Phishing Attacks

Smart Contract Vulnerability Deep Dive

JohnnyTime
JohnnyTime · Updated June 24, 2026
26 min read
Total Stolen $3,344,812,624
Last Attack Mar 16, 2026
Latest Victim USDC Permit Signature Phishing

Summarize with AI

Phishing Attacks in Web3: The Ultimate Guide to Defense & Detection

Let's cut right to the chase: Web3 phishing attacks are the #1 threat in the crypto ecosystem today. While complex smart contract bugs get all the headlines, a simple phishing attack targets the actual human behind the screen. It takes just one wrong click to sign a malicious transaction, draining a wallet in seconds.

Whether you're a DeFi degenerate, an NFT collector, or a smart contract auditor, you need to understand how these attacks work. In this comprehensive guide, we'll dive deep into everything from basic approval phishing and wallet drainers, to address poisoning and the wild social engineering tactics that caused the staggering $1.5B Bybit hack.

What Exactly is a Web3 Phishing Attack?

Traditional Web2 phishing tries to steal your passwords. A Web3 phishing attack is far more devious: it tricks crypto users into signing a malicious blockchain transaction or off-chain message. By doing so, you unwittingly hand the attacker the 'keys to the kingdom' - granting them explicit permission to siphon your ERC-20 tokens, sweep your NFTs, or empty your entire wallet.

Because Web3 relies entirely on cryptographic signatures and smart contract approval mechanisms, hackers don't need your private key. They just need your signature.

The "Restaurant Bill" Analogy 🍽️

Imagine you've just finished a fantastic dinner. The waiter brings you the bill, you glance at the total, and scribble your signature. But what if, buried in the fine print of that receipt, there was a clause giving the restaurant full access to your entire bank account?

That is approval phishing in a nutshell. You think you're authorizing a standard Web3 action (like verifying your wallet or claiming an airdrop), but you're actually signing away unlimited access to your crypto assets.


Why Phishing Is the #1 Threat in Web3

Phishing attacks have caused more financial damage than any other attack vector in the crypto ecosystem:

$0M+
Lost in 2024 Alone
0K+
Victims Per Year
2021–2025
Active Threat Period
Attack Year Impact
Bybit / Safe{Wallet} Hack 2025 $1.5B stolen via social engineering
$55M DAI Phishing 2024 Single victim, Inferno Drainer kit
Wallet Drainers Total 2024 $494M from 332K+ victims
$71M WBTC Address Poisoning 2024 Funds later recovered via negotiation
Radiant Capital 2024 $50M via developer social engineering
OpenSea Phishing 2022 $1.7M+ in NFTs from 32 users

Phishing was the absolute most costly attack vector in 2024. An eye-watering $1.05 billion vanished across 296 incidents, representing almost half of all stolen Web3 funds that year.


The $55M DAI Heist: A Web3 Nightmare

Think phishing only happens to newbies? Think again. On August 21, 2024, an experienced crypto whale woke up to a nightmare, losing a staggering $55.47 million in DAI stablecoins in the largest single-victim Web3 phishing attack ever recorded.

How It Went Down

The victim, identified on-chain as 0xf2B8..., let their guard down for just a second. They unknowingly signed a setOwner transaction on their DeFi Saver Proxy contract. In plain English? They accidentally transferred the legal ownership of their highly collateralized Maker vault straight to a phishing address.

The culprit? The infamous Inferno Drainer, a sophisticated Phishing-as-a-Service (PaaS) toolkit that instantly spins up pixel-perfect fake websites mirroring legitimate DeFi protocols.

Unpacking the Devastation

Once the attacker snagged ownership of the Maker vault, they wasted no time:

  1. Hijacked the protocol by switching the owner address to their own.

  2. Minted a massive 55,473,618 DAI directly into their wallet.

  3. Swapped 27.5 million of that DAI for 10,625 ETH to start obfuscating the trail.

  4. Laundered the remaining loot across dozens of mixer addresses.

Fun, but terrifying fact: The setOwner method was the star player in 31.9% of massive crypto hacks in 2024. If you take anything away from this, never sign a setOwner transaction unless you absolutely know what you're doing.

