Last updated on January 11th, 2026 at 09:37 pm
Quick Breakdown
- Fake MetaMask 2FA pages are being used to steal wallet recovery phrases via spoofed domains
- Phishing losses dropped sharply in 2025, but attackers are adopting more advanced social engineering tactics
- Wallet providers are collaborating globally to identify and block phishing threats in real time
SlowMist Chief Security Officer, known as “23pds,” has issued an urgent alert over a newly discovered phishing campaign targeting MetaMask users through fake two-factor authentication (2FA) verification pages.
🚨MetaMask 出现新型 ‘2FA 安全验证’ 骗局 @MetaMask @tayvano_
注意防范 pic.twitter.com/RJM78If9zb— 23pds (山哥) (@im23pds) January 5, 2026
The scam uses highly convincing replicas of MetaMask’s security interface, tricking users into believing they are completing routine safety checks while unknowingly handing over their wallet recovery phrases.
According to SlowMist, the attack unfolds in multiple deceptive steps designed to exploit users’ trust in standard security procedures.
Attackers first lure victims to spoofed domains such as “mertamask,” closely resembling MetaMask’s official website. Once redirected, users are shown what appears to be a legitimate security alert page warning of suspicious activity.
Victims are then prompted to complete a supposed 2FA verification, complete with countdown timers and realistic safety messaging. The final step asks users to input their seed phrase, falsely presented as a requirement to complete authentication, giving attackers full control of the wallet.
Phishing losses fall, but attacks grow more sophisticated
While phishing-related crypto losses dropped significantly in 2025, threat actors are clearly refining their methods.
Data cited by ScamSniffer shows wallet-draining losses fell 83% year-over-year to $83.85 million, down from nearly $494 million in 2024. The number of affected users also declined by 68% to roughly 106,000.
However, experts note that phishing activity continues to mirror broader market trends. Losses peaked in the third quarter of 2025, coinciding with Ethereum’s strongest rally, with August and September accounting for nearly 29% of the year’s total losses.
The single largest incident involved a $6.5 million theft in September, linked to a malicious Permit signature. Permit and Permit2 approvals remained the most exploited attack vector, responsible for 38% of losses above $1 million.
New Ethereum exploits and shift toward retail victims
Following Ethereum’s Pectra upgrade, attackers began abusing EIP-7702-based malicious signatures, which allow multiple harmful actions to be bundled into a single approval.
Recent coordinated attacks across EVM-compatible chains drained hundreds of wallets, typically stealing less than $2,000 per address.
In response, major wallet providers, including MetaMask, Phantom, WalletConnect, and Backpack, have partnered with the Security Alliance (SEAL) to launch a global phishing defense network.
If you would like to read more articles like this, visit DeFi Planet and follow us on Twitter, LinkedIn, Facebook, Instagram, and CoinMarketCap Community.
Take control of your crypto portfolio with MARKETS PRO, DeFi Planet’s suite of analytics tools.”
