key.
With it, an attacker can recreate the wallet on another device, move funds without approval, and sign transactions independently.
Passwords, two-factor codes, and device confirmations become irrelevant once the seed phrase is compromised.
For this reason, wallet providers repeatedly warn users never to share recovery phrases under any circumstances.
Using 2FA as bait is intentional.
2FA is widely associated with stronger security, which lowers suspicion.
When combined with urgency and a professional presentation, it creates a false sense of safety.
Even experienced users can be caught off guard when a familiar security feature is turned into a tool of deception.
Early 2026 already showed signs of renewed market activity, including meme coin rallies and increased retail trading participation.
As activity rises, attackers appear to be returning with more sophisticated methods rather than a higher volume of low-quality scams.
The MetaMask phishing campaign suggests that future threats may rely less on scale and more on credibility.
For MetaMask users and crypto wallet holders in general, the episode highlights the need for constant vigilance.
Security tools remain essential, but understanding how they can be abused is as important as using them correctly.