SlowMist warns of sophisticated 2FA fraud targeting MetaMask Wallet



Crypto journalist

Anas Hasan


About the author

Anas is a crypto-native journalist and SEO writer with over five years of experience covering blockchain, crypto, and emerging technologies.

Last Updated:

January 5, 2026

SlowMist Chief Security Officer “23pds” issued an urgent warning of a new phishing scam targeting MetaMask users with fake two-factor authentication pages designed to steal wallet recovery phrases.

The sophisticated attack mimics MetaMask's security interface by using domain names that closely resemble the legitimate platform, tricking users into providing critical wallet credentials while completing standard security procedures.

The scam works in several deceptive steps that exploit the user's trust in security protocols.

Attackers register spoofed domains such as “mertamask” instead of “metamask” and redirect victims to plausible security alert pages that look legitimate.

Users are shown a standard-looking 2FA verification screen, complete with countdown timers and realistic security reminders, which builds a false sense of confidence before the page asks for the wallet recovery phrase under the pretense of completing the last step of verification.
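The lookalike-domain step above is the part a defender can check mechanically. The following is an added example, not code from SlowMist, MetaMask or this article: it flags hostnames containing a near-miss of a protected brand name, using an edit distance that counts insertions, deletions, substitutions and adjacent swaps. The brand list, the official-domain list, the `.example` URLs and the distance threshold are assumptions.

```javascript
// Added example: flag hostnames whose labels are near-misses of a wallet brand.
// BRANDS, OFFICIAL_DOMAINS and the threshold are assumptions, not a vendor's real lists.
const BRANDS = ["metamask"];
const OFFICIAL_DOMAINS = ["metamask.io"];

// Optimal string alignment distance: insert, delete, substitute, adjacent transposition.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns { verdict: "official" | "lookalike" | "unrelated", brand?, label? }.
function classifyUrl(rawUrl, maxDistance = 2) {
  let host;
  try { host = new URL(rawUrl).hostname.toLowerCase().replace(/\.$/, ""); }
  catch { return { verdict: "unrelated" }; } // not a parseable URL
  if (OFFICIAL_DOMAINS.some((d) => host === d || host.endsWith("." + d))) {
    return { verdict: "official" };
  }
  // Check every DNS label and every hyphen-separated token inside it, so the
  // brand used as a subdomain or prefix of an unofficial domain is also caught.
  for (const label of host.split(".")) {
    for (const token of [label, ...label.split("-")]) {
      for (const brand of BRANDS) {
        if (osaDistance(token, brand) <= maxDistance) {
          return { verdict: "lookalike", brand, label };
        }
      }
    }
  }
  return { verdict: "unrelated" };
}
```

Internationalized hostnames arrive from the URL parser in punycode (`xn--` labels), so homoglyph lookalikes need a separate confusable-character check that this example does not perform.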

New attack vectors emerge as phishing techniques evolve.

Total phishing losses in 2025 have dropped significantly, with wallet drain attacks down 83% to $83.85 million from last year's $494 million, even as attackers continue to adapt their tactics.

According to CryptoNews, the number of victims has dropped to about 106,000, a 68% year-over-year decrease.

However, as sophisticated operations such as the MetaMask 2FA scam show, threat actors continue to refine social engineering methods even as overall losses continue to decline.

Phishing activity closely followed broader market cycles in 2025, with the third quarter, during Ethereum's strong rally, posting the biggest losses at $31 million.

August and September alone accounted for nearly 29% of total annual losses, reinforcing the view among security experts that phishing tracks “user activity”: high transaction volumes increase the pool of victims.

The largest single incident of the year was a $6.5 million theft in September related to a malicious Permit signature.

Permit and Permit2 approvals have remained the most effective attack vectors, accounting for 38% of losses in cases over $1 million, with new attack vectors emerging following Ethereum's Pectra update.

Attackers began abusing EIP-7702-based malicious signatures, which allow multiple malicious actions to be bundled into a single user authentication, leading to two incidents in August that resulted in a loss of $2.54 million.

Despite the overall decline, attackers have shifted tactics from large-scale heists to mass retail campaigns, with only 11 cases exceeding $1 million in 2025 compared to 30 last year.

The average loss per victim dropped to $790, indicating a broader focus on retail consumers rather than isolated high-profile thefts.

Recent coordinated attacks have drained hundreds of wallets on EVM-compatible networks, with individual losses below $2,000 per address.

Industry deploys defense networks against ongoing threats

Major wallet providers including MetaMask, Phantom, WalletConnect and Backpack have partnered with Security Alliance (SEAL) to launch a global anti-phishing network, which they describe as a “decentralized immune system” for real-time threat identification.

The system allows anyone worldwide to submit verifiable phishing reports, which are automatically verified and forwarded to all participating wallets, enabling faster response times and potentially saving a lot of money.

“Leaks are a constant game of cat and mouse,” said Om Shah, security researcher at MetaMask. “Partnering with SEAL allows wallet developers to move quickly and throw a wrench into the sewer infrastructure.”

The defense effort builds on SEAL's Verifiable Phishing Reports tool, which allows security researchers to verify that reported websites host phishing content.

Beyond technical exploitation, deepfake technology has emerged as another threat vector, with Manta Network founder Kenny Li revealing in April that he had previously been targeted in sophisticated Zoom calls using videos of well-known individuals.

The attackers tried to trick him into downloading malicious script files disguised as Zoom updates, and Li suspected the involvement of the North Korean-linked Lazarus Group.

Meanwhile, crypto-related losses from hacks and cybersecurity exploits fell 60% to $76 million in December, down from $194.2 million in November.

However, security experts warn that persistent threats such as address poisoning and browser exploits will continue to target users across the ecosystem.
