New MetaMask Phishing Scheme Mimics 2FA Updates, Collects Seed Phrases

Takeaways
  • The Threat: Blockchain security firm SlowMist identified a sophisticated phishing campaign targeting MetaMask users via fraudulent "mandatory" 2FA security verifications.
  • The Method: Attackers utilize "typosquatting" domains (e.g., mertamask) and high-fidelity compliance workflows with countdown timers to pressure users into revealing their recovery phrases.
  • The Shift: This campaign marks a pivot from "spray and pray" tactics to psychological social engineering, weaponizing a user's desire for security to bypass skepticism during the 2026 market opening.

Security firm SlowMist warns of a sophisticated social engineering operation that weaponizes “mandatory” security updates to harvest wallet recovery phrases.

Attackers launched a targeted phishing campaign against MetaMask users by utilizing fraudulent Two-Factor Authentication (2FA) alerts. The campaign relies on high-fidelity look-alike domains to steal custodial secrets during the opening week of the 2026 market cycle.

Blockchain security firm SlowMist identified the operation Monday. The method relies on mimicking the branding and compliance workflows of the popular wallet provider to deceive victims.

SlowMist’s Chief Information Security Officer, known as 23pds, documented the anatomy of the attack in an urgent public advisory. The firm noted that the scam leverages the growing public demand for enhanced security measures. 

Attackers ironically use the premise of “mandatory security upgrades” to lure users into surrendering their most sensitive data.

“New #metamask phishing scam alert,” the official SlowMist account posted on Monday. “Attackers are impersonating a ‘2FA security verification’ flow, redirecting users via look-alike domains to fake security warnings with countdown timers and ‘authenticity checks.’ The final step asks for your wallet recovery phrase; once entered, funds are stolen.”

The Anatomy of the ‘Compliance’ Exploit

The operation employs “typosquatting” by directing users to web domains that differ by a single character from the official MetaMask site. One common variant uses the spelling “mertamask” to bypass the natural skepticism of experienced participants. 

Once on the fraudulent portal, users follow a simulated security check featuring countdown timers and authenticity progress bars. The workflow culminates in a prompt requiring the user to enter their seed phrase to finalize the verification. 

Security analysts identify the seed phrase request as the critical breach point. 

A seed phrase serves as the master key to a self-custodial wallet. It allows attackers to regenerate private keys on a separate device and drain assets without needing passwords or further approvals. 

MetaMask currently serves over 100 million annual users. This makes its user base a primary target for such high-fidelity social engineering.

Chain Street’s Take

The sophistication of this campaign lies in its bureaucracy. By dressing up a robbery as a “mandatory compliance update,” attackers are hacking the user’s conditioning to obey security prompts. 

The “2FA” label is a brilliant bit of social engineering because it targets people who are actually trying to be responsible. The decline in total phishing volume suggests the “spray and pray” era has ended. 

It’s been replaced by targeted, high-fidelity traps designed to catch active users during market rallies. The rule remains absolute. No legitimate wallet provider will ever ask for a seed phrase to enable 2FA. If the prompt asks for the keys, it’s a theft. 

Frequently Asked Questions

What is the new MetaMask "2FA" phishing scam?

Attackers are sending alerts mimicking official MetaMask correspondence, claiming users must complete a "2FA security verification" or a mandatory update. These alerts redirect users to fake websites designed to steal wallet recovery phrases.

How does the "typosquatting" attack work?

The scam uses web domains that look nearly identical to the official site but differ by a single character (e.g., "mertamask.io" instead of "metamask.io"). This slight variation often bypasses a user's quick visual check, tricking them into believing they are on a legitimate portal.
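The single-character look-alike described above (and in the "Anatomy" section) is something a defender can check for mechanically before a wallet is connected. The following is an added example, not code from the article, MetaMask or SlowMist: it scores a URL's host against an allowlist of official domains (here assumed to be just `metamask.io`) using an edit distance that also counts adjacent-letter swaps, so `mertamask.io`, `metamsak.io` and `metamask.io.<anything>` are all flagged. All sample URLs other than the two domains named in the article are constructed.

```python
# Added example (not from the article or from MetaMask/SlowMist): a defender-side
# look-alike domain check for a URL a user is about to connect a wallet to.
# "metamask.io" and the "mertamask" variant come from the article; every other
# sample URL below is constructed for illustration.
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = {"metamask.io"}  # allowlist assumed for this example


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            # Adjacent transposition ("metamsak" vs "metamask") counts as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def registrable_host(url: str) -> str:
    """Lowercased host with a leading 'www.' dropped (no public-suffix handling; simplification)."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_url(url: str, official=OFFICIAL_DOMAINS) -> str:
    """Return 'official', 'lookalike' (close to an allowlisted domain) or 'unrelated'."""
    host = registrable_host(url)
    if host in official:
        return "official"
    for good in official:
        if host.endswith("." + good):
            return "official"  # genuine subdomain of the allowlisted site
        # Compare whole host (catches 'metamask.co') and first label alone
        # (catches 'metamask.io.evil-example.com', where the brand is a subdomain).
        label_dist = damerau_levenshtein(host.split(".")[0], good.split(".")[0])
        if damerau_levenshtein(host, good) <= 2 or label_dist <= 1:
            return "lookalike"
    return "unrelated"
```

A result of "lookalike" is a block-and-warn signal, not proof of fraud; the point is that the user never has to eyeball the spelling themselves.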

Will MetaMask ever ask for my seed phrase for 2FA?

No. A legitimate wallet provider will never ask for your 12- or 24-word recovery phrase to enable Two-Factor Authentication or perform a security update. If a prompt asks for these words, it is a theft attempt.

What did SlowMist discover about this campaign?

SlowMist’s CISO, 23pds, noted that the attackers use "authenticity checks" and countdown timers to create a false sense of urgency. The scam targets the user's conditioning to obey compliance requests, making it a "bureaucratic" hack rather than a technical exploit.

How can I protect my MetaMask wallet?

Always verify the URL character-by-character before connecting your wallet. Bookmark official sites rather than clicking links in emails or social media. Most importantly, never enter your seed phrase into a browser window, pop-up, or "support" chat.

The author, a seasoned journalist with no cryptocurrency holdings, presents this article for informational purposes only. It does not constitute investment advice or an endorsement of any cryptocurrency, security, or other financial instrument. Readers should conduct their own research and, if needed, consult a licensed financial professional before making any financial decisions.