MetaMask Users Targeted By Sophisticated 2FA Phishing Scam Threatening Wallet Security
Crypto wallet users are facing a new wave of phishing attacks that exploit the trust around two-factor authentication (2FA) to steal their seed phrases and gain full control over wallets.
The latest scam demonstrates how attackers are adopting increasingly sophisticated methods to trick even cautious users, despite overall crypto phishing losses falling sharply in 2025.
How The MetaMask Scam Tricks Users
Blockchain security firm SlowMist highlighted the scam, explaining that victims receive emails appearing to come from MetaMask Support.
These messages claim users must update their 2FA credentials immediately or risk losing access to essential wallet features.
The emails include MetaMask branding, the fox logo, and professional colour schemes, making them highly convincing.
Once a user clicks the “Enable 2FA Now” button, they are redirected to a fake site that closely resembles MetaMask’s official platform.
In documented cases, the attacker’s domain differed by just a single letter, such as “mertamask” instead of “metamask,” making detection difficult.
The site guides users through what looks like a legitimate security verification process, ultimately requesting their seed phrase.
SlowMist’s CSO warned on X (formerly Twitter) that the scam uses the appearance of a legitimate 2FA process to deceive users.
The attackers are relying on urgency and technical manipulation to convince victims to share sensitive information.
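The single-letter lookalike domain described above can be caught by comparing each link's hostname against a verified allowlist. This is an added defensive example, not code from SlowMist or MetaMask. The `OFFICIAL` allowlist entry, the function names and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: allowlist of official domains per brand; replace with your own verified list.
OFFICIAL = {"metamask": {"metamask.io"}}

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent-letter swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]

def classify_link(url: str, max_edits: int = 1) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a link found in an email."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for brand, domains in OFFICIAL.items():
        # Official only if the host is an allowlisted domain or a true subdomain of one.
        if any(host == dom or host.endswith("." + dom) for dom in domains):
            return "official"
        # Any other host with a label containing or nearly matching the brand is suspect.
        for label in host.split("."):
            pieces = label.split("-") + [label]
            if brand in label or any(osa_distance(p, brand) <= max_edits for p in pieces):
                return "lookalike"
    return "unrelated"

# Constructed sample links using reserved .example/.test names (not real indicators).
SAMPLES = [
    "https://metamask.io/download",
    "https://mertamask.example/enable-2fa",
    "https://metamask.io.login.example/verify",
    "https://docs.example/wallets",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

The check flags hosts for review; it does not replace verifying the address bar before entering anything into a wallet page.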
Why Seed Phrases Are The Ultimate Target
Seed phrases, also known as recovery or mnemonic phrases, are the master keys to a wallet.
Anyone who obtains them can transfer funds, recreate the wallet on another device, and sign transactions independently.
Unlike passwords or 2FA codes, these phrases provide unrestricted access, making them extremely valuable to attackers.
MetaMask and security experts repeatedly caution users never to share their seed phrases under any circumstances.
Yet, this phishing campaign uses a false sense of urgency, countdown timers, and professional branding to deceive even experienced users.
Warnings From Security Experts And MetaMask
Security professionals have shared guidance on spotting these scams.
Malware researcher Tomas Meskauskas emphasised checking sender email addresses carefully and being cautious of urgent messages requesting verification.
Similarly, MailGuard, an Australian cybersecurity provider, highlighted that a single cleverly worded email could steal sensitive data or spread malware.
They urged recipients to delete suspicious emails immediately.
MetaMask reinforced its stance, stating the company never sends unsolicited emails asking for recovery phrases, Apple or Google account details, or random confirmations.
Any such request should be treated as fraudulent.
Recent History Of Wallet Phishing Attacks
This latest campaign follows a series of attacks on MetaMask and other crypto wallets.
In 2022, MetaMask reported stolen assets including NFTs worth 132.86 ETH (~$402,980) and $250,000 in ApeCoin, totalling over $650,000.
Other recent incidents include fake app updates and malicious wallet extensions affecting Trust Wallet users, with losses of up to $7 million, and fraudulent software campaigns targeting Cardano users.
Despite these incidents, overall phishing losses fell nearly 88% in 2025, down to about $84 million from nearly $494 million the previous year.
Scam Sniffer noted,
“Phishing losses tracked closely with market activity. Q3 saw both the strongest ETH rally and the highest phishing losses ($31M). When markets are active, user activity increases, and a percentage fall victim — phishing operates as a probability function of user activity.”
How Users Can Protect Themselves
Experts advise activating 2FA only through official platforms and keeping credentials up to date.
Email security systems can help detect and block phishing attempts, while multi-factor authentication limits the impact of compromised accounts.
Halborn, a blockchain security firm, stressed the importance of proactive anti-phishing measures, incident response teams, and immediate action when attacks are detected to minimise damage.
With market activity showing early signs of recovery in 2026, including meme coin rallies and increased retail participation, security awareness remains critical.
MetaMask users are urged to remain vigilant and verify any communication before taking action, particularly when it involves their wallet credentials.