The Autopsy: Why Did This Work?

The targeted whale fell into a classic, yet fatal, sequence:

  • Clicked a malicious link disguised as a standard DeFi interface.

  • Confirmed a prompt in their wallet, assuming it was a routine connection signature.

  • Completely missed the fine print stating they were calling setOwner.

  • Flew blind, lacking any transaction simulation extensions to warn them.

This one fateful click made up over 11% of the entire year's wallet drainer losses.


Ready to stop hackers in their tracks? The industry-leading Smart Contract Hacking course includes hands-on phishing and approval exploitation exercises. You won't just read about attacks - you'll actually exploit vulnerable contracts in a safe environment, exactly like elite security researchers do.


Types of Web3 Phishing Attacks

Web3 phishing comes in several distinct forms, each exploiting different mechanisms:

1
Approval Phishing
"Tricks users into signing approve(), increaseAllowance(), or setApprovalForAll() - granting attackers permission to move their tokens"
Impact: $1B+ stolen | Most common type
2
Signature Phishing
"Exploits off-chain signatures via EIP-2612 permit() or Permit2 - no on-chain transaction needed from the victim"
Impact: $494M in 2024 | Hardest to detect
3
Address Poisoning
"Plants lookalike addresses in transaction history - victims copy the wrong address and send funds to the attacker"
Impact: $83M+ confirmed | 270M+ attempts

Beyond these three primary types, frontend hijacking has emerged as a devastating technique. Here, attackers don't even bother making a fake site - they compromise a protocol's actual website or deployment infrastructure to serve malicious transactions to real users. The astronomical $1.5B Bybit hack and the $120M BadgerDAO attack both relied exactly on this vector.


How Approval Phishing Works: Step-by-Step

Understanding the exact mechanism of an attack is your best defense. Approval phishing (often called "ice phishing," a term coined by Microsoft back in 2022) exploits the very token approval system that makes DeFi possible.

Why Do Token Approvals Even Exist?

Every single time you use a decentralized exchange (DEX), a lending protocol, or an NFT marketplace, you must first approve that smart contract to spend your tokens. This is essentially by design - unlike native ETH, ERC-20 tokens can't just be "pushed" to contracts directly.

The fatal flaw? Attackers can trick you into approving their malicious address instead of the safe, legitimate protocol you thought you were using.

The Classic Attack Flow

Step What Happens State
1 Attacker creates phishing site mimicking a DeFi protocol Victim's tokens safe
2 Victim connects wallet to fake site Wallet connected
3 Site prompts victim to sign an approve() transaction Transaction pending
4 Victim signs - granting attacker unlimited token allowance Approval granted
5 Attacker calls transferFrom() on the token contract Tokens being drained
6 All approved tokens moved to attacker's wallet Wallet drained

The 4 Phases of an Ice Phishing Attack

Every successful approval phishing attack follows a meticulously planned four-step execution:

1
Tap to reveal
Social Engineering Lure

The attacker promotes a phishing site via hacked social media accounts, fake airdrops, Google ads, or direct messages. The site closely mimics a legitimate protocol like Uniswap, OpenSea, or an airdrop claim page.

2
Tap to reveal
Wallet Scanning & Asset Discovery

Once the victim connects their wallet, the drainer script scans their holdings - identifying the most valuable tokens, NFTs, and staked positions. A command-and-control server decides which assets to target first.

3
Tap to reveal
Malicious Transaction Signing

The victim is prompted to sign a transaction - either an approve() call, a permit() off-chain signature, or a setApprovalForAll(). The wallet popup shows the action, but most users don't read the details.

