Crypto phishing is the broad category of social engineering attacks targeting cryptocurrency users — designed to steal funds by deceiving victims into revealing seed phrases, private keys, or signing transactions that grant attackers control over wallet assets. Unlike smart contract exploits that attack protocol code, phishing attacks target the human layer: attention, trust, and urgency. The attack surface spans fake websites, compromised official Discord servers, malicious dApps prompting silent token approvals, fake customer support, and increasingly sophisticated permit-signature drainers that can drain an entire wallet with a single off-chain signature. Phishing is consistently the largest category of individual crypto loss — outpacing smart contract hacks in total victim count.
Attack Types
The following sections cover each attack type in detail.
Approval Phishing (Wallet Drainers)
The dominant vector since 2022. The victim visits a malicious or compromised site that prompts them to sign a permit() or setApprovalForAll() signature. This signature — often disguised as a routine wallet verification or airdrop claim — grants the attacker’s address unlimited spending rights over one or more token types in the victim’s wallet. No on-chain gas is required from the victim; the attacker batches the drain in a single transaction afterward.
Key mechanics:
- permit() (EIP-2612): Off-chain signed approval, valid for standard ERC-20 tokens that implement it
- Permit2 (Uniswap): Universal approval contract — one permit signature covers any token
- setApprovalForAll(): Grants transfer rights over all NFTs in a collection at once
- Drainer-as-a-service toolkits (Inferno Drainer, Pink Drainer, Angel Drainer) sold on Telegram — attackers pay 20–30% of stolen funds to the toolkit operator
Fake Site Phishing
Spoofed versions of popular platforms — MetaMask, Ledger Live, Coinbase, exchange websites — designed to steal login credentials, seed phrases, or trick users into connecting wallets. Most commonly distributed via:
- Google/Bing paid search ads (attacker bids on brand keywords)
- Lookalike domains (metamask-app.com, ledger-wallets.io)
- Fake browser extensions
- Typosquatted URLs
Discord and Social Media Compromise
Project Discord servers are high-value phishing infrastructure. Attackers compromise admin accounts or bots to post fake mint announcements with malicious links. The posts carry the visual legitimacy of an official channel — verified name, correct branding, high member count — driving rapid clicking before moderators can respond. Twitter/X account compromise follows the same pattern, often via SIM swap or OAuth token theft.
High-profile examples:
- BAYC Discord hack (2022) — official Discord posted fake mint link, ~200 ETH stolen
- Multiple NFT project Discord compromises in 2022–2023
- Animoca Brands’ Yat Siu — Twitter account hijacked via SIM swap
Address Poisoning
Attacker sends zero-value or low-value transactions from a wallet address that closely resembles an address the victim regularly interacts with (same first and last 4–6 characters). When the victim copies their last transaction’s counterparty to send funds, they copy the poisoning address instead. Funds sent to a visually correct but fabricated address are unrecoverable.
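The lookalike check described above, as an added example that is not code from the page or from any wallet: it flags a pasted destination that shares the eyeballed prefix and suffix of an address-book entry but differs in between, and scans a (constructed) history for the zero-value inbound transfers that seed the poison. Field names, the address book and the prefix/suffix widths are assumptions.

```javascript
// Added example: address-poisoning defence for a wallet or payment tool.
// Placeholder addresses only; nothing here is a real contract or account.
const PREFIX = 6;   // hex chars after "0x" that a user typically compares
const SUFFIX = 4;   // trailing hex chars a user typically compares

function norm(a) { return a.trim().toLowerCase(); }

// Returns the address-book entry the candidate imitates, or null when the
// candidate is an exact known address or resembles nothing in the book.
function findLookalike(candidate, addressBook) {
  const c = norm(candidate);
  const entries = Object.entries(addressBook).map(([label, a]) => [label, norm(a)]);
  if (entries.some(([, k]) => k === c)) return null;   // exact, known address
  for (const [label, k] of entries) {
    const samePrefix = k.slice(2, 2 + PREFIX) === c.slice(2, 2 + PREFIX);
    const sameSuffix = k.slice(-SUFFIX) === c.slice(-SUFFIX);
    if (samePrefix && sameSuffix) return { label, known: k, candidate: c };
  }
  return null;
}

// Scan a history (assumed shape: {hash, direction, from, to, value}) for the
// poisoning pattern: zero-value inbound transfers from a lookalike sender.
function findPoisoningTransfers(history, addressBook) {
  return history
    .filter(tx => tx.direction === "in" && BigInt(tx.value) === 0n)
    .map(tx => ({ hash: tx.hash, match: findLookalike(tx.from, addressBook) }))
    .filter(x => x.match !== null);
}

// Constructed sample: one trusted counterparty and one poison transfer whose
// sender keeps the first 6 and last 4 hex chars but not the middle.
const ADDRESS_BOOK = { exchange: "0x1a2b3c" + "d".repeat(30) + "9f8e" };
const HISTORY = [
  { hash: "0x01", direction: "out", from: "0xme", to: ADDRESS_BOOK.exchange, value: "1000" },
  { hash: "0x02", direction: "in", from: "0x1a2b3c" + "0".repeat(30) + "9f8e",
    to: "0xme", value: "0" },
];

console.log(findPoisoningTransfers(HISTORY, ADDRESS_BOOK));
```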
Seed Phrase Extraction
- Fake customer support: Impersonating MetaMask, Ledger, or exchange support via Twitter DM, Telegram, or Discord — claiming to “verify” the wallet by entering the seed phrase on a fake form
- Malicious browser extensions: Legitimate-looking utilities that scrape clipboard or keystrokes looking for seed phrase patterns
- Recovery scams: After a user tweets about losing funds, scammers rush in claiming they can “recover” crypto for a fee or seed phrase
Permit Signatures: Why They’re Dangerous
Traditional on-chain approvals (approve()) appear in a wallet like a real transaction — users see the token, the amount, and the spender’s address. Permit signatures are off-chain EIP-712 typed data — they appear as a structured message with an expiry and a spender, but many wallets display them as a generic “signature request” without decoding what’s being signed.
Attack flow:
- Victim connects wallet to malicious site
- Site triggers a permit() signature request for USDC, USDT, or wrapped ETH
- Wallet shows a hex blob or partially decoded message — victim clicks “Sign”
- Attacker broadcasts the permit + transferFrom() — funds gone in one tx
- No warning, no gas cost for victim, no on-chain trace until the drain transaction fires
The Permit2 router amplifies this: one approval of Permit2 itself gives any future permit signature the ability to move any token the user has approved to Permit2 — a single historical approval becomes a permanent attack surface.
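What a wallet should surface before the “Sign” click in the attack flow above, and for the Permit2 case, as an added example that is not code from the page or from any wallet project: it decodes the EIP-712 JSON a site passes to eth_signTypedData_v4 into token, spender, amount and deadline, and flags unlimited allowances and far-off deadlines. The sample request, its placeholder addresses and the flag thresholds are assumptions.

```javascript
// Added example: a permit decoder for EIP-2612 Permit and Permit2 PermitSingle.
const MAX_UINT256 = (1n << 256n) - 1n;   // "unlimited" for an EIP-2612 value
const MAX_UINT160 = (1n << 160n) - 1n;   // "unlimited" for a Permit2 amount
const ONE_YEAR = 365 * 24 * 3600;

// typedData: parsed {domain, primaryType, message} (the `types` member is not
// needed here). nowSeconds is injected so the deadline check is deterministic.
function summarizeSignatureRequest(typedData, nowSeconds) {
  const { domain = {}, primaryType, message = {} } = typedData;
  let s;
  if (primaryType === "Permit" && message.spender && message.value !== undefined) {
    // EIP-2612: the token is the domain's verifyingContract; value is uint256.
    const amount = BigInt(message.value);
    s = { kind: "EIP-2612 Permit", token: domain.verifyingContract,
          spender: message.spender, amount, unlimited: amount === MAX_UINT256,
          deadline: Number(message.deadline) };
  } else if (primaryType === "PermitSingle" && message.details) {
    // Permit2: token, amount (uint160) and expiration sit under `details`.
    const d = message.details;
    const amount = BigInt(d.amount);
    s = { kind: "Permit2 PermitSingle", token: d.token, spender: message.spender,
          amount, unlimited: amount === MAX_UINT160, deadline: Number(d.expiration) };
  } else {
    return { kind: "undecoded", flags: ["typed data not recognised: treat as opaque"] };
  }
  const flags = [];
  if (s.unlimited) flags.push("unlimited allowance");
  if (s.deadline - nowSeconds > ONE_YEAR) flags.push("deadline more than a year out");
  return { ...s, flags };
}

// Constructed sample of a drainer-style request: an "airdrop claim" that is
// really an unlimited USDC-style permit valid until 2100. Placeholder addresses.
const SAMPLE_PERMIT = {
  domain: { name: "USD Coin", version: "2", chainId: 1,
            verifyingContract: "0x" + "0".repeat(38) + "c0" },
  primaryType: "Permit",
  message: {
    owner: "0x" + "0".repeat(36) + "a11c",
    spender: "0x" + "0".repeat(36) + "bad0",
    value: "115792089237316195423570985008687907853269984665640564039457584007913129639935",
    nonce: "0",
    deadline: "4102444800",   // 2100-01-01T00:00:00Z
  },
};

const summary = summarizeSignatureRequest(SAMPLE_PERMIT, 1700000000);
console.log(summary.kind, summary.spender, summary.flags.join("; "));
```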
Notable Incidents
- Kevin Rose (2023) — Proof DAO founder signed a malicious Blur permit, losing ~40 ETH worth of rare NFTs in a single transaction
- Seth Green (2022) — BAYC NFT lost to phishing, briefly shutting down a planned TV project
- Premint NFT (2022) — Front-end compromised; approximately 314 NFTs stolen from users who signed a malicious approval
- NFT God (2023) — Streamer lost entire NFT portfolio after downloading fake OBS software containing a stealer
- Ledger Connect Kit (2023) — Supply chain compromise; Ledger’s JavaScript library injected a wallet drainer affecting multiple dApps simultaneously
Common Misconceptions
“Hardware wallets protect against phishing.”
Hardware wallets protect private keys from being extracted — but they do not protect against signing malicious transactions. If a user with a cold storage setup signs a setApprovalForAll() or permit() prompt on a phishing site, the approval is valid and funds can be drained. The physical signing step provides no protection if the user approves what the attacker wants signed. Hardware wallets protect against key extraction attacks, not against social engineering.
“Only inexperienced users fall for phishing.”
Kevin Rose (Proof DAO co-founder), several OpenSea employees, crypto journalists, and multiple DeFi developers have lost funds to phishing. Sophisticated attackers craft highly contextual attacks — timing fake airdrops to coincide with real announcements, compromising official Discord admin accounts, or presenting permit signatures using project branding that appears after the user has already verified the primary site’s URL.
“I’d notice if I was approving something wrong.”
Permit signatures bypass the normal on-chain approve transaction flow. Wallet UIs vary substantially in how clearly they decode permit signature data — many users have reported seeing only a hex string or a confusing structured-data breakdown that provides no intuitive warning of the dollar value at risk.
Criticisms
- Wallet UI failure — The standard Web3 wallet signing experience does not adequately communicate the risk of permit signatures. Wallets that display eth_signTypedData_v4 as a generic “sign message” without surfacing the spender address and token value are creating unnecessary attack surface.
- Permit2 risk concentration — Universal approval infrastructure compounds phishing risk: a single permit signature covering Permit2 creates persistent exposure. Users who approved Permit2 months ago may not realize they remain vulnerable to future permit phishing.
- Drainer-as-a-service economy — Phishing toolkits have dramatically lowered the technical bar for attackers. Non-technical scammers can operate sophisticated multi-chain wallet drainers via Telegram-sold services, creating a growing criminal ecosystem with no equivalent deterrent.
- Platform response lag — Discord, Twitter, and Google Ads have been slow to implement systematic crypto phishing defenses despite consistent high-profile incidents.
Social Media Sentiment
Crypto phishing is near-constant on crypto Twitter/X — post-exploit threads, wallet drainer warnings, and “if you signed this revoke immediately” posts appear weekly. r/CryptoCurrency and r/ethereum frequently feature loss reports. ScamSniffer’s monthly phishing reports (tens of millions drained in slow months, hundreds of millions in active months) are widely circulated by security researchers. There is ongoing frustration with Google Ads amplifying phishing sites, with periodic calls for Google to ban crypto wallet brand keyword ads entirely. The consensus among experienced community members is that permit signature UX is a systemic failure that needs wallet-level solutions, not just user education.
Last updated: 2026-04
Sources
- ScamSniffer Monthly Phishing Reports — Tracks wallet drainer activity, stolen amounts, and attack vector breakdowns; primary data source for approval phishing scale.
- Chainalysis 2024 Crypto Crime Report — Approval Phishing — Documents the scale and mechanics of approval phishing; estimates hundreds of millions drained annually via this vector.
- MetaMask Security Hub — Official MetaMask guidance on phishing types, how to identify suspicious signature requests, and revocation procedures.
- Etherscan Token Approval Checker — Tool for reviewing and revoking outstanding token approvals; the primary tool recommended after phishing exposure.
- EIP-2612: Permit Extension for ERC-20 — Specification for permit() signatures; explains the technical mechanism that approval phishing exploits.