MetaMask 2FA Scam Emerges, Phishing Attacks Sink 83% in 2025



Crypto investors are being targeted by a new phishing campaign that impersonates MetaMask and tricks users into handing over their wallet recovery phrases, according to the blockchain security firm SlowMist.
The attackers stage a fake two-factor authentication (2FA) security verification flow, using fake security warnings to redirect users to fraudulent domains that request their seed phrases.
Once users share their wallet recovery phrase, the funds from the wallet are stolen, warned SlowMist’s chief security officer, 23pds, in a Monday X post.
The new wave of scams serves as a stark reminder that decentralized wallet protocols would never ask users for their secret recovery phrase, which gives anyone who holds it control of the wallet.
The phishing email redirects users to fake domains impersonating MetaMask, urging them to enable 2FA within a short period and claiming they would otherwise lose access to key wallet features.
The final step of the fraudulent process asks users for their 12-word seed phrase to complete the “security setup.”
Crypto phishing scams involve hackers sharing fraudulent links with victims to steal sensitive information, such as crypto wallet private keys.
Phishing scams have been a long-standing issue in the cryptocurrency space, but the decreasing number of incidents signals that investors are becoming wiser to this threat.
Phishing scams fall 83% in 2025
Losses to phishing scams decreased 83% year-over-year, falling to $83.3 million in 2025, from $494 million stolen through phishing in 2024, according to a report from Web3 security tool Scam Sniffer, published on Saturday.
The number of phishing scam victims also decreased by 68% year-over-year, from 332,000 victims in 2024 to 106,000 in 2025.
However, losses to phishing attacks peaked in the third quarter of the year, during the market’s most active period, signaling that phishing losses closely track market activity.
“When markets are active, overall user activity increases, and a percentage fall victim — phishing operates as a probability function of user activity,” wrote Scam Sniffer in the report.
Phishing scammers often impersonate the most popular brands to build trust with their victims.
MetaMask is the world’s leading self-custodial wallet with over 100 million annual users and 244,000 connected decentralized applications, according to its parent company, Consensys.



