There is a new phishing scam targeting MetaMask users. It employs very realistic 'two-factor authentication (2FA)' steps to steal your wallet's recovery phrase.
This campaign shows that social engineering tricks are becoming increasingly sophisticated, even though reports indicate that losses from cryptocurrency phishing attacks have significantly decreased in 2025.
Anatomy of the MetaMask phishing scam
The CSO of blockchain security company SlowMist explained this scam on X (formerly Twitter). The phishing method combines several forms of deception to take over users' wallets.
Victims receive emails that appear to come from MetaMask Support. These emails state that two-factor authentication is mandatory. The emails look professional and use the MetaMask fox logo and company colors.
The message indicates that the attackers use domains that are almost identical to the official website. In the example shown, the fake domain differs from the real one by just one letter, which makes it hard to spot.
When users arrive at the phishing site, they are gradually taken through what appears to be a trustworthy security check. In the final step, they are asked to enter their recovery phrase, supposedly to complete the '2FA security verification.'
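The one-letter-off domain described above is exactly the kind of near-miss that a mail gateway or browser extension can flag mechanically. The following is an added illustration, not code from the article, from SlowMist or from MetaMask: it reduces a link destination to its registrable domain, compares it against an allowlist by edit distance, and also flags hosts that bury an allowlisted brand name in a subdomain. The allowlist entry metamask.io and all sample inputs are assumptions constructed for this example; real deployments should use a public-suffix list instead of the two-label simplification used here.

```python
# Added defensive example (not from the article, SlowMist or MetaMask):
# flag link destinations that sit within a small edit distance of an
# allowlisted domain, or that hide an allowlisted brand in a subdomain.
from typing import Tuple
from urllib.parse import urlsplit

# Assumed legitimate domain for this illustration.
ALLOWLIST = {"metamask.io"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character inserts,
    deletes or substitutions needed to turn a into b."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def hostname_of(url_or_host: str) -> str:
    """Extract a lower-cased hostname from a URL or a bare host."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    return (urlsplit(target).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Keep the last two labels (e.g. 'metamask.io'). Simplification:
    production code should consult the public-suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url_or_host: str, max_distance: int = 1) -> Tuple[str, str]:
    """Return ('trusted' | 'lookalike' | 'unknown', reason)."""
    host = hostname_of(url_or_host)
    domain = registrable_domain(host)
    if domain in ALLOWLIST:
        return ("trusted", domain)
    for good in ALLOWLIST:
        d = levenshtein(domain, good)
        if d <= max_distance:
            return ("lookalike", f"{domain} is {d} edit(s) from {good}")
        brand = good.split(".")[0]
        if brand in host.split("."):
            return ("lookalike", f"'{brand}' used as a subdomain label of {domain}")
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample link destinations for the demonstration.
    for sample in ("https://metamask.io/",
                   "https://metamsk.io/2fa",
                   "metamask.io.example.net",
                   "https://example.com/"):
        print(sample, "->", classify(sample))
```

In practice the allowlist would hold every brand the organisation cares about, and a "lookalike" verdict would quarantine the message or interstitial the click rather than merely print; an exact match against the allowlist is the only result that should pass silently.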
This is the crucial moment of the scam. A wallet's recovery phrase (also known as a seed phrase or mnemonic phrase) is the master key to the wallet. Anyone who has this phrase can:
Transfer funds without the owner's permission or knowledge
Recreate the wallet on another device
Gain full control over all linked private keys
Sign and execute transactions themselves
Anyone who obtains a recovery phrase can access the wallet directly: no password, no two-factor authentication, and no device approval is required. That is why wallet providers always warn: never share your recovery phrase with anyone.
Two-factor authentication is intended to protect users, but the scammers exploit the trust placed in it to mislead people. Because it combines psychological pressure, clever tricks, and urgency, this approach remains very dangerous.
This scam comes at a time when phishing losses have actually decreased. Figures show that the damage from crypto-phishing has dropped by about 83% to around $84 million in 2025, while it was nearly $494 million the year before.
"Phishing losses closely followed market behavior. In the third quarter, the strongest ETH rally and the highest phishing losses ($31 million) occurred. As the market becomes more active, more users participate — and a percentage becomes victims. Phishing is therefore a gamble, based on the number of users," according to a report from Scam Sniffer.
Now that market activity is showing signs of recovery at the beginning of 2026, including meme coin rallies and increased participation from retail investors, scammers are also becoming more active. Vigilance against phishing methods and careful handling of wallet information remain extra important.
