MetaMask has warned users after attackers circulated phishing emails posing as mandatory security updates. The incident highlights growing risks tied to social engineering in crypto.
Security firms say the campaign followed familiar patterns seen in earlier wallet scams. Industry experts now urge faster response systems and stronger user awareness.
Phishing emails exploit 2FA fears to steal recovery phrases
MetaMask said users fell victim to a phishing scam that impersonated official security communications.
According to the wallet provider, attackers sent emails urging users to update 2FA credentials. The messages warned that failure to comply by January 4, 2026, would restrict wallet features.
Blockchain security firm SlowMist flagged the scam early. Its partner and chief information security officer, known as 23pds, issued a public warning on January 5. He cautioned users to treat MetaMask-related emails with skepticism and verify sources carefully.
The scammers created fake MetaMask security pages to execute the attack. These pages guided users through a fake two-factor authentication process. The real objective involved stealing mnemonic phrases that control wallet access.
The process relied on multiple deceptive steps. Attackers distributed links to counterfeit security alerts and 2FA verification interfaces.
Countdown timers added urgency and pressure. Victims eventually faced prompts to enter their secret recovery phrases.
Malware researcher and internet security professional Tomas Meskauskas addressed similar scams last month.
In his report, he explained how fake 2FA activation emails exploit trust in well-known brands. He urged users to verify sender addresses and inspect minor inconsistencies before clicking links.
Meskauskas warned users not to trust emails solely because they appear legitimate.
Similar incidents have surfaced before. Last year, Australian cybersecurity firm MailGuard blocked phishing emails claiming unusual MetaMask account activity.
Those messages also urged immediate 2FA activation to avoid account suspension.
MailGuard said a single well-crafted email can expose users to data theft or malware. The firm advised recipients to delete such messages immediately.
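The advice above (verify sender addresses, look for inconsistencies, treat deadline-driven 2FA prompts with suspicion, never hand over a recovery phrase) can be turned into a simple triage heuristic. The following is an added example, not code from MetaMask, SlowMist, MailGuard or Meskauskas: it scores a parsed email on the cues this article describes, namely a sender domain that does not match the brand it claims, links whose real host is not the brand's, urgency and threatened restriction, unsolicited 2FA prompts, and any request for a secret recovery phrase. The allowlist of legitimate domains and both sample messages are constructed assumptions for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: the domains the wallet provider genuinely sends from.
# The article only says to verify sender addresses; this allowlist is illustrative.
LEGITIMATE_DOMAINS = {"metamask.io"}
BRAND = "metamask"

# Pressure tactics described in the article: deadlines, countdowns, threatened restrictions.
URGENCY_PATTERNS = [
    r"\bwithin \d+ (?:hours?|minutes?|days?)\b",
    r"\bby [a-z]+ \d{1,2}, \d{4}\b",          # e.g. "by January 4, 2026"
    r"\b(?:restricted|suspended|locked|disabled)\b",
    r"\bimmediately\b",
    r"\bfailure to\b",
]

# Any request for wallet secrets is disqualifying: the provider never asks for them.
SECRET_REQUEST_PATTERNS = [
    r"\b(?:secret )?recovery phrase\b",
    r"\bseed phrase\b",
    r"\bmnemonic\b",
    r"\bprivate key\b",
    r"\b(?:apple|google) (?:id|account) (?:details|password|credentials)\b",
]

# An unsolicited "activate/update your 2FA" prompt, as in the campaigns described.
TWOFA_PROMPT = r"\b(?:activate|enable|update|verify)\b[^.]{0,40}\b(?:2fa|two-factor|mfa|multi-factor)\b"


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Fine for the example; real code should
    use the Public Suffix List so 'co.uk'-style suffixes are handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_email(msg):
    """Score one parsed email: a dict with 'from', 'subject', 'body' and 'links',
    where links is a list of (anchor_text, href) pairs. Returns score, verdict, findings."""
    findings = []
    score = 0
    display_name, address = parseaddr(msg["from"])
    sender_dom = registrable_domain(address.rpartition("@")[2])
    text = f"{msg['subject']}\n{msg['body']}".lower()
    claims_brand = BRAND in display_name.lower() or BRAND in text

    # 1. Brand impersonation: speaks as the brand but is not sent from its domain.
    if claims_brand and sender_dom not in LEGITIMATE_DOMAINS:
        findings.append(f"sender_mismatch: claims {BRAND} but sent from {sender_dom}")
        score += 3

    # 2. Links whose real host is not the brand's (lookalike or unrelated domains).
    for anchor, href in msg.get("links", []):
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in LEGITIMATE_DOMAINS:
            findings.append(f"link_mismatch: '{anchor}' -> {host}")
            score += 2

    # 3. Urgency and threatened loss of access.
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text)]
    if hits:
        findings.append(f"urgency: {len(hits)} pressure cue(s)")
        score += min(len(hits), 3)

    # 4. Unsolicited prompt to set up or update 2FA.
    if re.search(TWOFA_PROMPT, text):
        findings.append("twofa_prompt: unsolicited 2FA setup/update request")
        score += 1

    # 5. Requests for secrets: critical on its own, regardless of anything else.
    if any(re.search(p, text) for p in SECRET_REQUEST_PATTERNS):
        findings.append("secret_request: asks for recovery phrase / keys / account credentials")
        score += 5

    verdict = "phishing" if score >= 5 else "suspicious" if score >= 3 else "likely benign"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample messages for this example (not real captures).
PHISHING_EMAIL = {
    "from": "MetaMask Security <security@metamask-verify.example>",
    "subject": "Action required: update your 2FA settings",
    "body": (
        "Your wallet requires a mandatory security update. Failure to update your "
        "2FA by January 4, 2026 will result in wallet features being restricted. "
        "Complete verification now and confirm your secret recovery phrase."
    ),
    "links": [("Update 2FA now", "https://metamask-verify.example/2fa")],
}

BENIGN_EMAIL = {
    "from": "MetaMask Support <support@metamask.io>",
    "subject": "Re: your support request #EXAMPLE-PLACEHOLDER",
    "body": "Thanks for contacting us. We have replied to your ticket in the help centre.",
    "links": [("Help centre", "https://support.metamask.io/")],
}

if __name__ == "__main__":
    for name, email in (("phishing sample", PHISHING_EMAIL), ("benign sample", BENIGN_EMAIL)):
        print(name, assess_email(email))
```

The secret-request rule carries enough weight to reach the phishing verdict by itself, which mirrors the article's point that a legitimate provider never asks for a recovery phrase; the other cues only raise the score further. Extending the allowlist and patterns, and replacing the naive domain split with a Public Suffix List lookup, is what a production mail filter would need.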
Security firms urge proactive anti-phishing response from MetaMask
Halborn, a blockchain security firm, previously called on MetaMask to adopt proactive phishing response measures.
The firm said crypto companies cannot detect every malicious email. It stressed the need for defined processes to manage attacks once they surface.
According to Halborn, rapid incident response can limit losses.
The firm said dedicated response teams can turn major threats into contained events. It also encouraged users to activate 2FA or MFA only through official platforms and keep protections updated.
Halborn added that email security systems help block phishing attempts. Multi-factor authentication also reduces damage from compromised credentials.
However, the firm emphasized that user education remains critical.
MetaMask has faced repeated phishing-related incidents. Several attacks followed a 2022 security flaw in Apple’s cloud storage.
At the time, users reported stolen digital assets across social platforms. ConsenSys-backed MetaMask later disclosed losses exceeding $650,000.
The stolen assets included NFTs worth 132.86 ETH, about $402,980, and more than $250,000 in Apecoin.
MetaMask’s support team reiterated its stance on email communication.
The company said it never sends random confirmation emails. It also said it does not request Apple or Google account details.
MetaMask added that it cannot initiate email contact unless users submit a support request. Crucially, the firm stressed it never asks for secret recovery phrases under any circumstances.
