MetaMask hit by new phishing attack disguised as mandatory 2FA
Attackers disguise the phishing flow as a required security check, ultimately gaining full control of users’ wallets
05.01.2026 - 08:55
Key points:
- A phishing campaign targets MetaMask users under the guise of mandatory 2FA verification.
- Victims are redirected to fake websites with an interface nearly identical to MetaMask.
- By entering their seed phrase, users hand over full access to their funds.
Security firm SlowMist has warned of a new wave of phishing attacks targeting MetaMask users. The attack typically begins with an email or notification claiming that two-factor authentication must be enabled. The message mimics MetaMask branding and uses language about “enhanced security.”
The link in the message leads to a spoofed domain that closely resembles the official site. Attackers rely on look-alike addresses — such as mertamask instead of metamask — to reduce the chance of detection.
How the scheme works
After clicking the link, users are taken to a page that imitates a security check and CAPTCHA. They are then shown a seemingly “official” MetaMask interface with a step-by-step 2FA setup, including a QR code and a confirmation screen indicating successful activation.
The final step prompts users to enter their seed phrase, allegedly to complete the security setup. At that point, victims effectively grant scammers full control over their wallets.
The attack does not rely on malware or browser exploits. Instead, users complete all actions themselves, believing the process to be legitimate. The fake site even simulates a checksum verification of the seed phrase, creating an illusion of technical authenticity.
According to SlowMist, these phishing pages often remain active only briefly and rotate domains frequently, making takedowns more difficult.
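Because the domains rotate faster than blocklists update, a defender can score link hosts by similarity to the brand instead of matching known-bad names. The sketch below is an added example, not code from SlowMist or MetaMask; the allowlist, the distance threshold and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

BRAND = "metamask"                 # brand label to protect
OFFICIAL_HOSTS = {"metamask.io"}   # assumption: allowlist maintained by the defender
MAX_DISTANCE = 2                   # assumption: edits tolerated before a token is "unrelated"

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1 each."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(url):
    """Return 'official', 'brand-on-foreign-host', 'lookalike' or 'unrelated'."""
    if "://" not in url:
        url = "//" + url               # let urlsplit treat a bare host as the netloc
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Suffix match on whole labels, never a substring match on the brand name.
    if any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS):
        return "official"
    tokens = [t for label in host.split(".") for t in label.split("-") if t]
    dists = [osa_distance(t, BRAND) for t in tokens]
    if 0 in dists:
        return "brand-on-foreign-host"
    if any(d <= MAX_DISTANCE for d in dists):
        return "lookalike"
    return "unrelated"

# Constructed sample links (reserved .example names), not taken from the campaign.
SAMPLES = [
    "https://metamask.io/",
    "https://mertamask.example/2fa-setup",
    "https://metamask-verify.example/",
    "metamask.io.security-check.example/login",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):22} {u}")
```

The check works on host labels only, so it does not cover internationalized (punycode) look-alikes, which would need a separate decoding step.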
Previously, independent blockchain investigator ZachXBT reported uncovering a chain of digital asset thefts totaling roughly $2 million. He said the attacker posed as a customer support agent for Coinbase, and he linked multiple incidents through on-chain fund movements and activity on social media and in private Telegram chats where the stolen funds were openly showcased.