Fake MetaMask 2FA Phishing Steals Seed Phrases via Urgent Emails
A targeted phishing campaign is impersonating MetaMask to trick users into revealing their seed (mnemonic) phrases by mimicking a mandatory two‑factor authentication (2FA) flow. Attackers send highly convincing spoofed emails urging recipients to “Enable 2FA Now,” often with countdown timers and MetaMask branding. Links lead to lookalike domains (single‑letter swaps such as “mertamask”) or fraudulent pages that replicate MetaMask’s interface and prompt users to enter their mnemonic; once supplied, attackers can recreate and drain wallets.

SlowMist flagged the campaign and researchers report related fake app‑update scams. The campaign is linked conceptually to recent wallet drains, for example the compromised Trust Wallet browser‑extension incident that led to roughly $7 million in losses. While industry trackers (Scam Sniffer) report an overall drop in phishing losses in 2025, criminals are shifting from mass spam to lower‑volume, high‑credibility social engineering that leverages urgency, polished design, and trusted security concepts (2FA) to bypass user caution.

Trader guidance: never enter seed phrases in response to unsolicited emails, verify sender addresses and exact domains (watch for single‑letter typos), install extensions/apps only from official stores or verified sites, prefer hardware wallets for large holdings, and maintain standard security hygiene (updated software, phishing checks, and separate devices for sensitive ops).
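The "verify exact domains" advice can be automated in a mail filter or link checker. The following is an added example, not code from SlowMist or MetaMask: it flags hostnames whose labels sit within a small edit distance of the brand name. The allow-list entry `metamask.io`, the distance threshold of 2, and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: illustrative allow-list; confirm official domains before relying on it.
OFFICIAL_DOMAINS = {"metamask.io"}
BRAND_LABELS = {d.split(".")[0] for d in OFFICIAL_DOMAINS}
MAX_DISTANCE = 2  # assumption: tolerates up to two single-character edits

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def classify_link(url):
    """Return 'official', 'lookalike' or 'unrelated' for the link's hostname."""
    target = url if "//" in url else "//" + url
    host = (urlsplit(target).hostname or "").lower().rstrip(".")
    if host in OFFICIAL_DOMAINS or any(host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # The brand (or a near miss) appearing in any label of a non-official host is suspect.
    for label in re.split(r"[.\-]", host):
        if any(osa_distance(label, brand) <= MAX_DISTANCE for brand in BRAND_LABELS):
            return "lookalike"
    return "unrelated"

# Constructed sample links; only the "mertamask" spelling comes from the report.
SAMPLES = [
    "https://metamask.io/download",
    "https://mertamask.example/enable-2fa",
    "https://metamsak.example/verify",
    "https://metamask.security-update.example/",
    "https://example.org/news",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

Edit distance does not catch homoglyph (punycode) hostnames, so `xn--` labels need a separate check.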
Bearish
This news is likely bearish for MetaMask-related confidence and could exert short‑term negative pressure on related token sentiment and usage. While the attacks do not directly change protocol fundamentals, high‑visibility wallet‑draining scams reduce user trust in browser wallets and may depress activity, on‑chain flows, and new onboarding via MetaMask in the short term. Traders may see increased liquidity outflows to hardware or custodial solutions, temporary withdrawal of funds from hot wallets, and cautious trading behavior around assets commonly traded via browser extensions. In the longer term, effects depend on MetaMask’s and ecosystem partners’ remediation (domain takedowns, improved UX warnings, verified extension channels). Rapid, visible security fixes and user education could restore confidence; lack of a strong response or further high‑loss incidents would prolong negative sentiment. Overall impact is behavioral (reduced wallet usage and possible short‑term sell pressure) rather than altering token utility or monetary policy.