
Security researchers found on March 30 that the number of phishing websites targeting Pi Network’s second mainnet migration had surged sharply. Scammers are widely distributing fake two-factor authentication (2FA) links, specifically targeting the more than 119,000 pioneer users who have completed the second migration, in an attempt to trick them into entering their 24-word wallet seed phrase so that their assets can be stolen.
The danger of this wave of attacks comes from its ability to disguise itself—the phishing page’s visual presentation is almost indistinguishable from the official Pi platform. The attack process typically goes as follows:
· Users receive a link that claims to help them complete 2FA verification; the source could be an SMS, a social media post, or a message disguised as a technical support notification.
· After clicking, users see a page that closely resembles the official interface and are asked to enter the complete 24-word seed phrase to “verify your identity.”
· Once the user enters the seed phrase, the scammers gain full control of the wallet and can complete asset transfers within milliseconds, leaving the victim with virtually no chance to stop it.
The official guidance has been reiterated: Pi Network’s seed phrase is the highest-level credential controlling the wallet, and under no circumstances should it be entered anywhere outside the App or disclosed to anyone.
The timing chosen by the scammers is not a coincidence; it precisely exploits how users behave during the active period of the second migration. The second migration includes on-chain confirmations for referral rewards, so the asset amounts involved are potentially larger. Over 119,000 pioneer users are actively looking for migration instructions, place a higher level of trust in “official operation prompts,” and are relatively less on guard.
The scammers exploit this sense of urgency and habitual trust—when users are actively working through the migration flow, a seemingly official “verification step” is the easiest to follow without questioning.
If you have already entered a seed phrase on a suspicious page, time is critical. The following steps are recommended immediately:
· Transfer assets out immediately: Before the scammers complete the transfer, move all PI tokens from the compromised wallet into a brand-new secure wallet as quickly as possible.
· Stop using the old wallet: A wallet whose seed phrase has leaked should be considered no longer secure; revoke all related authorizations.
· Recreate a new wallet: Generate a new 24-word seed phrase and update the related whitelist settings.
· Notify the Pi Core Team: Submit the suspicious situation through the reporting feature in the official App.
Prevention principles are equally critical: Official 2FA exists only within the App. Scam pages often use urgent language such as “your account is about to expire” to pressure users. Stay calm, and carefully verify the source before performing any operation involving seed phrases.
All security verification functions of the official Pi Network only operate inside the official App. The Pi Core Team never sends 2FA links via SMS, email, Telegram, or any third-party website. Any request claiming that a seed phrase must be entered outside the App—no matter how convincing the page looks—should be immediately treated as a scam and the page should be closed.
Time is the key factor. If you act immediately before the scammers complete the transfer, there is a chance to recover some assets. You need to create a new wallet right away and move all assets into the new wallet as quickly as possible. Once the scammers have completed the transfer, assets are usually not recoverable due to the irreversible nature of blockchain transactions; therefore, immediate reaction after discovery is the only effective response.
During the second migration, more than 119,000 users are actively carrying out migration operations. The migration of referral rewards means the potential asset size is larger, and users place a higher level of trust in “official instructions” when looking for migration guidance. This behavior pattern—users actively searching for operation steps—creates ideal conditions for social engineering attacks, which is the core reason scammers choose to concentrate their attacks in this period.