Background
Recently, SlowMist was invited to speak at the Ethereum Web3 Security BootCamp, organized by DeFiHackLabs. Thinking, the head of SlowMist’s security audits, walked attendees through eight key chapters—“Deception, Baiting, Luring, Attacking, Hiding, Techniques, Identification, Defense”—using real-world case studies to showcase the methods and tactics employed by phishing hackers, as well as the countermeasures that can be implemented. Phishing remains one of the most significant threats in the industry, and understanding both attackers and defenders is essential to strengthening defenses. In this article, we extract and share key insights from the session to help users recognize and protect themselves from phishing attacks.
In the Web3 space, phishing attacks have become one of the biggest security threats. Let’s take a look at why users fall victim to phishing. Even those with a high level of security awareness may sometimes feel that “those who walk by the river will inevitably get their shoes wet,” because maintaining constant vigilance is very difficult. Attackers typically analyze recent hot projects, community activity, and user base to identify high-profile targets. They then carefully disguise themselves and lure users in with enticing baits like airdrops and high returns. These attacks often involve social engineering, where attackers skillfully manipulate users’ psychology to achieve their fraudulent goals.
The reason why attackers go to great lengths to create and deploy these baits is that they are highly profitable. Through these methods, attackers can easily obtain users’ sensitive information/permissions and steal their assets.
Let’s take a look at some common phishing tactics:
Account Theft/Impersonation of Accounts
Recently, there have been frequent reports of Web3 projects/KOLs’ X accounts being hacked. After stealing these accounts, attackers often promote fake tokens or use similar domain names in “good news” posts to trick users into clicking malicious links. Sometimes, the domains may even be real, as attackers could have hijacked the project’s domain. Once victims click on a phishing link, sign a transaction, or download malicious software, their assets are stolen.
In addition to stealing accounts, attackers often impersonate real accounts on X, leaving comments on legitimate posts to mislead users. SlowMist’s security team has analyzed this tactic: about 80% of the first comments on well-known projects’ tweets are often occupied by phishing accounts. Attackers use bots to follow the activities of popular projects and, once a tweet is posted, their bots automatically leave the first comment to secure the highest visibility. Since users are reading posts from the legitimate project, and the phishing account closely resembles the real account, unsuspecting users may click phishing links under the pretext of an airdrop, authorizing or signing transactions and losing their assets.
Attackers also impersonate administrators to post fake messages, especially on platforms like Discord. Since Discord allows users to customize nicknames and usernames, attackers can change their profile to match an administrator’s, then post phishing messages or DM users directly. Without checking the profile, it’s difficult to spot the deception. Additionally, while Discord usernames cannot be duplicated, attackers can create accounts with names that are almost identical to the administrator’s by adding small variations, like an underscore or period, making it hard for users to tell them apart.
Invitation-Based Phishing
Attackers often make contact with users on social platforms, recommending “premium” projects or inviting users to meetings, leading them to malicious phishing sites to download harmful apps. For example, some users were tricked into downloading a fake Zoom app, resulting in asset theft. Attackers use domains like “app[.]us4zoom[.]us” to masquerade as real Zoom links, creating a page that looks nearly identical to the actual Zoom interface. When users click “Start Meeting,” they’re prompted to download a malicious installer instead of launching the Zoom client. During installation, users are encouraged to input passwords, and the malicious script collects wallet plugin and KeyChain data (which may contain stored passwords). After collecting this data, attackers try to decrypt it and access users’ wallet mnemonics or private keys, ultimately stealing their assets.
Search Engine Ranking Exploitation
Because search engine rankings can be artificially boosted by purchasing ads, phishing websites may rank higher than the official websites. Users who are unsure of the official website’s URL may find it hard to spot phishing sites, especially since phishing sites can customize their ad URL to match the official one. The ad’s URL may appear identical to the official site, but when clicked, users are redirected to an attacker’s phishing site. As phishing websites often look nearly identical to legitimate sites, it’s easy to be misled. It’s safer not to rely solely on search engines to find official websites, as this may lead to phishing sites.
TG Ads
Recently, there’s been a significant increase in user reports about fake TG bots. Users often encounter new bots appearing at the top of official trading bot channels and mistakenly think they are official. They click on the new bot, import their private key, and bind their wallet, only to have their assets stolen. Attackers use targeted ads in official Telegram channels to lure users into clicking. These phishing methods are particularly covert because they appear in legitimate channels, making users assume they’re official. Without enough caution, users can fall for the phishing bot, input their private keys, and lose their assets.
Additionally, we recently uncovered a new scam: the Telegram Fake Safeguard Scam. Many users were tricked into running malicious code following attackers’ instructions, resulting in stolen assets.
App Stores
Not all software available on app stores (Google Play, Chrome Store, App Store, APKCombo, etc.) is genuine. App stores are not always able to fully review all apps. Some attackers use tactics like purchasing keyword rankings or redirecting traffic to trick users into downloading fraudulent apps. We encourage users to carefully review apps before downloading. Always verify the developer’s information to make sure it matches the official identity. You can also check app ratings, download numbers, and other relevant details.
Phishing Emails
Email phishing is one of the oldest tricks in the book, and it’s often simple yet effective. Attackers use phishing templates combined with Evilginx reverse proxies to craft emails like the one shown below. When users click on “VIEW THE DOCUMENT,” they’re redirected to a fake DocuSign page (which is now offline). If the user clicks the Google login on this page, they’ll be redirected to a fake Google login page. Once they enter their username, password, and 2FA code, the attacker gains control of their account.
The phishing email above wasn’t carefully crafted, as the sender’s email address hasn’t been disguised. Let’s look at how the attacker attempted to disguise it in the following example: The attacker’s email address differs from the official one by only a small dot. Using a tool like DNSTwist, attackers can identify special characters supported by Gmail. Without paying close attention, you might mistake it for a dirty screen.
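A defender-side lookalike check covering the cases above (the us4zoom.us Zoom clone, an ad or link that displays the official name but lands elsewhere, and a sender domain that differs from the official one by a dot or a swapped character). This is an added example, not code from SlowMist or the bootcamp; the allow-list, the confusable map and the sample inputs are constructed, and a real deployment would use the full Unicode confusables table and a public-suffix list.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed subset of visually confusable characters mapped to ASCII; a real
# deployment would load the full Unicode confusables table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0445": "x",
    "0": "o", "1": "l", "3": "e", "5": "s",
}
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Constructed allow-list: the registrable domains this user actually trusts.
TRUSTED = {"zoom.us", "slowmist.com", "google.com"}


def unpunycode(host: str) -> str:
    """Decode xn-- labels so IDN homoglyph domains are compared as Unicode."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host

def registrable(host: str) -> str:
    """Last two labels (assumption: no multi-label suffixes such as co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def skeleton(text: str) -> str:
    """Collapse homoglyphs, zero-width chars and separators for comparison."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = "".join(ch for ch in text if ch not in ZERO_WIDTH)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return text.replace("rn", "m").replace("-", "").replace("_", "")

def classify(host: str) -> tuple[str, str]:
    """Return (verdict, detail); verdict is trusted, lookalike or unknown."""
    host = unpunycode(host.strip().lower())
    reg = registrable(host)
    if reg in TRUSTED:
        return "trusted", reg
    reg_sk, host_sk = skeleton(reg), skeleton(host)
    for trusted in TRUSTED:
        t_sk = skeleton(trusted)
        brand = t_sk.split(".")[0]
        if reg_sk == t_sk:            # e.g. s1owmist.com with a digit one
            return "lookalike", f"homoglyph of {trusted}"
        if brand in host_sk:          # app.us4zoom.us wraps 'zoom' in a new domain
            return "lookalike", f"embeds brand of {trusted}"
        if SequenceMatcher(None, reg_sk, t_sk).ratio() >= 0.85:
            return "lookalike", f"edit-close to {trusted}"
    return "unknown", reg

def check_sender(from_header: str) -> tuple[str, str]:
    """Classify the domain of a From header; the display name is sender-chosen."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    if "@" not in addr:
        return "unknown", addr
    return classify(addr.rsplit("@", 1)[1])
```

Run the same check on the host a link actually resolves to, not on the text it displays, since the displayed URL is exactly what the ad and email tricks above forge.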
Exploiting Browser Features
For more details, see SlowMist: Revealing How Malicious Browser Bookmarks Steal Your Discord Tokens.
Phishing tactics are continuously evolving and becoming more sophisticated. Our previous analysis showed that attackers can create websites that closely mimic official pages of well-known projects, take over project domains, and even fabricate entire fake projects. These fraudulent projects often have a large number of fake followers on social media (bought followers) and even have GitHub repositories, making it even harder for users to spot phishing threats. Moreover, the attackers’ skillful use of anonymous tools further complicates efforts to track their actions. To conceal their identity, attackers often rely on VPNs, Tor, or compromised hosts to carry out their attacks.
Once attackers have an anonymous identity, they also need basic infrastructure, such as Namecheap, which accepts cryptocurrency payments. Some services only require an email address to register and do not require KYC verification, allowing attackers to avoid being traced.
Once they have these tools in place, attackers can initiate phishing attacks. After stealing funds, they may use services like Wasabi or Tornado to obscure the money trail. To further enhance anonymity, they may exchange the stolen funds for privacy-focused cryptocurrencies like Monero.
To cover their tracks and avoid leaving evidence behind, attackers will remove related domain resolutions, malicious software, GitHub repositories, platform accounts, etc. This makes it difficult for security teams to investigate incidents, as phishing sites may no longer be accessible and malicious software may no longer be available for download.
Users can identify phishing threats by recognizing the characteristics mentioned above and by verifying the authenticity of information before acting. They can also improve their phishing defense with dedicated security tools.
Conclusion
Phishing attacks are widespread in the blockchain world. The most important thing is to stay vigilant and avoid being caught off guard. When navigating the blockchain space, the core principle is to adopt a zero-trust mindset and continually verify everything. We recommend reading and gradually mastering the “Blockchain Dark Forest Self-Rescue Handbook” to strengthen your defense: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/.