4
Tap to reveal
Asset Extraction

The attacker uses the granted approval to call transferFrom(), moving tokens to their address. For NFTs, they use safeTransferFrom(). Often routed through legitimate protocols like SushiSwap to obfuscate the theft.

"One signature can drain your entire wallet."
Unlike traditional hacks that exploit code, approval phishing only needs you to click "Confirm" once. The approval persists until you manually revoke it - the attacker can drain you hours, days, or weeks later.

The "Big Three" Functions Attackers Target

Understanding which smart contract functions these scammers exploit is your first line of defense:

Function Token Standard What It Does The Attacker's End Goal
approve(spender, amount) ERC-20 Allows a spender to transfer up to a certain amount of your tokens. Set the amount to max uint256 (effectively unlimited access).
increaseAllowance(spender, amount) ERC-20 Increases an existing allowance by a specified amount. Add a massive allowance to the attacker's own address.
setApprovalForAll(operator, true) ERC-721 / ERC-1155 Gives the operator full permission to transfer ALL your NFTs in a specific collection. Sweep every single NFT you own in one fell swoop.
{
  "title": "🎬 Approval phishing: one signature, drained later",
  "stage": { "width": 920, "height": 440 },
  "nodes": [
    { "id": "victim", "label": "Victim", "role": "wallet: 50k USDC", "emoji": "🧑", "x": 60, "y": 200, "color": "cyan" },
    { "id": "token", "label": "USDC Token", "role": "approve / transferFrom", "emoji": "🪙", "x": 440, "y": 60, "color": "purple" },
    { "id": "attacker", "label": "Attacker", "role": "malicious spender", "emoji": "🎣", "x": 720, "y": 200, "color": "red" }
  ],
  "links": [
    { "from": "victim", "to": "token" },
    { "from": "attacker", "to": "token" },
    { "from": "token", "to": "attacker" }
  ],
  "nets": [
    { "id": "victim", "label": "Victim wallet" },
    { "id": "atk", "label": "Attacker" }
  ],
  "legend": [
    { "cls": "call", "label": "contract call" },
    { "cls": "token", "label": "token transfer" },
    { "cls": "sig", "label": "approval / signature" },
    { "cls": "fail", "label": "rejected / blocked" }
  ],
  "scenarios": {
    "Vulnerable (blind unlimited approve)": [
      { "note": "Victim holds 50,000 USDC. A pixel-perfect phishing site prompts what looks like a routine 'connect' signature.", "hi": ["victim"], "bal": { "victim": "50,000 USDC" }, "net": { "victim": "50,000", "atk": "0" } },
      { "note": "It is actually <b>approve(attacker, unlimited)</b>. The victim signs without reading the fine print.", "tone": "bad", "hi": ["victim","token"], "chip": { "from": "victim", "to": "token", "label": "✍️ approve(attacker, ∞)", "cls": "sig" } },
      { "note": "The token's allowance ledger now lets the attacker move <b>all</b> of the victim's USDC - forever, until revoked.", "tone": "bad", "hi": ["token"], "bal": { "token": "allowance: ∞" } },
      { "note": "Hours later, the attacker calls <b>transferFrom(victim, attacker, 50k)</b>. No new victim signature needed.", "tone": "bad", "hi": ["attacker","token"], "chip": { "from": "attacker", "to": "token", "label": "📞 transferFrom(50k)", "cls": "call" } },
      { "note": "The token moves every approved USDC to the attacker. The wallet is drained from a single past click.", "tone": "bad", "hi": ["token","attacker"], "chip": { "from": "token", "to": "attacker", "label": "💸 50,000 USDC", "cls": "token" }, "bal": { "victim": "0 USDC", "attacker": "+50k" }, "net": { "victim": "0", "atk": "+50,000" } }
    ],
    "Fixed (scoped approval + simulation)": [
      { "note": "Same lure - but the victim's wallet runs a transaction simulator that decodes the prompt before signing.", "hi": ["victim"], "bal": { "victim": "50,000 USDC" }, "net": { "victim": "50,000", "atk": "0" } },
      { "note": "It flags it: 'this grants UNLIMITED spend to an unknown address.' The victim rejects.", "tone": "ok", "hi": ["victim","token"], "chip": { "from": "victim", "to": "token", "label": "⛔ approve rejected", "cls": "fail" } },
      { "note": "For real use, the victim approves only the <b>exact amount</b> needed (or uses Permit2 with an expiry), never unlimited.", "tone": "ok", "hi": ["victim","token"], "chip": { "from": "victim", "to": "token", "label": "✍️ approve(dapp, 100)", "cls": "sig" }, "bal": { "token": "allowance: 100" } },
      { "note": "With no standing unlimited allowance, a phishing spender has nothing to drain.", "tone": "ok", "hi": ["victim"], "bal": { "victim": "50,000 USDC safe" }, "net": { "victim": "50,000", "atk": "0" } }
    ]
  }
}

