Web3, land of the free. Home of the scammed, rugged, and hacked.
Cryptocurrency has brought the spirit of the Wild West to finance. Many newcomers, OGs, and builders alike venture through the dark forest of blockchains, unprepared to defend against the monsters - phishing, malware, and other scams - that lie in wait.
The danger and freedom of crypto exist because there is no distance between balance sheet changes and user actions.
In traditional finance, transactions are mediated through layers of abstraction. In web3, by contrast, users interact directly with raw calldata. For many, this can feel like piloting a newly invented spaceship without a license.
Unfortunately, this financial autonomy, combined with novel technology, has resulted in some of the most devastating financial events in history.
Billions of dollars have fled from the pockets of projects and users into the hands of sophisticated criminals. You don't have to look far to see the magnitude and consistency of the destruction. Just skim through DeFiLlama’s database of hacks, Kacherginsky's weekly blockchain threat reports, and the rekt leaderboard.
In this multi-part series, we’ll start our journey to web3 safety and help you avoid crypto scams. In this first segment, we’ll explore token ownership fundamentals and examine common threats like phishing and address poisoning that plague the industry.
But before diving into the specifics, it’s crucial to understand the cornerstone of web3 security.
Your tokens are recorded on the blockchain against your public address. Anyone with access to the private key associated with that public address is, in effect, the owner of the tokens.
Think of your private key as a powerful 32-byte digital pen that allows you to sign transaction data to interact directly with blockchains.
Your private key is derived from a seed phrase, a list of 12 or 24 words generated during wallet creation. Since the seed phrase can be used to recover your private key, anyone with access to it gains the same control and authority as if they had the private key itself.
So, how do you manage it securely?
Wallets are the interface for your private key, enabling you to interact with your assets. Different wallet types offer various ways to maintain control over your tokens.
For a deeper discussion on wallet types, check out this full guide.
Regardless of how you store your tokens, certain core tenets are essential for safeguarding your assets.
Now that we understand token ownership, let's explore common crypto scams and attacks targeting your assets and how to defend against them.
Malware is malicious software that infects your device and attempts to steal your sensitive data or assets.
Most modern malware is difficult to detect because it rarely slows down your computer and may not appear as a visible task in your task manager. It can lie dormant for long periods, waiting for an opportunity to act, or even operate entirely within your system’s memory to evade detection.
The most common types of malware that can compromise your device include:
So, how do you stay safe?
This is only half the battle. Equally important is recognizing phishing and drainer scams, which often serve as the entry point for malware or direct asset theft.
Phishing involves deceptive content designed to appear legitimate, tricking victims into downloading malicious payloads or divulging sensitive information.
The content can take many forms, including malicious files and attachments (.exe, .zip, .pdf) or imitations of legitimate Zoom links, websites, apps, browser extensions, QR codes, airdrops and giveaways, arbitrage bots, and more.
The payload (harmful code or data) can come in various forms of malware like RATs, keyloggers, spyware, and more.
The sensitive information includes passwords, seed phrases, private keys, and personal details that attackers can exploit for unauthorized access or financial theft.
Spear phishing is a targeted form of phishing where an attacker gathers information on a target and tailors their interactions to create the illusion of being a legitimate actor. Social media and the transparency of blockchains often help attackers craft and execute highly personalized attacks against individuals or companies.
Social engineering techniques are used throughout all phishing scams to increase the likelihood of victims interacting with fake content. Common tactics involve:
But in blockchain, there is more.
In web3, approval phishing websites mimic legitimate Decentralized Applications (dApps) and are one of the most consistent tools criminals use to steal tokens.
Drainers are the underlying smart contracts behind phishing dApps. They steal user funds by generating malicious approve() or permit() data. When signed, the data grants the drainer unlimited access to the user’s tokens.
Cold wallets do NOT protect you against crypto drainer scams because you willingly sign over access to your coins. This means the attacker bypasses the need for private key or seed phrase access.
Sophisticated crypto drainers use purely numerical addresses to bypass the default EIP-712 formatted data that wallets attempt to display. This makes the signature data unreadable and prevents users from understanding the content.
Attackers exploit the CREATE2 opcode, which allows developers to determine the address of a newly deployed contract before actually deploying it. They use it to pre-compute and generate unique contract addresses, making each malicious signature appear distinct and harder to detect.
Attackers also use multicall contracts to bundle several operations into a single transaction, bypassing standard security alerts that might flag individual actions.
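To make the approve()/permit() mechanics and the multicall bundling above concrete, here is an added example (it is not code from the original article) that decodes raw calldata the way a wallet or transaction simulator would before asking for a signature. It hard-codes the standard four-byte selectors for approve(address,uint256), setApprovalForAll(address,bool), the ERC-2612 permit(...) and multicall(bytes[]); the spender address and the calldata it builds are constructed for the demonstration.

```python
"""Decode raw EVM calldata and flag approval-granting calls.

Added example, not code from the original article. The selectors are the
standard 4-byte IDs for these function signatures; the spender address and
the calldata built at the bottom are constructed for the demonstration.
"""

UINT256_MAX = (1 << 256) - 1

# First 4 bytes of keccak256(signature). Hard-coded because the standard
# library has no Keccak-256.
SEL_APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
SEL_PERMIT = bytes.fromhex("d505accf")                # permit(owner,spender,value,deadline,v,r,s)
SEL_MULTICALL = bytes.fromhex("ac9650d8")             # multicall(bytes[])


def _word(data: bytes, i: int) -> int:
    """i-th 32-byte ABI word after the selector, as an integer."""
    start = 4 + 32 * i
    return int.from_bytes(data[start:start + 32], "big")


def _addr(data: bytes, i: int) -> str:
    """i-th ABI word read as a 20-byte address (right-aligned in the word)."""
    start = 4 + 32 * i
    return "0x" + data[start + 12:start + 32].hex()


def _decode_bytes_array(data: bytes) -> list:
    """Decode a single bytes[] argument (ABI head/tail layout)."""
    body = data[4:]
    arr = int.from_bytes(body[0:32], "big")          # offset of the array
    n = int.from_bytes(body[arr:arr + 32], "big")    # element count
    base = arr + 32                                  # element offsets are relative to here
    items = []
    for k in range(n):
        off = int.from_bytes(body[base + 32 * k:base + 32 * (k + 1)], "big")
        pos = base + off
        length = int.from_bytes(body[pos:pos + 32], "big")
        items.append(body[pos + 32:pos + 32 + length])
    return items


def inspect_calldata(calldata: bytes) -> list:
    """Return human-readable findings for every approval the calldata would
    grant, descending into multicall(bytes[]) bundles so that an approve()
    hidden inside a bundle is still reported."""
    findings = []
    sel = calldata[:4]
    if sel == SEL_APPROVE:
        spender, amount = _addr(calldata, 0), _word(calldata, 1)
        if amount == UINT256_MAX:
            findings.append(f"UNLIMITED approve to {spender}")
        elif amount > 0:
            findings.append(f"approve {amount} to {spender}")
    elif sel == SEL_SET_APPROVAL_FOR_ALL:
        operator, approved = _addr(calldata, 0), _word(calldata, 1)
        if approved:
            findings.append(f"setApprovalForAll: {operator} may move every token in the collection")
    elif sel == SEL_PERMIT:
        spender, value, deadline = _addr(calldata, 1), _word(calldata, 2), _word(calldata, 3)
        tag = "UNLIMITED" if value == UINT256_MAX else str(value)
        findings.append(f"permit {tag} to {spender} (deadline {deadline})")
    elif sel == SEL_MULTICALL:
        for inner in _decode_bytes_array(calldata):
            findings.extend(inspect_calldata(inner))
    return findings


# --- helpers that build sample calldata (constructed inputs) -----------------

def encode_approve(spender: str, amount: int) -> bytes:
    return SEL_APPROVE + bytes.fromhex(spender[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")


def encode_multicall(calls: list) -> bytes:
    n = len(calls)
    heads, tails = [], b""
    for call in calls:
        heads.append((32 * n + len(tails)).to_bytes(32, "big"))
        tails += len(call).to_bytes(32, "big") + call + b"\0" * (-len(call) % 32)
    return SEL_MULTICALL + (32).to_bytes(32, "big") + n.to_bytes(32, "big") + b"".join(heads) + tails


DRAINER = "0x" + "deadbeef" * 5   # constructed placeholder spender, not a real address

if __name__ == "__main__":
    bundle = encode_multicall([encode_approve(DRAINER, UINT256_MAX), encode_approve(DRAINER, 5)])
    for line in inspect_calldata(bundle):
        print(line)
```

A checker that only looks at the outer selector would classify the bundle as a plain multicall; it is the recursion into each inner call that surfaces the unlimited approve, which is exactly what the bundling tactic above relies on defenders not doing.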
In just a few years, notorious crypto drainers like Pink Drainer, Inferno Drainer, and AngelX have stolen over $100 million.
Yet, phishing attacks come in many forms, often imitating legitimate services or opportunities.
At the time of writing, Zoom links are always formatted as: [subdomain].zoom.us/j/[meeting-id].
Common region subdomains: usXX (USA), euXX (Europe), ukXX (United Kingdom), jpXX (Japan), auXX (Australia).
So, correct Zoom links display like:
Incorrect Zoom links might display like:
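The format above can be turned into a mechanical check. The following is an added example (not part of the original post) that accepts a link only when the registered host is really zoom.us with an optional two-letter-plus-two-digit region subdomain and the path has the /j/<meeting-id> shape; it assumes https and 9 to 11 digit meeting IDs, and the sample links use reserved example domains and are constructed.

```python
import re
from urllib.parse import urlsplit

# Host pattern from the article: [subdomain].zoom.us, with the region
# subdomain written as two letters plus two digits (usXX, euXX, ...).
# A bare zoom.us host is also accepted (assumption).
ZOOM_HOST = re.compile(r"^(?:[a-z]{2}\d{2}\.)?zoom\.us$")
# Meeting IDs are taken to be 9 to 11 digits (assumption).
MEETING_PATH = re.compile(r"^/j/\d{9,11}$")


def check_zoom_link(url: str):
    """Return (ok, reason). ok is True only when the host is genuinely under
    zoom.us and the path looks like /j/<meeting-id>."""
    if "://" not in url:
        url = "https://" + url          # links pasted without a scheme
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme is not https"
    if "@" in parts.netloc:
        # "https://us02.zoom.us@example.com/..." actually goes to example.com
        return False, "credentials embedded before the real host"
    host = (parts.hostname or "").lower()
    if not ZOOM_HOST.match(host):
        return False, f"host {host!r} is not [region].zoom.us"
    if not MEETING_PATH.match(parts.path):
        return False, f"path {parts.path!r} is not /j/<meeting-id>"
    return True, "looks like a genuine Zoom meeting link"


if __name__ == "__main__":
    # Constructed samples; example.com is a reserved documentation domain.
    for link in [
        "https://us02.zoom.us/j/1234567890",
        "https://zoom.us.example.com/j/1234567890",
        "https://us02-zoom.us/j/1234567890",
        "https://us02.zoom.us@example.com/j/1234567890",
    ]:
        print(link, "->", check_zoom_link(link))
```

The decisive test is the registered domain: anything after zoom.us in the host, or a hyphen instead of a dot before it, means the link leaves Zoom entirely, however familiar the prefix looks.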
Impersonators on social media will attempt to leverage fake engagement to encourage users to donate tokens, or sign up for fake airdrops and giveaways that lead to phishing websites. The goal is always to scam you out of your tokens. Below are just a few examples.
Scammers can successfully place phishing websites at the top of Google search results that look identical to the official website. Be especially careful of fake decentralized exchanges that drain your wallet by replacing standard trading data with malicious approval requests. Always take your time and confirm the URL is correct.
Wallet providers like MetaMask and Ledger will never send an email requesting your seed phrase or asking you to perform cancellation or setup actions. If you ever receive one, it is definitely a crypto scam. Here's a detailed list of subtle phishing emails to reference.
QR codes can contain links that download malicious payloads to your device. Do not click on a link if you think it may be malicious. Below is an example of a malicious QR code from a fake giveaway.
Fake browser extensions usually ask for your seed phrase or inject malware onto your computer. To avoid these kinds of crypto scams, take your time to thoroughly review any extension you install and ensure they are connected to an official website.
Videos promoting ridiculous passive income from generic crypto trading scripts are always scams. If you deploy the contract and "fund" it, you are simply giving your tokens to the attacker.
There are hundreds of video examples of this type of crypto scam. Here are a few that use a similar malicious contract and nearly identically crafted scripts.
As we wrap up our discussion on web3 safety, it's important to address a lesser-known but highly effective tactic.
Tangential to web3 phishing is a simple and devious attack called address poisoning. Over $123 million has been stolen using this method, which works as follows:
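Address poisoning relies on lookalike addresses that share the first and last characters of an address you have genuinely used, so that an address copied from transaction history is the wrong one. The following is an added example (not the article's code) of the check a wallet or personal address book can run before sending: a recipient passes only if it matches a saved address in full, and one that agrees with a saved address only at the ends is flagged as a lookalike. The addresses are constructed.

```python
import re

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def classify_recipient(recipient: str, known_addresses, prefix: int = 4, suffix: int = 4) -> str:
    """Classify a recipient against an address book.

    Returns "known" on an exact match, "lookalike of <addr>" when only the
    first `prefix` and last `suffix` hex characters match a saved address
    (the shape address poisoning exploits), "new" otherwise, and "invalid"
    when the string is not a 20-byte hex address.
    """
    if not ADDRESS_RE.match(recipient):
        return "invalid"
    r = recipient.lower()
    for known in known_addresses:
        if r == known.lower():
            return "known"
    for known in known_addresses:
        k = known.lower()
        if r[2:2 + prefix] == k[2:2 + prefix] and r[-suffix:] == k[-suffix:]:
            return f"lookalike of {known}"
    return "new"


def differing_positions(a: str, b: str) -> list:
    """Indices at which two addresses differ; useful for highlighting the
    middle section that a truncated wallet display hides."""
    return [i for i, (x, y) in enumerate(zip(a.lower(), b.lower())) if x != y]


# Constructed addresses: same first and last four hex characters, different middle.
KNOWN = "0x1234" + "a" * 32 + "5678"
LOOKALIKE = "0x1234" + "b" * 32 + "5678"
OTHER = "0x" + "c" * 40

if __name__ == "__main__":
    book = [KNOWN]
    for candidate in (KNOWN, LOOKALIKE, OTHER):
        print(candidate, "->", classify_recipient(candidate, book))
    print("differs at", differing_positions(KNOWN, LOOKALIKE))
```

Wallets commonly display an address as its first and last few characters, which is exactly the part a poisoned address reproduces; comparing the full string against a saved entry is the check that a truncated display cannot do for you.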
This concludes the first part of our two-part series on web3 safety. If you want to combat even more advanced attacks, check out part 2.