In a significant alert, SlowMist Chief Security Officer, known as “23pds,” has unveiled a new phishing campaign aimed at MetaMask users. This sophisticated scheme employs counterfeit two-factor authentication (2FA) verification pages to deceive individuals into divulging their wallet recovery phrases.
The phishing attack operates through convincingly designed replicas of MetaMask“s security interface, creating an illusion of routine security checks. Victims are initially drawn to spoofed websites with domains closely resembling the official MetaMask site, such as “mertamask.” Upon arriving at these sites, users are confronted with what appears to be a legitimate security alert indicating suspicious account activity.
As the scam unfolds, victims are coerced into completing a fabricated 2FA verification process, complete with countdown timers and realistic safety messaging. The final stage of this malicious scheme prompts users to enter their seed phrase, misleadingly framed as a requirement to finalize the authentication. This action effectively grants attackers unrestricted access to the victim”s wallet.
Despite a notable decline in phishing-related cryptocurrency losses in 2025, experts caution that attackers are refining their methods. Data from ScamSniffer indicates that wallet-draining losses plummeted 83% year-over-year, totaling $83.85 million, down from nearly $494 million in 2024. Additionally, the number of affected users saw a significant reduction, decreasing by 68% to around 106,000.
However, the trends reveal that phishing activity remains closely tied to broader market fluctuations. Notably, losses peaked during the third quarter of 2025, coinciding with a robust rally in Ethereum, with the months of August and September accounting for nearly 29% of the total losses for the year. The most prominent incident recorded involved a theft amounting to $6.5 million in September, linked to a malicious Permit signature.
The evolving landscape of Ethereum exploits and a notable shift towards targeting retail victims is evident following the Pectra upgrade. Attackers have been taking advantage of EIP-7702-based malicious signatures, enabling them to bundle multiple harmful actions into a single approval. Recent coordinated attacks across EVM-compatible chains have drained hundreds of wallets, typically extracting less than $2,000 per address.
In response to the rising threat of phishing attacks, major wallet providers, including MetaMask, Phantom, WalletConnect, and Backpack, have united with the Security Alliance (SEAL) to establish a global phishing defense network. This collaboration aims to enhance real-time identification and blocking of phishing threats, offering users a more secure experience.
As the cryptocurrency landscape continues to evolve, it is crucial for users to remain vigilant and informed about the tactics employed by scammers. Awareness and education are key components in safeguarding digital assets against sophisticated phishing schemes.
