Phishing Attack
A social engineering attack using fake websites, emails, or messages to trick users into revealing private keys, seed phrases, or passwords.
Key Takeaways
- A phishing attack tricks users into revealing sensitive information or signing malicious transactions by impersonating trusted entities. In crypto, targets include seed phrases, private keys, and wallet approvals.
- Blockchain transactions are irreversible: unlike traditional banking where chargebacks can recover stolen funds, crypto sent to an attacker is permanently lost. This makes self-custody users especially vulnerable.
- Protection relies on verification habits: bookmarking real URLs, using a signing device to confirm transaction details on a trusted screen, and revoking unnecessary token approvals.
What Is a Phishing Attack?
A phishing attack is a social engineering technique where an attacker impersonates a legitimate service, person, or organization to trick victims into revealing sensitive information or performing harmful actions. The term originates from "fishing" for credentials: attackers cast a wide net of deceptive messages hoping someone takes the bait.
In cryptocurrency, phishing is the single largest category of theft by victim count. According to Scam Sniffer, wallet drainer phishing stole $494 million from over 332,000 victims in 2024, with the largest single theft reaching $55.48 million. Unlike traditional phishing that targets bank logins or credit cards, crypto phishing exploits the finality of blockchain transactions: once funds leave a wallet, no bank or payment processor can reverse the transfer.
The crypto ecosystem's reliance on self-managed keys, complex transaction signing, and decentralized applications creates a uniquely rich attack surface. Victims are not just losing passwords: they are losing direct access to irreversible financial instruments.
How It Works
Crypto phishing attacks follow a general pattern: the attacker creates a convincing replica of a trusted interface, directs the victim to it through a deceptive channel, and then captures credentials or tricks the user into signing a malicious transaction.
- The attacker clones a legitimate website (exchange, wallet interface, or DeFi protocol) or crafts a convincing email, message, or social media post
- The victim is lured to the fake interface through search ads, direct messages, fake support channels, or compromised social media accounts
- The victim enters their seed phrase, connects their wallet, or signs a malicious transaction
- The attacker uses the captured credentials or signed approval to drain the victim's funds immediately
Common Vectors
Crypto phishing uses several distribution channels to reach victims:
- Fake websites via SEO poisoning: attackers purchase Google Ads or manipulate search rankings to place malicious sites above legitimate results for queries like "MetaMask download" or "Uniswap"
- Social media impersonation: compromised or lookalike accounts on X (Twitter), Discord, and Telegram impersonate project teams, support staff, or influencers. Impersonation scams grew 1,400% year-over-year according to Chainalysis
- Fake airdrop claims: fraudulent token distribution campaigns that require victims to "connect wallet" or "claim tokens" through a malicious site
- Fake support scams: attackers pose as customer support in Discord servers, Telegram groups, or via email, asking users to "verify" their wallet by entering seed phrases
- DNS hijacking: attackers compromise domain registrars to redirect legitimate URLs to phishing sites. Notable cases include MyEtherWallet in 2018 (approximately $17 million stolen via BGP hijack) and CoW Swap in April 2026
Crypto-Specific Phishing Techniques
Approval Phishing (Ice Phishing)
The most financially devastating form of crypto phishing does not require stealing private keys at all. Approval phishing, also called "ice phishing" (a term coined by Microsoft in 2022), tricks users into signing a token approval transaction that grants the attacker permission to spend their tokens.
On EVM-compatible chains, the ERC-20 approve() function allows a user to delegate spending authority over their tokens to another address. Legitimate DeFi protocols use this for swaps and lending. Phishing sites abuse it by requesting unlimited approvals:
```
// What a malicious approval looks like (pseudocode)
// The victim signs this, granting the attacker
// unlimited spending rights on their tokens
approve(
    spender: 0xATTACKER_ADDRESS,
    amount: 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff // 2^256 - 1, i.e. unlimited
)
```
According to Scam Sniffer's 2024 data, Permit and Permit2 signature-based phishing accounted for 56.7% of all wallet drainer thefts, while setOwner calls (transferring wallet ownership) accounted for 31.9%.
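The check a wallet or transaction simulator should run on an approve() request before the user signs, as an added example that is not part of the original entry: it decodes the ABI-encoded calldata and flags an unlimited allowance or an unrecognised spender. The calldata, spender and allowlist are constructed values, not real addresses.

```python
from dataclasses import dataclass

APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1        # the "unlimited" allowance value

# Constructed sample: an approve() granting unlimited allowance to a made-up spender.
CONSTRUCTED_SPENDER = "0x" + "11" * 20
CONSTRUCTED_CALLDATA = "0x" + APPROVE_SELECTOR + "00" * 12 + "11" * 20 + "ff" * 32
# Constructed allowlist of contracts the wallet treats as legitimate spenders.
KNOWN_SPENDERS = {"0x" + "22" * 20}


@dataclass
class ApproveCall:
    spender: str
    amount: int


def decode_approve(calldata_hex: str) -> ApproveCall:
    """Decode ABI-encoded approve(address,uint256) calldata: selector + two 32-byte words."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if data[:8] != APPROVE_SELECTOR or len(data) != 8 + 64 * 2:
        raise ValueError("not an approve(address,uint256) call")
    spender_word, amount_word = data[8:72], data[72:136]
    # An address occupies the low 20 bytes of its word; the high 12 bytes must be zero.
    if spender_word[:24] != "0" * 24:
        raise ValueError("malformed address word")
    return ApproveCall("0x" + spender_word[24:], int(amount_word, 16))


def assess_approval(call: ApproveCall, known_spenders, balance: int) -> list:
    """Return the reasons a wallet should warn before signing; an empty list means no red flag."""
    reasons = []
    if call.spender.lower() not in {s.lower() for s in known_spenders}:
        reasons.append("spender is not a recognised protocol contract")
    if call.amount == UINT256_MAX:
        reasons.append("unlimited allowance requested")
    elif call.amount > balance:
        reasons.append("allowance exceeds the current token balance")
    return reasons


if __name__ == "__main__":
    call = decode_approve(CONSTRUCTED_CALLDATA)
    for reason in assess_approval(call, KNOWN_SPENDERS, balance=1_000):
        print("WARNING:", reason)
```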
Address Poisoning
Address poisoning exploits how users interact with their transaction history. The attacker generates a wallet address that visually resembles the victim's frequently used addresses (matching the first and last few characters), then sends the victim a tiny transaction. When the victim later copies an address from their transaction history, they may accidentally copy the attacker's lookalike address instead.
A 2025 academic study published at USENIX Security identified over 270 million on-chain poisoning attempts targeting 17 million addresses, with confirmed losses of $83.8 million across 6,633 incidents.
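The lookalike check described above, as an added example that is not part of the original entry: it scans a transaction history for counterparties that share a saved contact's visible prefix and suffix, and only resolves a pasted address on an exact full-length match. The address book and history are constructed sample data.

```python
# Constructed sample data: an address book and a short transaction history.
ADDRESS_BOOK = {"exchange deposit": "0xabcd" + "1" * 32 + "1234"}
HISTORY = [
    {"hash": "0xtx1", "counterparty": "0xabcd" + "1" * 32 + "1234", "value": 250_000},
    # Poisoning entry: same first four and last four hex characters, different middle, zero value.
    {"hash": "0xtx2", "counterparty": "0xabcd" + "9" * 32 + "1234", "value": 0},
    {"hash": "0xtx3", "counterparty": "0x" + "5" * 40, "value": 10_000},
]


def is_lookalike(candidate: str, trusted: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when candidate displays like trusted in a truncated UI but is a different address."""
    c, t = candidate.lower(), trusted.lower()
    if c == t or len(c) != 42 or len(t) != 42:
        return False
    return c[2:2 + prefix] == t[2:2 + prefix] and c[-suffix:] == t[-suffix:]


def find_poisoning(history, address_book, prefix: int = 4, suffix: int = 4) -> list:
    """Flag history entries whose counterparty mimics a saved contact; dust transfers are typical."""
    hits = []
    for tx in history:
        for name, trusted in address_book.items():
            if is_lookalike(tx["counterparty"], trusted, prefix, suffix):
                hits.append({"hash": tx["hash"], "mimics": name, "dust": tx["value"] == 0})
    return hits


def resolve_recipient(pasted: str, address_book):
    """Accept a pasted address only on an exact, full-length match with a saved contact."""
    for name, trusted in address_book.items():
        if trusted.lower() == pasted.strip().lower():
            return name
    return None


if __name__ == "__main__":
    for hit in find_poisoning(HISTORY, ADDRESS_BOOK):
        print("suspected poisoning:", hit)
```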
Wallet Drainer Kits
Phishing has been industrialized through Drainer-as-a-Service operations. These toolkits, sold via Telegram and Discord, provide turnkey phishing infrastructure: cloned websites, wallet connection handlers, and automated fund extraction. Profits are typically split between the kit developer and the operator running the campaign.
Major drainer kits like Inferno Drainer and Pink Drainer operated openly before shutting down in mid-2024. Newer kits have begun exploiting Ethereum's EIP-7702 (introduced with the Pectra upgrade in 2025) to bundle multiple malicious actions into a single signature request, making attacks harder to detect.
Why Blockchain Irreversibility Makes Phishing Worse
In traditional finance, phishing victims can often recover stolen funds. Credit card companies process chargebacks, banks can freeze accounts, and regulatory bodies can compel institutions to reverse fraudulent transactions. The settlement cycle in traditional payment systems creates windows where fraud can be intercepted.
Blockchain offers no such recourse. Once a transaction is confirmed on-chain, it is final. There is no customer support to call, no dispute process, and no central authority that can reverse the transfer. This finality is a feature for legitimate payments but a devastating liability when combined with social engineering.
The gap is especially severe for self-custodial wallet users. While custodial exchanges may freeze stolen funds if the attacker attempts to cash out, assets stolen from a self-custodial wallet can be moved through mixers, bridges, or decentralized exchanges within minutes, making recovery effectively impossible.
How to Protect Yourself
Phishing prevention in crypto relies on establishing strong verification habits rather than relying on spam filters or institutional safeguards. Key defenses include:
URL Verification and Bookmarking
The most effective defense against fake websites is to never click links from emails, DMs, or search ads. Instead, manually bookmark the URLs of every exchange, wallet, and DeFi protocol you use, and only access those services through your bookmarks.
When visiting a new site, verify the URL character by character. Phishing domains often use subtle substitutions: replacing "l" with "1", using homoglyph characters from non-Latin alphabets, or adding extra words (e.g., "app-uniswap.com" vs "app.uniswap.org").
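A bookmark-first URL check of the kind described above, as an added example that is not part of the original entry: a host is accepted only when it exactly matches a saved bookmark; otherwise it is flagged for non-ASCII (homoglyph) labels and for resembling a bookmarked brand after folding common substitutions such as "1" for "l" and "rn" for "m". The bookmark list is a constructed sample.

```python
from urllib.parse import urlsplit

# Constructed bookmark list; a real one holds the exact hosts the user saved.
BOOKMARKS = {"app.uniswap.org", "metamask.io"}

# Digit-for-letter and split-letter substitutions seen in lookalike domains.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def fold_lookalikes(label: str) -> str:
    """Map common character tricks back to the letters they imitate."""
    for fake, real in SUBSTITUTIONS:
        label = label.replace(fake, real)
    return label


def check_url(url: str, bookmarks) -> list:
    """Return warnings for a URL; an empty list means the host is exactly a saved bookmark."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in bookmarks:
        return []
    warnings = []
    try:
        # Non-ASCII labels become punycode (xn--...) here; an exact bookmark never does.
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return ["hostname cannot be encoded as a domain name"]
    if ascii_host != host:
        warnings.append(f"non-ASCII hostname, encodes to {ascii_host}")
    folded = fold_lookalikes(ascii_host.replace("-", ""))
    for bookmark in bookmarks:
        brand = bookmark.split(".")[-2]          # "uniswap" from "app.uniswap.org"
        if brand in folded:
            warnings.append(f"resembles {bookmark} but is not a saved bookmark")
    if not warnings:
        warnings.append("not a saved bookmark")
    return warnings


if __name__ == "__main__":
    for candidate in ["https://app.uniswap.org/swap", "https://app-uniswap.com/", "https://rnetamask.io/"]:
        print(candidate, "->", check_url(candidate, BOOKMARKS) or "ok")
```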
Hardware Wallet Confirmation
A signing device (hardware wallet) provides a critical security layer by displaying transaction details on a trusted, isolated screen before signing. Even if a user interacts with a phishing site, the hardware wallet shows the actual contract being called, the recipient address, and the amount being sent.
This defense is effective against many attack types but not all: if a user confirms a malicious token approval on their hardware wallet without reading the details, the signing device cannot prevent the loss. The security depends on the user actually verifying the information displayed.
Approval Hygiene
Regularly review and revoke token approvals using tools like Revoke.cash or Etherscan's token approval checker. Limit approvals to the exact amount needed for a transaction rather than granting unlimited spending rights. On chains that support Permit2, prefer time-limited approvals that expire automatically.
Address Verification
Never copy addresses from transaction history. Instead, use an address book or contacts feature within your wallet. When sending to a new address, verify the full address character by character and send a small test transaction first. Some wallets and exchanges support address whitelisting, which blocks transfers to unapproved destinations.
Multi-Layered Security
Effective protection combines multiple defenses:
- Store significant holdings in a cold storage wallet disconnected from the internet
- Enable two-factor authentication on every exchange and service
- Use a dedicated browser profile for crypto activities to isolate cookies and extensions
- Never share seed phrases with anyone: no legitimate service will ever request them
- Verify smart contract interactions using a signing device before confirming
Why It Matters for Bitcoin Users
While approval phishing primarily targets EVM-based chains, Bitcoin users face their own phishing risks. Fake wallet software, malicious browser extensions, and seed phrase harvesting scams all target Bitcoin holders. The UTXO model and lack of smart contract approvals provide some structural protection: an attacker cannot gain ongoing spending authority through a single signed transaction the way they can on Ethereum.
However, the consequences of seed phrase exposure are equally severe. A compromised seed phrase gives the attacker full control over all current and future addresses derived from that seed. Solutions like multisig wallets and threshold signatures reduce this risk by requiring multiple keys to authorize transactions, ensuring that a single compromised credential cannot drain funds. Layer 2 protocols like Spark inherit Bitcoin's security model while enabling faster transactions, and users benefit from the same self-custody principles that protect against phishing: control your keys, verify every transaction, and never trust unsolicited messages.
Risks and Considerations
Phishing attacks continue to evolve in sophistication. As security tools improve at detecting known phishing domains, attackers adapt with new techniques: compromising legitimate websites, exploiting new protocol features, and using AI-generated content to create more convincing impersonations.
The fundamental challenge is that phishing exploits human judgment rather than technical vulnerabilities. No amount of cryptographic security can protect a user who willingly enters their seed phrase on a fake website or confirms a malicious transaction on their hardware wallet without reading the details. Security in crypto ultimately depends on user education and careful verification habits.
For further reading on securing your crypto assets, see the research articles on self-custodial vs custodial wallets and Bitcoin custody solutions compared.
This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.