Leading blockchain security company SlowMist has alerted cryptocurrency users to a sophisticated phishing campaign impersonating MetaMask, a popular Ethereum wallet provider. The scam exploits users’ concerns about account security by sending fraudulent emails that urge immediate setup of two-factor authentication (2FA), ultimately aiming to steal wallet recovery phrases and drain funds.
According to SlowMist’s detailed thread posted on X (formerly Twitter), the attack begins with spoofed emails appearing to come from MetaMask support. These messages claim that users must enable 2FA to prevent account compromise, complete with urgent language and a prominent link directing victims to a fake domain, such as “2fa.metamask.com.”
Once clicked, users are taken through a multi-step deception designed to build trust and pressure:
- A counterfeit Cloudflare verification page mimics legitimate security checks.
- A QR code is presented, supposedly for scanning to enable 2FA via an authenticator app.
- The final stage displays a convincingly designed form requesting the user’s 12- or 24-word seed phrase, framed as necessary for “securing” the wallet.
SlowMist emphasized that MetaMask does not use traditional 2FA systems in this manner and never requests seed phrases via email, websites, or support channels. Entering the recovery phrase on any unauthorized site grants attackers full control over the wallet.
The firm shared screenshots illustrating the scam’s flow, highlighting subtle design elements that closely replicate official MetaMask branding to evade detection.
Cryptocurrency users should remain vigilant against urgency-driven tactics like countdown timers and official-looking domains,” SlowMist stated in their alert. They recommend verifying any communication directly through the official MetaMask website (metamask.io) and enabling hardware wallet integration for enhanced security.
This incident underscores the persistent evolution of social engineering attacks in the crypto space, even as overall phishing attempts have reportedly declined in recent years. Users are advised to report suspicious emails and enable email filters to block known phishing domains.
For the latest security updates, follow trusted sources like SlowMist and official wallet providers. Always remember: legitimate services will never ask for your seed phrase.
Join our Telegram Channel