- Attackers spoof MetaMask alerts and fake 2FA pages to steal seed phrases.
- The Mertamask domain uses typosquatting and urgency tactics to trick users.
A fresh wave of phishing attempts is circling back toward MetaMask users, this time with a more polished and coordinated setup. SlowMist’s Chief Information Security Officer (CISO) has raised the alarm over a new scam framed as a “2FA verification,” built to look far more legitimate than earlier attacks.
This method mimics the official security flow and directs victims to fake websites, one of which is “Mertamask.” This is where many users become unprepared, as the interface and narrative appear to originate from MetaMask’s own system.
MetaMask 出现新型 '2FA 安全验证' 骗局 @MetaMask @tayvano_
注意防范 pic.twitter.com/RJM78If9zb— 23pds (山哥) (@im23pds) January 5, 2026
The scheme usually starts with a bogus security notice sent by email, warning of suspicious activity in a user’s wallet. The message wastes no time, urging the recipient to “verify” right away. However, instead of going to the official page, users are redirected to a deliberately similar Mertamask domain.
Small changes in the lettering are easy to miss, particularly when an urgent warning pushes someone into panic mode. Once they click through, victims land on a fake 2FA page outfitted with a countdown meant to heighten the pressure.
MetaMask Users Tricked Into Handing Over Recovery Phrases
On the fake page, users are asked to follow seemingly logical steps. However, in the final stage, the site asks for a recovery phrase or seed phrase. This is where the scam’s core lies. MetaMask never asks for a seed phrase for verification, updates, or any other security reasons. Once the phrase is entered, control of the wallet is immediately transferred.
Not only that, the asset draining process is usually quick and silent, with victims only realizing it after their balances have been drastically reduced.
Interestingly, this approach marks a shift in the fraudsters’ focus. While previously many attacks relied on random messages or superficial visuals, now the visuals and flow are much more convincing.
Furthermore, psychological pressure has become a primary weapon. Threat narratives, time limits, and a professional appearance combine to make MetaMask users act reflexively, rather than rationally.
Malicious Contract Signatures Enable Silent Asset Theft
This fake 2FA scheme emerged amid a surge in other phishing attacks also targeting the EVM ecosystem. Recently, hundreds of EVM wallets, primarily MetaMask users, fell victim to fraudulent emails claiming a “mandatory update.”
In these cases, victims were not asked for their seed phrase but instead were lured into signing a malicious contract. Over $107,000 was stolen in small amounts from each wallet, a strategy that makes the theft difficult to detect individually. This pattern exploits the speed of transaction signatures, as opposed to direct seed phrase theft.
On the other hand, on December 9, we reported that MetaMask had expanded cross-chain exchanges through its Rango multi-chain routing infrastructure. What started with the EVM and Solana has now expanded to Bitcoin, giving users even broader cross-chain reach.
A few days earlier, on December 5, we also highlighted the direct integration of Polymarket into MetaMask Mobile, allowing users to participate in prediction markets without leaving the app and earn MetaMask Rewards.
Also, in late November, we covered the on-chain equity perpetual trading feature in MetaMask Mobile, which opens access to long and short positions on a variety of global assets with leverage options.