Under the Hood: Why Unlimited Approvals Are So Dangerous

Let's drop down to the code level. Why exactly does the standard ERC-20 approval mechanism create such a massive surface area for phishing attacks?

Note: The vulnerability isn't necessarily a "bug" in the code. The flaw lies in the widespread user habit (and frontend design patterns) of granting permanent, unlimited approvals.

The Risky Pattern in Action

// VULNERABLE PATTERN - DO NOT USE IN PRODUCTION
// This shows how unlimited approvals enable phishing attacks

contract VulnerableToken is ERC20 {
    // Standard ERC-20 approve - allows UNLIMITED approvals
    function approve(address spender, uint256 amount) public override returns (bool) {
        // No limit on amount - can be type(uint256).max
        // No expiration - approval lasts FOREVER
        // No notification - user may forget about this approval
        _approve(msg.sender, spender, amount);
        return true;
    }

    // A DeFi frontend typically requests:
    // approve(contractAddress, type(uint256).max)
    // This grants PERMANENT, UNLIMITED access to your tokens
}

// When a phishing site calls:
// token.approve(ATTACKER_ADDRESS, type(uint256).max)
// The attacker can drain ALL your tokens at ANY time

Why Is This Dangerous?

The problem isn't a bug - it's a design flaw in the approval model:

  1. Approvals default to unlimited amounts (type(uint256).max)

  2. Approvals have no expiration - they last forever

  3. Users can't easily see or manage active approvals

  4. A single approval grants access to all tokens of that type

In 2024, ERC-20 tokens represented 89.5% of the $71.5 million lost to phishing in March alone.

Phishing attack diagram - The allowance is a standing key to your wallet - scope it or lose it
The allowance is a standing key to your wallet - scope it or lose it

Phishing Attacker Contract Example

Here's how an attacker exploits approvals they've obtained through phishing.

// ATTACKER CONTRACT - Educational purposes only
// Demonstrates how phishing-obtained approvals are exploited

contract PhishingDrainer {
    address public attacker;

    constructor() {
        attacker = msg.sender;
    }

    // After tricking a victim into calling:
    // token.approve(address(this), type(uint256).max)
    // The attacker can drain all their tokens:

    function drainERC20(
        IERC20 token,
        address victim,
        uint256 amount
    ) external {
        require(msg.sender == attacker, "Not attacker");

        // This works because the victim already approved this contract
        token.transferFrom(victim, attacker, amount);
    }

    // For NFTs, after victim calls:
    // nft.setApprovalForAll(address(this), true)
    function drainNFT(
        IERC721 nft,
        address victim,
        uint256 tokenId
    ) external {
        require(msg.sender == attacker, "Not attacker");

        // Transfer NFT from victim to attacker
        nft.safeTransferFrom(victim, attacker, tokenId);
    }

