
The attack exploits trust in a leading wallet provider, exposing users to total asset loss and eroding confidence in decentralized finance platforms.
The latest MetaMask phishing campaign trades on the growing expectation of two‑factor authentication. A fake security prompt redirects users to look‑alike domains, where they are asked to enter their 12‑word seed phrase to "complete" a 2FA setup. No such step exists in the official wallet: MetaMask is non‑custodial and has no account‑level 2FA, and the seed phrase is the master secret from which every private key in the wallet is derived, so it is never required to enable any feature. Once the phrase is submitted, attackers can import the wallet on their own device, sign transactions and drain every account it controls immediately; a leaked seed phrase cannot be revoked, only abandoned by moving the funds to a fresh wallet.
Despite the sophisticated lure, overall crypto phishing losses fell sharply in 2025, down 83 percent to $83.3 million, according to Scam Sniffer. The number of victims shrank by 68 percent, from 332,000 in 2024 to 106,000 last year. The data also shows a sharp spike in Q3, when market activity peaked, which suggests that phishing success tracks trading volume: more active users means more wallets to target and more routine prompts to imitate, even as broader awareness improves. Regulators are monitoring these trends and urging platforms to adopt stricter verification standards.
Wallet providers like ConsenSys must keep repeating that they never ask for a seed phrase, least of all during a supposed 2FA enrollment, and should embed that warning across every communication channel. Users should check the domain in the browser's address bar rather than the link text, reach the wallet site from a bookmark instead of a link in a message, keep signing keys on a hardware wallet (whose recovery phrase is likewise never typed into a website), and treat unsolicited security emails as suspicious. The only legitimate reason to enter a seed phrase is restoring a wallet inside the wallet software itself. As phishing tactics evolve, continuous education and real‑time threat intelligence from firms such as SlowMist will be essential to protect the expanding base of over 100 million MetaMask users and preserve confidence in decentralized finance. Future defenses may include AI‑driven phishing detection and mandatory hardware wallet onboarding.
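The look‑alike domains that carry this campaign, and the advice above to verify URLs, both come down to one check: does the host a link points at actually belong to the wallet provider? The script below is an added example written for this article, not code from MetaMask, Consensys or the researchers cited; it flags typosquats, confusable‑character spellings and brand names planted inside unrelated domains. The brand list, the confusable table, the naive "last two labels" registrable‑domain split and the sample URLs are all assumptions constructed for illustration.

```python
"""Heuristic look-alike domain check for wallet-provider phishing URLs.

Added example for this article; it is not MetaMask/Consensys code. The brand
list, confusable table, registrable-domain split and sample URLs below are
assumptions made for illustration.
"""
from urllib.parse import urlsplit

# Assumed legitimate domains; take the real list from the provider's own site.
BRAND_DOMAINS = {"metamask.io"}
BRAND_TOKENS = {"metamask"}

# Constructed subset of confusable characters, folded to the ASCII letter they
# imitate. Production code should use the Unicode UTS #39 confusables data.
CONFUSABLE_CHARS = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u04cf": "l",  # Cyrillic small palochka
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "0": "o",
    "1": "l",
}
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))  # two letters that read as one


def fold(text: str) -> str:
    """Collapse confusable spellings so 'rnetam\u0430sk' compares as 'metamask'."""
    for pair, replacement in CONFUSABLE_PAIRS:
        text = text.replace(pair, replacement)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in text)


def decode_label(label: str) -> str:
    """Turn a punycode label (xn--...) back into Unicode; leave others untouched."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete
                               current[j - 1] + 1,              # insert
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def assess(url: str) -> dict:
    """Classify the host of a URL as legitimate, lookalike or unrelated."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = [decode_label(label) for label in host.split(".")]
    host = ".".join(labels)
    if host in BRAND_DOMAINS or any(host.endswith("." + b) for b in BRAND_DOMAINS):
        return {"host": host, "verdict": "legitimate", "reasons": []}

    reasons = []
    # Naive registrable-domain split (last two labels); real code uses the Public Suffix List.
    registrable = ".".join(labels[-2:])
    folded = fold(registrable)
    if any(not label.isascii() for label in labels):
        reasons.append("non-ASCII (internationalized) label")
    if folded in BRAND_DOMAINS:
        reasons.append(f"confusable spelling of {folded}")
    else:
        for brand in BRAND_DOMAINS:
            distance = edit_distance(folded, brand)
            if 0 < distance <= 2:
                reasons.append(f"{distance} edit(s) away from {brand}")
    if any(token in label for label in labels for token in BRAND_TOKENS):
        reasons.append("brand name inside a domain the brand does not control")
    return {"host": host, "verdict": "lookalike" if reasons else "unrelated", "reasons": reasons}


# Constructed sample URLs in the style of the campaign described above.
SAMPLE_URLS = [
    "https://metamask.io/security",
    "https://portfolio.metamask.io/",
    "https://metamask-2fa-setup.com/verify",
    "https://metamask.io.wallet-verify.net/2fa",
    "https://rnetamask.io/2fa",
    "https://metam\u0430sk.io/",   # Cyrillic 'а' in place of Latin 'a'
    "https://metamsk.io/",
    "https://example.com/metamask",
]


def scan(urls) -> dict:
    """Map each URL to its verdict; handy for a batch of links pulled from a mailbox."""
    return {url: assess(url)["verdict"] for url in urls}


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS).items():
        print(f"{verdict:10} {url}  {assess(url)['reasons']}")
```

Two design points worth noting. The check only ever returns "legitimate" for an exact match or a subdomain of a listed brand domain, so `metamask.io.wallet-verify.net` is caught even though it starts with the real name: the registrable domain is decided from the right, not the left. And confusable folding is deliberately aggressive (`rn` always becomes `m`), which is fine for comparing against a short allow‑list but would generate noise if applied to arbitrary text.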