Trust Wallet and MetaMask wallet users are being targeted in what looks like an ongoing and aggressive Twitter phishing campaign created in order to steal cryptocurrency funds.

MetaMask and Trust Wallet are two of the mobile apps that allow users to create wallets in order to store, buy, send, and receive cryptocurrency and NFTs.

When the MetaMask or Trust Wallet app is launched for the first time, it prompts users to create a new wallet. As part of this process, the app shows a recovery phrase consisting of 12 words and prompts users to save it somewhere safe.

The apps use this recovery phrase to create the private keys necessary to access your wallet. Anyone who has the recovery phrase can import your wallet and use the cryptocurrency funds stored in it, so users should never share their recovery phrase with anyone.

Journalists from BleepingComputer have been tracking a Twitter phishing scam that targets Trust Wallet and MetaMask users and steals their cryptocurrency wallets by promoting fake technical support forms.

The phishing scam starts with legitimate MetaMask or Trust Wallet users tweeting about a problem they are having with their wallets. The issues can be anything from stolen funds to problems accessing their wallets, or even issues using the apps.

The scammers then reply to these tweets while impersonating the app's real customer support team.

The replies recommend that the user visit a specific or links and fill out a support form in order to receive help.



When users visit these links, they are shown a page pretending to be a support form for Trust Wallet or MetaMask, which requests the user's email address, name, the issue they are having, and of course, the wallet's recovery phrase.

Once the users have submitted the recovery phrases, the threat actors can easily use them to import the victim’s wallet on their own devices and steal all of the deposited cryptocurrency funds, and unfortunately, once the funds are stolen there is almost nothing that can be done in order to recover them.

In order to remain safe, you should keep in mind that the only time when you should use your recovery phrase is when you need to import your wallet on a new device you own, and you should never enter the wallet’s recovery phrase in any app or website or share it with anyone else.



Also, paying attention to what is asked of you is very important as a legitimate company will not use Google Docs or online form-building sites for support requests.
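
The two warning signs above (a "support form" on a generic document or form host, and a form that asks for the recovery phrase) can be written as a triage check for reported replies. This is an added example, not code from the original article; the host list beyond docs.google.com, the keyword pattern, and the sample reply and page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: only Google Docs is named in the article; "forms.example" is a
# constructed placeholder for whatever form-builder hosts you choose to list.
FORM_HOSTS = {"docs.google.com", "forms.example"}
# Illustrative wording that asks for a wallet secret (not exhaustive).
SECRET_RE = re.compile(
    r"\b(recovery|seed|secret|backup)[\s_-]+(phrase|words)\b|\bmnemonic\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

class FormText(HTMLParser):
    """Collect visible text and the names/placeholders of input fields."""
    def __init__(self):
        super().__init__()
        self.chunks, self.has_input = [], False
    def handle_starttag(self, tag, attrs):
        if tag in ("input", "textarea"):
            self.has_input = True
            a = dict(attrs)
            self.chunks += [a.get(k) or "" for k in ("name", "placeholder")]
    def handle_data(self, data):
        self.chunks.append(data)

def on_form_host(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FORM_HOSTS)

def asks_for_secret(html):
    parser = FormText()
    parser.feed(html)
    return parser.has_input and bool(SECRET_RE.search(" ".join(parser.chunks)))

def triage(reply_text, pages):
    """pages maps URL -> already-fetched HTML; returns [(url, [reasons])]."""
    results = []
    for url in URL_RE.findall(reply_text):
        reasons = []
        if on_form_host(url):
            reasons.append("support form on a generic form/document host")
        if asks_for_secret(pages.get(url, "")):
            reasons.append("form asks for the wallet recovery phrase")
        results.append((url, reasons))
    return results

# Constructed sample data, not taken from the campaign.
URL = "https://docs.google.com/forms/d/e/EXAMPLE/viewform"
REPLY = "Sorry for the issue, please fill out our support form: " + URL
PAGE = ('<form><input name="email"><label>12 word recovery phrase</label>'
        '<textarea name="phrase"></textarea></form>')
```

Calling `triage(REPLY, {URL: PAGE})` returns both reasons for the sample link; a form that only collects an email address and an issue description returns none.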


It’s quite easy for the attackers to create lookalike domains that impersonate legitimate sites, so, when it comes to cryptocurrency and financial assets you should always type the URL you wish to visit into your browser rather than just clicking on links received in emails.
