Meet the Top 101 in Crypto
News
5 min read

MetaMask Users Under Attack: Fake 2FA Scam Draining Wallets in Seconds

Published 05 January 2026
Prashant Jha
Authors
Edited by Insha Zia

Key Takeaways

  • Scammers are targeting MetaMask users with fake “2FA security verification” pages that mimic official alerts.
  • The phishing sites use countdown timers and urgency to trick victims into entering their seed phrases.
  • Once the seed phrase is submitted, attackers gain complete control and can instantly drain wallets.

MetaMask, the leading non-custodial Ethereum wallet, is facing an active two-factor authentication (2FA) scam that has recently drained multiple user wallets.

Cybersecurity firm SlowMist flagged the attack on Jan. 5, noting that scammers lure victims through a series of fake web pages designed to closely mimic official MetaMask interfaces, ultimately tricking users into revealing their wallet seed phrases.

Try Our Recommended Crypto Exchanges
Sponsored
Disclosure
Opened in 2018
Promotions
Deposit $100, Get an Extra $300 in GOLD!
Coins
Shiba Inu Bitcoin PAX Gold Ampleforth Ethereum +70
Promotions
Receive up to $100,000 worth of exclusive gifts for newcomers upon registration.
Coins
Bitcoin Ethereum Tether USD Coin Solana +76
Opened in 2017
Promotions
Experience a 1-minute swap on a non-custodial platform.
Coins
Bitcoin Ethereum Tether Build'N'Build USD Coin +217
Show More

What Happened?

The attack typically begins with a phishing email or link shared via social media, direct messages, or compromised websites.

Unlike legitimate 2FA setups, which rely on codes generated by apps or devices, this scam ultimately prompts users to enter their seed phrase.

This grants attackers full control and enables them to drain funds within seconds.

Users receive unsolicited emails posing as “MetaMask Support,” with subject lines such as “2FA – Protect Your Wallet” or “Action Required: Secure Your Wallet with 2FA.”

The emails claim that 2FA is becoming mandatory to prevent unauthorized access and often impose a fake deadline to create urgency.

They feature the MetaMask fox logo and include a button labeled “Enable 2FA Now!”

Metamask phishing scam.
Metamask users received malicious emails asking them to update their seed phrase. Source: X

Clicking the button redirects users to a phishing site with a domain closely resembling MetaMask’s, often using typosquatting techniques such as “matamask” instead of “metamask.”

The site displays a fake security alert warning of potential risks and urges immediate action.

Users are then guided to a counterfeit 2FA verification interface that includes realistic elements, such as countdown timers (e.g., “Complete in 5 minutes or risk account restriction”), to pressure quick compliance.

The final step asks users to enter their 12- or 24-word seed phrase under the pretense of “verifying wallet ownership” or “completing security setup.”

Some versions include a fake “authenticity check” to build trust.

Once entered, the phrase is sent to the attackers, who can import the wallet elsewhere and transfer all assets instantly.

Users Risk Losing Their Total Holdings

MetaMask itself is not technically vulnerable; the exploit relies on social engineering and user error. 

As this specific 2FA variant was first publicly reported on Jan. 5, 2026, detailed loss figures have not yet been widely disclosed.

However, early indicators suggest a rapid potential for loss due to the direct theft of seed phrases

Similar MetaMask phishing campaigns, such as the “mandatory update” scam, were flagged by on-chain investigator ZachXBT just days prior.

These scams have drained over $107,000 from hundreds of wallets across EVM chains. 

Victims typically lose small amounts per wallet ($500–$2,000), making the thefts initially harder to detect and trace.

Funds are funneled to attacker-controlled addresses, often in stablecoins or ETH, with total ecosystem losses from MetaMask-related scams estimated in the millions annually.

If you’ve fallen victim, immediately disconnect the wallet from suspicious sites and transfer any remaining funds to a new wallet.

Staying vigilant is key in Web3; MetaMask emphasizes that security begins with user awareness.

How To Avoid Such Scams

First and foremost, it’s crucial for users holding assets in online wallets and self-custodial wallets to be wary of such attacks. 

Always remember: no wallet, whether hardware or software, custodial or non-custodial, should ever ask for your seed phrase.

However, due to the sophistication of these scams, it’s hard to detect them all the time.

Here’s a step-by-step guide to always double-check any such emails, creating urgency:

  • Ignore unsolicited emails claiming to be from MetaMask; official ones never create a sense of urgency or request seed phrases. 
  • Check the sender domains for legitimacy: [email protected] or [email protected]
  • Manually type URLs instead of clicking links. Hover over buttons to inspect destinations.
  • Never enter your seed phrase anywhere except during initial wallet setup or recovery on a trusted device. Store it offline and use a hardware wallet for high-value assets to require physical confirmation for transactions.
  • Enable real 2FA on related accounts using authenticator apps instead of SMS. Disable iCloud backups for sensitive apps to prevent access via Apple ID scams. 
  • Regularly revoke token approvals using tools like MetaMask Portfolio to limit access to malicious contracts.

Prashant Jha

Prashant Jha is a seasoned crypto journalist based in Delhi, India, with a Bachelor’s Degree in Computer Science Engineering. Passionate about the evolving world of blockchain and cryptocurrencies, he has been a dedicated voice in the industry since 2018. Prashant’s expertise lies in regulatory reporting, where he unravels complex legal and financial developments with clarity and precision. Before joining CCN in 2024, he honed his craft at Cointelegraph, establishing himself as a trusted name in crypto journalism.

His coverage spans major industry events, including the high-profile collapses of FTX, Three Arrows Capital (3AC), and LUNA, offering readers insightful analyses of their regulatory and market implications. Prashant’s technical background enables him to bridge the gap between intricate blockchain technology and its real-world applications, making his work accessible to novices and experts.

Beyond his professional pursuits, Prashant is an avid music enthusiast, often exploring diverse genres to unwind. A sports lover, he has a particular passion for cricket and frequently engages in discussions about the game. His multifaceted interests and sharp journalistic instincts make him a valuable contributor to CCN, where he continues shaping the crypto landscape's narrative.

Related

Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
DMCA.com Protection Status