SlowMist Warns of Sophisticated 2FA Scam Targeting MetaMask Wallets

SlowMist Chief Security Officer “23pds” issued an urgent warning about a new phishing scam targeting MetaMask users through fake two-factor authentication verification pages designed to steal wallet recovery phrases.

The sophisticated attack mimics MetaMask’s security interface using spoofed domain names that closely resemble the legitimate platform, tricking users into believing they’re completing standard security procedures while surrendering critical wallet credentials.

The scam operates through multiple deceptive stages that exploit user trust in security protocols.

Attackers create fraudulent domains like “mertamask” instead of “metamask” and redirect victims to convincing security alert pages that appear authentic.

Users then encounter what appears to be a standard 2FA verification screen, complete with countdown timers and realistic safety reminders, which builds false confidence before the final step requests their seed phrase under the guise of authentication completion.

New Attack Vector Emerges as Phishing Tactics Evolve

While overall phishing losses declined sharply in 2025, with wallet-draining attacks dropping 83% to $83.85 million from nearly $494 million the previous year, attackers continue to adapt their methods.

According to a Cryptonews report, the number of affected users fell to approximately 106,000, a 68% year-over-year decrease.

Yet sophisticated operations like the MetaMask 2FA scam show that threat actors continue to refine social engineering tactics even as aggregate losses decline.

Phishing activity tracked closely with broader market cycles throughout 2025, with the third quarter recording the highest losses at $31 million during Ethereum’s strongest rally.

August and September alone accounted for nearly 29% of total annual losses, reinforcing what security experts see as phishing operating as a “probability function of user activity,” where higher transaction volumes increase the potential victim pool.

The largest single incident of the year involved a $6.5 million theft in September tied to a malicious Permit signature.

Permit and Permit2 approvals remained the most effective attack vectors, accounting for 38% of losses in cases exceeding $1 million, while new attack vectors emerged following Ethereum’s Pectra upgrade.

Attackers began abusing EIP-7702-based malicious signatures, which enable multiple harmful actions to be bundled into a single user approval, leading to two such incidents in August that resulted in $2.54 million in losses.

Despite the overall decline, attackers shifted strategies from large-scale heists to mass retail campaigns, with only 11 cases exceeding $1 million in 2025 compared to 30 the previous year.

The average loss per victim fell to $790, pointing to a broader focus on retail users rather than isolated high-profile thefts.

Recent coordinated attacks have drained hundreds of wallets across EVM-compatible networks, with individual losses typically under $2,000 per address.

Industry Mobilizes Defense Networks Against Persistent Threats

Major wallet providers, including MetaMask, Phantom, WalletConnect, and Backpack, have launched a global phishing defense network through partnership with the Security Alliance (SEAL), creating what they describe as a “decentralized immune system” for real-time threat identification.

The system allows anyone worldwide to submit verifiable phishing reports, which are automatically validated and broadcast to all participating wallets, enabling quicker response times and potentially saving more funds.

“Drainers are a constant cat-and-mouse game,” MetaMask security researcher Ohm Shah said. “Partnering with SEAL allows wallet developers to move faster and throw a wrench at the drainer’s infra.“

The defense effort builds on SEAL’s verifiable phishing reports tool, which lets security researchers prove that reported websites actually host phishing content.

Beyond technical exploits, deepfake technology has emerged as another threat vector, with Manta Network co-founder Kenny Li revealing back in April that he was targeted in a sophisticated Zoom call using prerecorded videos of familiar individuals.

The attackers attempted to trick him into downloading malicious script files disguised as Zoom updates, with Li suspecting North Korea-linked Lazarus Group involvement.

Meanwhile, crypto-related losses from hacks and cybersecurity exploits fell 60% in December to approximately $76 million, down from November’s $194.2 million.

However, security experts caution that persistent threats such as address-poisoning scams and browser wallet exploits continue to target users across the ecosystem.