A sophisticated phishing operation is targeting MetaMask users, utilizing a deceptive two-factor authentication (2FA) process to extract wallet recovery phrases. This incident underscores an advanced level of social engineering in phishing tactics, despite a significant drop in reported cryptocurrency phishing losses in 2025.
Blockchain security firm SlowMist’s Chief Security Officer recently highlighted this scam via a post on X (formerly Twitter). The operation employs multiple deceptive techniques to compromise user wallets. Targeted individuals receive emails seemingly from MetaMask Support, announcing a mandatory 2FA requirement. These emails feature professional branding, including the MetaMask fox logo and color scheme, to add authenticity.
Attackers are using domains that closely resemble MetaMask’s official domain, differing by only a single letter, making them challenging to discern at first glance. Once users reach the fraudulent website, they are led through what appears to be a legitimate security process. At the final stage, victims are prompted to enter their seed phrase under the guise of completing a “2FA security verification.”
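The lookalike-domain pattern described above can be checked mechanically on the defender side. The following is an added example, not code from the article or from MetaMask: it triages a list of constructed URLs (as extracted from a suspect email or proxy log) against an assumed legitimate domain, flagging hosts within a small edit distance of it or hosts that embed the brand under another registrable domain. The legitimate domain and the sample URLs are assumptions, and the default of two edits generalizes slightly beyond the single-letter case the article reports.

```python
from urllib.parse import urlparse

# Assumed legitimate domain for the wallet provider (not stated in the article).
LEGITIMATE_DOMAINS = {"metamask.io"}

# Constructed sample URLs, as a triage tool might extract from email bodies or proxy logs.
SAMPLE_URLS = [
    "https://metamask.io/",
    "https://support.metamask.io/help",
    "https://metamesk.io/2fa",                      # one-letter substitution
    "https://metamask.io.evil-example.net/login",   # brand used as a subdomain
    "https://example.org/",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_and_registrable(url: str) -> tuple[str, str]:
    """Return (full host, crude registrable domain = last two labels; enough for .io/.com)."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower().rstrip(".")
    return host, ".".join(host.split(".")[-2:])


def classify_domain(url: str, max_distance: int = 2) -> str:
    """'legitimate', 'lookalike' (near-miss spelling or embedded brand), or 'unrelated'."""
    host, registrable = host_and_registrable(url)
    if registrable in LEGITIMATE_DOMAINS:
        return "legitimate"
    for legit in LEGITIMATE_DOMAINS:
        brand = legit.split(".")[0]
        if levenshtein(registrable, legit) <= max_distance or brand in host:
            return "lookalike"
    return "unrelated"


def flag_lookalikes(urls: list[str]) -> list[str]:
    """Subset of urls whose host looks like an impersonation of a legitimate domain."""
    return [u for u in urls if classify_domain(u) == "lookalike"]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_domain(u):11} {u}")
```

The registrable-domain heuristic is deliberately simple; a production tool would use a public-suffix list and also normalise Unicode homoglyphs before comparing.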
The seed phrase, also known as a recovery or mnemonic phrase, is essentially the master key to a wallet. Possessing it allows an individual to transfer funds, recreate the wallet on another device, and gain full control over private keys. It enables transaction execution and signing without the original owner’s knowledge or approval. Consequently, wallet providers advise users never to share their seed phrases under any circumstances.
Two-factor authentication is designed to strengthen account security, and attackers borrow that reputation to make their request look legitimate, even though no genuine 2FA flow ever asks for a seed phrase. This combination of psychological manipulation and technical deception poses a significant threat.
The scam emerges amid a broader decline in phishing-related financial losses. In 2025, losses associated with cryptocurrency phishing decreased by approximately 83%, totaling around $84 million, compared to nearly $494 million the previous year. According to a report by Scam Sniffer, phishing losses typically correlate with market activity. For instance, the third quarter saw the strongest Ethereum rally and the highest phishing losses, approximately $31 million. Increased market activity leads to greater user engagement, elevating the risk of phishing incidents.
As market activity shows signs of recovery in early 2026, including meme coin rallies and increased retail participation, attackers are also making a comeback. Thus, maintaining vigilance against phishing tactics and carefully handling wallet credentials remain essential.