A Comprehensive Guide to Preventing Web3 Phishing and Ensuring Secure Transactions


The new market cycle has brought increased on-chain activity, but with it comes a greater exposure to risks. Malicious actors employ a variety of sophisticated, complex, and hidden phishing methods to trick users into revealing sensitive information, leading to significant asset losses. Common tactics include imitating legitimate wallet websites, hijacking social media accounts, distributing malicious browser extensions, sending phishing emails and messages, and promoting fake applications.

For instance, a common scam involves creating a fake wallet website that looks almost identical to a real one. These sites are often promoted through social media ads, emails, or search engine results, tricking users into entering their private keys or seed phrases. In other cases, phishing actors pose as customer support or community administrators on platforms like Twitter or Discord, sending direct messages that request private wallet information. These methods exploit user trust to steal digital assets.

To help the community improve its security posture, this guide delves into the most common phishing scenarios encountered by Web3 wallet users. It provides actionable strategies and highlights built-in protective features to help you navigate the space safely.

Common Sources of Malicious Information

Replies on Popular Project Twitter Threads

Malicious accounts often post replies under official project tweets. These replies can include phishing links, which users might mistakenly believe are from the official project because of their placement. Some official accounts now add "End of Tweet" markers to their posts to warn users that any replies below could contain malicious links.

Hijacked Official Twitter/Discord Accounts

To appear more credible, phishers sometimes hijack the official social accounts of well-known projects or key opinion leaders (KOLs). They then use these compromised accounts to post phishing links. High-profile examples include the hijacking of Vitalik Buterin's Twitter account and the official TON project Twitter, which were used to distribute fraudulent links and information.

Google Search Ads

Phishers also use Google Search Ads to promote malicious sites. These ads can be crafted to appear as if they are pointing to a project's legitimate domain. However, clicking them redirects the user to a fraudulent phishing website designed to steal information.

Fake Applications

Another common tactic is the distribution of fake or modified applications. For example, a user might download a counterfeit wallet app that, once installed, steals their private keys. There have also been instances of modified Telegram installation packages that alter the destination addresses for token transfers, siphoning funds to the attacker.

Protective Measures: OKX Web3 Wallet's Phishing Detection & Risk Alerts

To combat these threats, the OKX Web3 Wallet incorporates phishing detection and risk alerts. When using the OKX Web3 extension wallet to browse a website, if the domain is known to be malicious, the user will receive an immediate warning. Similarly, when accessing a decentralized application (dApp) through the Discover section of the OKX Web3 app, the wallet automatically performs a risk check on the domain. If it is identified as malicious, access is blocked, and a warning is displayed.

Securing Your Wallet's Private Keys

During Project Interactions or Verification

Be extremely cautious if a website—especially one that mimics a wallet pop-up—asks you to enter your seed phrase or private key during a project interaction or a verification process. This is almost always a sign of a malicious site.

Impersonating Project Support or Administrators

A classic phishing strategy involves an actor pretending to be an official admin or customer support agent on Discord or other community platforms. They will direct you to a website and ask you to input your private keys. Remember: Legitimate support will never ask for your private keys or seed phrase.

Other Common Key Leakage Paths

There are numerous other ways your private keys can be compromised, which is why how you store your seed phrase matters as much as where you enter it.

Safely storing your seed phrase is paramount to securing your assets. The OKX Web3 Wallet, a decentralized self-custody solution, offers multiple secure backup options including iCloud/Google Drive encrypted backups, manual backup, and integration with hardware wallets. It also provides robust security features like support for Ledger, Keystone, and Onekey hardware wallets, where the private keys are stored securely on the physical device, separate from internet-connected devices. Furthermore, OKX offers MPC (Multi-Party Computation) wallets, which eliminate the single point of failure of a traditional private key, and AA (Account Abstraction) smart contract wallets for enhanced security and usability.

4 Major Phishing Scenarios

Scenario 1: Stealing Mainnet Tokens

Phishers often create malicious smart contract functions with deceptive names like "Claim" or "SecurityUpdate." While these functions appear legitimate, their actual logic is empty except for a command that transfers the user's mainnet tokens (like ETH or BTC) to the attacker. The OKX Web3 Wallet's transaction pre-execution feature shows users exactly how their assets and token approvals will change after a transaction is confirmed, providing a crucial layer of review. Furthermore, if the contract or approval address is known to be malicious, a prominent red warning is displayed.

Scenario 2: Similar Address Transfers

In this scheme, phishers monitor the blockchain for large transactions. They then use address spoofing to generate a receiving address that looks very similar to the intended recipient's address (e.g., the first and last few characters match). They may send a $0 transfer or send fake tokens to the victim, polluting their transaction history. The victim might later copy this fraudulent address from their history for a genuine transaction, inadvertently sending funds to the scammer.
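The check a wallet or a cautious user can run against their own history, as an added example (not OKX Wallet code): an address copied from history is compared with the address book, and anything that shares the displayed prefix and suffix of a trusted address while differing in the middle is flagged. All addresses below are constructed sample values, and the four-character prefix/suffix width is an assumption about what a wallet UI truncates to.

```python
"""Flag address-poisoning lookalikes in a wallet's transaction history.
Added example, not OKX Wallet code; every address below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HistoryEntry:
    counterparty: str  # address the transfer went to or came from
    value_wei: int     # amount moved; poisoning transfers are usually 0 or dust
    direction: str     # "in" or "out"


def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address and reject anything that is not one."""
    a = addr.lower()
    if not (a.startswith("0x") and len(a) == 42
            and all(c in "0123456789abcdef" for c in a[2:])):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def looks_alike(candidate: str, trusted: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when candidate matches trusted in the characters wallets usually
    display (first/last few hex digits) but is actually a different address."""
    c, t = normalize(candidate), normalize(trusted)
    if c == t:
        return False
    return c[2:2 + prefix] == t[2:2 + prefix] and c[-suffix:] == t[-suffix:]


def screen_history(history, address_book):
    """Return (suspect, impersonated, reason) for entries that mimic an address-book entry."""
    trusted = {normalize(a) for a in address_book}
    findings = []
    for entry in history:
        c = normalize(entry.counterparty)
        if c in trusted:
            continue
        for t in sorted(trusted):
            if looks_alike(c, t):
                reason = "shares displayed prefix/suffix with a trusted address"
                if entry.value_wei == 0:
                    reason += "; zero-value transfer"
                if entry.direction == "in":
                    reason += "; unsolicited inbound"
                findings.append((c, t, reason))
    return findings


# Constructed sample: one trusted recipient and a poisoning transfer that mimics it.
TRUSTED = "0x1234" + "0" * 32 + "ef90"
POISON = "0x1234" + "f" * 32 + "ef90"
ADDRESS_BOOK = [TRUSTED]
SAMPLE_HISTORY = [
    HistoryEntry(TRUSTED, 5 * 10**17, "out"),
    HistoryEntry(POISON, 0, "in"),
    HistoryEntry("0x" + "9" * 40, 10**18, "in"),
]

if __name__ == "__main__":
    for suspect, impersonated, reason in screen_history(SAMPLE_HISTORY, ADDRESS_BOOK):
        print(f"{suspect} mimics {impersonated}: {reason}")
```

The practical lesson the code makes concrete: the first and last four characters that a wallet shows are only 32 bits of the 160-bit address, so matching them proves nothing; the only safe source of a recipient address is the address book or the full string verified end to end, never an entry copied from history.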

Scenario 3: On-Chain Approvals

This is a highly common attack vector. Users are tricked into signing transactions for functions like approve, increaseAllowance, or setApprovalForAll. This grants a malicious smart contract unlimited or high spending access to the user's tokens. Some advanced attacks use CREATE2 to pre-compute the address of a contract that has not yet been deployed, so the address is absent from basic security databases at the moment the user signs. OKX Web3 Wallet provides clear security reminders for approval transactions, warning users about the risks involved. If the authorized address is known to be malicious, a red warning is shown to prevent the user from proceeding.

Scenario 4: Off-Chain Signatures

Beyond on-chain transactions, phishers can also exploit off-chain signature requests. A common example is an ERC-20 token permit signature, which allows a user to grant token spending power through a signed message instead of an on-chain transaction. If a user signs a malicious permit message, the attacker can use it to drain their tokens. OKX Web3 Wallet is developing enhanced risk prompts for these scenarios, which will parse signature requests and warn users if they involve known malicious addresses.
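The screening that Scenarios 3 and 4 describe, as one added example covering both (not OKX Wallet code): the on-chain case decodes approve/increaseAllowance/setApprovalForAll calldata by its 4-byte selector, and the off-chain case inspects an EIP-2612 Permit message in EIP-712 typed-data form; both are checked for a blocklisted spender, an unlimited amount, and (for permits) a deadline that never expires. The malicious-address list, the token and spender addresses, and the one-year deadline heuristic are constructed assumptions; the three selectors are the standard ones for those function signatures.

```python
"""Pre-signing screen for token approvals (calldata) and EIP-2612 Permit
messages (EIP-712 typed data). Added example, not OKX Wallet code; the
malicious-address list and every address below are constructed."""

UINT256_MAX = 2**256 - 1

# First 4 bytes of keccak256(signature) for the three functions the text names.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

# Constructed placeholder for a threat-intel blocklist (lower-case hex).
KNOWN_MALICIOUS = {"0x" + "bad0" * 10}


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata too short for the declared function")
    return word


def _address(word: bytes) -> str:
    """ABI addresses are left-padded with 12 zero bytes; anything else is malformed."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()


def decode_approval(calldata_hex: str):
    """Decode approve/increaseAllowance/setApprovalForAll calldata; None for other calls."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    signature = SELECTORS.get(data[:4].hex())
    if signature is None:
        return None
    spender = _address(_word(data, 0))
    second = int.from_bytes(_word(data, 1), "big")
    if signature.startswith("setApprovalForAll"):
        if second not in (0, 1):
            raise ValueError("bool argument must be 0 or 1")
        return {"function": signature, "spender": spender, "all_tokens": second == 1}
    return {"function": signature, "spender": spender, "amount": second}


def assess_approval(calldata_hex: str) -> list:
    """Warnings a wallet should surface for an approval call (empty if none apply)."""
    decoded = decode_approval(calldata_hex)
    if decoded is None:
        return []
    warnings = []
    if decoded["spender"] in KNOWN_MALICIOUS:
        warnings.append("spender is a known malicious address")
    if decoded.get("all_tokens"):
        warnings.append("grants operator rights over every token in the collection")
    if decoded.get("amount") == UINT256_MAX:
        warnings.append("unlimited allowance")
    return warnings


def assess_permit(typed_data: dict, now: int) -> list:
    """Screen an EIP-2612 Permit (owner, spender, value, nonce, deadline) before signing."""
    if typed_data.get("primaryType") != "Permit":
        return []
    msg = typed_data["message"]
    warnings = []
    if str(msg["spender"]).lower() in KNOWN_MALICIOUS:
        warnings.append("spender is a known malicious address")
    if int(msg["value"]) == UINT256_MAX:
        warnings.append("unlimited allowance")
    deadline = int(msg["deadline"])
    if deadline == UINT256_MAX or deadline > now + 365 * 86400:
        warnings.append("permit never expires or is valid for more than a year")
    return warnings


# Constructed samples: approve(<blocklisted>, 2**256-1) and a Permit to the same spender.
SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + "bad0" * 10 + "ff" * 32
SAMPLE_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "ExampleToken", "version": "1", "chainId": 1,
               "verifyingContract": "0x" + "11" * 20},
    "message": {"owner": "0x" + "22" * 20, "spender": "0x" + "bad0" * 10,
                "value": str(UINT256_MAX), "nonce": "0", "deadline": str(UINT256_MAX)},
}

if __name__ == "__main__":
    print(assess_approval(SAMPLE_APPROVE))
    print(assess_permit(SAMPLE_PERMIT, now=1_700_000_000))
```

Two design points. Unlimited allowances are legitimately requested by many dApps, so the code reports them as a warning for the user to weigh rather than a hard block, while a blocklisted spender is the finding that should stop the flow. The permit check is the same logic applied off-chain: a Permit signature costs no gas and shows up in no transaction history until the attacker submits it, which is exactly why the wallet has to parse the typed data at signing time.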

Additional Sophisticated Phishing Scenarios

Scenario 5: TRON Account Permissions

The TRON network has a permission system similar to EOS, featuring Owner and Active permissions that can be configured like multi-signature controls. A phisher might trick a user into changing these permissions, granting the attacker control over the account and its assets. For instance, the Owner permission might be set with a threshold of 2, with the user's key having a weight of 1 and the attacker's key having a weight of 2, effectively locking the user out of their own account.
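The arithmetic behind that example, as an added check (not OKX Wallet code) that a wallet could run over a proposed permission update before the user signs it: for each permission it sums the weights of the keys the user holds against the threshold, and separately sums the weights of every other key, so both a lockout (user alone cannot reach the threshold) and a takeover (foreign keys alone can) are reported. The key addresses are labelled placeholders, and the input shape is a simplified assumption rather than the exact TRON protobuf layout.

```python
"""Check a TRON permission update for lockout or takeover before signing it.
Added example, not OKX Wallet code; the key addresses are constructed placeholders."""


def can_authorize(keys: dict, threshold: int, holders: set) -> bool:
    """True if the keys in `holders` carry enough combined weight to reach the threshold."""
    return sum(weight for addr, weight in keys.items() if addr in holders) >= threshold


def assess_permission(name: str, threshold: int, keys: dict, user_keys: set) -> list:
    """keys maps address -> weight, as in a TRON Owner or Active permission."""
    findings = []
    if threshold > sum(keys.values()):
        findings.append(f"{name}: threshold {threshold} can never be met")
    if not can_authorize(keys, threshold, user_keys):
        findings.append(f"{name}: your keys alone cannot reach threshold {threshold}")
    foreign = set(keys) - user_keys
    if foreign and can_authorize(keys, threshold, foreign):
        findings.append(f"{name}: keys you do not control can act without you")
    return findings


def assess_update(permissions: list, user_keys: set) -> list:
    """Screen every permission in a proposed account-permission update."""
    findings = []
    for perm in permissions:
        findings += assess_permission(perm["name"], perm["threshold"], perm["keys"], user_keys)
    return findings


USER = "T_USER_KEY_PLACEHOLDER"          # constructed, not a real TRON address
ATTACKER = "T_ATTACKER_KEY_PLACEHOLDER"  # constructed, not a real TRON address

# The configuration from the text: threshold 2, user weight 1, attacker weight 2.
MALICIOUS_UPDATE = [
    {"name": "owner", "threshold": 2, "keys": {USER: 1, ATTACKER: 2}},
]
# A normal single-key account for comparison.
BENIGN_UPDATE = [
    {"name": "owner", "threshold": 1, "keys": {USER: 1}},
]

if __name__ == "__main__":
    for line in assess_update(MALICIOUS_UPDATE, {USER}):
        print(line)
```

Run on the configuration from the text, the check reports both problems at once: the user's weight of 1 cannot reach the threshold of 2, while the attacker's weight of 2 can, so the update hands over the account outright rather than merely adding a co-signer.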

Scenario 6: Solana Token and Account Authorities

On Solana, an attacker can deceive a user into signing a SetAuthority transaction. This can change the ownership of a user's Associated Token Account (ATA), effectively transferring all tokens within it to the scammer. Another method involves an Assign transaction, which can change the owner of a user's core account from the System Program to a malicious contract.

Scenario 7: EigenLayer's queueWithdrawal

Protocol-specific mechanisms can also be exploited. In EigenLayer, a restaking protocol, the queueWithdrawal function allows a user to specify a withdrawal address. If a user is tricked into signing a malicious queueWithdrawal transaction that specifies the attacker's address, the attacker can claim the user's staked assets after the withdrawal period elapses.

Frequently Asked Questions

What is the number one rule for avoiding Web3 phishing?
Never, under any circumstances, enter your seed phrase or private key on any website. A legitimate Web3 service will never ask for this information.

How can I safely check if a website link is legitimate?
Always navigate to a project's website directly from their official Twitter or Discord bio link. Avoid clicking on links sent in DMs or posted in random replies. Use a wallet like OKX Web3 that offers real-time phishing detection and link screening to get automatic warnings for known malicious sites.

What should I do if a website asks me to sign an 'approve' transaction?
Always scrutinize what contract you are approving and for what amount. Be extremely wary of approvals for unlimited amounts. Use your wallet's transaction preview feature to understand what the transaction will do before you sign.

My private key might be compromised. What are my immediate steps?
If you suspect your key is leaked, immediately transfer all assets to a new, secure wallet address generated from a new, uncompromised seed phrase. Do not use the same seed phrase again.

Are hardware wallets effective against these phishing scams?
Yes. Hardware wallets require you to physically confirm and sign each transaction on the device itself, so malware on your computer cannot sign on your behalf or drain your funds automatically. The protection only holds if you review the details shown on the device's screen before confirming, since a malicious transaction you approve there is still signed.

What makes a wallet like OKX Web3 secure for beginners?
It combines user-friendly features with strong security layers like transaction previews, approval warnings, phishing site blocking, and support for hardware wallets and MPC technology, which removes the burden of managing a single private key.

Exploring the On-Chain World: Safety First

Securely using your Web3 wallet is the most critical step in protecting your digital assets. It is essential to adopt robust preventative measures to guard against evolving threats. Choosing a well-known, security-audited wallet like OKX Web3 is a fundamental step towards a safer on-chain experience.

As one of the industry's most advanced and comprehensive wallets, the decentralized and self-custodial OKX Web3 Wallet provides a unified platform across App, Extension, and Web, supporting over 85 blockchains. It integrates key features like a wallet, DEX, DeFi dashboard, NFT marketplace, and dApp explorer, alongside unique offerings like an Ordinals market, MPC/AA wallets, gas top-up, and hardware wallet support.

Ultimately, in the on-chain world, asset security is paramount. Always remember the three golden rules:

  1. Never enter your seed phrase or private key on any webpage.
  2. Carefully review every transaction before clicking the confirm button in your wallet.
  3. Be skeptical of links obtained from Twitter, Discord, or search engines, as they could be phishing links.

By staying vigilant and leveraging the right tools, you can confidently and securely explore the vast opportunities of Web3.