Cybersecurity firm SlowMist has warned of an active phishing campaign targeting MetaMask users through fake 2FA prompts that trick victims into exposing their wallet seed phrases, resulting in immediate fund losses across Ethereum-based wallets and EVM chains.
Scammers are using fake MetaMask websites to impersonate security tools while urging users to enter seed phrases for 2FA setup. The phishing scheme begins with fake emails claiming 2FA is now required and pressing users to act immediately to secure their wallets.
These emails include subject lines like “2FA – Protect Your Wallet” and use the MetaMask logo to look authentic. Victims are directed to domains mimicking MetaMask’s official site, often using minor typos like “matamask” to deceive visitors.
Clicking the link opens a fake MetaMask interface that warns users of fabricated security risks and pushes urgent verification steps. The fake page includes countdown timers and false warnings, creating pressure to complete a “security setup” immediately.
Attackers then request the wallet’s 12- or 24-word seed phrase under the pretext of verifying ownership or enabling 2FA. Once submitted, scammers import the wallet elsewhere and drain assets, often within seconds, without requiring additional approval.
Victims report receiving emails that impersonate MetaMask Support and claim 2FA is now mandatory for all accounts. These emails often feature fake warnings like “Risk of Account Lock” and request action within a short deadline.
The button labeled “Enable 2FA Now!” takes users to the phishing site, designed to mimic MetaMask’s real interface. The interface includes fake verification steps and security alerts, pushing users to comply without verifying authenticity.
SlowMist confirmed these phishing pages are designed with convincing user interfaces to appear legitimate and trustworthy. “Users should remember MetaMask will never request seed phrases for security verification,” SlowMist warned in a statement.
Phishing victims typically lose $500–$2,000 per wallet, making early losses harder to detect or trace immediately. Funds are transferred to attacker-controlled addresses and usually converted to stablecoins or ETH across various EVM chains.
Scam Sniffer data shows phishing-related crypto losses dropped to $84 million in 2025 from $494 million the year before. However, the report linked scam trends with market momentum and warned phishing attempts rise with increased trading activity.
“Q3 of 2025 saw $31M in phishing losses, coinciding with a strong ETH rally,” the report explained. Analysts note that more retail involvement often leads to a spike in user vulnerability and scam exposure.
MetaMask has confirmed no vulnerabilities in its wallet; the threat comes solely from social engineering and user error. Wallet providers emphasize that users must never input their seed phrase outside their wallet interface or trusted app.
ZachXBT, a known on-chain analyst, also flagged MetaMask scams before this 2FA phishing attack surfaced on January 5, 2026. Earlier phishing scams included fake “mandatory updates” and have already drained over $107,000 from multiple users.
MetaMask urges affected users to disconnect from suspicious sites and move remaining assets to a new wallet immediately. The company maintains that seed phrases are the wallet’s master key and must be kept secret under all circumstances.
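A mail-triage check for the lookalike domains described above (such as “matamask”), added here as an example and not taken from SlowMist or MetaMask: it flags links whose host contains or nearly spells the brand but is not on an allowlist. The allowlist entry, the `.example` hosts in the sample and the distance threshold of 2 are assumptions.

```python
import re
from urllib.parse import urlsplit

BRAND = "metamask"
OFFICIAL = {"metamask.io"}  # assumption: adjust to the domains you treat as official

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_host(host):
    host = host.lower().rstrip(".")
    # Only an exact match or a true subdomain of an allowlisted domain is official.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    for token in re.split(r"[.\-_]", host):
        if BRAND in token:
            return "brand-on-unofficial-domain"
        if osa_distance(token, BRAND) <= 2:  # assumed threshold
            return "lookalike"
    return "unrelated"

def suspicious_links(text):
    """Return (host, verdict) for each link that imitates the brand."""
    hits = []
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = urlsplit(url).hostname or ""
        verdict = classify_host(host)
        if verdict in ("lookalike", "brand-on-unofficial-domain"):
            hits.append((host, verdict))
    return hits

# Constructed sample email body; the .example hosts are placeholders.
SAMPLE = """Subject: 2FA – Protect Your Wallet
Enable 2FA Now! https://matamask.example/2fa
Help: https://metamask.io/ or https://secure-metamask.example/verify
News: https://news.example/article
"""

if __name__ == "__main__":
    for host, verdict in suspicious_links(SAMPLE):
        print(f"{verdict:28} {host}")
```

Internationalized (`xn--`) labels are not decoded here, so homoglyph domains need a separate check.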
The post Fake 2FA Setup Used in New MetaMask Phishing, Warns SlowMist appeared first on CoinCentral.


