The promise of Web3 is that decentralized ownership puts more eyes on the actions users take, which helps prevent fraud. In Web3, a blockchain protocol secures a distributed ledger and prevents the data it records from being falsified. But there’s a catch: the ledger is agnostic as far as what data gets recorded, and can’t tell if that data is the result of fraud. As a result, there is plenty of opportunity for fraud in Web3, especially when users are tricked into sharing private information.
The most common form of fraud in Web3 is phishing, or fraudulent communications that pretend to come from a legitimate source. A phishing attempt may come in many forms, including emails, DMs on social media platforms, and text messages. The attacker pretends to be a legitimate party, such as a celebrity or Web3 company offering a new token, in order to gather exploitable information from the victim, often by giving out a phishing link that directs the victim to a fraudulent phishing site.
Web3 phishing attacks are skyrocketing; for instance, security firm CertiK found that such attacks increased 170% in the second quarter of 2022 compared with the previous quarter. The report counted 290 different phishing attacks during the period. Most phishing attacks are conducted on social media platforms such as Discord or Telegram, which don’t require account verification.
Attackers will often counterfeit the accounts of prominent projects or individuals, such as Elon Musk or Bill Gates. The usual target of Web3 phishing attempts is the user’s private key or seed phrase, which gives access to the assets controlled in a given wallet. See our Web3 Security Guide for a review of private keys and seed phrases, if you’re unfamiliar with these important security measures.
Phishing attacks only succeed if they can trick users into sharing private information. For that reason, most phishing attacks manipulate the recipient into feeling a sense of urgency. This pushes the user to act quickly, without thinking about the possible consequences.
The urgency can be positive, attempting to exploit FOMO (Fear Of Missing Out). For instance, a common phishing angle in Web3 is telling users there’s a fast-approaching token launch they can only get in on if they act now, before the limited initial token supply is gone.
Alternatively, the urgency can be negative, threatening problems the user will have if they don’t act immediately. A classic example is claiming that the user’s account on a crypto exchange or trading platform has been compromised and its password must be reset.
6 Types of Phishing in Web3, With Examples
There are six basic types of phishing that commonly occur in Web3. Below are descriptions of how each type works and examples of each. Note that these types are not mutually exclusive. Often, two or more phishing techniques will be used in combination.
Email phishing
In this type of phishing, the attacker sends a fraudulent email pretending to be another party, such as a representative of a trading platform or protocol. Some phishing emails contain a link to a fraudulent website. Once on the phishing site, the user is asked to input private information that the attacker then uses to steal cryptocurrency.
Email phishing example
After a developer at crypto exchange bZx opened a phishing email with a malicious attachment, the hacker was able to steal an estimated $55 million in various cryptocurrencies from the platform. The email contained "a malicious macro in a Word document that was disguised as a legitimate email attachment, which then ran a script on his personal computer. This led to his personal mnemonic wallet phrase being compromised," the company said.
The bZx team indicated 25% of the purloined assets were taken from the developer’s wallet, which was emptied. Users on the platform who had granted unlimited token spending approvals were also targeted.
Social media phishing
In this type of phishing, the attacker will DM users on a social media platform or post links in their status updates. As with email, the attacker pretends to be another party, aided by the lack of account verification on some social media platforms. The message may ask for a private key or seed phrase. Social media phishing is easy to fall for and has led to major thefts; the CertiK security report called social media “the Achilles’ heel of Web3.”
Social media phishing examples
Here’s one way social media can be used for phishing: a Twitter bot poses as customer support, scanning for particular types of assistance requests. The bot then sends automatic replies that include links to fake Google Forms, where the victim’s seed phrase is collected.
For instance, a user tweeting a complaint about being locked out of their MetaMask wallet would then receive multiple fake responses from a phishing bot purporting to be MetaMask’s support desk. Once the user inputs their seed phrase, the thief is able to empty their crypto wallet. MetaMask scams have proliferated as it’s become one of the most popular crypto wallets.
Another approach: 91 NFTs were stolen from the Bored Ape Yacht Club (BAYC) after the project’s Instagram account was hacked. Once they had access to the account, the thieves posted a link to a phishing site that collected the information needed to transfer ownership of the NFTs out of some users’ connected wallets. Ethereum-based NFTs worth $2.8 million were stolen in the April 2022 attack.
Ad phishing
Attackers sometimes use advertisements, such as Google Ads, to direct users to fraudulent websites or fraudulent browser extensions.
Ad phishing examples
Attackers used Google Ads to direct users to fraudulent websites claiming to offer downloads of popular wallets such as MetaMask and Phantom. As part of registration on the phishing site, victims were asked to enter a seed phrase to access their new wallet. When users proceeded to the legitimate site and added the Chrome extension for that wallet, they were in fact logging into the attackers’ wallet, and any cryptocurrency they transferred went to the thief.
Other ad scams used a link that gave the thief access to user accounts on crypto-swap platforms such as Uniswap or PancakeSwap. The user’s currency swaps then sent the chosen crypto to the hackers’ accounts. In November 2021 alone, ad phishing thieves stole over $500,000 with these two approaches.
Website phishing
In this scam, fraudulent websites impersonate legitimate ones, encouraging users to input private information the attackers can exploit. Users can be lured to the websites in typical ways, such as email, social media, or ads, as described above.
They can also be attracted in crypto-specific ways, such as by having “gift” tokens deposited in users’ wallets, with the URL of the phishing site embedded in the token name.
Website phishing examples
Actor and producer Seth Green lost four NFTs, including a Bored Ape, when he attempted to mint a cloned NFT on what turned out to be a fraudulent website. He connected his wallet to the phishing site and gave the attackers access to his private keys.
It was a painful situation for Green, because he had already spent substantial time and money developing a proposed TV show, White Horse Tavern, that was to star his Ape. When he lost ownership of the Ape, production had to be halted. He ended up paying a $300,000 ransom to reclaim the Ape, so he could resume production.
Another case of website phishing targeted the official social media accounts of the British Army. While in control of the Army’s Twitter, Facebook, and YouTube accounts for several hours, attackers used them to share phishing links to sites that offered fraudulent copies of NFTs and nonexistent cryptocurrency for sale.
This second case illustrates how website phishing is often combined with other phishing strategies, in this case social media.
Browser extension phishing
As with websites, there are fraudulent browser extensions, specifically ones posing as digital wallet managers, that attackers use to exploit any credentials a user enters. New phishing extensions keep popping up.
For instance, Google removed 49 fraudulent Chrome browser extensions that sought to harvest user credentials in April 2020. Just two months later, Google removed another 106 extensions that were fraudulently collecting user data.
Ice phishing
Ice phishing is the term for an attack in which thieves alter a smart contract platform by injecting a script into its front end. The script swaps an address in a smart contract transaction so that control of a token passes to the attacker, or tricks the user into granting the thief approval authority for token transfers.
Ice phishing is an emerging, more complex way to obtain user information to commit fraud, as detailed in this report from Microsoft. The report analyzes the Badger DAO attack of 2021, in which unauthorized parties compromised an API key and inserted a script that redirected certain crypto transactions into the thieves’ wallet. A hefty $130 million was stolen, of which only $9 million was recovered.
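As an added example that is not part of the original article or of Microsoft’s report: the grant that ice phishing (and the unlimited spending approvals mentioned in the bZx case above) tricks a user into signing is an ERC-20 approve() or an NFT setApprovalForAll() call, and a wallet can decode that calldata and warn before the user signs. The function selectors are the standard ones; the attacker address, the allowlist and the sample transactions are constructed.

```javascript
// Added example, not code from the original article: a wallet-side check on
// the calldata a dApp front end asks the user to sign. Ice phishing and the
// "unlimited spend" approvals in the bZx case both come down to an
// approve()/setApprovalForAll() call to a spender the user did not intend.
// Selectors are the first 4 bytes of keccak256 of the function signature.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",         // ERC-20 allowance
  "a22cb465": "setApprovalForAll(address,bool)",  // ERC-721/1155 operator approval
};
const UNLIMITED = (1n << 256n) - 1n;              // type(uint256).max

// Decode approval calldata into spender plus amount (ERC-20) or flag (NFT).
// Returns null for any other call, which this check does not judge.
function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn || hex.length < 8 + 2 * 64) return null;
  const word = (i) => hex.slice(8 + 64 * i, 8 + 64 * (i + 1));
  const spender = "0x" + word(0).slice(24);       // address = low 20 bytes of the word
  const value = BigInt("0x" + word(1));
  return fn.startsWith("approve(")
    ? { fn, spender, amount: value }
    : { fn, spender, approved: value === 1n };
}

// Flag the two signals a phished user is tricked into producing: a spender the
// user does not recognise, and an unlimited or blanket grant. Revocations
// (amount 0 / approved false) are what a user should be doing, so pass them.
// trustedSpenders is a constructed allowlist, e.g. DEX router contracts.
function assessApproval(calldata, trustedSpenders) {
  const d = decodeApproval(calldata);
  if (!d) return { risk: "none", reasons: [] };
  if (d.amount === 0n || d.approved === false) return { risk: "low", reasons: ["revocation"], decoded: d };
  const trusted = trustedSpenders.map((a) => a.toLowerCase());
  const reasons = [];
  if (!trusted.includes(d.spender)) reasons.push("spender not in allowlist: " + d.spender);
  if (d.amount === UNLIMITED) reasons.push("unlimited ERC-20 allowance");
  if (d.approved) reasons.push("setApprovalForAll hands the operator every NFT in the collection");
  return { risk: reasons.length ? "high" : "low", reasons, decoded: d };
}

// Constructed samples: approve(attacker, type(uint256).max) and
// setApprovalForAll(attacker, true), the grants an ice-phishing front end
// slips into what the user believes is a mint or swap transaction.
const ATTACKER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
const SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + "0".repeat(24) + ATTACKER.slice(2) + "f".repeat(64);
const SAMPLE_SET_APPROVAL_FOR_ALL = "0xa22cb465" + "0".repeat(24) + ATTACKER.slice(2) + "0".repeat(63) + "1";
console.log(assessApproval(SAMPLE_UNLIMITED_APPROVE, []));
```

The same decoding applies to transactions already on chain, so a user who suspects they visited a phishing site can scan their past approvals with it and revoke any grant to an unrecognised spender.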
5 Steps to prevent Web3 phishing
Education is the key to keeping your crypto and other Web3 assets safe. To protect yourself and use Web3 safely, know the common phishing gambits thieves use and don’t take actions that could expose you to information theft. To keep your crypto safe, always follow these five important rules:
- Never reply to messages from an unverified party.
- Never click on unverified links in any message, including ads.
- Never respond to messages that invoke time pressure or FOMO.
- Never share private keys or seed phrases in response to a communication you did not initiate.
- Never send even a small amount of funds in response to a communication you did not initiate.
If you receive a message that you think is legitimate and you want to respond to it, always navigate to the platform in question manually, not by clicking on a link in the message or copying a URL from it.
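A check of this kind, added here as an example and not part of the original article, shows what a wallet or mail filter could do with a link before the user ever sees it. The allowlist of legitimate hosts and the phishing URLs in the code are constructed.

```javascript
// Added example, not code from the original article: classify a link found in
// a DM, email or ad against the hosts of the platforms the user actually uses.
// LEGIT_HOSTS is a constructed allowlist; the phishing URLs below are made up.
const LEGIT_HOSTS = ["metamask.io", "uniswap.org", "opensea.io"];

// Registered domain = last two labels. Fine for .io/.org; a real deployment
// would consult the Public Suffix List so that e.g. co.uk is handled.
function registeredDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Verdicts: legitimate (the real site or one of its subdomains), lookalike
// (a brand name buried in an unrelated domain), unknown, or invalid.
function classifyLink(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { verdict: "invalid", host: null };
  }
  // WHATWG URL parsing strips "user@" tricks: "https://metamask.io@evil.xyz" -> evil.xyz
  const host = url.hostname.toLowerCase();
  if (LEGIT_HOSTS.includes(registeredDomain(host))) return { verdict: "legitimate", host };
  const brand = LEGIT_HOSTS.find((h) => host.includes(h.split(".")[0]));
  if (brand) return { verdict: "lookalike", host, impersonates: brand };
  return { verdict: "unknown", host };
}

// Extract every URL from a message and classify each one; a filter would
// refuse to present any link that does not come back "legitimate".
function triageMessage(text) {
  const urls = text.match(/https?:\/\/[^\s"'<>]+/gi) || [];
  return urls.map((u) => ({ url: u, ...classifyLink(u) }));
}

// Constructed message in the urgency style the article describes.
console.log(triageMessage("Your wallet is locked! Verify at https://metamask.io.claim-airdrop.xyz/ within 24h"));
```

Link shorteners and unrelated hosts come back as "unknown", which is exactly the case where the article's rule applies: navigate to the platform yourself rather than following the link.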
Protect yourself from all types of phishing in Web3
Remember that phishing attacks happen across all device types and operating systems. The device or operating system is not the source of risk; fraudulent communications are.
While phishing is a common threat in Web3, it only succeeds if a user takes action. Now that you know how the common Web3 phishing gambits operate, you can protect yourself by taking basic precautions against them.
Be sure to subscribe to our updates to learn about emerging security threats in Web3.