MetaMask Users Warned of Scam Using Fake Two-Factor Authentication Prompts

TLDR

• Attackers created fake MetaMask alerts urging users to verify wallets through counterfeit security pages.
• Victims receive emails mimicking MetaMask Support, with branding nearly identical to official communications.
• Users are guided through a staged 2FA process designed to build trust and extract sensitive data.
• The scam ends by requesting the user’s seed phrase, enabling attackers to access and drain wallets.
• Attackers use domain names nearly identical to MetaMask’s, increasing the risk of user confusion and compliance.

A new phishing campaign targeting MetaMask users has emerged using counterfeit security alerts and fake verification processes. Blockchain security firm SlowMist reported that attackers designed the scam to closely mimic official MetaMask communications. The campaign aims to steal wallet seed phrases and enable immediate asset theft.

Fake Security Alerts Impersonate Official MetaMask Warnings

SlowMist identified fake security warning pages that closely resemble MetaMask system notifications. The pages warn users that their wallets face immediate threats and require urgent verification. Attackers use this urgency to reduce hesitation and prompt quick responses.

🚨 New #metamask phishing scam alert

Attackers are impersonating a “2FA security verification” flow, redirecting users via look-alike domains to fake security warnings with countdown timers and “authenticity checks.”

The final step asks for your wallet recovery phrase — once… pic.twitter.com/3bX9U1wZbs

Advertisement

— SlowMist (@SlowMist_Team) January 5, 2026

Victims often reach these pages through emails posing as MetaMask Support messages. The emails feature professional branding, including logos, fonts, and color schemes similar to official materials. Domains used in the scam differ from legitimate ones by a single character.

SlowMist stated the attackers relied on visual authenticity and timing. The method increased the likelihood of victims proceeding without scrutiny. Once users click the link, they enter a staged security flow. Each step appears consistent with known security practices. The process builds trust before requesting sensitive information.

Fake Two-Factor Authentication Used as Entry Point

After landing on the phishing page, users see instructions to complete mandatory two-factor authentication. The interface mimics legitimate 2FA verification screens. However, the entire process is fabricated. The flow guides users through several confirmation steps. Each step normalizes data entry and reinforces the appearance of security compliance. Attackers design the sequence to reduce suspicion.

The scam exploits familiarity with two-factor authentication protections. Attackers rely on users associating 2FA with safety. This association increases compliance during the process. Security researchers say the 2FA framing adds psychological pressure. Users believe refusal could risk account security. This belief increases vulnerability to deception.

The final step requests the wallet’s seed phrase under the pretense of verification or recovery. Once entered, attackers gain full control of the wallet. Assets are drained within minutes. A seed phrase functions as the wallet’s master key. Anyone with access can recreate the wallet on another device. They can also sign and execute transactions independently.