    // Advanced: Drain multiple tokens in a single transaction
    function drainMultiple(
        address victim,
        IERC20[] calldata tokens,
        uint256[] calldata amounts
    ) external {
        require(msg.sender == attacker, "Not attacker");

        for (uint i = 0; i < tokens.length; i++) {
            uint256 balance = tokens[i].balanceOf(victim);
            uint256 amount = amounts[i] < balance ? amounts[i] : balance;
            tokens[i].transferFrom(victim, attacker, amount);
        }
    }
}

Attack Execution Summary

  1. Deploy the drainer contract (or use a drainer-as-a-service kit)

  2. Lure victims to a fake site mimicking a legitimate protocol

  3. Request approval - the wallet popup asks to approve the drainer contract

  4. Wait - the approval persists indefinitely

  5. Call drainERC20() or drainNFT() to steal all approved assets

Modern wallet drainers like Inferno Drainer automate this entire flow, scanning wallets for valuable assets and generating the optimal drain transaction automatically.


Want to learn how to write exploits like this to secure billion-dollar protocols? The Smart Contract Hacking course covers advanced phishing mechanics, deep-dive approval exploitation, and wallet drainer analysis. Learn from the best: JohnnyTime (12+ years in cybersecurity) and Trust (the #1 Code4rena warden).


How to Prevent Phishing Attacks: Best Practices

Stopping a Web3 phishing attack before it happens requires a defense-in-depth approach. We have to secure every layer - from the foundational smart contract architecture all the way down to a user's daily browsing habits.

Effectiveness85/100

What it does: Tools like Pocket Universe, Fire, and Blowfish simulate transactions before you sign, showing you exactly what will happen - including token transfers, approvals, and ownership changes.

When to use: Install as a browser extension and use for every transaction. They intercept wallet popups and add human-readable warnings.

Limitation: Cannot protect against all social engineering - a determined user may still click through warnings.

Effectiveness80/100

What it does: Revoke.cash and Etherscan's Token Approval Checker let you view and revoke all active token approvals. Regularly cleaning up old approvals reduces your attack surface.

When to use: Check and revoke unused approvals monthly. Immediately revoke any suspicious approvals.

Limitation: Costs gas to revoke each approval. Cannot undo damage if tokens were already drained.

Effectiveness75/100

What it does: Hardware wallets require physical confirmation of every transaction. Always verify the full address and transaction details on the hardware device screen.

When to use: For any wallet holding significant value. Use separate wallets for DeFi interactions vs. long-term storage.

Limitation: Hardware wallets cannot parse complex multisig transactions (as demonstrated in the Radiant Capital hack). Users may still blindly confirm.

Effectiveness70/100

What it does: Instead of approving type(uint256).max, approve only the exact amount needed for each transaction. Many wallets now let you edit the approval amount.

When to use: Every time a dApp requests a token approval. Manually reduce the amount to match the actual transaction.

Limitation: Requires extra gas for re-approvals. Many dApps default to unlimited and users don't change it.


Building a Fortress: Phishing-Resistant Approvals in Smart Contracts

As developers, we have a responsibility to protect our users. Here is how smart contracts can and should be designed to severely minimize phishing risks using modern safety patterns.

// SECURE CONTRACT - Phishing-resistant token approval pattern
// Uses expiring approvals and amount limits

contract PhishingResistantToken is ERC20 {
    // IMPROVEMENT 1: Approval expiration
    struct Approval {
        uint256 amount;
        uint256 expiry;
    }

    mapping(address => mapping(address => Approval)) private _timedAllowances;

    event ApprovalWithExpiry(
        address indexed owner,
        address indexed spender,
        uint256 amount,
        uint256 expiry
    );

    // STEP 1: CHECKS - Validate the approval parameters
    function approveWithExpiry(
        address spender,
        uint256 amount,
        uint256 duration
    ) public returns (bool) {
        require(spender != address(0), "Invalid spender");
        require(amount > 0, "Amount must be positive");
        require(duration <= 30 days, "Max approval: 30 days");

