MetaMask users are at risk of a new “2FA verification” phishing scam that steals their seed phrase under the guise of improving security.

According to blockchain security firm SlowMist, MetaMask users are receiving a spoofed email that creates a false sense of urgency by prompting them to enable Two-Factor Authentication. The message is MetaMask-branded and appears convincing at first glance. (See below.)

Notably, the malicious notifier also comes with a countdown timer, which increases pressure on the user and attempts to force a quick response.

Upon clicking the “Enable 2FA Now” button, users are redirected to a fake page hosted by the attacker. However, in reality, the entire process is a sham. The main goal is to trick MetaMask users into entering their mnemonic phrase, which attackers can use to access and transfer funds from their wallets. (See below.)

While at first glance a less cautious user may fall for this scheme, the spoof email contains several giveaways that can help users spot the fraud.

For instance, such phishing messages often include subtle typos or design inconsistencies that can reveal their true nature. In this case, the URL to which MetaMask users were redirected was spelled as “mertamask” instead of “metamask.” In some cases, these emails are also sent from completely unrelated email accounts, or from addresses using public domains like Gmail. (See below.)

Lastly, it is important to remember that MetaMask does not send unsolicited emails asking users to verify their accounts or perform security updates. Any such requests are typically scams.

Recent phishing campaigns targeting crypto users

Late last week, cybersecurity researcher Vladimir S. flagged a similar campaign that pushed a fake MetaMask app update. It is believed to be connected to an ongoing wallet-draining exploit.

According to on-chain sleuth ZachXBT, the incident resulted in losses of less than $2,000 per wallet but affected a wide range of users across several EVM-compatible networks. However, it has not been confirmed whether the two campaigns are definitely connected.

The incident was also linked to the Trust Wallet hack that occurred on Christmas Day, where losses climbed to roughly $7 million. 

The attacker managed to gain access to the wallet’s browser extension source code and uploaded a malicious version of the extension to the Chrome Web Store. Trust Wallet has vowed to compensate all users affected by the incident.

Separately, Cardano users were also warned about a different ongoing attack that circulated emails promoting a fraudulent Eternl Desktop application.

Despite these events all happening within less than two weeks, a recent Scam Sniffer report showed that total losses from crypto phishing campaigns dropped nearly 88% in 2025 from the previous year.