Opening your email to see a warning about your crypto wallet can be scary. That sense of urgency is exactly what scammers are now using against MetaMask users. In early January, reports began to surface that attackers were sending fake security emails impersonating MetaMask, telling users their accounts needed urgent two-factor authentication verification.

The messages warned that wallet access could be limited if users did not act quickly, pushing many to make rushed decisions. 


How the phishing scam works 

The emails looked convincing, complete with MetaMask branding, and advised users to complete a 2FA security check before January 4, 2026. Reports now claim that some users who clicked the link were led to fake MetaMask security pages. These pages showed countdown timers and security warnings to increase pressure. In the final step, users were asked to enter their wallet recovery phrase. Once it was entered, attackers gained full access to the wallet and drained funds within minutes.

Security researcher 23pds, a partner and CISO at blockchain security firm SlowMist, was among the first to raise the alarm publicly via social media. He warned users to be extremely careful and stay alert to emails claiming to come from MetaMask. “Attackers are impersonating a ‘2FA security verification’ flow, redirecting users via look-alike domains to fake security warnings with countdown timers and ‘authenticity checks,’” he posted on X.

MetaMask has faced repeated phishing-related incidents over the years. After a 2022 security issue linked to cloud storage backups, users reported stolen NFTs and tokens worth more than $650,000. These past incidents show how attackers keep finding new ways to trick users. 

Blockchain security firm Halborn has previously urged crypto companies to prepare better for phishing attacks. According to Halborn, no system can stop every scam email, but fast incident response and clear communication can reduce damage when attacks happen. 

MetaMask has repeatedly told users that it does not send random security emails. The company says it will never ask for recovery phrases, Apple IDs, Google accounts, or private keys under any condition. It also stressed that two-factor authentication should only be set up directly through official MetaMask platforms, not through email links.
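For mail filtering or help-desk triage, the indicators described above (look-alike link domains, a 2FA deadline lure, and any request for a recovery phrase) can be checked mechanically. The sketch below is an added example, not code from MetaMask or SlowMist; it assumes `metamask.io` as the official domain, and the function names, sample messages and `.example` hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlparse

OFFICIAL = {"metamask.io"}  # assumption: allowlist maintained by the defender
BRAND = "metamask"
DIGIT_SWAPS = str.maketrans("0134", "olea")  # constructed, not exhaustive

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(host):
    """True if a host imitates the brand name but is not on the allowlist."""
    host = host.lower().rstrip(".")
    # Naive registrable domain (last two labels); no public-suffix handling.
    if ".".join(host.split(".")[-2:]) in OFFICIAL:
        return False
    labels = re.split(r"[.-]", host.translate(DIGIT_SWAPS))
    return any(edit_distance(label, BRAND) <= 2 for label in labels)

def triage(text):
    """Return the indicators found in an email body or landing-page text."""
    findings = []
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = urlparse(url).hostname or ""
        if lookalike(host):
            findings.append(f"lookalike-link:{host}")
    # MetaMask says it never asks for the recovery phrase, so any request is a flag.
    if re.search(r"\b(recovery|seed)\s+phrase\b", text, re.I):
        findings.append("asks-for-recovery-phrase")
    pressure = r"\b(urgent|limited|suspended|before\s+\w+\s+\d{1,2})"
    if re.search(r"\b(2fa|two[- ]factor)\b", text, re.I) and re.search(pressure, text, re.I):
        findings.append("2fa-deadline-lure")
    return findings

# Constructed samples modelled on the flow described in the article.
SAMPLE_EMAIL = ("Your wallet access will be limited unless you complete the 2FA "
                "security check before January 4, 2026.\n"
                "Verify: https://metamask-2fa.example/verify")
SAMPLE_PAGE = "Authenticity check: enter your Secret Recovery Phrase. 04:59 remaining"

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
    print(triage(SAMPLE_PAGE))
```

The edit-distance threshold and digit-swap table are heuristics; hosts using Unicode homoglyphs or punycode labels need separate handling.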