A new phishing campaign targeting crypto users is impersonating MetaMask, attempting to steal wallet recovery phrases through fake security checks, according to blockchain security firm SlowMist.
Fake 2FA alerts mimic MetaMask security flow
SlowMist warns that attackers are posing as MetaMask and imitating a two-factor authentication (2FA) security verification process. Victims are redirected to fraudulent websites through fake security warnings that claim urgent action is required to protect their wallet.
These phishing pages urge users to enable 2FA within a short time frame, falsely warning that access to key wallet features may be restricted if they fail to comply. The process is designed to look legitimate and closely resembles real MetaMask security prompts.
Seed phrases remain the main target
The final step of the scam asks users to enter their 12-word secret recovery phrase to complete the so-called “security setup.” Once a user shares this phrase, attackers immediately gain full control of the wallet and drain the funds.
SlowMist’s chief security officer, known as 23pds, highlighted the risk in a post on X, stressing that decentralized wallets will never request recovery phrases under any circumstances. Anyone with access to a seed phrase can fully control the wallet and its assets.
How crypto phishing scams work
Crypto phishing scams typically involve fraudulent emails or messages containing malicious links. These links lead to fake websites designed to steal sensitive information such as private keys or wallet recovery phrases. Attackers often impersonate well-known crypto brands to increase credibility and improve their chances of success.
MetaMask’s popularity makes it a frequent target, as scammers rely on brand recognition and urgency to pressure users into making mistakes.
Phishing losses drop sharply in 2025
Despite ongoing threats, overall phishing activity in crypto has declined significantly. According to a recent report from Web3 security platform Scam Sniffer, losses from phishing scams fell 83% year-over-year in 2025, dropping to $83.3 million from $494 million in 2024.
The number of victims also decreased by 68%, from 332,000 in 2024 to 106,000 in 2025. This suggests that crypto investors are becoming more aware of phishing risks and better at identifying suspicious activity.
Market activity still drives phishing spikes
Scam Sniffer noted that phishing losses peaked during the third quarter, when crypto markets were most active. According to the report, higher user activity increases the likelihood that a portion of users will fall victim to scams.
“When markets are active, overall user activity increases, and a percentage fall victim — phishing operates as a probability function of user activity,” the report stated.
Why MetaMask remains a prime target
MetaMask is currently the world’s leading self-custodial crypto wallet, with more than 100 million annual users and over 244,000 connected decentralized applications, according to its parent company Consensys.
Security experts continue to stress one key rule for users: never share your recovery phrase, no matter how official or urgent a request may appear.
