MetaMask Security Alert: New 2FA Scam Steals Seed Phrases

By Bartek

05 Jan 2026

MetaMask users are facing a sophisticated new phishing scam involving fake 2FA security checks. Scammers are using verified-looking pages to trick victims into revealing their wallet recovery phrases.

Fake 2FA flow targets MetaMask users

A new phishing campaign targets MetaMask wallet users with fake security messages that copy official support language. The messages claim that users must complete a new two-factor authentication (2FA) security check to avoid restrictions. Two-factor authentication, or 2FA, adds a second step like a code or prompt when users sign in. In this scam, attackers direct victims to websites that replicate MetaMask colours, logos, and layout to appear legitimate.

Typosquatted domains and countdown pressure

Attackers register typosquatted domains that differ from official addresses by one or two characters. These domains host pages that request the full wallet recovery phrase, also called the seed phrase. The fake pages display a countdown timer and warning banners that claim the wallet faces suspension without immediate action. Once users enter the seed phrase, attackers import the wallet and drain funds without further contact.
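As an added illustration (not code from MetaMask or SlowMist), the sketch below shows how a mail or proxy filter could flag hostnames that sit one or two edits away from an official domain, the pattern described above. The official domain `metamask.io`, the two-edit threshold, and every sample hostname are assumptions constructed for this example.

```python
# Added example: flag hostnames within one or two edits of an official domain.
# OFFICIAL is an assumption (the article does not list the official address).
OFFICIAL = {"metamask.io"}
MAX_EDITS = 2  # "one or two characters", per the article


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "sa" typed for "as".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def classify(host: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a hostname."""
    host = host.strip().lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    # Naive registrable domain: the last two labels. Production code should
    # consult the Public Suffix List instead.
    registrable = ".".join(host.split(".")[-2:])
    nearest = min(osa_distance(registrable, d) for d in OFFICIAL)
    return "lookalike" if nearest <= MAX_EDITS else "unrelated"


if __name__ == "__main__":
    # Constructed test strings, not observed indicators.
    samples = [
        "portfolio.metamask.io",
        "metamaask.io",
        "metamsak.io",
        "login.rnetamask.io",
        "example.org",
    ]
    for s in samples:
        print(f"{s:28} {classify(s)}")
```

Edit distance does not catch internationalized homoglyph domains or the brand name used as a subdomain of an unrelated site, so a check like this complements an allowlist of official addresses rather than replacing it.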

Security context and industry response

Blockchain security firm SlowMist reported this campaign and linked it to groups that run long-term wallet-draining operations. Reports describe a wider pattern where phishing losses in 2025 declined in total value while social engineering techniques became more polished. MetaMask states that support teams never request a seed phrase through email, chat, or pop-up messages. Any request for a seed phrase on a web form or support channel indicates an active theft attempt.

Partnering with SEAL enables wallet developers to act swiftly and disrupt the drainers' infrastructure. — Ohm Shah, Security Researcher at MetaMask

Practical safety signals for users

Legitimate self-custody wallets never ask users to enter a full seed phrase into a website for security checks. Security checks rely on local devices and signed transactions, not recovery phrases typed into forms. Users who manage funds in browser wallets rely on hardware backups and private key storage, not on email-based 2FA resets. Any message or site that combines seed phrase requests with countdown timers, suspension threats, or aggressive warnings represents a high-risk phishing attempt.
