Analyzing the "Fake MetaMask Alert" Phishing Campaign Targeting Nigeria

The campaign begins with a phishing email designed to create a sense of urgency. Our analysis of the email's source code reveals several key indicators of compromise (IOCs).

14th Command Team

October 10, 2025

Phishing & Social Engineering, Threat Intelligence & Attack Reports

A few days ago we issued a detailed analysis of an ongoing, technically sophisticated phishing campaign targeting Nigerian cryptocurrency users. This campaign, first flagged by our TRP'25 research teams, uses carefully crafted social engineering and technical evasion techniques to steal MetaMask wallet credentials, leading to the total loss of user funds. This brief provides a shorter technical teardown of the attackers' TTPs (Tactics, Techniques, and Procedures).

1. Email Header Forgery & Evasion: The attackers are spoofing the From address to appear as "MetaMask." However, analysis of the email headers reveals the true origin.

  • Originating Server: The email is sent from a generic cloud hosting provider (cloudhost-5951370[.]us-midwest-1[.]nxcli[.]net), not from MetaMask's official mail servers.

  • Failed DKIM Signature: The email carries a DKIM-Signature header, but it fails validation (DKIM_INVALID). This is a clear technical sign that the sender's identity is forged.

  • Keyword Obfuscation: Spam analysis shows the use of "fuzzy" or obfuscated keywords to bypass simple content filters looking for the word "Wallet."

2. URL Obfuscation via Shorteners: The primary calls to action, such as "Secure Your Wallet Now," do not link directly to the destination domain.

  • The Link: The phishing URL is hidden behind a Twitter t.co shortened link (https://t[.]co/kznMmVK9zz). This is a classic technique to mask the final malicious destination from both the user and basic email security scanners. Official security alerts will always use the full, verifiable domain name.

3. The Phishing Kit & Credential Capture: The destination site is a pixel-perfect clone of the MetaMask interface. Its sole purpose is to deceive the user into entering their 12-word secret recovery phrase. Once entered, this phrase is exfiltrated to an attacker-controlled server, giving them complete and irreversible control over the victim's wallet.
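The header and link checks from items 1 and 2, as an added triage script (not code from the original brief): it parses a constructed message modelled on the described indicators and flags a Return-Path/From domain mismatch, an originating relay outside the expected domain, an unverified DKIM signature, leet-style keyword obfuscation, and a call-to-action link hidden behind a shortener. EXPECTED_DOMAINS, SHORTENERS, the leet map, and the sample message (with a placeholder t.co path) are assumptions of this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_DOMAINS = ("metamask.io",)            # assumed: where a genuine alert should originate
SHORTENERS = {"t.co", "bit.ly", "tinyurl.com"}  # assumed: shorteners that mask the destination
LEET = str.maketrans("4013$", "aoles")          # undo common keyword obfuscation (our own map)

# Constructed sample modelled on the brief's indicators; the t.co path is a placeholder.
SAMPLE_EML = """\
Return-Path: <alerts@cloudhost-5951370.us-midwest-1.nxcli.net>
Received: from cloudhost-5951370.us-midwest-1.nxcli.net by mx.example.net; Fri, 10 Oct 2025 09:00:00 +0000
Authentication-Results: mx.example.net; dkim=fail (bad signature) header.d=metamask.io
DKIM-Signature: v=1; a=rsa-sha256; d=metamask.io; s=sel1; h=from:subject; bh=...; b=...
From: MetaMask <security@metamask.io>
Subject: Urgent: Secure Your W4llet Now
Content-Type: text/html

<p>Unusual activity was detected on your account.</p>
<a href="https://t.co/xxxxxxxx">Secure Your Wallet Now</a>
"""

def analyze(raw):
    # Returns a list of phishing indicators found in a raw RFC 5322 message.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # The bottom-most Received header is the first hop, i.e. the originating server.
    received = msg.get_all("Received") or []
    hop = re.search(r"from\s+(\S+)", received[-1]) if received else None
    if hop and not hop.group(1).lower().endswith(EXPECTED_DOMAINS):
        findings.append(f"originating server {hop.group(1)} is not an expected sender")
    auth = (msg.get("Authentication-Results") or "").lower()
    if msg.get("DKIM-Signature") and "dkim=pass" not in auth:
        findings.append("DKIM-Signature present but not verified (no dkim=pass)")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for label, s in (("Subject", msg.get("Subject", "")), ("body", text)):
        if "wallet" in s.lower().translate(LEET) and "wallet" not in s.lower():
            findings.append(f"obfuscated 'wallet' keyword in {label}")
    for url in re.findall(r'href="([^"]+)"', text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"call-to-action hidden behind shortener {host}: {url}")
    return findings
```

Running analyze(SAMPLE_EML) reports all five indicators; a message whose Return-Path, first hop and DKIM result all agree with the From domain produces none.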

Our Recommendations for Defense:

Based on this analysis, our recommendations are clear and absolute:

  1. Scrutinize the Sender: Never trust the display name. Always inspect the true From address and Return-Path for any security-related email.

  2. Never Enter Your Recovery Phrase on a Website: Your secret phrase should only ever be used directly within the official MetaMask application or extension to restore a wallet. No legitimate service will ever ask you to type it into a web form.

  3. Enable Phishing-Resistant MFA: Wherever possible, secure accounts with a hardware security key (like a YubiKey).

The full list of IOCs, including the originating IP address and malicious domains associated with this campaign, will be made available to our intelligence subscribers.
