{"id":19167,"date":"2026-01-05T09:32:01","date_gmt":"2026-01-05T09:32:01","guid":{"rendered":"https:\/\/bitunikey.com\/news\/metamask-users-targeted-by-fake-2fa-phishing-scam-that-steals-seed-phrases\/"},"modified":"2026-01-05T09:32:18","modified_gmt":"2026-01-05T09:32:18","slug":"metamask-users-targeted-by-fake-2fa-phishing-scam-that-steals-seed-phrases","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/metamask-users-targeted-by-fake-2fa-phishing-scam-that-steals-seed-phrases\/","title":{"rendered":"MetaMask users targeted by fake 2FA phishing scam that steals seed phrases"},"content":{"rendered":"<div class=\"post-detail__content blocks\">\n<p class=\"is-style-lead\">MetaMask users are at risk of a new \u201c2FA verification\u201d phishing scam that steals their seed phrase under the guise of improving security.<\/p>\n<div id=\"cn-block-summary-block_d52b636aca388a400e6c1dfc74948b63\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>MetaMask users are being targeted by a phishing campaign involving a fake 2FA verification process.<\/li>\n<li>The new campaign comes on the heels of a large-scale wallet exploit and the Trust Wallet Chrome extension incident.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<p>According to blockchain security firm SlowMist, MetaMask users are receiving a spoofed email that creates a false sense of urgency by prompting them to enable Two-Factor Authentication. The message is MetaMask-branded and appears convincing at first glance. (See below.)<\/p>\n<figure class=\"wp-block-image size-full\"><figcaption class=\"wp-element-caption\">A spoof email sent by attackers | Source: <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/im23pds\/status\/2008008223526400417?s=20\" target=\"_blank\" rel=\"nofollow\">X\/im23pds<\/a><\/figcaption><\/figure>\n<p>Notably, the malicious notifier also comes with a countdown timer, which increases pressure on the user and attempts to force a quick response.<\/p>\n<p>Upon clicking the \u201cEnable 2FA Now\u201d button, users are redirected to a fake page hosted by the attacker. However, in reality, the entire process is a sham. The main goal is to trick MetaMask users into entering their mnemonic phrase, which attackers can use to access and transfer funds from their wallets. (See below.)<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"1567\" src=\"https:\/\/bitunikey.com\/news\/wp-content\/uploads\/2026\/01\/1767605521_58_MetaMask-users-targeted-by-fake-2FA-phishing-scam-that-steals.webp.webp\" alt=\"Malicious website asking users to input their seed phrase.\" class=\"wp-image-14443104\"><figcaption class=\"wp-element-caption\">Malicious website asking users to input their seed phrase | Source: X\/im23pds\u00a0<\/figcaption><\/figure>\n<p>    <!-- .cn-block-related-link --><\/p>\n<p>While at first glance a less cautious user may fall for this scheme, the spoof email contains several giveaways that can help users spot the fraud.<\/p>\n<p>For instance, such phishing messages often include subtle typos or design inconsistencies that can reveal their true nature. In this case, the URL to which MetaMask users were redirected was spelled as \u201cmertamask\u201d instead of \u201cmetamask.\u201d In some cases, these emails are also sent from completely unrelated email accounts, or from addresses using public domains like Gmail. (See below.)<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1208\" height=\"1028\" src=\"https:\/\/bitunikey.com\/news\/wp-content\/uploads\/2026\/01\/1767605521_892_MetaMask-users-targeted-by-fake-2FA-phishing-scam-that-steals.webp.webp\" alt=\"Typos within spoof emails.\" class=\"wp-image-14443102\"><figcaption class=\"wp-element-caption\">Typos within spoof emails | Source: X\/im23pds<\/figcaption><\/figure>\n<p>Lastly, it is important to remember that MetaMask does not send unsolicited emails asking users to verify their accounts or perform security updates. Any such requests are typically scams.<\/p>\n<h1 class=\"wp-block-heading\">Recent phishing campaigns targeting crypto users<\/h1>\n<p>Late last week, cybersecurity researcher Vladimir S. <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/officer_secret\/status\/2006918899254882421\" target=\"_blank\" rel=\"nofollow\">flagged a similar campaign<\/a> that pushed a fake MetaMask app update. It is believed to be connected to an ongoing wallet-draining exploit.<\/p>\n<p>According to on-chain sleuth ZachXBT, the incident resulted in losses of <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/t.me\/investigations\/298\" target=\"_blank\" rel=\"nofollow\">less than $2,000<\/a> per wallet but affected a wide range of users across several EVM-compatible networks. However, it has not been confirmed whether the two campaigns are definitely connected.<\/p>\n<p>The incident was also linked to the Trust Wallet hack that occurred on Christmas Day, where losses climbed to roughly $7 million.\u00a0<\/p>\n<p>The attacker managed to gain access to the wallet\u2019s browser extension source code and uploaded a malicious version of the extension to the Chrome Web Store. Trust Wallet has vowed to compensate all users affected by the incident.<\/p>\n<p>Separately, Cardano users were also warned about a different ongoing attack that circulated emails promoting a fraudulent Eternl Desktop application.<\/p>\n<p>Despite these events all happening within less than two weeks, a recent Scam Sniffer report showed that total losses from crypto phishing campaigns dropped nearly 88% in 2025 from the previous year.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>MetaMask users are at risk of a new \u201c2FA verification\u201d phishing scam that steals their seed phrase under the guise of improving security. Summary MetaMask users are being targeted by&hellip;<\/p>\n","protected":false},"author":1,"featured_media":19168,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-19167","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/19167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=19167"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/19167\/revisions"}],"predecessor-version":[{"id":19169,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/19167\/revisions\/19169"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/19168"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=19167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=19167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=19167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}