MetaMask Users Hit by Phishing Using Fake Security Reports
SANS ISC documents phishing campaign using fabricated incident reports to steal MetaMask wallet credentials. Attackers host phishing pages on AWS S3.
Attackers are targeting MetaMask cryptocurrency wallet users with phishing emails that include fabricated security incident reports. The campaign, documented by SANS Internet Storm Center handler Xavier Mertens on February 17, combines urgency messaging with official-looking PDF attachments to pressure victims into surrendering their wallet credentials.
The tactic represents an evolution beyond simple credential-harvesting pages. By attaching what appears to be a legitimate incident report about "unusual login activity," attackers add a layer of credibility that basic phishing emails lack. This mirrors the Valentine's Day phishing surge we covered last week, where attackers used seasonal themes to boost engagement rates.
How the Attack Works
The phishing email requests that recipients enable two-factor authentication on their MetaMask wallet—an ironic twist since the "security upgrade" actually compromises security. The message includes a PDF attachment named Security_Reports.pdf containing a fake incident report about suspicious login attempts.
According to SANS ISC analysis, the PDF itself isn't malicious. It doesn't contain embedded scripts or exploit code. Instead, it serves purely as a social engineering artifact designed to make the victim believe their account is under active threat. The document was created using ReportLab, a common Python PDF generation library, with a creation date of February 11, 2026.
The attack chain flows as follows:
- Victim receives email warning about account security
- PDF attachment shows fabricated incident details
- Email link directs to AWS S3-hosted phishing page
- Victim enters wallet credentials believing they're enabling 2FA
- Attackers capture recovery phrase and drain the wallet
Technical Indicators
The phishing infrastructure uses AWS S3 to host the credential harvesting page:
- Malicious URL: hxxps://access-authority-2fa7abff0e[.]s3.us-east-1[.]amazonaws[.]com/index.html
- PDF SHA256: 2486253ddc186e9f4a061670765ad0730c8945164a3fc83d7b22963950d6dcd1
- PDF metadata: Producer listed as "ReportLab PDF Library"
AWS S3 provides attackers with free, fast hosting that inherits the legitimate reputation of Amazon's infrastructure. Email filters that block newly registered domains often allow amazonaws.com subdomains through. We've seen similar abuse of Google Cloud services for phishing to bypass security controls.
Part of a Larger MetaMask Targeting Campaign
This incident fits into a broader wave of MetaMask-targeted phishing that began in late 2025. According to BeInCrypto reporting, attackers have been sending fake "2FA verification" emails with tight deadlines to create urgency—previous variants demanded action by January 4, 2026, or threatened restricted wallet access.
The scams typically end with a request for the wallet's recovery phrase, which attackers immediately use to import and drain the victim's funds. MetaMask's official guidance emphasizes they never send unsolicited emails requesting recovery phrases or security updates.
North Korean threat actors have shown particular interest in cryptocurrency theft through similar ClickFix-style social engineering targeting blockchain developers and wallet users. While no attribution exists for this specific campaign, cryptocurrency remains a high-value target for both cybercriminals and nation-state actors.
Why Fake Incident Reports Work
The fabricated security report adds psychological weight the basic phishing email lacks. When recipients see a formal-looking document detailing login times, IP addresses, and account identifiers—even fabricated ones—they're more likely to believe the threat is real.
Mertens noted the campaign shows "low quality" execution overall: sender addresses aren't spoofed, and the PDFs aren't customized per target. This suggests automated mass-mailing rather than spear-phishing. Still, even crude campaigns land victims when the volume is high enough.
For guidance on identifying these attacks, our phishing email examples guide covers the warning signs, and our social engineering explainer details the psychological tactics attackers use.
Defensive Recommendations
Organizations and individuals should take these steps:
- Never trust email links for wallet security updates—navigate directly to official wallet sites
- Understand that legitimate services never request recovery phrases by email, phone, or support chat
- Block newly created AWS S3 bucket URLs at the proxy or email gateway level when possible
- Enable bookmark-based access for cryptocurrency platforms to avoid typosquatting and malicious links
- Report suspicious MetaMask emails to [email protected]
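As an added example (not code from the SANS ISC write-up or from this article), the following Python check applies the indicators listed above and the recommendation to block S3-hosted pages at the gateway: it re-fangs the published URL, recognises S3 bucket hostnames in proxy log lines, and compares an attachment's SHA256 with the published hash. The log lines, user names and sample PDF bytes are constructed; only the URL and hash come from the indicators above.

```python
import hashlib
import re
from urllib.parse import urlparse

# IOCs as published in the SANS ISC write-up (kept defanged in source).
DEFANGED_URL = "hxxps://access-authority-2fa7abff0e[.]s3.us-east-1[.]amazonaws[.]com/index.html"
PDF_SHA256 = "2486253ddc186e9f4a061670765ad0730c8945164a3fc83d7b22963950d6dcd1"

# Virtual-hosted-style S3 hostname: <bucket>.s3.<region>.amazonaws.com (or legacy <bucket>.s3.amazonaws.com).
S3_HOST_RE = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")

def refang(url: str) -> str:
    """Reverse the hxxp / [.] defanging used in the write-up so the IOC can be matched against real logs."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def s3_bucket(url: str):
    """Return the bucket name when the URL is served from an S3 bucket hostname, otherwise None."""
    match = S3_HOST_RE.match((urlparse(url).hostname or "").lower())
    return match.group("bucket") if match else None

def classify_url(url: str, blocklist: set) -> str:
    """Gateway verdict: 'block' for a known IOC, 'review' for an HTML page on an S3 bucket, else 'allow'."""
    real = refang(url)
    if real in blocklist:
        return "block"
    if s3_bucket(real) and urlparse(real).path.lower().endswith((".html", ".htm")):
        return "review"  # S3-hosted login pages are the pattern seen here, but S3 is not malicious by itself
    return "allow"

def scan_log(lines, blocklist):
    """Apply classify_url to constructed proxy log lines of the form '<time> <user> <method> <url>'."""
    results = []
    for line in lines:
        _, user, _, url = line.split()[:4]
        results.append((user, url, classify_url(url, blocklist)))
    return results

def pdf_matches_ioc(data: bytes) -> bool:
    """True only if the attachment's SHA256 equals the published hash of Security_Reports.pdf."""
    return hashlib.sha256(data).hexdigest() == PDF_SHA256

BLOCKLIST = {refang(DEFANGED_URL)}
LOG_LINES = [  # constructed sample proxy lines; the first replays the published IOC, the rest are benign
    f"2026-02-17T09:12:01Z alice GET {refang(DEFANGED_URL)}",
    "2026-02-17T09:13:44Z bob GET https://my-company-assets.s3.eu-west-1.amazonaws.com/login.html",
    "2026-02-17T09:14:10Z carol GET https://docs.aws.amazon.com/s3/index.html",
]
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Producer (ReportLab PDF Library) >>\nendobj\n%%EOF\n"  # constructed, not the real file
```

The second log line lands in "review" rather than "block" on purpose: legitimate organisations host static content on S3, so a bucket hostname alone justifies analyst review, not an automatic block.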
The combination of cloud-hosted infrastructure, official-looking documentation, and urgency messaging makes this campaign more convincing than typical credential phishing. Cryptocurrency users face persistent targeting because wallet compromises offer immediate, often irreversible financial payoffs for attackers.
Security teams should add the documented IOCs to their monitoring systems and remind users that any unsolicited request for wallet credentials—regardless of how legitimate it appears—is almost certainly fraudulent.