In-depth explainer on crypto phishing: how scammers use approvals, AI, fake sites, and social engineering to drain wallets, with real case studies, defensive strategies, and trends shaping future attack and defense.
Related headlines
- 2026-04: Phishing drainer hits four wallets for $585K in 11 hours; one victim loses 3 WBTC to increaseApproval sig after Aave withdrawal
- 2026-01: ⚠️ Urgent Security Warning: Sophisticated Phishing Attack on Crypto Community
- 2024-12: A few hours ago a drainer stole $2.2M+ worth of meme coins from a Solana user. Victim was drained due to the WallStreetBets ATO on X/Twitter where a phishing site was posted.
- 2025-01: Telegram malware crypto scams surge 2,000%, outpacing traditional phishing attacks, reports Scam Sniffer.
- 2024-01: CertiK's 𝕏 account apparently compromised, posting inaccurate news about a Uniswap hack tied to a malicious Revoke Cash phishing link. Exercise caution!
- 2024-11: CZ’s Giggle Academy X account hacked, highlighting rising crypto phishing threats during bull run.
Phishing in Crypto: How Scammers Steal Your Coins and How to Stay Safe
In digital finance, phishing is the practice of tricking people into handing over secrets, approvals, or access so that an attacker can steal money or data. In crypto, where transactions are irreversible and wallets often hold large balances, phishing has become one of the dominant ways that scammers drain coins and tokens from unsuspecting users.
What Phishing Means in a Crypto Context
Phishing predates cryptocurrency by decades, evolving from crude email lures into highly targeted campaigns that mimic banks, social networks, and workplaces. In its classic form, a phishing attack impersonates a trusted party, pushes the victim into a hurried decision, and captures credentials or other sensitive data that can later be abused to steal funds. In crypto, the same psychological levers are used, but the technical payload is different: instead of only passwords and credit card numbers, attackers aim to capture seed phrases, private keys, one-time passwords, or transaction approvals that give them direct control over blockchain assets.
Cryptocurrency adds several structural features that make phishing especially potent. Crypto assets typically reside in wallets that are not backed by any government guarantee, and balances are not insured the way deposits in an FDIC‑insured bank account are. Once an attacker moves funds out of a victim’s wallet, there is usually no mechanism for reversing that transaction, and there is no central institution obliged to reimburse the loss. This hard finality is crucial for permissionless finance, but it also means that any error induced by a phishing scam can be catastrophic and permanent for the victim. Phishers exploit this asymmetry by designing schemes where a single mistaken click or signature is enough to hand over control.
The crypto ecosystem has also introduced a new class of phishing beyond credential theft: approval phishing and drainer attacks. Rather than stealing a password or seed phrase directly, attackers convince users to sign blockchain transactions that appear benign but, in reality, grant the attacker broad permissions to move tokens on their behalf. On Ethereum and similar chains, this usually involves an ERC‑20 approve or increaseAllowance call, an ERC‑721/ERC‑1155 setApprovalForAll call, or an off-chain “permit” signature, each of which lets a contract move tokens such as USDC, or an entire NFT collection, without any further consent from the owner. Because these approvals are standard parts of DeFi and NFT usage, malicious requests are easy to camouflage among legitimate interactions.
In parallel, phishing is no longer limited to email. Crypto users are targeted through every channel they use: direct messages on X, Discord, or Telegram, fake “support” chats, search ads that lead to cloned websites, deepfake videos urging users to “move funds for safety,” and even malicious software updates that masquerade as Zoom or wallet upgrades. Attackers have learned to meet users wherever they already trust information, including influencers, project founders, and official-looking interface front-ends. The end goal, however, remains consistent: trick a human into authorizing something the software cannot distinguish from a genuine request.
Modern phishing increasingly leverages artificial intelligence, which makes fraudulent messages more convincing and indistinguishable from legitimate communications. Security researchers and journalists have documented how AI models help scammers mimic victims’ writing styles, generate polished replies, and personalize lures using public social media data. In Web3 communities, this means that messages in DAO chats, DeFi governance forums, and NFT Discords can be spoofed with a level of fluency that undermines traditional red flags like bad grammar or awkward phrasing. Crypto phishing is therefore best understood as a socio‑technical threat: attackers exploit both blockchain mechanisms and human trust to bypass security controls that would otherwise protect digital assets.

Phishing drainer hits four wallets for $585K in 11 hours; one victim loses 3 WBTC to increaseApproval sig after Aave withdrawal

One drainer contract, four victims, $585K gone in 11 hours. The standout loss: 3 WBTC (~$221K) from a wallet that signed a phishing increaseApproval signature moments after withdrawing from Aave — classic pattern of attackers sniping users right when they're still in approval-clicking mode. Officer's Notes flagged the usual hardening stack: RevokeCash, Rabby, and delegate.xyz.

Readers click hardest not on raw theft figures but on the moment a trusted signal — a security firm's X account, a verified influencer handle, an official project domain — becomes the phishing delivery mechanism itself, revealing that betrayal of a familiar voice is more alarming than any dollar amount drained.
Why Crypto Users Are Prime Targets
Phishing thrives wherever high-value assets are accessible through human decisions, and cryptocurrencies concentrate these conditions. Crypto wallets can hold anything from a few dollars in stablecoins to millions in Bitcoin, Ether, or governance tokens, all of which can be transferred globally in minutes. For criminals, this makes individual crypto users and on-chain projects extraordinarily attractive targets. A single successfully phished transaction can yield more money than thousands of traditional stolen credit cards, without the need to monetize data through slower fraud channels.
The design of cryptocurrency markets amplifies these incentives. Coin prices can be extremely volatile, and narratives about “once-in-a-lifetime” opportunities or “limited mints” are common, creating a culture where urgency and fear of missing out feel normal. Phishers piggyback on this environment by promising exclusive airdrops, yield opportunities, or rescue operations that require users to act quickly and ignore their usual caution. When a malicious site announces a “special USDC reward program” or a fake governance token launch, it exploits the same psychological patterns that have drawn people into legitimate DeFi and NFT launches, but with the sole purpose of extracting wallet permissions or seed phrases.
Structural aspects of crypto infrastructure further increase risk. Crypto transactions are not reversible in the way that credit card payments are, and they typically lack the consumer protections that apply to conventional financial instruments. When a card is compromised, banks and card networks often detect unusual activity, freeze accounts, and sometimes reimburse the cardholder. With crypto, there is no comparable guarantee, and many platforms explicitly warn that they cannot recover funds sent to the wrong address or authorized by the user. Attackers exploit this gap by designing phishing campaigns that end as soon as funds are moved on-chain, knowing that recovery will be difficult even for sophisticated victims.
Regulators and consumer protection agencies have underscored these vulnerabilities. The U.S. Federal Trade Commission, for example, warns that cryptocurrencies are a favorite payment method for scammers precisely because payments are fast, hard to trace back to a real-world identity, and difficult to undo. The FTC notes that only scammers demand payment in crypto and emphasizes that legitimate businesses or government agencies do not require consumers to buy or transfer cryptocurrency to resolve problems or claim benefits. Yet many crypto phishing schemes reverse this logic, masquerading as official communications from exchanges, wallets, or tax authorities and insisting that users send coins or sign transactions immediately to “protect” their funds.
The scale of losses demonstrates that phishers are succeeding. A recent analysis by blockchain security firm Hacken found that Web3-related security breaches in a single quarter led to approximately $482 million in losses, with phishing and broader social engineering accounting for about $306 million of that total. Notably, a single phishing incident against a hardware wallet user in that period resulted in losses of roughly $282 million, illustrating how one well-crafted campaign can skew an entire quarter’s statistics. These figures highlight that while smart contract bugs and protocol exploits still matter, phishing has become the primary vector by which funds are drained from end users.
Even large, centralized platforms are impacted by phishing. Services like Coinbase have faced waves of users whose email accounts, SIM cards, or 2FA tokens were compromised through phishing, enabling attackers to log into exchange accounts and withdraw funds. Coinbase and other exchanges have responded by investing heavily in fraud detection, user education, and partnerships with law enforcement to track and prosecute approval-phishing rings that exploit on-chain permissions. But these measures can only mitigate a portion of the risk, because many phishing incidents occur entirely off-platform, targeting self-custodied wallets and decentralized application (dapp) interactions where no centralized intermediary can intervene.
Crypto users are also often early adopters of new tools, chains, and protocols, which creates a perpetual learning curve that attackers can exploit. From novel L2s to experimental staking derivatives, each new interface requires users to connect wallets and sign unfamiliar transactions, sometimes in environments where community norms and security reviews are still evolving. Phishers watch this behavior closely and quickly spin up counterfeit sites, bots, or “verification helpers” that mirror the look and feel of legitimate projects. In this context, even experienced users can be caught off guard, especially when the malicious request arrives while they are already in the mindset of experimenting and taking calculated risks.
- 01 X account takeover drains
  Multiple top-clicked headlines showed verified or high-follower X accounts — WallStreetBets, CertiK, CZ's Giggle Academy, and 15+ smaller handles — hijacked to broadcast phishing links, making trusted feeds the primary attack surface.
- 02 Telegram malware replacing phishing
  Scam Sniffer's report of a 2,000% surge in Telegram-based malware scams over traditional phishing signaled a structural shift in attack vector, including fake safeguard bots that drain wallets mid-conversation.
- 03 Security brand and domain impersonation
  CertiK's account posted a fake Uniswap hack tied to a Revoke Cash phishing link, Nansen's sender identity was spoofed, and Compound Finance's live domain redirected to a phishing site — the brands readers trust for safety were weaponized.
- 04 Investigative exposure of drainer operators
  ZachXBT's 31-minute dox of 'vkevin' and Frankfurt prosecutors' seizure of eXch's phishing drainer infrastructure showed readers that individual scammers and their laundering rails can be identified and dismantled.
- 05 Nation-state LinkedIn recruitment phishing
  Lazarus Group's use of fake job postings on LinkedIn to steal an estimated $3.4bn framed crypto phishing as a geopolitical threat backed by sovereign resources, not just opportunistic retail scams.
- 06 Approval and permit signature mechanics
  Headlines on increaseApproval signatures, $1B+ in cumulative approval phishing losses, Permit2 exploits, and the Hyperliquid EOA-to-multisig upgrade attack attracted readers who needed to understand exactly how a single signed transaction empties a wallet.
Common Phishing Patterns Targeting Crypto
Phishing in crypto takes many forms, but they can be understood as variations on a few recurring patterns. Each pattern combines a social engineering strategy with a technical mechanism for gaining control over assets. Understanding these patterns is crucial for recognizing scams before damage occurs.
Social Engineering and Communication Lures
Many attacks begin with a simple message. It might be a direct message on Telegram from someone claiming to be a project moderator, a fake “support” account on X, or a romance scammer who gradually steers the conversation toward “crypto investments.” The Federal Trade Commission has documented how scammers use online dating platforms to win victims’ trust and then urge them to invest in cryptocurrency schemes or to send coins directly, often under the guise of helping the victim grow their savings. In these scenarios, the phishing element lies in the relationship itself: the attacker impersonates a legitimate romantic partner or business contact to induce the victim to bypass normal skepticism.
Within Web3 communities, attackers frequently pose as respected founders, protocol team members, or well-known influencers. They might offer early access to a new feature, ask for feedback on a prototype, or claim there is an urgent need to “revoke a compromised contract” through a special link. Darktrace, for example, has described campaigns where threat actors created fake startup companies and contacted cryptocurrency users through X, Telegram, or Discord, promising payment in crypto if the target tested their software. The “test” actually involved downloading malware or interacting with malicious binaries that included wallet-draining payloads. Because this outreach mimicked standard business development patterns in Web3, many victims did not recognize it as phishing until funds were gone.
AI-driven phishing intensifies this challenge. According to security reporting, AI systems now analyze public social media posts, imitate specific users’ writing styles, and generate highly personalized messages that feel authentic to their recipients. In Web3, where much of the professional and social activity is public on X, Discord, and LinkedIn, this means attackers can craft lures that reference real DAO votes, past conversations, or niche DeFi protocols, making them far more convincing than generic spam. An AI-enhanced phisher might, for example, send a direct message referencing a specific governance proposal and ask the recipient to “verify their wallet for voting,” linking to a malicious site that harvests signatures or seed phrases.
A more insidious variation is the compromise of social media accounts belonging to crypto projects or community leaders. If an attacker gains access to a founder’s X account, they can post links to fake airdrops or emergency migration tools that many followers will click without hesitation. Security practitioners have identified several warning signs that a Web3 social account has been phished: sudden posting of unapproved promotional content, login alerts from unfamiliar locations, unexplained changes to bio or profile links, abrupt increases in followers, and third-party apps requesting unusual permissions to post or access messages. Because social media accounts often function as the de facto “front page” for DeFi protocols or NFT projects, any compromise can quickly cascade into on-chain losses for followers who trust what they see.
Wallet-Approval and Permit-Based Drainers
One of the most distinctive phishing patterns in crypto today revolves around wallet approvals. On Ethereum and other EVM chains, users routinely sign transactions that grant smart contracts the right to move tokens or NFTs on their behalf. This design enables DeFi protocols like decentralized exchanges and lending markets to function, but it also creates a rich attack surface. Crypto drainers are malicious mechanisms that lure users into signing approvals that delegate token control to attacker-controlled contracts, which then rapidly transfer assets out of the victim’s wallet.
Gurucul’s analysis of crypto drainers breaks down a typical campaign into several stages. First, attackers gain initial access through phishing channels such as fake airdrops, malicious NFT mint pages, compromised legitimate websites, or social media campaigns. Next, the victim is prompted to connect their wallet and sign one or more transactions that appear to be standard actions like minting an NFT, claiming a reward, or setting a trading allowance. Behind the scenes, however, these signatures call functions such as approve, setApprovalForAll, or permit-style methods, granting the attacker’s contract permission to move tokens or NFTs. Once this permission is obtained, the attacker’s drainer contract automatically or programmatically transfers assets away, often in a single block, leaving victims little time to react.
Recent incidents illustrate how devastating approval phishing can be. In one widely reported case, a user lost approximately 316,000 USDC after signing a malicious Permit2 transaction, which gave the attacker the ability to transfer those stablecoins. Blockchain security alerts have documented similar cases where victims signed malicious “permit” transactions, resulting in losses of around 1.76 million USDC in a single incident. In another cluster of attacks, at least four wallets were drained of about $585,000 worth of assets in less than half a day, with one victim losing roughly three wrapped Bitcoin (WBTC) after signing a phishing increaseApproval signature shortly after withdrawing from a lending protocol. These examples show that attackers are not targeting obscure tokens; they focus on liquid assets like USDC and WBTC and exploit standard token interfaces that most DeFi users rely on.
Exchanges and security providers have started to respond. Coinbase has described how it partnered with international law enforcement to identify and bring to justice approval-phishing scammers, focusing on those who ran large-scale drainer operations. By analyzing on-chain patterns and connecting blockchain addresses to real-world actors, investigators have been able to disrupt workflows where phishers induced victims to sign malicious approvals and then laundered stolen crypto through mixing services or centralized exchanges. Yet law enforcement actions, while important, occur after the fact; they cannot restore funds already moved to attacker-controlled wallets or prevent new campaigns from emerging.
Fake Websites, Search Ads, and Google Impersonation
Phishing is not limited to direct messaging. Attackers increasingly exploit search engines and advertising platforms to place malicious sites above the legitimate services users intend to visit. Kaspersky research has shown that cybercriminals purchase Google Ads pointing to convincing clones of well-known tools such as Semrush or even Google Ads itself. When users search for these services, the phishing site appears at the top of results, capturing credentials from those who click and log in. In the crypto context, similar techniques are used to impersonate exchanges, popular dapps, or even wallets like MetaMask and Ledger, tricking users into entering seed phrases or connecting wallets to fraudulent front-ends.
The problem is compounded by hosting platforms and content delivery networks that make it easy to deploy professional-looking sites quickly. Attackers can spin up pixel-perfect copies of a DeFi protocol’s interface, complete with familiar branding and URLs that differ from the original by only a character or two. Unsuspecting users who rely on search rather than bookmarks may arrive at these phishing clones without noticing anything amiss. Once a wallet is connected, the site can present a transaction that appears to be a normal interaction with the protocol but in reality sends funds or approvals to an attacker’s address. Because the underlying smart contracts may be legitimate open-source code deployed in a different context, even experienced users can be fooled.
Defenders recommend behavioral countermeasures as much as technical ones. Security guidance emphasizes bookmarking frequently used sites rather than relying on ad-driven search results, carefully inspecting URLs, and exercising caution with any site reached via sponsored links. Organizations are urged to train employees and community managers to recognize signs of phishing sites, including unexpected prompts for seed phrases and mismatched domain names; a padlock icon or valid TLS certificate is not evidence of legitimacy, since a phishing domain obtains a certificate as easily as any other. For crypto users, a practical rule of thumb is that no legitimate site—whether Google, Coinbase, or a DeFi protocol—will ever need a seed phrase or private key to perform ordinary operations; any request for such data is a near-certain indicator of phishing.
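The URL inspection the guidance above asks users to do by eye can be automated at the point where a wallet is about to connect. The following is an added example, not code from the page or from any wallet or browser vendor: it compares a URL's host against a constructed bookmark list and flags the three tricks described above, a domain that differs by a character or two, a trusted name buried as a subdomain of an unrelated registrable domain, and look-alike Unicode or punycode hosts. The two-label registrable-domain rule is an assumption that stands in for the Public Suffix List.

```python
"""Check a URL's host against bookmarked dapp and exchange domains before connecting a wallet.

Added example, not code from the original page. BOOKMARKS is a constructed
allowlist; registrable_domain() uses a two-label rule instead of the Public
Suffix List, which is an assumption that holds for .org/.cash/.com.
"""
import unicodedata
from urllib.parse import urlsplit

BOOKMARKS = {"app.uniswap.org", "revoke.cash", "www.coinbase.com"}  # constructed


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: no multi-label public suffixes)."""
    return ".".join(host.split(".")[-2:])


def normalize_host(url: str) -> str:
    """Lower-case the host, decode punycode labels, and fold Unicode confusables (NFKC)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode is left as-is and flagged below
        labels.append(label)
    return unicodedata.normalize("NFKC", ".".join(labels)).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(url: str) -> tuple:
    """Return (verdict, reason); only a bookmark or its registrable domain is OK."""
    host = normalize_host(url)
    if host in BOOKMARKS:
        return ("OK", "exact bookmark match")
    if any(ord(c) > 127 for c in host):
        return ("PHISH", "non-ASCII characters in host (possible homoglyph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("PHISH", "punycode label that could not be decoded")
    reg = registrable_domain(host)
    trusted_regs = {registrable_domain(b) for b in BOOKMARKS}
    if reg in trusted_regs:
        return ("OK", f"subdomain of bookmarked registrable domain {reg}")
    for good_reg in trusted_regs:
        if good_reg in host:
            return ("PHISH", f"embeds trusted name '{good_reg}' under unrelated domain '{reg}'")
        if edit_distance(reg, good_reg) <= 2:
            return ("PHISH", f"'{reg}' is within 2 edits of bookmarked '{good_reg}'")
    return ("UNKNOWN", "not bookmarked; open the site from your own bookmark instead")


if __name__ == "__main__":
    for u in ["https://app.uniswap.org/swap",
              "https://app.uniswap.org.claim-rewards.com/",
              "https://app.unlswap.org/",
              "https://app.unisw\u0430p.org/"]:  # last host contains a Cyrillic 'а'
        print(u, classify_host(u))
```

The important design choice is that an unknown host is never promoted to "OK": the only positive signal is a match against something the user bookmarked themselves, which is exactly the habit the guidance recommends.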
Malware, Fake Software, and Wallet-Draining Payloads
Not all crypto phishing occurs in the browser. Some campaigns rely on users installing malicious software that includes wallet-draining components. Darktrace researchers have documented an ongoing campaign in which attackers pose as employees of fake meeting software startups and contact Web3 workers via social platforms. The victims are invited to test a new video conferencing app and promised cryptocurrency payments for feedback. They are directed to what appears to be a company website, where they download a macOS DMG or a Windows Electron application. Hidden within this software is an information stealer, sometimes based on tools like the Realst malware, which targets crypto wallets and other sensitive data. Once installed, the malware can exfiltrate private keys, seed phrases stored in files, or wallet configurations, enabling attackers to drain associated accounts.
Supply chain attacks extend this model further by targeting developers and infrastructure providers. Socket has reported on a malicious npm package that specifically targeted TON wallet integrations, stealing wallet keys from applications that unwittingly incorporated the poisoned dependency. Because many Web3 projects rely on open-source packages and dependencies, a compromised library can propagate to many downstream apps, potentially exposing entire user bases to wallet theft. In these cases, phishing may occur at the developer level: a maintainer might be tricked into granting publish access to a malicious actor or installing a compromised tool that modifies package code.
Even familiar tools like videoconferencing and browser plugins can become delivery vehicles. Industry reporting has highlighted phishing campaigns that distribute “security updates” for Zoom or other widely used applications, which in reality are trojanized installers carrying cryptostealing malware. Chrome extensions that promise to optimize gas fees or enhance NFT discovery have likewise been found to include hidden code that intercepts Web3 provider calls, injects malicious approvals, or transmits wallet data to attacker servers. These threats blur the line between traditional malware and crypto-specific phishing, reinforcing the need for holistic endpoint security alongside blockchain literacy.
Cold Wallet and Hardware Wallet Phishing
Hardware wallets and other forms of cold storage are among the strongest tools for securing private keys, but they are not a magic shield against phishing. The core advantage of hardware wallets is that private keys never leave the device; transactions must be physically confirmed on the device itself. However, if a user is tricked into confirming a malicious transaction, the hardware wallet will faithfully sign it, since it cannot know the user’s intentions; and when the device cannot decode the contract call it is asked to sign, it shows only an opaque hash (“blind signing”), so pressing the button on the device adds no protection at all. Phishers therefore adapt their tactics to focus on what happens before the signature: the messages and interfaces that persuade users to sign.
One documented scam uses the language of “Web3 wallets” and fake security advice to target hardware wallet users. Attackers post short videos on platforms like YouTube, TikTok, and Facebook, often stealing footage from well-known crypto influencers and overlaying text urging viewers to “secure all your crypto by moving it to Web3” or similar claims. Victims are guided to download a legitimate wallet app such as SafePal, set it up with a new seed phrase, and then visit an external website that supposedly connects the wallet to “Web3 security.” The website instructs users to back up or “link” their wallet by entering the seed phrase into a form, sometimes under the pretense of verification. In reality, this hands full control of the wallet to the scammer, who can then transfer any assets the victim later sends to that wallet.
Security research on hardware wallets underscores that most commercially available devices with secure element chips provide strong protection against physical tampering but cannot prevent users from being deceived into approving bad transactions. Studies have found no real-world evidence that factors like EAL6 versus EAL5 secure element certification, pure air-gapping, or Bitcoin-only support automatically make a wallet more resistant to phishing. Instead, the most important defenses are user-facing: clear transaction prompts, robust verification of destination addresses, and education about the fact that no website or app should ever ask for a hardware wallet’s seed phrase. Even high-end devices cannot compensate if a user types their recovery phrase into a phishing form or signs a transaction they do not understand.
This dynamic explains why some of the largest crypto thefts connected to hardware wallets have actually been phishing incidents rather than device hacks. Attackers focus not on breaking secure elements, but on hijacking email accounts, exploiting address book trust, and deploying fake recovery portals or firmware updates that convince users to reveal secrets or grant approvals. Law enforcement agencies have occasionally been able to recover funds after such attacks, tracking them through blockchain analysis and working with exchanges to seize assets when they hit KYC-perimetered services. Yet these cases are the exception; in most incidents, the funds are quickly swapped, bridged, and mixed in ways that make restitution unlikely.
AI-Powered and 2FA-Bypass Phishing
AI and cloud-based phishing kits have made it significantly easier for less technical attackers to run sophisticated campaigns. Microsoft and Europol recently detailed how they helped disrupt a service known as Tycoon 2FA, which had been active since at least 2023 and enabled thousands of cybercriminals to bypass multifactor authentication. Tycoon 2FA operated as a phishing-as-a-service platform: subscribers could create fake login pages for services like Microsoft 365, Outlook, and Gmail, trick victims into entering credentials and 2FA codes, and then capture active session cookies that allowed them to log in as the victim without triggering new alerts. By mid‑2025, Tycoon 2FA was implicated in roughly sixty‑two percent of the phishing attempts Microsoft blocked, accounting for tens of millions of emails per month and an estimated ninety‑six thousand distinct victims.
While Tycoon 2FA targeted enterprise email accounts, the same techniques can indirectly affect crypto users. If an attacker uses such a platform to compromise the email and 2FA-protected accounts of someone who has exchange logins or password manager access, they can quickly pivot to drain assets from those accounts. Coinbase and other exchanges have therefore emphasized the importance of strong session controls, hardware security keys, and scrutiny of unexpected messages, even in environments where 2FA is already in place. At the same time, they have contributed threat intelligence to law enforcement operations against these phishing services, recognizing that shutting down large-scale phishing infrastructure can reduce risk across the entire digital ecosystem.
AI itself is also being used to automate and personalize phishing campaigns, including those targeting crypto. DLNews and other outlets have reported that AI tools help cybercriminals craft more believable messages, optimize phishing sites for conversion, and even dynamically adjust scams based on victims’ responses. In Web3, AI can be tasked with monitoring on-chain activity and social feeds to identify high-value targets—for example, wallet addresses that recently received large USDC transfers from a DeFi protocol—and then trigger customized phishing messages that reference those transactions. Combined with services like Tycoon 2FA, this creates an environment where even well-guarded accounts are at risk from sophisticated, scalable phishing operations.
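The reason the hardware security keys mentioned above stop a relaying kit like Tycoon 2FA is that a WebAuthn assertion is bound by the browser to the origin the user is actually on, so a proxy on a look-alike host cannot replay it against the real service. The block below is an added example, not code from the page, Microsoft, or any relying party: it implements the origin, challenge and RP-ID checks a relying party performs on an assertion, with a constructed relying party (login.example) and constructed assertions. The ECDSA signature check over authenticatorData and the clientDataJSON hash is omitted here because it needs a crypto library; that omission is an assumption of the example, not of the protocol.

```python
"""Why a FIDO2/WebAuthn security key defeats a credential-relaying phishing kit.

Added example, not code from the original page. RP_ID, ALLOWED_ORIGINS and the
assertions are constructed. Assumption: the caller verifies the authenticator's
signature over authData || sha256(clientDataJSON) separately.
"""
import base64
import hashlib
import json

RP_ID = "login.example"                      # hypothetical relying party
ALLOWED_ORIGINS = {"https://login.example"}  # origins the RP serves its login page from


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion(expected_challenge: bytes, client_data_b64: str, auth_data_b64: str) -> tuple:
    """Return (ok, reason) after the browser-bound checks of a WebAuthn 'get' ceremony."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return (False, "wrong ceremony type")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return (False, "challenge mismatch (replayed or stale)")
    # The browser, not the page, writes `origin`; a kit proxying from another host cannot forge it.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return (False, f"origin {client_data.get('origin')} is not the relying party")
    auth_data = b64url_decode(auth_data_b64)
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return (False, "rpIdHash mismatch")
    if not auth_data[32] & 0x01:
        return (False, "user-presence flag not set")
    return (True, "origin-bound assertion accepted")


def make_assertion(origin: str, challenge: bytes, rp_id: str = RP_ID) -> tuple:
    """Constructed assertion as a browser at `origin` would produce it (signature omitted)."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    # authenticatorData: rpIdHash (32) || flags (1, UP set) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")
    return (b64url(json.dumps(client_data).encode()), b64url(auth_data))


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; real challenges are random per ceremony
    print("genuine :", verify_assertion(challenge, *make_assertion("https://login.example", challenge)))
    print("relayed :", verify_assertion(challenge, *make_assertion("https://login-example.phish", challenge)))
```

A phishing page cannot even request the genuine RP ID, because the browser only allows an RP ID that is a registrable suffix of the page's own domain; if the kit uses its own RP ID the rpIdHash check fails, and if it somehow presents the right RP ID the origin check fails. Either way the relayed assertion is rejected, which is the property a TOTP code or push approval does not have.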

⚠️ Urgent Security Warning: Sophisticated Phishing Attack on Crypto Community

They target owners of major cryptocurrency... they have the tendency to have more.
Timeline
- Approval phishing losses begin accumulating; Coinbase later tracks cumulative total crossing $1B
- 2023-12 (exploit): Ledger Connect Kit supply chain compromised via phishing of former employee; CEO calls it 'isolated event'
- 2024-07 (exploit): Compound Finance live website hijacked and redirected to freshly registered phishing domain
- 2024-09 (milestone): 10,000 victims lose $46M to phishing in one month; Q3 2024 phishing total reaches $127M
- 2025-04 (regulatory): Frankfurt prosecutors seize eXch exchange (€34M) and linked phishing drainer infrastructure
- 2025-05 (exploit): $330.7M BTC socially engineered from elderly victim; funds laundered via Monero causing 50% XMR price spike
How Approval-Based Crypto Drainers Work
Among the many phishing patterns in crypto, approval-based drainers deserve special attention because they exploit features that are otherwise central to DeFi. Understanding how these attacks operate can help users distinguish legitimate permission requests from dangerous ones.
Token Approvals, Permits, and Unlimited Allowances
On Ethereum and other EVM-compatible chains, ERC‑20 tokens follow a standard interface that includes functions like approve, allowance, and transferFrom. Rather than giving a DeFi protocol direct custody of tokens, users typically approve the protocol’s smart contract to spend a certain amount of their tokens on their behalf. For example, before swapping USDC for ETH on a decentralized exchange, a user might call approve to allow the exchange’s router contract to spend a specified amount of USDC. The contract can then call transferFrom to move those tokens during the swap, without further interaction from the user.
To reduce friction, many dapps request so-called “unlimited” or very large allowances, asking users to approve far more tokens than the immediate transaction requires. This avoids repeated approvals and saves gas, but it also creates risk. If the contract with that allowance is compromised or if the user is tricked into approving a malicious contract, the holder of that allowance can drain all tokens of that type from the wallet up to the approved limit. NFTs follow a similar pattern: ERC‑721 and ERC‑1155 tokens implement setApprovalForAll, which allows a marketplace contract to transfer any of the user’s NFTs in a collection once approved.
Permit-based mechanisms such as EIP‑2612 and extensions like Permit2 build on this model by allowing users to sign approvals off-chain and submit them as messages, rather than sending on-chain approval transactions themselves. This is more gas-efficient and flexible but also easier to weaponize. Attackers can craft a Permit or Permit2 message that, when signed, gives them permission to transfer tokens like USDC from the victim’s wallet. If the victim believes they are signing a harmless message—perhaps to log in, verify a wallet, or claim an airdrop—they may not realize they have authorized a significant token allowance.
Revoke tools such as Revoke.cash were created to mitigate these risks by giving users an interface to inspect and revoke existing token approvals across a wide range of networks. When a user connects their wallet, the tool queries which contracts are allowed to spend their tokens or NFTs and lets them send revocation transactions, resetting allowances to zero where necessary. Importantly, revoking approvals is a preventive or limiting measure; it cannot recover funds that have already been transferred out under previously granted permissions. Nonetheless, regularly reviewing and revoking unnecessary approvals significantly reduces the potential blast radius if a contract is later compromised or if a phishing campaign targets those allowances.
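The approval mechanics above can be checked before a signature is given. The following is an added example, not code from the article or from Revoke.cash: it decodes the calldata of a pending transaction and flags approve, increaseApproval/increaseAllowance and setApprovalForAll calls that would grant an unlimited or excessive allowance to an unfamiliar spender. The spender addresses, balances and trusted list are constructed.

```python
"""
Pre-signature triage of EVM calldata (added example, constructed inputs).
Flags approval-granting calls that would hand an unlimited or excessive
allowance to a spender the user has not marked as trusted.
"""
from dataclasses import dataclass
from typing import Optional

UINT256_MAX = 2**256 - 1

# 4-byte selectors: the first four bytes of keccak256 of the signature.
# Hard-coded because Python's standard library has no keccak256
# (hashlib.sha3_256 is a different function).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "d73dd623": "increaseApproval(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}


@dataclass
class Finding:
    function: str          # decoded function name, or "other"
    spender: str           # lowercase 0x address of the would-be spender
    amount: Optional[int]  # token amount; None for setApprovalForAll
    risk: str              # "none", "medium" or "high"
    reason: str


def _word(raw: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * index
    return raw[start:start + 32]


def encode_call(selector: str, spender: str, value: int) -> str:
    """Build calldata for an (address,uint256) or (address,bool) call.
    Used here only to construct sample transactions."""
    spender_word = bytes.fromhex(spender.removeprefix("0x")).rjust(32, b"\x00")
    return "0x" + selector + spender_word.hex() + value.to_bytes(32, "big").hex()


def triage_calldata(calldata: str, balance: int, trusted: set[str]) -> Finding:
    """Classify one transaction's calldata.

    balance: the wallet's current balance of the token being approved.
    trusted: lowercase spender addresses the user has deliberately vetted.
    For increaseApproval/increaseAllowance the argument is a delta; it is
    judged with the same thresholds because the resulting allowance is at
    least that large.
    """
    raw = bytes.fromhex(calldata.removeprefix("0x"))
    name = SELECTORS.get(raw[:4].hex(), "other")
    if name == "other" or len(raw) < 4 + 64:
        return Finding("other", "", None, "none", "not an approval-granting call")

    spender = "0x" + _word(raw, 0)[12:].hex()   # address is right-aligned in the word
    value = int.from_bytes(_word(raw, 1), "big")
    known = spender in trusted

    if name.startswith("setApprovalForAll"):
        if value == 0:
            return Finding(name, spender, None, "none", "revokes operator status")
        return Finding(name, spender, None, "medium" if known else "high",
                       "operator may move every NFT in the collection")
    if value == 0:
        return Finding(name, spender, 0, "none", "revocation (allowance reset to zero)")
    if value == UINT256_MAX:
        return Finding(name, spender, value, "medium" if known else "high",
                       "unlimited allowance")
    if value > balance:
        return Finding(name, spender, value, "medium" if known else "high",
                       "allowance exceeds current balance")
    return Finding(name, spender, value, "none" if known else "medium",
                   "bounded allowance")


if __name__ == "__main__":
    router = "0x" + "11" * 20      # constructed: a vetted DEX router
    unknown = "0x" + "22" * 20     # constructed: a contract never seen before
    usdc_balance = 1_000 * 10**6   # 1,000 USDC (6 decimals)
    for cd in (encode_call("095ea7b3", unknown, UINT256_MAX),
               encode_call("095ea7b3", router, 500 * 10**6)):
        print(triage_calldata(cd, usdc_balance, {router}))
```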
The Lifecycle of a Drainer Campaign
A typical crypto drainer campaign follows a relatively structured lifecycle, combining social engineering with on-chain mechanics. Initially, attackers need to get victims to a controlled environment, which could be a fake NFT mint site, a counterfeit DeFi interface, or a phishing page embedded in a compromised legitimate site. They often lure users with promises of generous airdrops, rare NFT mints, or exclusive staking opportunities. In some cases, they hijack existing social media channels or exploit trending hashtags and topics to drive traffic to their pages.
Once a victim arrives at the malicious site, they are prompted to connect their wallet using a standard Web3 connector like WalletConnect or browser-injected providers. This step appears identical to legitimate dapp interactions, which is why many victims do not recognize the danger. The site may show a familiar-looking interface or replicate the UI of a well-known protocol. At some point, the victim is presented with a transaction or signature request that is framed as necessary for claiming rewards, verifying ownership, or approving a trade. The critical detail is that this transaction actually calls a permission-granting function on a contract controlled by the attacker, often with an unlimited allowance.
After acquiring the approval, the attacker’s drainer logic springs into action. In some cases, the malicious contract automatically initiates a sequence of transfers, moving tokens from the victim’s wallet to one or more attacker-controlled addresses. In others, a backend service monitors the blockchain for newly granted approvals and triggers separate drain transactions, sometimes bundling multiple victims’ assets into aggregator contracts to obfuscate flows. Because Ethereum and similar chains settle quickly, this draining process can complete within seconds or a few minutes of the victim’s signature, leaving almost no time for intervention even if the user notices something wrong.
One of the features that make these attacks effective is their modularity. Drainer code can be sold or leased to different criminal groups, who customize only the front-end lures while reusing the core approval and transfer logic. Coinbase’s investigation into approval phishing scammers showed how these operations often resemble franchises, with common smart contract templates and laundering patterns across seemingly separate campaigns. As a result, security firms and exchanges sometimes spot clusters of attacks that share unusual function calls or transaction patterns, enabling them to attribute incidents to known drainer families even when the front-end phishing pages differ.
Case Studies: USDC and WBTC Drains
Stablecoins like USDC are prime targets for approval phishing because they maintain a steady dollar value and are widely accepted across DeFi and centralized exchanges. In the previously mentioned case highlighted by Phemex, a victim signed a malicious Permit2 transaction that allowed the attacker to transfer approximately \(316{,}000\) USDC from their wallet. Permit2, designed to streamline token approvals across applications, became the vehicle for the scam because the user likely did not recognize that the signature they were asked to provide would authorize large transfers rather than perform a simple login or verification.
In another instance documented by blockchain observers, a user lost around \(1.76\) million USDC after signing a malicious permit transaction. Here again, the phishing component was subtle: the victim was persuaded to sign what they perceived as a routine message, perhaps related to staking or airdrop claims, which masked the true nature of the permission they were granting. Once the permit was on-chain, the attacker swiftly executed transfers, draining the stablecoins to addresses under their control and then likely dispersing them through additional transactions to complicate tracking.
Wrapped Bitcoin, or WBTC, also figures in drainer operations, especially where users are interacting with lending or leveraged trading protocols. In a cluster of attacks shared on social media, four victims lost a combined \(585{,}000\) USD in assets within about eleven hours, including a wallet that had just withdrawn funds from Aave and then signed a phishing increaseApproval transaction. That signature expanded the allowance for a malicious contract, which then pulled approximately three WBTC from the wallet. Because the victim had just performed an unrelated legitimate transaction, the phishing signature likely arrived in a context where approving another transaction seemed routine, illustrating how attackers exploit user workflows.
Data from Hacken suggests that such incidents are not isolated. In one quarter, phishing schemes accounted for roughly \(306\) million USD of the \(482\) million USD in Web3-related losses, with a single hardware wallet phishing case contributing \(282\) million USD. While not all of these were approval-based drainers, many involved deceptive signatures or transaction prompts rather than traditional private key theft. Collectively, they exemplify how attackers have shifted from exploiting smart contract vulnerabilities to manipulating the human layer of transaction authorization.
Why Revoking Approvals Matters (and Its Limits)
Given the role of approvals in drainer attacks, revoking them is a key defensive tactic. Tools like Revoke.cash allow users to inspect which smart contracts currently have permission to spend their tokens or NFTs and to send revocation transactions that set allowances back to zero. By periodically cleaning up unused approvals—especially those granted to NFT marketplaces, DeFi protocols no longer used, or unfamiliar contracts—users reduce the number of potential channels through which an attacker could drain funds, whether via contract compromise or future phishing.
Revocation is particularly important after a confirmed or suspected phishing incident. If a user realizes they have interacted with a malicious site or signed a suspicious transaction, they should immediately check their approvals, sorting by the most recent ones, and revoke any entries associated with unknown contracts or those flagged by security tools. While this cannot recover assets that have already been transferred out, it can prevent further losses if the attacker has not yet fully exploited the permissions they obtained. In many drainer campaigns, attackers script their operations to quickly sweep all available assets, but in others, they may stagger withdrawals or wait for the victim to deposit more tokens into the approved wallet.
Revoke.cash and similar services also emphasize that merely disconnecting a wallet from a dapp does not remove approvals or meaningfully reduce risk. Disconnecting typically only prevents the site from seeing the wallet’s address or requesting new signatures; it does not affect the on-chain state of token allowances. Likewise, moving assets to a new wallet is often recommended after a serious compromise, since attackers may still have lingering approvals or other footholds even if current balances have been evacuated. Ultimately, revocation is one element in a broader defense strategy, which must also include skepticism toward unknown links, careful review of transaction details, and strong endpoint and account security.
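The review-and-revoke routine described in this section can be reproduced from on-chain data. The following is an added example, not code from the article or from Revoke.cash: it rebuilds a wallet's open ERC-20 allowances from Approval events, lists them newest first with a risk label, and produces the calldata for approve(spender, 0). The events, token and addresses are constructed.

```python
"""
Allowance audit from ERC-20 Approval events (added example, constructed data).
Caveat kept in mind by the code: Permit2 allowances live inside the Permit2
contract, so a token-level scan only shows an allowance granted to Permit2
itself; those must be reviewed and revoked through Permit2 separately.
"""
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1
APPROVE_SELECTOR = "095ea7b3"   # approve(address,uint256)


@dataclass(frozen=True)
class ApprovalEvent:
    block: int
    token: str
    owner: str
    spender: str
    value: int   # ERC-20 Approval carries the new allowance, not a delta


def current_allowances(events, owner):
    """Latest Approval per (token, spender) is the live allowance; zero means revoked."""
    latest = {}
    for ev in sorted(events, key=lambda e: e.block):
        if ev.owner.lower() != owner.lower():
            continue
        latest[(ev.token.lower(), ev.spender.lower())] = (ev.block, ev.value)
    return {key: val for key, val in latest.items() if val[1] > 0}


def audit(events, owner, trusted):
    """Return open allowances, newest first, each with a revoke/review/ok label."""
    trusted = {a.lower() for a in trusted}
    rows = []
    for (token, spender), (block, value) in current_allowances(events, owner).items():
        if spender not in trusted:
            risk = "revoke: unknown spender"
        elif value == UINT256_MAX:
            risk = "review: unlimited allowance to trusted spender"
        else:
            risk = "ok"
        rows.append({"block": block, "token": token, "spender": spender,
                     "value": value, "risk": risk})
    rows.sort(key=lambda r: r["block"], reverse=True)   # most recent approvals first
    return rows


def revocation_calldata(spender):
    """Calldata for approve(spender, 0); the transaction goes to the token contract."""
    word = bytes.fromhex(spender.removeprefix("0x")).rjust(32, b"\x00").hex()
    return "0x" + APPROVE_SELECTOR + word + "00" * 32


if __name__ == "__main__":
    # Constructed sample: one stablecoin, one vetted router, one stale dapp
    # that was already revoked, and one unknown contract approved last.
    owner = "0x" + "aa" * 20
    token = "0x" + "01" * 20
    router, old_dapp, unknown = ("0x" + "11" * 20, "0x" + "33" * 20, "0x" + "22" * 20)
    sample = [
        ApprovalEvent(100, token, owner, router, UINT256_MAX),
        ApprovalEvent(150, token, owner, old_dapp, 500_000_000),
        ApprovalEvent(160, token, owner, old_dapp, 0),
        ApprovalEvent(200, token, owner, unknown, UINT256_MAX),
    ]
    for row in audit(sample, owner, {router}):
        print(row["risk"], row["spender"], revocation_calldata(row["spender"]))
```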
- Approval phishing and malicious permit signatures have drained over $1B since 2021, with drainers routinely using increaseApproval and Permit2 flows to empty wallets in a single user-signed transaction.
- X account takeovers of security firms, project accounts, and influencers convert high-trust audiences into phishing targets at scale; SlowMist found the majority of replies to prominent project tweets originate from phishing accounts.
- Messaging-app malware (High): Telegram-based malware crypto scams surged 2,000% year-over-year per Scam Sniffer, with fake safeguard bots and clipboard hijackers now outpacing traditional link-based phishing in volume.
- Malicious NPM packages distributed via phishing targeted Ethereum, Solana, and TON developers; the Ledger Connect Kit incident confirmed that hardware wallet vendors' developer toolchains are viable phishing entry points.
- Regulatory / law enforcement (Medium): Frankfurt prosecutors' seizure of eXch and its phishing drainer infrastructure demonstrates growing cross-border enforcement capability, but most drainer operators remain pseudonymous and jurisdiction-agnostic.
- Protocol-layer primitive abuse (Medium): The Hyperliquid EOA-to-multisig phishing attack weaponized a native HyperCore multisig primitive to seize full account control without exploiting any smart contract bug, showing that legitimate protocol design features can become attack surfaces.
Off-Chain Identity and Account Phishing
Phishing in crypto is not confined to on-chain transactions and smart contract interfaces. Attackers also aim to compromise the broader identity and account infrastructure that surrounds crypto activity: email, cloud storage, social media, and developer tools. These off-chain compromises can be just as damaging as direct wallet phishing because they often lead to control over exchange accounts, project admin panels, or code repositories.
Email, SMS, and 2FA-Bypass Kits
Email remains a foundational identity layer for most online services, including crypto exchanges and wallet providers. Phishing kits like Tycoon 2FA exploit this by impersonating login pages for services such as Microsoft 365, Outlook, and Gmail, capturing credentials and session cookies from victims. Unlike traditional phishing pages that only collect passwords, Tycoon 2FA is designed to defeat multifactor authentication by operating as a man-in-the-middle: when a victim submits credentials and then a 2FA code, the kit forwards those to the real site, captures the resulting session cookie, and uses that cookie to access the account without triggering further prompts. This allows attackers to log in as the victim, sometimes for extended periods, without needing continuous interaction.
Once inside a victim’s email account, a phisher can reset passwords for crypto exchanges, cloud-based wallets, and password managers, or comb through messages for hints about seed phrases and private keys. Because many crypto services still rely on email for account recovery or transaction confirmations, control over email can be equivalent to control over funds. Even where exchanges like Coinbase have introduced additional security layers, such as device whitelisting and anomaly detection, a compromised email account significantly increases risk. Attackers can also use harvested email accounts to pivot into business environments, targeting colleagues and clients in B2B Web3 contexts.
SMS-based phishing, or “smishing,” poses similar threats. Attackers send text messages that appear to originate from a mobile carrier, bank, or even an exchange, urging the recipient to click a link and log in to resolve an urgent issue. The landing page, of course, is a phishing site that collects credentials and sometimes 2FA codes. SIM swapping—convincing carrier support staff to reassign a phone number to a new SIM card—can also be initiated through social engineering, allowing attackers to intercept SMS 2FA codes and password reset tokens. While hardware security keys and app-based authenticators offer stronger protection, attackers are increasingly turning to platforms like Tycoon 2FA that specialize in circumventing these measures.
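The man-in-the-middle flow described above leaves traces on the legitimate service's side. The following is an added example, not code from the article or from any vendor: it runs two simple detections over constructed authentication log lines, one for MFA completing from an IP the user has never logged in from (during a relay, the service sees the proxy rather than the victim's device), and one for a session cookie later presented from a different client than the one that completed MFA (the captured cookie being imported elsewhere).

```python
"""
Adversary-in-the-middle session replay detection (added example, constructed logs).
Signal 1 also fires on legitimate travel, so it is a corroborating signal to
combine with others, not a verdict on its own.
"""
import json

# Constructed sample: alice's normal login from her usual IP, then a login whose
# MFA step comes from an unfamiliar IP, followed by use of that session from a
# third client, the shape an AiTM kit relaying credentials and MFA would produce.
SAMPLE_LINES = [
    '{"ts": 1000, "user": "alice", "session": "S1", "event": "mfa_ok", "ip": "203.0.113.10", "ua": "Firefox/120"}',
    '{"ts": 1100, "user": "alice", "session": "S1", "event": "session_use", "ip": "203.0.113.10", "ua": "Firefox/120"}',
    '{"ts": 2000, "user": "alice", "session": "S2", "event": "mfa_ok", "ip": "198.51.100.7", "ua": "Chrome/118"}',
    '{"ts": 2300, "user": "alice", "session": "S2", "event": "session_use", "ip": "192.0.2.55", "ua": "Chrome/121"}',
]

# Constructed: IPs seen on each user's previous successful logins.
KNOWN_IPS = {"alice": {"203.0.113.10"}}


def load_records(lines):
    """Parse one JSON object per line into a list of dicts."""
    return [json.loads(line) for line in lines if line.strip()]


def detect_aitm_replay(records, known_ips):
    """Return alerts in time order.

    records: dicts with ts, user, session, event ("mfa_ok" or "session_use"), ip, ua
    known_ips: {user: set of IPs seen on earlier successful logins}
    """
    bound = {}    # session id -> (ip, ua) of the client that completed MFA
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        sid = rec["session"]
        if rec["event"] == "mfa_ok":
            bound[sid] = (rec["ip"], rec["ua"])
            if rec["ip"] not in known_ips.get(rec["user"], set()):
                alerts.append({"kind": "mfa_from_new_ip", "user": rec["user"],
                               "session": sid, "ip": rec["ip"], "ts": rec["ts"]})
        elif rec["event"] == "session_use" and sid in bound:
            if (rec["ip"], rec["ua"]) != bound[sid]:
                alerts.append({"kind": "session_binding_mismatch", "user": rec["user"],
                               "session": sid, "ip": rec["ip"], "ts": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm_replay(load_records(SAMPLE_LINES), KNOWN_IPS):
        print(alert)
```

A natural response to a binding mismatch is to invalidate that session and require a fresh MFA, which the kit cannot complete without the victim's renewed participation.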
Social Media and Web3 Community Phishing
Social media accounts are both high-value targets and powerful weapons in crypto phishing campaigns. Attackers who compromise the X account of a prominent DeFi protocol or NFT artist can post “official” links to fake mints, airdrops, or migration tools that thousands of followers will trust. Security experts have observed common patterns in such account takeovers: the compromised account suddenly posts promotions for unknown token launches or NFT mints, followers report receiving direct messages with verification links, profile bios and URLs change to point to new domains, and there may be a spike in automated follower activity meant to boost perceived legitimacy.
FinanceFeeds has outlined several signs that AI-powered phishing may have compromised a Web3 social media account. These include the account posting messages the owner did not approve, often featuring language urging followers to “claim rewards now” or “verify your wallet,” sometimes using the same writing style as past legitimate posts. Other indicators include login alerts from unknown devices or locations, unauthorized modifications to profile details, abrupt increases in followers suggesting bot activity, and third-party apps requesting unusual permissions such as posting on the user’s behalf or accessing direct messages. Because these social accounts often link directly to wallets, communities, and token sales, any compromise can cascade into significant on-chain theft.
Community tools like X Spaces, Discord servers, and Telegram groups are also fertile ground for phishers. Attackers may create lookalike servers with nearly identical names and logos to official project communities, then invite users through deceptive links. Once inside, victims may be directed to “support” channels that instruct them to share seed phrases, or to governance channels with links to fake voting portals that harvest wallet signatures. Darktrace’s research on fake meeting software companies shows a parallel pattern: attackers cultivate a sense of legitimacy, leverage conversational norms (such as collaboration and testing), and then introduce malicious binaries or wallet interactions at a point where the victim’s guard is down. In all these contexts, verifying official links through multiple channels and being skeptical of unsolicited private messages is critical.
Search, Ads, and SEO-Driven Phishing
Search engines and ad platforms like Google are primary gateways to online services, making them attractive targets for phishers who want to intercept traffic en route to genuine sites. Kaspersky has reported cases where scammers created phishing copies of services like Semrush and even the Google Ads interface, then used Google Ads to promote these fake sites so that they appeared above legitimate search results. Users who clicked the sponsored links and entered credentials on these clones unknowingly sent their data directly to attackers. Similar techniques are used to impersonate crypto exchanges, wallet download pages, and DeFi dashboards.
For organizations and users, this kind of ad-based phishing can be particularly insidious because it subverts a commonly trusted navigation pattern: searching for a brand name and clicking the top result. When that top result is an advertisement, it may lead to a malicious domain that uses typosquatting, such as swapping characters in the URL, or entirely unrelated domains that nonetheless mimic the real site’s design. In the crypto realm, this can result in users downloading fake wallet software, connecting to counterfeit versions of protocols like Steakhouse Finance or other DeFi front-ends, or inputting exchange credentials into cloned login pages. The net effect is that a single search misclick can give attackers everything they need to bypass 2FA, reset passwords, or solicit approvals.
Security guidance from Kaspersky and others suggests several ways to mitigate these risks. One is to bookmark frequently used sites—such as exchanges, wallets, block explorers, and DeFi protocols—and access them through those bookmarks rather than through search results. Another is to use strong multi-factor authentication methods, such as passkeys or hardware security keys, for accounts that support them, particularly Google accounts used for business and security-critical functions. Organizations are also urged to deploy robust endpoint security solutions that can detect and block access to known phishing domains, as well as to conduct ongoing security awareness training so that employees learn to recognize the signs of search and ad-based scams. For crypto users more broadly, regularly checking that the URL matches official announcements and documentation before connecting a wallet remains a core habit.
Defensive Playbook for Crypto Users and Teams
Given the diversity and sophistication of phishing threats in crypto, no single tool or rule can provide complete protection. Instead, users and organizations need layered defenses that combine mindset, technical controls, and community practices. Several principles emerge from recent incidents and security research.
Human Layer: Mindset and the “Four Don’ts”
At the human layer, phishing defense starts with skepticism towards unexpected requests for action or information. Consumer protection agencies stress that no legitimate business or government agency will demand payment in cryptocurrency to resolve a problem, claim a prize, or protect your money. The FTC notes that if someone you meet on a dating app or social platform quickly transitions to investment advice and urges you to send crypto, especially promising guaranteed returns, you can safely assume it is a scam. Likewise, any message claiming to have compromising information and demanding crypto payment to avoid exposure is a form of extortion that should be reported rather than obeyed.
In the Web3 security community, a concise formulation of this mindset is the GoPlus Security “Four Don’ts” rule: do not click unknown links, do not install software from unknown sources, do not sign unclear transactions in your wallet, and do not transfer funds to unverified addresses. This rule is repeatedly invoked in alerts about major drainer incidents, including those where users lost hundreds of thousands or even millions of dollars in USDC after signing malicious Permit or Permit2 transactions. Each “don’t” addresses a key step in the phishing chain: link-clicking leads to malicious sites, software installs deliver malware, unclear signatures grant dangerous approvals, and hasty transfers finalize theft.
Cultivating a pause before action is essential. Whenever a message or site generates a sense of urgency—claiming that funds are at risk, windows for rewards are closing, or legal penalties are imminent—users should treat that urgency itself as a warning sign. Taking a moment to independently verify claims through official channels, such as known support portals or verified social accounts, can break the phisher’s hold. For organizations, embedding this mindset through regular security training and simulated phishing exercises helps ensure that staff in support, community management, and operations are less likely to be fooled into amplifying or executing phishing requests.
Wallet Hygiene and Technical Controls
On the technical side, wallet hygiene plays a central role in mitigating phishing damage. Regularly reviewing token and NFT approvals through tools like Revoke.cash helps users understand which contracts currently have spending authority and to revoke permissions that are no longer needed. Doing this on a periodic basis—especially after interacting with new dapps or signing complex transactions—can reduce the risk that a compromised or malicious contract will later drain funds. Users should also understand that disconnecting a wallet from a website is not the same as revoking approvals; on-chain allowances persist until explicitly changed.
Segmentation of wallets is another powerful tactic. Keeping long-term holdings, such as large USDC or WBTC balances, in a “cold” wallet that is only used for transfers and not for experimental dapps reduces exposure if a “hot” wallet used for day-to-day DeFi activity is phished. Hardware wallets that use secure element chips provide strong protection against many forms of key theft, although they do not prevent users from being tricked into signing malicious transactions. Research indicates that beyond the presence of a secure element and sound implementation, factors like extreme certification levels or premium pricing do not automatically translate into higher real-world security, making education and proper use more important than brand selection.
Endpoint security and account protection complement these measures. Installing reputable antivirus and endpoint detection software can catch some malware-based wallet drainers, especially those masquerading as video conferencing tools or fake wallet updates. Enabling robust two-factor authentication on email, exchange, and social media accounts—preferably using hardware keys or dedicated authenticator apps rather than SMS—makes it harder for phishers to escalate from one foothold to another. Monitoring for unusual account activity, such as login alerts from unfamiliar locations or unexplained permission requests from third-party apps, can also provide early warning of compromise. When in doubt, users should change passwords, revoke app access, and log out of active sessions as soon as anomalies are detected.
Project and Platform Responsibilities
While individual users bear significant responsibility for their own security, projects and platforms can shape the environment in ways that make phishing either easier or harder. Exchanges like Coinbase have taken active roles in detecting and disrupting approval-phishing rings, leveraging their visibility into on-chain flows and off-chain account activity to identify patterns, freeze suspicious funds, and share intelligence with law enforcement agencies. Their work in helping bring approval-phishing scammers to justice shows that centralized actors can contribute meaningfully to ecosystem-wide defense even as DeFi continues to expand.
Protocol teams and wallet developers can reduce phishing exposure by designing clearer transaction prompts, limiting unnecessary approvals, and integrating risk signals directly into user interfaces. Browser extensions and wallet add-ons, such as the GoPlus Security extension, aim to warn users in real time when they are about to sign potentially harmful signatures, approvals, or transactions, blocking known phishing links and risky contract interactions. Similarly, tools that score and label contract addresses based on observed behavior can help users identify when a transaction involves a newly created or suspicious contract rather than a well-established protocol.
Communication practices are equally important. Projects should maintain clearly documented official domains, contract addresses, and social accounts, and should regularly remind users to verify these identifiers before interacting. When security incidents occur—such as front-end exploits that redirect users to malicious interfaces, or third-party compromises that may expose wallets—transparent and timely communication can prevent follow-on phishing campaigns that exploit confusion. Some DeFi protocols have already used this approach, reassuring users and emphasizing that any request for seed phrases or off-site signatures should be treated with suspicion.
Finally, ecosystem-wide collaboration is essential. Security researchers, analytics firms, exchanges, and law enforcement agencies are increasingly sharing data on phishing campaigns, from Tycoon 2FA-like infrastructure to specific drainer contract families. This collaboration has led to disruptions of major phishing services and improved detection of new campaigns as they emerge. However, attackers also adapt, leveraging AI and new platforms to stay ahead. Maintaining this collective vigilance and information-sharing is therefore an ongoing necessity, not a one-time fix.
Conclusion and Outlook
Phishing has become the dominant threat vector in crypto not because blockchains are inherently insecure, but because permissionless systems place so much power in the hands of human users. The same tools that allow anyone with a wallet to interact with global, non-custodial financial primitives also allow scammers, through carefully crafted messages and interfaces, to induce users to sign away control. In this landscape, understanding how phishing works—from romance scams and AI-crafted DMs to approval-based drainers and malicious npm packages—is no longer optional knowledge for participants in digital assets. It is part of basic financial literacy for anyone holding or building on crypto.
The trajectory of recent incidents suggests that phishing will remain a major challenge. Attackers are shifting away from purely technical exploits of protocol code and toward socio-technical attacks that exploit the interplay between humans, wallets, and identity systems. They are also harnessing AI and industrialized phishing-as-a-service kits to increase both the quality and quantity of their attacks. At the same time, defenders are getting more organized. Law enforcement operations, sometimes in partnership with companies like Coinbase and Microsoft, have successfully disrupted major phishing services, shut down hundreds of malicious domains, and helped recover some stolen funds. Security vendors are integrating real-time phishing detection into browsers, wallets, and SIEM platforms, while regulators and consumer protection agencies are stepping up public education about the specific risks of crypto scams.
For individual users, the most effective response is a layered one. This includes cultivating a healthy skepticism of unexpected offers, consistently applying principles like the “Four Don’ts,” segmenting wallets and limiting approvals, securing off-chain accounts with strong authentication, and staying informed about new phishing tactics and defenses. For projects and platforms, it means investing in user-centered security design, proactive communication, rapid incident response, and collaboration with the wider security community. As AI and automation raise the ceiling on what phishers can do, human judgment and collective resilience become even more important.
Looking ahead, it is likely that phishing will continue to evolve in step with the broader crypto ecosystem. New asset types, wallet paradigms, and identity standards will each introduce fresh attack surfaces that scammers will probe. Yet the core dynamics will remain the same: phishing succeeds when trust is misplaced and actions are taken too quickly under pressure. By recognizing those dynamics and embedding cautious habits into everyday crypto use, the community can significantly reduce the toll of phishing, even if it cannot eliminate the threat entirely. The path to safer digital assets runs through both better technology and better-informed humans, working together to make scams harder and less profitable than they are today.
Sources
- https://consumer.ftc.gov/articles/what-know-about-cryptocurrency-scams
- https://revoke.cash
- https://phemex.com/news/article/316000-usdc-stolen-in-phishing-scam-via-malicious-permit2-transaction-87762
- https://www.tradingview.com/news/cointelegraph:cb2537d20094b:0-web3-hacks-cost-482m-in-q1-as-phishing-drove-majority-of-losses-hacken/
- https://financefeeds.com/5-signs-ai-phishing-has-compromised-your-web3-social-media-account/
- https://blogs.microsoft.com/on-the-issues/2026/03/04/how-a-global-coalition-disrupted-tycoon/
- https://www.kaspersky.com/blog/semrush-phishing-websites-in-google-ads/53460/
- https://x.com/GoPlusSecurity/status/2031281818628972626
- https://www.darktrace.com/blog/crypto-wallets-continue-to-be-drained-in-elaborate-social-media-scam
- https://www.youtube.com/watch?v=BB_cOHpXt_M
- https://x.com/officer_secret/status/2046803885465927948
- https://x.com/hashtag/permit?src=hashtag_click
- https://x.com/GoPlusSecurity/status/2059192011618754848
- https://x.com/GoPlusSecurity/status/2061654286790975920
- https://www.youtube.com/watch?v=RDOlpmakDQg&vl=en-US
- https://socket.dev/blog/ton-wallet-security-threat-malicious-npm-package-steals-cryptocurrency-wallet-keys
- https://www.dlnews.com/articles/regulation/cybercriminals-use-ai-to-scam-more-efficiently/
- https://www.coinbase.com/blog/bringing-approval-phishing-scammers-to-justice
- https://financefeeds.com/web3-hacks-drive-482m-in-q1-losses-hacken/
- https://gurucul.com/blog/crypto-drainers-from-wallet-approval-abuse-to-malware-assisted-web3-attacks/