A new and highly sophisticated phishing campaign is targeting MetaMask wallet users, employing fake two-factor authentication (2FA) verification pages designed to steal wallet recovery phrases. The attack, detailed in urgent warnings from security experts including SlowMist Chief Security Officer "23pds," mimics MetaMask's official security interface with convincing precision.
The scam begins with a professionally crafted email, purportedly from MetaMask Support, alerting users to an impending requirement for 2FA. The message uses appropriate branding and creates a false sense of urgency with a deadline to prompt immediate action. The link within the email, however, directs users to a spoofed domain with subtle misspellings like "matamask" or "mertamask," which can be easily overlooked, especially on mobile devices.
Victims are then taken to a well-designed website that perfectly clones MetaMask's layout, even incorporating elements like Cloudflare security badges to boost legitimacy. The site guides users through a multi-stage process, including a fake "human verification" step and messages confirming 2FA activation, complete with countdown timers and progress bars labeled "Security Layer Complete." The final and critical step requests the user's 12 or 24-word seed phrase under the guise of a "final security verification" or "checksum validation." Any seed phrase entered is instantly transmitted to the attackers, granting them full control to drain the wallet.
This attack emerges against a backdrop of evolving phishing tactics. While overall phishing losses declined sharply in 2025—dropping 83% to $83.85 million from nearly $494 million in 2024—attackers have shifted strategies. They are now focusing more on mass retail campaigns rather than large-scale heists, with the average loss per victim falling to $790. The third quarter of 2025, coinciding with Ethereum's strong rally, saw the highest losses at $31 million, highlighting that phishing activity often tracks with broader market cycles and user transaction volumes.
In response to the persistent threat, major wallet providers including MetaMask, Phantom, WalletConnect, and Backpack have partnered with the Security Alliance (SEAL) to launch a global phishing defense network. This system, described as a "decentralized immune system," allows for the submission of verifiable phishing reports that are automatically validated and broadcast to all participating wallets for quicker threat response.
