Web3 Phishing Attacks: How They Work and How to Avoid Them
Phishing remains the most common attack vector in crypto. We examine the latest techniques targeting wallet connections, token approvals, and social engineering through Discord and Telegram.
Phishing remains the most effective attack vector in crypto because it does not need to break any technical control: the victim authorizes the loss. It does not matter how well a seed phrase is protected if its owner signs a malicious transaction or message voluntarily. The techniques evolved significantly in 2024-2025, with AI-assisted personalization and new off-chain signature types creating attack paths that the older advice ("never share your seed phrase") does not cover.
Wallet Drainer Infrastructure
Modern crypto phishing does not require the attacker to write custom draining software. Wallet drainer kits are available as a service on criminal forums - attackers pay a fee or revenue share for access to infrastructure that handles the transaction generation, signature request, and fund movement. The attacker's job is to drive traffic to a convincing fake site. The drainer handles the rest.
The Monkey Drainer, Pink Drainer, and Inferno Drainer kits were documented between 2022 and 2024 and collectively facilitated hundreds of millions of dollars in losses. Most have since been shut down or rebranded, but the model persists. A competent attacker with no smart contract development skill can run a phishing operation using purchased drainer infrastructure.
Signature-Based Attacks: No Transaction Required
The most dangerous evolution in 2024-2025 is attacks that use off-chain signatures to drain wallets - no visible blockchain transaction required from the victim. Two signature types are most commonly abused:
EIP-2612 Permit Phishing
EIP-2612 added "permit": an EIP-712 typed-data signature that grants a token allowance without a separate on-chain approve() transaction. A phishing site presents the request as a harmless login or "verify wallet" step. It costs no gas and the victim broadcasts nothing. The signed message, though, names a spender (the attacker's contract or address), a value (often the maximum uint256) and a deadline. The attacker submits it to the token's permit() function and calls transferFrom() in the same or the next block, draining the approved balance. USDC and many newer ERC-20 tokens implement EIP-2612; DAI has an older, non-standard permit with the same effect, and Uniswap's Permit2 contract generalizes the pattern to any token the user has approved to it and is abused the same way. Wallets increasingly decode and flag these requests, but a signature shown as raw hex or as an unfamiliar struct is still approved by many users without recognizing what it authorizes.
Seaport Order Signing
OpenSea and other NFT marketplaces built on the Seaport protocol construct trades as off-chain signed orders (EIP-712 OrderComponents). A malicious site can present a Seaport order signature request that looks like a standard "list your NFT" confirmation but whose consideration (what the offerer receives) is zero ETH or a trivial amount, so the attacker can fulfil the order on-chain and take the NFT for nothing. The Bored Ape Yacht Club Discord compromise in 2022 is the best-known example of this pattern: victims saw what appeared to be a legitimate minting signature and lost high-value NFTs.
How to Identify Dangerous Signatures
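The field-level checks that separate a harmless typed-data signature from a permit or a giveaway listing can be automated. The following is an added example, not code from the original article, from any wallet vendor, or from the Seaport project: a heuristic classifier for the JSON a wallet receives with eth_signTypedData_v4. The spender allowlist, the dust threshold, and every address and payload in it are constructed for illustration; a real wallet would also cross-check the domain's verifyingContract against the token or marketplace it claims to be.

```javascript
// Added example (not from the original article, a wallet vendor, or Seaport):
// heuristic checks on an eth_signTypedData_v4 payload before it is signed.
// Every address, the spender allowlist and the dust threshold are constructed.

const MAX_UINT256 = (1n << 256n) - 1n;

// Assumed allowlist: spenders this user has knowingly approved before.
const KNOWN_SPENDERS = new Set([
  "0x1234000000000000000000000000000000005678", // constructed "trusted router"
]);

// Assumed threshold: a listing paying its offerer less than this is a giveaway.
const DUST_WEI = 10n ** 15n; // 0.001 ETH; assumes an 18-decimal currency

// Seaport ItemType enum values.
const ITEM_NATIVE = 0, ITEM_ERC20 = 1, ITEM_ERC721 = 2, ITEM_ERC1155 = 3;

const lower = (a) => String(a ?? "").toLowerCase();

function classifyTypedData(payload) {
  const data = typeof payload === "string" ? JSON.parse(payload) : payload;
  const { primaryType, domain = {}, message = {} } = data;
  const verdict = { primaryType, danger: "low", reasons: [] };
  const flag = (reason) => { verdict.danger = "high"; verdict.reasons.push(reason); };

  if (primaryType === "Permit") {
    // EIP-2612: {owner, spender, value, nonce, deadline}
    // DAI-style: {holder, spender, nonce, expiry, allowed}
    const spender = lower(message.spender);
    const token = lower(domain.verifyingContract);
    if (!KNOWN_SPENDERS.has(spender)) flag(`permit on ${token} to unknown spender ${spender}`);
    if (message.allowed === true) flag("DAI-style permit with allowed=true (unlimited)");
    if (message.value !== undefined) {
      const value = BigInt(message.value);
      if (value === MAX_UINT256) flag("permit value is max uint256 (unlimited)");
      else if (value > 0n) verdict.reasons.push(`permit value ${value}`);
    }
    const deadline = message.deadline ?? message.expiry;
    if (deadline !== undefined && BigInt(deadline) === MAX_UINT256) verdict.reasons.push("deadline never expires");
  } else if (primaryType === "OrderComponents") {
    const offerer = lower(message.offerer);
    const offer = message.offer ?? [];
    const consideration = message.consideration ?? [];
    const givesNft = offer.some((it) => [ITEM_ERC721, ITEM_ERC1155].includes(Number(it.itemType)));
    // Sum what the offerer receives in native/ERC-20 currency at order start.
    let paidToOfferer = 0n;
    for (const it of consideration) {
      const t = Number(it.itemType);
      if ((t === ITEM_NATIVE || t === ITEM_ERC20) && lower(it.recipient) === offerer) {
        paidToOfferer += BigInt(it.startAmount);
      }
    }
    if (consideration.length === 0) flag("order has empty consideration: anyone can take the offer for free");
    else if (givesNft && paidToOfferer < DUST_WEI) flag(`order gives away ${offer.length} NFT item(s) for ${paidToOfferer} wei`);
  } else {
    verdict.reasons.push("no known dangerous struct; still read every field");
  }
  return verdict;
}

// Constructed payloads (types omitted; the checks need only primaryType, domain and message).
const PERMIT_TRAP = {
  primaryType: "Permit",
  domain: { name: "USD Coin", version: "2", chainId: 1, verifyingContract: "0xaaaa000000000000000000000000000000000001" },
  message: { owner: "0xbbbb000000000000000000000000000000000002", spender: "0xdead000000000000000000000000000000000bad",
             value: MAX_UINT256.toString(), nonce: 0, deadline: MAX_UINT256.toString() },
};

const LISTING_TRAP = {
  primaryType: "OrderComponents",
  domain: { name: "Seaport", version: "1.6", chainId: 1, verifyingContract: "0xcccc000000000000000000000000000000000003" },
  message: {
    offerer: "0xbbbb000000000000000000000000000000000002",
    offer: [{ itemType: 2, token: "0xdddd000000000000000000000000000000000004", identifierOrCriteria: "1234", startAmount: "1", endAmount: "1" }],
    consideration: [{ itemType: 0, token: "0x0000000000000000000000000000000000000000", identifierOrCriteria: "0",
                      startAmount: "1", endAmount: "1", recipient: "0xbbbb000000000000000000000000000000000002" }],
  },
};

// Same listing, but the seller actually receives 10 ETH.
const HONEST_LISTING = {
  ...LISTING_TRAP,
  message: { ...LISTING_TRAP.message,
             consideration: [{ ...LISTING_TRAP.message.consideration[0], startAmount: "10000000000000000000", endAmount: "10000000000000000000" }] },
};

for (const p of [PERMIT_TRAP, LISTING_TRAP, HONEST_LISTING]) console.log(classifyTypedData(p));
```

The Seaport branch deliberately sums only what reaches the offerer: marketplace fees and royalties in the consideration array are paid to other recipients and must not make a zero-proceeds listing look funded. The dust threshold is wei-denominated, so an ERC-20 consideration with fewer than 18 decimals would need its own threshold.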
Discord Compromise Attacks
Discord server compromises follow a consistent pattern. The attacker phishes an admin's credentials, steals an admin's browser session token (which bypasses the password and usually MFA), or takes over a bot that holds admin privileges. Once they control the server, they post a pinned announcement or use the #announcements channel to publish a fake mint or airdrop with a link to a drainer site. The announcement looks identical to official communications because it comes from the official server, with its branding and its usual posting account.
Projects affected by Discord compromises in recent years include Azuki, Bored Ape Yacht Club (Yuga Labs), and dozens of smaller projects. These are not obscure targets - they are verified, large communities with significant security awareness among their user base. The attack succeeds because the announcement appears in the official channel, from the official server, with the official branding.
The defense is simple: official crypto projects do not post time-limited mint links without prior announcement on multiple channels including their main website. Any time-sensitive announcement in a Discord server that creates urgency should be verified against the project's main website and official Twitter before connecting a wallet.
Telegram Scam Patterns
Telegram phishing targets DeFi and trading communities. The most common pattern: bots monitor Telegram groups for mentions of wallet issues, protocol errors, or questions about specific platforms. Within seconds of your message, you receive a DM from an account with a name resembling official support (e.g., “Uniswap Support Official”) offering to help. They ask for transaction hashes, wallet addresses, and eventually direct you to a website to “verify your wallet.” The verification site requests your seed phrase or a “recovery signature” that drains the wallet.
DeFi protocols do not have Telegram support staff who monitor groups and DM users. No legitimate protocol will ask for your seed phrase, private key, or a “recovery signature” through any channel. Block and report any account that contacts you after posting a support question publicly.
Fake Software Downloads via Search Ads (active in 2025)
Attackers purchase Google search ads for “MetaMask download,” “Phantom wallet,” “Ledger Live download,” and similar queries. The ad link goes to a domain similar to the real one (metamask-extensions.io, ledger-live-app.com). The fake site either hosts malware disguised as the wallet app or redirects to a seed phrase recovery page. Google's ad vetting has improved but still fails for newly registered domains. Never download wallet software by clicking a search result - go directly to metamask.io, ledger.com, or the official domain you have bookmarked.
Address Poisoning via Zero-Value Transfers (active in 2025)
Attackers watch the chain (the mempool or recent blocks) for transfers you make. They then send a zero-value or dust transfer from a freshly generated address whose first 4-6 and last 4-6 hex characters match one of your regular recipients. With tokens such as USDT, whose transferFrom succeeds for a value of zero even without an allowance, they can also make your history show a zero-value transfer from you to the lookalike. Wallets and explorers truncate addresses to exactly those leading and trailing characters, so the poisoned entry is indistinguishable at a glance. When you copy an address from history to send to the same recipient again, you may pick the poisoned one. Always verify the full address - all 42 characters - before confirming any transaction, or better, send only to saved contacts entered from a verified source.
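The truncated-display comparison that makes poisoning work is also the cheapest way to detect it. The following is an added example, not code from the original article or from any wallet: it scans a transaction history for counterparties that would render identically to a saved contact, marks the spoofed-outgoing entries the zero-value transferFrom trick produces, and shows the only safe pre-send check, a full-string comparison. The addresses and history are constructed.

```javascript
// Added example (not from the original article or any wallet): detect address
// poisoning by comparing each counterparty against saved contacts on exactly the
// characters a truncated display shows. All addresses and history are constructed.

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
const isAddress = (a) => ADDRESS_RE.test(String(a));

// Most wallets and explorers render 0x1234…abcd: this is what the eye compares.
function displayKey(addr, head = 4, tail = 4) {
  const hex = addr.slice(2).toLowerCase();
  return `${hex.slice(0, head)}…${hex.slice(-tail)}`;
}

// True when two distinct addresses would look identical once truncated.
function isLookalike(candidate, trusted, head = 4, tail = 4) {
  if (!isAddress(candidate) || !isAddress(trusted)) return false;
  const c = candidate.toLowerCase(), t = trusted.toLowerCase();
  return c !== t && displayKey(c, head, tail) === displayKey(t, head, tail);
}

// The only safe comparison before sending: all 42 characters, case-folded
// (EIP-55 mixed case is a checksum, not a different address).
const sameAddress = (a, b) => isAddress(a) && isAddress(b) && a.toLowerCase() === b.toLowerCase();

// history: [{from, to, value}] with value in base units as a string; contacts: {label: address}
function findPoisoned(history, me, contacts) {
  const findings = [];
  history.forEach((tx, i) => {
    const counterparty = sameAddress(tx.from, me) ? tx.to : tx.from;
    for (const [label, trusted] of Object.entries(contacts)) {
      if (!isLookalike(counterparty, trusted)) continue;
      const zero = BigInt(tx.value) === 0n;
      findings.push({
        index: i, lookalike: counterparty, impersonates: label, zeroValue: zero,
        // A zero-value entry that appears to come *from* you is the transferFrom trick:
        // tokens such as USDT accept transferFrom(you, X, 0) with no allowance.
        spoofedOutgoing: zero && sameAddress(tx.from, me),
      });
    }
  });
  return findings;
}

// Guard to call right before broadcasting: refuse anything but the exact saved contact.
function checkRecipient(typed, expected) {
  if (!sameAddress(typed, expected)) {
    throw new Error(`recipient ${typed} does not match saved contact ${expected} in full; refusing to send`);
  }
  return true;
}

// Constructed data: the middles differ, the display keys ("ab12…cd34") match.
const ME = "0x" + "f".repeat(40);
const EXCHANGE = "0xab12" + "1".repeat(32) + "cd34";
const LOOKALIKE = "0xab12" + "9".repeat(32) + "cd34";
const CONTACTS = { exchange: EXCHANGE };
const HISTORY = [
  { from: ME, to: EXCHANGE, value: "500000000000000000" }, // real withdrawal
  { from: LOOKALIKE, to: ME, value: "0" },                  // poison: zero-value inbound
  { from: ME, to: LOOKALIKE, value: "0" },                  // poison: spoofed outbound
  { from: ME, to: "0x" + "e".repeat(40), value: "1000" },   // unrelated
];

console.log(findPoisoned(HISTORY, ME, CONTACTS));
```

Run against a real export, the `head` and `tail` lengths should match whatever the wallet in use actually displays; some show 6 and 4, and an attacker tunes the vanity-address search to the same width.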
Token Approval Phishing
Some phishing sites do not drain immediately. They request an unlimited approve() for a token and wait; the approval transaction looks like a routine protocol interaction. Months later the attacker calls transferFrom against that standing allowance and empties the token balance. Victims often cannot trace the loss to a specific event because the fatal click happened long before the funds moved.
Revoke.cash and Etherscan's token approval checker show all active approvals for your address. Run a monthly audit. Any unlimited approval to a contract you don't recognize or no longer use should be revoked immediately. The revocation costs a small gas fee but eliminates the ongoing exposure.
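The audit those tools perform can be reproduced from public chain data. The following is an added example, not code from the original article, from revoke.cash or from Etherscan: it rebuilds an owner's live ERC-20 allowances from Approval event logs in the shape eth_getLogs returns, flags the ones worth revoking (unlimited, unknown spender, or stale), and builds the approve(spender, 0) calldata for each. The trusted-spender set, the staleness window, and all logs and addresses are constructed.

```javascript
// Added example (not from the original article, revoke.cash or Etherscan):
// rebuild an owner's live ERC-20 allowances from Approval event logs, flag the
// ones worth revoking, and build the approve(spender, 0) calldata. All logs,
// addresses, the trusted set and the staleness window are constructed.

// keccak256("Approval(address,address,uint256)")
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
// First four bytes of keccak256("approve(address,uint256)")
const APPROVE_SELECTOR = "0x095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;

const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();
const pad32 = (hexNo0x) => hexNo0x.toLowerCase().padStart(64, "0");

// Approval(owner indexed, spender indexed, value): owner and spender sit in topics, value in data.
function decodeApproval(log) {
  if (!log.topics || log.topics.length !== 3 || log.topics[0].toLowerCase() !== APPROVAL_TOPIC) return null;
  return {
    token: log.address.toLowerCase(),
    owner: topicToAddress(log.topics[1]),
    spender: topicToAddress(log.topics[2]),
    value: BigInt(log.data),
    blockNumber: Number(log.blockNumber),
    logIndex: Number(log.logIndex),
  };
}

// approve() overwrites rather than adds, so the newest Approval per (token, spender) wins.
function currentApprovals(logs, owner) {
  const latest = new Map();
  for (const log of logs) {
    const a = decodeApproval(log);
    if (!a || a.owner !== owner.toLowerCase()) continue;
    const key = `${a.token}:${a.spender}`;
    const prev = latest.get(key);
    const newer = !prev || a.blockNumber > prev.blockNumber ||
      (a.blockNumber === prev.blockNumber && a.logIndex > prev.logIndex);
    if (newer) latest.set(key, a);
  }
  return [...latest.values()].filter((a) => a.value > 0n);
}

// Caveat: transferFrom lowers an allowance without necessarily emitting Approval, so this is
// the list to confirm with an allowance(owner, spender) call, not the final truth.
function auditApprovals(logs, owner, trustedSpenders, nowBlock, staleAfterBlocks) {
  return currentApprovals(logs, owner).map((a) => {
    const reasons = [];
    if (a.value === MAX_UINT256) reasons.push("unlimited");
    if (!trustedSpenders.has(a.spender)) reasons.push("unknown spender");
    if (nowBlock - a.blockNumber > staleAfterBlocks) reasons.push("stale");
    return { ...a, value: a.value.toString(), reasons, revokeTx: reasons.length ? buildRevokeTx(a) : null };
  });
}

// approve(spender, 0): selector + 32-byte spender + 32-byte zero, sent to the token contract.
function buildRevokeTx(a) {
  return { to: a.token, data: APPROVE_SELECTOR + pad32(a.spender.slice(2)) + pad32("0") };
}

// Constructed logs for one owner on one token.
const OWNER = "0x" + "1".repeat(40);
const TOKEN = "0x" + "a".repeat(40);
const ROUTER = "0x" + "b".repeat(40);   // assumed trusted
const DRAINER = "0x" + "c".repeat(40);  // never seen before
const DAPP = "0x" + "d".repeat(40);     // approved, then revoked by the user

const mkLog = (spender, valueHex, blockNumber, logIndex) => ({
  address: TOKEN,
  topics: [APPROVAL_TOPIC, "0x" + pad32(OWNER.slice(2)), "0x" + pad32(spender.slice(2))],
  data: "0x" + pad32(valueHex),
  blockNumber, logIndex,
});

const LOGS = [
  mkLog(DRAINER, "f".repeat(64), 100, 3), // phishing approval: unlimited
  mkLog(DAPP, "3b9aca00", 120, 0),        // 1,000 units of a 6-decimal token
  mkLog(DAPP, "0", 130, 7),               // later revoked
  mkLog(ROUTER, "3b9aca00", 150, 2),      // routine, trusted
];

const REPORT = auditApprovals(LOGS, OWNER, new Set([ROUTER]), 200, 1000);
console.log(REPORT);
```

Unlimited is the same as max uint256 here; some tokens report an "unlimited" allowance with a different sentinel, and the allowance() cross-check catches those too. Signing the revocation transaction still costs gas, which is why the audit should run on a schedule rather than after a loss.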
Defense Summary
- Bookmark every dApp you use. Never access via search results or links in messages.
- Read every signature request before signing. If you see “spender,” “consideration,” or “permit” and you didn't intend to grant those permissions, reject it.
- Verify Discord announcements about mints, airdrops, or urgent links against the project's main website before connecting a wallet.
- DeFi protocols do not DM users on Telegram or Discord. Any unsolicited support contact is a scam.
- Download wallet software only from bookmarked official URLs, never from search results.
- Review token approvals monthly on revoke.cash. Revoke anything you don't recognize.
- Verify the full 42-character address before confirming any transaction, not just the first and last few characters.