        // STEP 2: EFFECTS - Store approval with expiration
        uint256 expiry = block.timestamp + duration;
        _timedAllowances[msg.sender][spender] = Approval({
            amount: amount,
            expiry: expiry
        });

        emit ApprovalWithExpiry(msg.sender, spender, amount, expiry);
        return true;
    }

    // Override transferFrom to check expiration
    function transferFrom(
        address from,
        address to,
        uint256 amount
    ) public override returns (bool) {
        Approval storage approval = _timedAllowances[from][msg.sender];

        // STEP 1: CHECK - Is the approval still valid?
        require(block.timestamp <= approval.expiry, "Approval expired");
        require(approval.amount >= amount, "Insufficient allowance");

        // STEP 2: EFFECTS - Decrease the allowance
        approval.amount -= amount;

        // STEP 3: INTERACTIONS - Execute the transfer
        _transfer(from, to, amount);
        return true;
    }
}

Security Features

Feature Protection How It Helps
Expiring approvals Time-limited access Even if phished, approval auto-expires in 30 days max
Exact amounts No unlimited access Attacker can only drain the approved amount, not everything
Event logging Transparency Wallet UIs can display active approvals with countdown timers
Amount tracking Spend accounting Each transfer reduces the remaining allowance

Real-World Defense: Uniswap's Permit2 already implements expiring approvals in production today. Its AllowanceTransfer contract inherently stores a uint48 expiration alongside every user approval, and SignatureTransfer enforces one-time signatures that are absolutely useless after a single use.


Mastering these contract-level defenses is exactly what separates junior developers from elite, senior auditors. The Smart Contract Hacking course dives deep into complex approval security, Permit2 internals, and bulletproof phishing prevention constraints. Step up your game and join 2,000+ security researchers in our exclusive Discord community.


Advanced Phishing Variations: They Keep Evolving

Attackers never sleep. When the Web3 community gets wise to one tactic, hackers pivot to something more insidious. Here are the advanced variations you absolutely must know about.

1. Off-Chain Permit Signature Phishing (The Silent Killer)

The deadliest evolution of approval phishing leverages EIP-2612 permit(). This allows an attacker to obtain approval via an off-chain signature. The terrifying part? It requires zero gas and zero on-chain transactions from the victim.

How the trap is sprung:

  1. You are prompted to "verify" your wallet by signing what looks like a harmless message.

  2. In reality, that signature is heavily structured and contains: your token address, the malicious spender, an approved amount, a deadline, and a nonce.

  3. The attacker takes your raw signature and submits it on-chain via the permit() function.

  4. Armed with valid approval, the attacker instantly calls transferFrom() and empties your wallet.

Why it's so devastating: Because you only signed a "message" and not a transaction, the approval never initially appears in your on-chain history. Wallet UIs have historically struggled to flag these correctly.

The largest single phishing theft of 2025 was $6.5 million in September - caused directly by a malicious Permit signature.

2. Address Poisoning: The Phantom Duplicate

Address poisoning targets a habit almost everyone in crypto has: copy-pasting addresses directly from their transaction history.

The subtle attack:

  1. The Setup: The attacker uses software to generate a "vanity" wallet address that identically matches the first 4-6 and last 4-6 characters of an address you frequently use.

  2. The Bait: They send a tiny amount of tokens (or a zero-value transaction) to you using this lookalike address.

  3. The Trap: This fake address now secretly resides in your recent transaction history on block explorers or your wallet UI.

  4. The Catch: The next time you go to send funds, you lazily check your history, copy the poisoned address by mistake, and shoot your funds straight to the hacker.

Real incidents:

  • December 2025: A trader lost $50M in USDT after copying a poisoned address. Binance's CZ later pushed for wallet-level poison address blocking.

  • May 2024: A victim lost $71M in WBTC but recovered funds after negotiating with the attacker.

  • November 2023: Florence Finance lost $1.45M USDC to the same technique.

Over 270 million address poisoning attempts have been detected across Ethereum and BNB Chain, with $83 million in confirmed losses.

