SlowMist: A Deep Dive into Web3 Phishing Techniques

2/10/2025, 1:44:46 PM
Intermediate
Security
This article delves into the phishing threats in the Web3 space, where attackers employ tactics like fake accounts, search engine ads, TG bots, phishing emails, and psychological manipulation (greed, fear) to deceive users into revealing their private keys or authorizing transactions, ultimately leading to asset theft.

Background
Recently, SlowMist was invited to speak at the Ethereum Web3 Security BootCamp, organized by DeFiHackLabs. Thinking, the head of SlowMist’s security audits, walked attendees through eight key chapters—“Deception, Baiting, Luring, Attacking, Hiding, Techniques, Identification, Defense”—using real-world case studies to showcase the methods and tactics employed by phishing hackers, as well as the countermeasures that can be implemented. Phishing remains one of the most significant threats in the industry, and understanding both attackers and defenders is essential to strengthening defenses. In this article, we extract and share key insights from the session to help users recognize and protect themselves from phishing attacks.

Why are phishing attacks so effective?

In the Web3 space, phishing attacks have become one of the biggest security threats. Let’s take a look at why users fall victim to phishing. Even those with a high level of security awareness may sometimes feel the sentiment of “those who walk by the river will inevitably get their shoes wet,” because maintaining constant vigilance is very difficult. Attackers typically analyze recent hot projects, community activity, and user base to identify high-profile targets. They then carefully disguise themselves and lure users in with enticing baits like airdrops and high returns. These attacks often involve social engineering, where attackers skillfully manipulate users’ psychology to achieve their fraudulent goals:

  • Inducement: Airdrop whitelist eligibility, mining opportunities, wealth passwords, and more.
  • Curiosity/Greed: Fearless of selling at the peak, don’t miss out on the potential 100x coin, don’t miss tonight’s meeting at 10:00, meeting link https://us04-zoom[.]us/ (malicious); $PENGU airdrop whitelist, don’t miss out, https://vote-pengu[.]com/ (malicious).
  • Fear: Urgent warning: XX project has been hacked, please use revake[.]cash (malicious) to revoke authorization to prevent asset loss.
  • Efficient Tools: Airdrop harvesting tools, AI quant tools, one-click mining tools, and others.

The reason why attackers go to great lengths to create and deploy these baits is that they are highly profitable. Through these methods, attackers can easily obtain users’ sensitive information/permissions and steal their assets:

  • Stealing Mnemonics/Private Keys: Tricking users into entering their mnemonic or private key.
  • Deceiving Users into Using Wallet Signatures: Authorizing signatures, transfer signatures, and more.
  • Stealing Account Passwords: Telegram, Gmail, X, Discord, etc.
  • Stealing Social App Permissions: X, Discord, etc.
  • Inducing Installation of Malicious Apps: Fake wallet apps, fake social apps, fake meeting apps, etc.

Phishing Tactics

Let’s take a look at some common phishing tactics:
Account Theft/Impersonation of Accounts
Recently, there have been frequent reports of Web3 projects/KOLs’ X accounts being hacked. After stealing these accounts, attackers often promote fake tokens or use similar domain names in “good news” posts to trick users into clicking malicious links. Sometimes, the domains may even be real, as attackers could have hijacked the project’s domain. Once victims click on a phishing link, sign a transaction, or download malicious software, their assets are stolen.

In addition to stealing accounts, attackers often impersonate real accounts on X, leaving comments on legitimate posts to mislead users. SlowMist’s security team has analyzed this tactic: about 80% of the first comments on well-known projects’ tweets are often occupied by phishing accounts. Attackers use bots to follow the activities of popular projects and, once a tweet is posted, their bots automatically leave the first comment to secure the highest visibility. Since users are reading posts from the legitimate project, and the phishing account closely resembles the real account, unsuspecting users may click phishing links under the pretext of an airdrop, authorizing or signing transactions and losing their assets.

Attackers also impersonate administrators to post fake messages, especially on platforms like Discord. Since Discord allows users to customize nicknames and usernames, attackers can change their profile to match an administrator’s, then post phishing messages or DM users directly. Without checking the profile, it’s difficult to spot the deception. Additionally, while Discord usernames cannot be duplicated, attackers can create accounts with names that are almost identical to the administrator’s by adding small variations, like an underscore or period, making it hard for users to tell them apart.

Invitation-Based Phishing
Attackers often make contact with users on social platforms, recommending “premium” projects or inviting users to meetings, leading them to malicious phishing sites to download harmful apps. For example, some users were tricked into downloading a fake Zoom app, resulting in asset theft. Attackers use domains like “app[.]us4zoom[.]us” to masquerade as real Zoom links, creating a page that looks nearly identical to the actual Zoom interface. When users click “Start Meeting,” they’re prompted to download a malicious installer instead of launching the Zoom client. During installation, users are encouraged to input passwords, and the malicious script collects wallet plugin and KeyChain data (which may contain stored passwords). After collecting this data, attackers try to decrypt it and access users’ wallet mnemonics or private keys, ultimately stealing their assets.

Search Engine Ranking Exploitation
Because search engine rankings can be artificially boosted by purchasing ads, phishing websites may rank higher than the official websites. Users who are unsure of the official website’s URL may find it hard to spot phishing sites, especially since phishing sites can customize their ad URL to match the official one. The ad’s URL may appear identical to the official site, but when clicked, users are redirected to an attacker’s phishing site. As phishing websites often look nearly identical to legitimate sites, it’s easy to be misled. It’s safer not to rely solely on search engines to find official websites, as this may lead to phishing sites.
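The lookalike domains in the invitation-based and search-ad cases above (us04-zoom[.]us, app[.]us4zoom[.]us, vote-pengu[.]com, revake[.]cash) share one property: the registrable domain is not the brand's. The following Python is an added example, not SlowMist's tooling; it refangs a defanged URL, extracts the registrable domain with a deliberately small suffix table, checks it against a constructed allowlist, and compares the URL an ad displays with the URL it actually lands on. The allowlist and the suffix table are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the user actually trusts (assumption).
TRUSTED_DOMAINS = {"zoom.us", "revoke.cash"}

# Public suffixes under which the registrable domain is three labels deep.
# Deliberately tiny; a real checker should load the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def refang(text: str) -> str:
    """Turn report notation such as 'zoom[.]us' or 'hxxps://' back into a parseable URL."""
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def hostname(url: str) -> str:
    """Lowercase hostname of a URL; a bare domain gets a scheme so urlsplit parses it."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """The part of the host that was actually registered (eTLD+1, simplified)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """'trusted' only when the registrable domain is allowlisted; a trusted brand
    name appearing anywhere else in the host is the classic lookalike pattern."""
    host = hostname(url)
    if not host:
        return "invalid"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:
            return "lookalike"
    return "unknown"


def ad_matches_destination(displayed: str, destination: str) -> bool:
    """Paid search results can show one URL and land on another; compare the
    registrable domains rather than the full strings."""
    return registrable_domain(hostname(displayed)) == registrable_domain(hostname(destination))


if __name__ == "__main__":
    for sample in ("https://us04-zoom[.]us/", "app[.]us4zoom[.]us", "https://zoom.us/download",
                   "revake[.]cash", "zoom.us.evil.com"):
        print(f"{sample:32} -> {classify(sample)}")
    print("ad check:", ad_matches_destination("zoom.us", "https://app.us4zoom.us/download"))
```

Note what the substring check does and does not catch: the Zoom lookalikes and a host such as zoom.us.evil.com are flagged, but a typo-squat like revake[.]cash is merely "unknown". That is still the safe outcome, because the decision to trust is driven by the allowlist, not by the absence of a warning.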

TG Ads
Recently, there’s been a significant increase in user reports about fake TG bots. Users often encounter new bots appearing at the top of official trading bot channels and mistakenly think they are official. They click on the new bot, import their private key, and bind their wallet, only to have their assets stolen. Attackers use targeted ads in official Telegram channels to lure users into clicking. These phishing methods are particularly covert because they appear in legitimate channels, making users assume they’re official. Without enough caution, users can fall for the phishing bot, input their private keys, and lose their assets.

Additionally, we recently uncovered a new scam, the Telegram Fake Safeguard Scam. Many users were tricked into running malicious code from attackers’ instructions, resulting in stolen assets.

App Stores
Not all software available on app stores (Google Play, Chrome Store, App Store, APKCombo, etc.) is genuine. App stores are not always able to fully review all apps. Some attackers use tactics like purchasing keyword rankings or redirecting traffic to trick users into downloading fraudulent apps. We encourage users to carefully review apps before downloading. Always verify the developer’s information to make sure it matches the official identity. You can also check app ratings, download numbers, and other relevant details.

Phishing Emails
Email phishing is one of the oldest tricks in the book, and it’s often simple yet effective. Attackers use phishing templates combined with Evilginx reverse proxies to craft emails like the one shown below. When users click on “VIEW THE DOCUMENT,” they’re redirected to a fake DocuSign page (which is now offline). If the user clicks the Google login on this page, they’ll be redirected to a fake Google login page. Once they enter their username, password, and 2FA code, the attacker gains control of their account.

The phishing email above wasn’t carefully crafted, as the sender’s email address hasn’t been disguised. Let’s look at how the attacker attempted to disguise it in the following example: The attacker’s email address differs from the official one by only a small dot. Using a tool like DNSTwist, attackers can identify special characters supported by Gmail. Without paying close attention, you might mistake it for a dirty screen.
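Both the Discord impersonation described earlier (an administrator's name with an added underscore or period) and the sender address above that differs by "only a small dot" are the same problem: two identifiers that a human reads as equal but a machine does not. The Python below is an added example, not SlowMist's code; it folds the usual tricks (compatibility forms, a small constructed table of homoglyphs, case, inserted separators) before comparing, applies Gmail's own rule that dots and "+suffixes" in the local part do not change the mailbox, and falls back to edit distance for near misses. The confusables table and the distance threshold are assumptions chosen for the demonstration.

```python
import unicodedata

# Constructed subset of visually confusable characters mapped to the ASCII letter
# they imitate; production tooling should use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a e o r
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic s kh u i
    "\u03bf": "o", "\u03bd": "v", "\u03b1": "a",                  # Greek omicron nu alpha
    "\u0131": "i", "1": "l", "0": "o", "\u0251": "a",             # dotless i, digits, IPA alpha
}
SEPARATORS = "._-"


def canonical(name: str) -> str:
    """Collapse width/compatibility forms, homoglyphs, case and inserted separators."""
    name = unicodedata.normalize("NFKC", name).lower()
    name = "".join(CONFUSABLES.get(ch, ch) for ch in name)
    return "".join(ch for ch in name if ch not in SEPARATORS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_verdict(candidate: str, legitimate: str) -> str:
    """Classify a display name or handle against the one it may be imitating."""
    if candidate == legitimate:
        return "exact"
    c, l = canonical(candidate), canonical(legitimate)
    if c == l:
        return "homoglyph_or_separator"
    # Threshold is an assumption: roughly one edit per six characters, at least one.
    if edit_distance(c, l) <= max(1, len(l) // 6):
        return "near_match"
    return "unrelated"


def canonical_gmail(address: str) -> str:
    """Gmail ignores dots in the local part and anything after '+', so differently
    written addresses can be the same mailbox; other domains are left untouched."""
    local, _, domain = address.lower().partition("@")
    domain = unicodedata.normalize("NFKC", domain)
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def sender_verdict(sender: str, official: str) -> str:
    """'same_mailbox' when the two addresses resolve to one account; otherwise the
    lookalike classification of the canonical forms."""
    s, o = canonical_gmail(sender), canonical_gmail(official)
    if s == o:
        return "same_mailbox"
    return impersonation_verdict(s, o)


if __name__ == "__main__":
    for handle in ("slowmist.admin", "sl\u043ewmist_admin", "slowmist_adnin", "random_user"):
        print(f"{handle!r:24} -> {impersonation_verdict(handle, 'slowmist_admin')}")
    print(sender_verdict("John.Doe@gmail.com", "johndoe@gmail.com"))
    print(sender_verdict("security@s1owmist.io", "security@slowmist.io"))
```

The useful operational point is the asymmetry: a match after canonicalisation proves nothing about legitimacy (that is exactly what the impersonator wants), so the verdicts other than "exact" and "same_mailbox" should trigger a check of the account's profile, creation date or role rather than be treated as confirmation.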

Exploiting Browser Features
For more details, see SlowMist: Revealing How Malicious Browser Bookmarks Steal Your Discord Tokens.

Defense Challenges

Phishing tactics are continuously evolving and becoming more sophisticated. Our previous analysis showed that attackers can create websites that closely mimic official pages of well-known projects, take over project domains, and even fabricate entire fake projects. These fraudulent projects often have a large number of fake followers on social media (bought followers) and even have GitHub repositories, making it even harder for users to spot phishing threats. Moreover, the attackers’ skillful use of anonymous tools further complicates efforts to track their actions. To conceal their identity, attackers often rely on VPNs, Tor, or compromised hosts to carry out their attacks.

Once attackers have an anonymous identity, they also need basic infrastructure, such as a domain registrar like Namecheap, which accepts cryptocurrency payments. Some services only require an email address to register and do not require KYC verification, allowing attackers to avoid being traced.

Once they have these tools in place, attackers can initiate phishing attacks. After stealing funds, they may use services like Wasabi or Tornado to obscure the money trail. To further enhance anonymity, they may exchange the stolen funds for privacy-focused cryptocurrencies like Monero.

To cover their tracks and avoid leaving evidence behind, attackers will remove related domain resolutions, malicious software, GitHub repositories, platform accounts, etc. This makes it difficult for security teams to investigate incidents, as phishing sites may no longer be accessible and malicious software may no longer be available for download.

Defense Strategies

Users can identify phishing threats by recognizing the characteristics mentioned above and by verifying the authenticity of information before acting. They can also improve their phishing defense using the following tools:

  • Phishing Risk Blocker Plugins: Tools like Scam Sniffer can detect risks from multiple angles. If a user opens a suspicious phishing page, the tool will alert them with a warning.
  • Highly Secure Wallets: Wallets like Rabby, which offer a watch-only (observation) wallet that needs no private key, phishing website detection, “what you see is what you sign” functionality, high-risk signature detection, and scam history recognition.
  • Well-Known Antivirus Software: Popular programs like AVG, Bitdefender, and Kaspersky.
  • Hardware Wallets: Hardware wallets offer offline storage for private keys, ensuring that keys are not exposed online when interacting with DApps, which significantly reduces the risk of asset theft.
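The “high-risk signature detection” listed above and the “authorizing signatures” bait listed earlier both come down to looking at what a transaction actually does before it is signed. As an added illustration (my own simplified code, not Rabby’s or SlowMist’s logic), the Python below decodes the calldata of the three ERC-20/ERC-721 calls that phishing drainers most commonly request and rates them: an unlimited `approve` or a `setApprovalForAll(true)` to a spender the user has never dealt with is rated high. The function selectors are the standard first four bytes of keccak256 of each signature; the spender allowlist and the sample calldata are constructed for the demonstration.

```python
# Selector -> canonical signature. These are the well-known ERC-20 / ERC-721 selectors
# (first four bytes of keccak256 of the signature), hardcoded so no hashing library is needed.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
}
UINT256_MAX = 2**256 - 1

# Constructed allowlist of spender contracts the user has knowingly used (assumption).
KNOWN_SPENDERS = {"0x1111111111111111111111111111111111111111"}


def decode_call(calldata: str) -> dict:
    """Split calldata into selector and two 32-byte ABI words (address, uint256/bool)."""
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8 or len(data) % 2:
        raise ValueError("malformed calldata")
    selector, body = data[:8], data[8:]
    sig = SELECTORS.get(selector)
    if sig is None:
        return {"function": None, "selector": selector}
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    if len(words) < 2 or any(len(w) != 64 for w in words[:2]):
        raise ValueError("truncated arguments")
    address = "0x" + words[0][-40:]          # address is right-aligned in its word
    value = int(words[1], 16)                # uint256, or 0/1 for bool
    return {"function": sig, "address": address, "value": value}


def assess(calldata: str) -> tuple[str, str]:
    """Return (risk, reason) for a transaction the wallet is about to sign."""
    call = decode_call(calldata)
    fn = call["function"]
    if fn is None:
        return ("unknown", f"unrecognised selector {call['selector']}")
    spender, value = call["address"], call["value"]
    if fn.startswith("setApprovalForAll"):
        if value == 1:
            return ("high", f"grants operator rights over every token to {spender}")
        return ("low", f"revokes operator rights from {spender}")
    if fn.startswith("approve"):
        if value == UINT256_MAX:
            risk = "high" if spender not in KNOWN_SPENDERS else "medium"
            return (risk, f"unlimited allowance to {spender}")
        if spender not in KNOWN_SPENDERS:
            return ("medium", f"allowance of {value} to unknown spender {spender}")
        return ("low", "bounded allowance to a known spender")
    return ("medium", f"sends {value} tokens to {spender}")


def encode_call(selector: str, address: str, value: int) -> str:
    """Build sample calldata (constructed input for the demonstration)."""
    addr = address.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + selector + addr + format(value, "064x")


if __name__ == "__main__":
    drainer = "0x2222222222222222222222222222222222222222"   # constructed address
    for cd in (encode_call("095ea7b3", drainer, UINT256_MAX),
               encode_call("a22cb465", drainer, 1),
               encode_call("095ea7b3", "0x1111111111111111111111111111111111111111", 10**18)):
        print(assess(cd))
```

A bounded `approve` to a contract the user recognises is the normal DeFi case and stays low; the phishing case is the same selector with the maximum allowance and an unfamiliar spender, which is why a wallet that only shows “Approve” without the amount and the spender leaves the user unable to tell the two apart.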

Conclusion

Phishing attacks are widespread in the blockchain world. The most important thing is to stay vigilant and avoid being caught off guard. When navigating the blockchain space, the core principle is to adopt a zero-trust mindset and continually verify everything. We recommend reading and gradually mastering the “Blockchain Dark Forest Self-Rescue Handbook” to strengthen your defense: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/.

Statement:

  1. This article is reproduced from 慢雾科技 (SlowMist). Copyright belongs to the original author, 慢雾安全团队 (SlowMist Security Team). If you have any objection to the reprint, please contact Gate Learn; the team will handle it as soon as possible according to relevant procedures.
  2. Disclaimer: The views and opinions expressed in this article represent only the author’s personal views and do not constitute any investment advice.
  3. Other language versions of the article are translated by the Gate Learn team. Unless otherwise stated, the translated article may not be copied, distributed or plagiarized.
* The information is not intended to be and does not constitute financial advice or any other recommendation of any sort offered or endorsed by Gate.
* This article may not be reproduced, transmitted or copied without referencing Gate. Contravention is an infringement of Copyright Act and may be subject to legal action.
