Overview
- Spoofed emails styled as MetaMask Support urge users to “enable 2FA,” using countdown timers to create urgency and push clicks.
- Targets are redirected to look‑alike domains, including URLs that differ by a single letter such as “mertamask,” which host counterfeit security pages.
- The fake workflow guides users through familiar steps before requesting the wallet’s recovery phrase as a supposed part of setup.
- Entering the phrase grants attackers full control of the wallet, with reports that assets can be transferred out within minutes.
- Researchers note similarities to a recent fake MetaMask app update and the Trust Wallet Chrome extension incident with about $7 million in losses, though any linkage is unconfirmed, and a Scam Sniffer report says crypto phishing losses fell roughly 88% in 2025.