3. Frontend Hijacking

The most sophisticated phishing attacks don't create fake websites - they compromise real ones.

$1.5B Stolen

Bybit / Safe{Wallet} (2025)

Attackers compromised a Safe{Wallet} developer via social engineering, stole AWS session tokens, bypassed MFA, and injected malicious JavaScript that replaced Bybit's transaction destination. The team signed what appeared to be a routine transfer.

$50M Stolen

Radiant Capital (2024)

A developer received a Telegram message from a "contractor" with a malicious PDF. The INLETDRIFT malware intercepted Gnosis Safe transactions, replacing them with transferOwnership() calls. Ledger wallets couldn't parse the multisig data.

$120M Stolen

BadgerDAO (2021)

Attackers compromised BadgerDAO's Cloudflare API key and injected malicious scripts into the frontend. Users visiting the legitimate site were prompted to sign increaseAllowance() transactions granting the attacker unlimited token access.

4. Wallet Drainer-as-a-Service (DaaS): The Illicit Industry

Gone are the days of solo hackers writing custom exploits. Modern Web3 phishing is powered by professional, organized criminal syndicates. Wallet drainer kits are quite literally sold as subscription SaaS products (Drainer-as-a-Service) on the dark web or Telegram, complete with dedicated customer support, polished UI updates, and fully automated revenue-sharing models.

The Staggering Evolution of Drainers:

Drainer Active Period Estimated Stolen Business Model
Monkey Drainer Aug 2022 – Feb 2023 $16M+ 30% cut + $1,000 entry fee
Inferno Drainer Mar 2023 – Q4 2024 $81M+ Revenue sharing
MS Drainer 2023 $59M+ Sold to 63,000+ victims
Angel Drainer 2023 – 2024 $20M+ Market leader by Q1 2024 (42%)
Pink Drainer 2023 – Q2 2024 Significant Exited market mid-2024
Acedrainer Q4 2024+ Growing Captured 20% market share rapidly

In 2024, the top three drainers (Angel, Pink, Inferno) controlled 92% of the market in Q1. The ecosystem constantly evolves - as old drainers exit, new ones fill the gap.


Debunking Dangerous Phishing Myths

Because this space moves so incredibly fast, a lot of outdated or frankly dangerous advice circulates online. Let's set the record straight:

?

"Hardware wallets protect you from phishing attacks."

Tap to reveal
MYTH

Hardware wallets protect your private keys, but they still require you to approve transactions. If you confirm a malicious approval on your Ledger or Trezor, the attacker gets permission to drain your tokens - as demonstrated in the $50M Radiant Capital hack.

?

"Phishing only steals private keys or seed phrases."

Tap to reveal
MYTH

Web3 phishing rarely targets private keys. Instead, it exploits the approval mechanism - tricking you into granting token spending permission. Your keys stay safe, but your tokens don't. This is why it's called "ice phishing."

?

"If I don't see a suspicious transaction in my history, I'm safe."

Tap to reveal
MYTH

Permit signature phishing operates entirely off-chain. The victim signs a message (not a transaction), so the approval never appears in transaction history. The attacker submits it later. Address poisoning also works by planting fake entries IN your transaction history.

?

"Approvals are safe because I only approved a legitimate protocol."

Tap to reveal
FACT... but

Approving a legitimate protocol IS safe - the danger is that approvals are permanent and unlimited by default. If that protocol gets hacked later (like BadgerDAO's frontend), your existing approval becomes the attack vector. Always revoke unused approvals.


Phishing attacks don't happen in a vacuum - they are closely connected to other critical smart contract attack vectors.

  • Access Control Attacks: These share a massive root cause with phishing. Both exploit unauthorized permission grants, regardless of whether it's through code flaws or social engineering.

  • Call Attacks: To truly understand drainers, brush up on the low-level mechanics of call(), delegatecall(), and external interactions that these phishing exploits rely on under the hood.

