Phishing Scam Uses Fake 2FA Alerts to Steal MetaMask Recovery Phrases
Security researchers have identified a new phishing campaign targeting MetaMask users that fabricates a two-factor authentication (2FA) process to extract wallet recovery phrases. Attackers deploy cloned login pages, in-extension pop-ups and email lures that mimic legitimate 2FA prompts, then pressure victims to paste their seed phrase as a “verification” step. The social-engineering is described as unusually polished, making even cautious users more likely to fall for the ruse.
This matters because anyone who shares a recovery phrase gives attackers full control of their wallet and funds. Users should remember that legitimate wallets will never ask for seed phrases as a 2FA step, and should verify URLs, update extensions, and prefer hardware wallets for large holdings. Report suspicious pages and links to MetaMask and relevant platforms, and transfer at-risk funds to a secure wallet immediately if you suspect compromise.