A new phishing scam is tricking MetaMask users into handing over their seed phrases by mimicking two-factor authentication (2FA) alerts.
Quick Summary – TLDR:
- Scammers are impersonating MetaMask using fake emails and 2FA pages to steal wallets.
- Victims are urged to enter their seed phrase on fake sites, leading to immediate fund loss.
- The phishing scam includes countdown timers and urgent warnings to rush users.
- MetaMask confirms it will never request secret recovery phrases via email.
What Happened?
Cybersecurity firm SlowMist first flagged the phishing campaign on January 5, 2026, after spotting fake MetaMask security emails circulating online. These emails claim that users must activate 2FA by a specific deadline, pressuring them to click a button labeled “Enable 2FA Now.” The button links to counterfeit websites made to look like MetaMask’s real interface, where users are tricked into entering their seed phrase. Once the phrase is submitted, scammers instantly drain the wallet.
🚨 New #metamask phishing scam alert
Attackers are impersonating a “2FA security verification” flow, redirecting users via look-alike domains to fake security warnings with countdown timers and “authenticity checks.”
The final step asks for your wallet recovery phrase — once…
— SlowMist (@SlowMist_Team) January 5, 2026
How the Scam Works
This phishing scam uses typosquatting domains such as “matamask” and visually identical interfaces to fool users. Here’s the typical attack flow:
- Victims receive an email from addresses mimicking MetaMask, warning of security risks and account restrictions.
- These emails claim 2FA is mandatory and include fake deadlines to create urgency.
- Clicking the email button leads to a counterfeit MetaMask 2FA setup page, complete with a countdown timer and fake security alerts.
- Users are prompted to “verify ownership” by entering their 12- or 24-word seed phrase.
- Once entered, scammers import the wallet and instantly transfer all assets to their own addresses.
The scam is particularly dangerous because it relies entirely on social engineering, not technical flaws in MetaMask itself.
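A mail-filter-style check for the look-alike domains described above, as an added example (not code from SlowMist, MetaMask or the original article): it extracts the links from an email body and flags hosts whose labels are within two edits of "metamask" or that embed the brand outside an allow-list. The allow-list entry `metamask.io`, the two-edit threshold and the `.example` sample links are assumptions.

```python
import re
from urllib.parse import urlsplit

BRAND = "metamask"
OFFICIAL = {"metamask.io"}  # assumption: allow-list maintained by the defender

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (insert, delete, substitute, transpose)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]

def classify_host(host: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for one hostname."""
    host = host.lower().rstrip(".")
    if any(host == o or host.endswith("." + o) for o in OFFICIAL):
        return "official"
    # Check every label and hyphen-separated token, so the brand used as a
    # subdomain or inside a longer name is caught as well as misspellings.
    tokens = [t for label in host.split(".") for t in [label, *label.split("-")]]
    for t in tokens:
        if BRAND in t or (abs(len(t) - len(BRAND)) <= 2 and edit_distance(t, BRAND) <= 2):
            return "lookalike"
    return "unrelated"

def lookalike_links(email_body: str) -> list:
    """Extract http(s) URLs from an email body and return the look-alike hosts."""
    hosts = []
    for url in re.findall(r"https?://[^\s\"'<>]+", email_body):
        host = urlsplit(url).hostname or ""
        if classify_host(host) == "lookalike" and host not in hosts:
            hosts.append(host)
    return hosts

# Constructed sample email; the hosts under .example are placeholders.
SAMPLE = """Enable 2FA Now: https://matamask.example/2fa?deadline=soon
Help: https://support.metamask.io/ Unsubscribe: https://mail.example/u"""
```

Calling `lookalike_links(SAMPLE)` returns only the misspelled host; a hit is a reason to quarantine or warn, not proof of fraud, since short edit distances can also match unrelated names.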
Losses and Impact
While exact loss figures from this latest phishing wave are still unfolding, prior similar scams flagged by on-chain analyst ZachXBT have drained over $107,000 from wallets across Ethereum Virtual Machine (EVM) chains. Victims often lose between $500 and $2,000 per wallet, making individual losses hard to detect immediately. Attackers typically convert the stolen assets into ETH or stablecoins, quickly moving them across wallets to obscure the trail.
This surge in phishing activity follows a broader trend seen in 2025, when phishing-related crypto losses dropped to $84 million from $494 million the year before. However, experts caution that scams spike during bull markets. In Q3 2025, for instance, losses surged to $31 million alongside a major Ethereum rally.
MetaMask’s Response and User Warnings
MetaMask has reiterated that it does not send unsolicited emails, and will never request seed phrases, even for security or account recovery purposes. Any emails requesting such information should be treated as fraudulent.
In light of these attacks, malware researcher Tomas Meskauskas and Australian security firm MailGuard have both issued updated guidance urging users to inspect sender addresses, avoid clicking unknown links, and never enter seed phrases outside of the wallet app itself.
MetaMask also reminded users that even if wallets are linked to Google or Apple accounts, the company does not request those credentials and does not initiate email communication unless the user reaches out first.
Security Experts Urge Proactive Measures
Blockchain security firm Halborn called on MetaMask and other crypto companies to establish robust anti-phishing processes and rapid incident response teams. Since scams are constantly evolving, no user or platform is immune. According to Halborn, having a dedicated security response process can be the difference between a minor breach and a major theft.
SQ Magazine Takeaway
I’ve seen phishing scams in crypto before, but this one is especially dangerous because it hits where users least expect it – their email inbox. What makes it worse is the emotional trickery. When a message says your wallet will be restricted unless you act fast, it’s easy to panic. But remember this: your seed phrase is your wallet’s master key. No company will ever ask for it. If they do, that’s your cue to walk away. MetaMask isn’t at fault here, but it’s a wake-up call for all of us to double check, slow down, and stay skeptical. Crypto security starts with you.