VYPR
Research · Published Jul 1, 2026 · 1 source

Phishing Campaign Exploits MetaMask Recovery Process to Steal Seed Phrases

A new phishing campaign is targeting MetaMask users by tricking them into revealing their secret recovery phrases through a fake wallet security alert.

A sophisticated phishing campaign is actively targeting users of MetaMask, a widely used cryptocurrency wallet, by exploiting its password recovery mechanism. Attackers are sending emails that falsely claim a user's MetaMask wallet is at risk, creating a sense of urgency to prompt immediate action.

The emails instruct recipients to visit a newly registered domain, captchasolve[.]help, to secure their account. This domain, registered just two days prior to the campaign's emergence, is designed to mimic legitimate MetaMask interfaces. The core of the attack lies in bypassing standard security measures, including multi-factor authentication, by directly soliciting the user's secret recovery phrase, also known as a seed phrase.

MetaMask, like many cryptocurrency wallets, relies on a secret recovery phrase, typically a 12-word sequence, generated during the initial setup. This phrase serves as the master key to the user's wallet and all associated assets. While essential for account recovery if a user loses access to their device or password, it is also the most sensitive piece of information an attacker could obtain.

By framing the request as a security measure to prevent account compromise, the attackers leverage social engineering to persuade victims to input their seed phrase into the malicious website. Once obtained, the attackers can immediately gain full control over the victim's MetaMask wallet, enabling them to steal all cryptocurrency funds stored within it.

This tactic is particularly effective because it circumvents the typical layers of security designed to protect online accounts. While multi-factor authentication (MFA) adds a significant barrier, it is rendered useless if the attacker can directly acquire the seed phrase, which is the ultimate credential for wallet access. The campaign highlights a persistent threat vector where attackers target the foundational elements of account security rather than relying on exploiting software vulnerabilities.

The SANS Internet Storm Center, which first reported on this campaign, noted that this is not the first time MetaMask users have been targeted. However, this specific method of exploiting the recovery process represents a notable evolution in phishing tactics aimed at the cryptocurrency community. The use of a recently registered domain and a plausible pretext underscores the ongoing cat-and-mouse game between security professionals and cybercriminals.

Users are strongly advised to be vigilant against such phishing attempts. It is crucial to remember that legitimate services will rarely, if ever, ask for your secret recovery phrase via email or a non-official website. Always verify the authenticity of communications and ensure you are interacting directly with the official MetaMask application or website when managing your wallet. If you suspect you have fallen victim, immediate action to secure any remaining assets and report the incident is recommended.
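
For mail teams, the traits described above (a wallet-brand mention, a link that leaves the brand's own domain, a link domain registered days earlier, and urgent wording) can be combined into a triage heuristic. The following is an added example, not code from the SANS report or from MetaMask; the allowlist entry, the 30-day threshold, the urgency keywords, and the sample message and dates are assumptions constructed for illustration.

```python
import re
from datetime import date
from urllib.parse import urlsplit

# Assumptions for this sketch: brand allowlist and the age threshold.
OFFICIAL_DOMAINS = {"metamask.io"}
MAX_AGE_DAYS = 30
BRAND = re.compile(r"\bmetamask\b", re.I)
URGENCY = re.compile(r"\b(at risk|act now|immediately|suspended)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"'\[\]]+", re.I)


def link_hosts(body):
    """Hostnames of every http(s) link; defanged hxxp / [.] forms are accepted."""
    text = body.replace("[.]", ".").replace("hxxp", "http")
    hosts = (urlsplit(u).hostname for u in URL.findall(text))
    return {h.rstrip(".") for h in hosts if h}


def is_official(host):
    """Exact match or true subdomain, so 'metamask.io.example' does not pass."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def score_email(body, received, registered):
    """Return the reasons a brand-mentioning mail resembles this campaign.

    registered maps host -> registration date, looked up by the caller
    (WHOIS/RDAP); hosts missing from it are only checked against the allowlist.
    """
    if not BRAND.search(body):
        return []
    reasons = []
    for host in sorted(link_hosts(body)):
        if is_official(host):
            continue
        reasons.append(f"off-brand-link:{host}")
        reg = registered.get(host)
        if reg is not None and 0 <= (received - reg).days <= MAX_AGE_DAYS:
            reasons.append(f"new-domain:{host}")
    if reasons and URGENCY.search(body):
        reasons.append("urgency")
    return reasons


# Constructed sample (not the real lure); the link is kept defanged on the page.
SAMPLE = ("Your MetaMask wallet is at risk. Secure your account now: "
          "hxxps://captchasolve[.]help")
SAMPLE_REASONS = score_email(SAMPLE, date(2026, 6, 30),
                             {"captchasolve.help": date(2026, 6, 28)})
```

A message that returns both `off-brand-link` and `new-domain` is a strong quarantine candidate; `urgency` alone is deliberately never reported, since legitimate notices use the same words.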

Synthesized by Vypr AI