Attackers bypass Coinbase and MetaMask 2FA via TeamViewer, fake support chat

Attackers bypass Metamask 2FA

A crypto-stealing phishing campaign is underway that bypasses multi-factor authentication to gain access to accounts on Coinbase, MetaMask, and KuCoin and steal cryptocurrency.

The threat actors abuse the Microsoft Azure Web Apps service to host a network of phishing sites and lure victims to them with phishing messages posing as bogus transaction confirmation requests or suspicious-activity alerts.

For example, one of the phishing emails seen in the attacks pretended to be from Coinbase, claiming that the account had been locked due to suspicious activity.

When the targets visit the phishing site, they are presented with a chat window supposedly for ‘customer support,’ controlled by a scammer who directs visitors through a multi-step defrauding process.

PIXM has been tracking this campaign since 2021, when the threat group targeted only Coinbase. Recently, PIXM’s analysts noticed an expansion in the campaign’s targeting scope to include MetaMask, and KuCoin.

Bypassing 2FA

The first phase of the attack on the fake crypto exchange phishing sites is a bogus login form followed by a two-factor authentication prompt.

Whatever credentials are entered at this stage are captured by the threat actors, whether or not they are correct. The page then proceeds to a prompt asking for the 2FA code needed to access the account.

The attackers try the captured credentials on the legitimate website, which triggers the sending of a 2FA code to the victim, who then enters the valid 2FA code on the phishing site.

The threat actors then use the entered 2FA code to log in to the victim’s account, provided they act before the code expires.
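To make the race described above concrete, here is an added Python model of the two-stage relay (it is not code from the article or from PIXM). It shows why a relayed one-time code verifies at the legitimate site as long as the attacker is still inside the server's time window, and contrasts it with an origin-bound second factor in the style of WebAuthn, where the browser writes the requesting page's origin into the signed data so a code obtained on a lookalike page is rejected. The TOTP secret is the RFC 6238 test-vector key so the implementation can be checked against the published values; the origins, device key and challenge are constructed, and the HMAC-based assertion is a simplified stand-in for a real public-key signature.

```python
"""Model of a real-time 2FA relay against a TOTP code and against an origin-bound factor.

Added illustration; not code from the article or from PIXM. Constructed values: the two
origins, the device key and the challenge. The TOTP secret is the RFC 6238 test-vector key.
"""
import base64
import hashlib
import hmac
import struct

# RFC 6238 test-vector key ("12345678901234567890") in the base32 form an authenticator enrols.
SHARED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TOTP_STEP = 30
LEGIT_ORIGIN = "https://exchange.example"          # assumed legitimate site
PHISH_ORIGIN = "https://exchange-support.example"  # constructed lookalike


def totp(secret_b32: str, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def server_verify_totp(submitted: str, now: int) -> bool:
    """Legitimate server: accepts the current step and the previous one (common skew tolerance)."""
    return any(hmac.compare_digest(submitted, totp(SHARED_SECRET_B32, now - skew))
               for skew in (0, TOTP_STEP))


def totp_relay_succeeds(victim_submit_time: int, attacker_replay_time: int) -> bool:
    """The victim types the code shown by their authenticator into the phishing page at
    victim_submit_time; the attacker forwards it to the real site at attacker_replay_time.
    A TOTP code carries no information about where it was typed, so it verifies whenever
    the attacker is still inside the server's window: the 'before the timer runs out' race."""
    code_captured = totp(SHARED_SECRET_B32, victim_submit_time)
    return server_verify_totp(code_captured, attacker_replay_time)


# Origin-bound second factor. Simplified stand-in for a WebAuthn/FIDO2 assertion: the browser,
# not the user, writes the origin of the page that requested the assertion into the signed
# data, and the server compares it with its own origin. An HMAC with a per-device key stands
# in for the real public-key signature; the binding logic is what matters here.

def client_sign_assertion(device_key: bytes, challenge: bytes, page_origin: str) -> dict:
    signed = challenge + b"|" + page_origin.encode()
    return {"origin": page_origin,
            "sig": hmac.new(device_key, signed, hashlib.sha256).digest()}


def server_verify_assertion(device_key: bytes, challenge: bytes, assertion: dict,
                            expected_origin: str) -> bool:
    if assertion["origin"] != expected_origin:
        return False  # relayed from another page: rejected before any signature check
    signed = challenge + b"|" + assertion["origin"].encode()
    expected_sig = hmac.new(device_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(assertion["sig"], expected_sig)


def origin_bound_login(page_origin: str) -> bool:
    """The victim completes the second factor on page_origin and the result reaches the real
    site. Only a browser actually on LEGIT_ORIGIN can produce an assertion the server accepts."""
    device_key = b"constructed-device-key"          # constructed
    challenge = b"constructed-server-challenge-1"   # constructed; issued by the legitimate server
    assertion = client_sign_assertion(device_key, challenge, page_origin)
    return server_verify_assertion(device_key, challenge, assertion, LEGIT_ORIGIN)


if __name__ == "__main__":
    t0 = 1_700_000_010
    print("TOTP relayed within 20 s accepted:", totp_relay_succeeds(t0, t0 + 20))
    print("TOTP relayed after 90 s accepted: ", totp_relay_succeeds(t0, t0 + 90))
    print("Origin-bound factor, real site:   ", origin_bound_login(LEGIT_ORIGIN))
    print("Origin-bound factor, phishing site:", origin_bound_login(PHISH_ORIGIN))
```

The contrast is the practitioner's takeaway: shortening the TOTP window only narrows the race, whereas a factor that binds the response to the page origin removes it, because the victim's browser signs the lookalike origin and the legitimate server never sees a match.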

It should be noted that the MetaMask phishing attacks are targeting recovery phrases, rather than credentials or 2FA codes.

Remote trickery

To get past the trusted-device check, the attackers convince the victim to download and install the ‘TeamViewer’ remote access app.

Next, the scammers ask the victims to log in to their cryptocurrency wallet or exchange accounts, and while they do so, the threat actors add a random character to the password field to cause a login failure.

The attacker then asks the victim to paste the password into the TeamViewer chat, uses the password (minus the random character) to log in from their own device, and then snatches the device confirmation link sent to the victim to get their device authenticated as trusted.

Once they gain access to the account or wallet, the threat actors drain it of all funds while still keeping the victim engaged in the support chat. 

To avoid getting scammed in attacks like these, it is essential to always pay attention to the sender’s email address and any sent URLs.

If these URLs do not match the cryptocurrency platform, you should immediately treat the email as suspicious and delete it.
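The URL advice above is only as good as the comparison behind it, so here is an added Python check (not from the article) that decides whether a link actually points at the platform's domain. It parses the host before comparing, which defeats the tricks a glance or a substring check falls for: the brand name placed in a subdomain of another host, in the path, or in the userinfo part before an '@'. The expected domain and every sample URL are constructed for illustration; none is a real indicator from the campaign.

```python
"""Checking a link against the platform it claims to come from.

Added example, not code from the article. The expected domain is supplied by the caller;
all sample URLs below are constructed and are not indicators from the campaign.
"""
from urllib.parse import urlparse


def host_belongs_to(url: str, expected_domain: str) -> bool:
    """True only when the URL's host is expected_domain itself or one of its subdomains."""
    try:
        parsed = urlparse(url.strip())
    except ValueError:
        return False
    if parsed.scheme not in ("http", "https"):
        return False  # javascript:, data: and friends are never a platform login page
    host = (parsed.hostname or "").rstrip(".").lower()
    expected = expected_domain.strip(".").lower()
    return host == expected or host.endswith("." + expected)


def naive_contains_check(url: str, expected_domain: str) -> bool:
    """The check people do in their heads ('the platform's name is in there somewhere').
    Included only to contrast with host_belongs_to; it accepts most of the samples below."""
    return expected_domain in url


def triage_links(urls, expected_domain: str) -> dict:
    """Map each URL to 'ok' or 'suspicious', e.g. for a mail-filter rule or an awareness demo."""
    return {u: ("ok" if host_belongs_to(u, expected_domain) else "suspicious") for u in urls}


# Constructed samples: the platform domain and every lookalike are illustrative only.
EXPECTED = "platform.example"
SAMPLE_URLS = [
    "https://platform.example/login",
    "https://www.platform.example/settings/security",
    "https://platform.example.account-verify.example/login",  # brand as a subdomain of another host
    "https://platform.example@evil.example/login",            # brand in userinfo; real host follows '@'
    "https://evil.example/platform.example/login",            # brand in the path
    "https://support-platform.azurewebsites.net/",            # cloud-hosted lookalike, as in the campaign
    "https://plаtform.example/login",                         # Cyrillic 'а' homoglyph in the host
]

if __name__ == "__main__":
    for url, verdict in triage_links(SAMPLE_URLS, EXPECTED).items():
        print(f"{verdict:10} naive={naive_contains_check(url, EXPECTED)!s:5} {url}")
```

Only the first two samples come back as "ok"; the naive substring check, by contrast, passes five of the seven, including the userinfo and path variants, which is exactly the gap the attackers' lookalike hosting exploits.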