  • Flash Loan Attacks: Phishing is frequently combined with flash loans. Once an attacker gets approval access to a victim's tokens in deep DeFi positions, they use flash loans to artificially amplify the financial damage.


Test Your Web3 Phishing IQ

Test Your Web3 Phishing IQ

5 questions. How well do you really know this attack?

Question 1 of 5

Frequently Asked Questions (FAQ): Web3 Phishing

A Web3 phishing attack is a scam that tricks you into signing a malicious blockchain transaction, unknowingly giving a hacker permission to steal your cryptocurrency or NFTs. Unlike traditional Web2 phishing that steals your passwords, smart contract phishing exploits token approval mechanisms. You keep your private keys securely in your hardware wallet, but you still lose all your assets because you cryptographically signed a malicious approval.

Phishing was the most costly attack vector in 2024, with over $1 billion lost across 296 incidents. Wallet drainers specifically stole $494 million from 332,000+ victims in 2024. Since May 2021, Chainalysis has tracked approximately $1 billion in approval phishing losses alone. Including the $1.5B Bybit hack in 2025, total phishing-related losses in Web3 exceed several billion dollars.

A wallet drainer is a malicious script embedded in phishing websites that automatically scans your wallet for valuable assets and generates optimized transactions to steal them. When you connect your wallet and sign the transaction, the drainer uses approve(), permit(), or setApprovalForAll() to gain permission, then transfers your assets to the attacker. Drainer kits are sold as a service (DaaS) with the operator taking a 20-30% cut.

Use Revoke.cash or Etherscan's Token Approval Checker to view all active approvals on your wallet. Connect your wallet, review each approval, and revoke any that are no longer needed - especially unlimited approvals to contracts you no longer use. This costs a small amount of gas per revocation.

Yes. Any EVM-compatible chain (BNB Chain, Polygon, Arbitrum, Avalanche, Base, etc.) is susceptible because they all use the same ERC-20/ERC-721 approval mechanism. Address poisoning attacks have been documented across all major EVM chains. Non-EVM chains like Solana have their own phishing vectors targeting token account delegations.

Address poisoning is when an attacker sends tiny transactions from a wallet address that looks similar to one you frequently use. When you later copy an address from your transaction history, you might accidentally paste the attacker's lookalike address. Protect yourself by always verifying the full address (not just first/last characters), using address book features, sending test transactions first, and using ENS names when possible.


The Ultimate Anti-Phishing Checklist

Whether you're a casual Web3 user or a lead protocol developer, use this tactical checklist to drastically reduce your phishing exposure:

For Everyday Web3 Users

  • Install a transaction simulation tool (Pocket Universe, Fire, or Blowfish)

  • Use a hardware wallet for significant holdings

  • Never approve unlimited token amounts - edit to exact amounts needed

  • Regularly check and revoke unused approvals via Revoke.cash

  • Verify the full address when sending transactions - not just first/last characters

  • Never sign messages or transactions from links in Discord, Twitter, or email

  • Use separate wallets: hot wallet for DeFi, cold wallet for storage

  • Send a small test transaction before large transfers to new addresses

  • Bookmark DeFi sites - never click links from search ads or social media

For Protocol Developers & Smart Contract Auditors

  • Implement expiring approvals in token contracts (like Permit2)

  • Request exact approval amounts in your frontend, not type(uint256).max

  • Add Content Security Policy headers to prevent script injection

  • Use Subresource Integrity (SRI) for all external scripts

  • Implement transaction preview/simulation in your dApp UI

  • Display clear, human-readable approval details to users

  • Monitor for unauthorized changes to your frontend deployment

  • Secure CI/CD pipelines and cloud credentials with hardware keys


Take Your Security Skills to the Next Level

Understanding how Web3 phishing attacks operate on paper is just the first step. To become a top-tier professional smart contract auditor, you need to get your hands dirty. You need to identify, exploit, and patch these very approval mechanisms in a controlled environment.

The Smart Contract Hacking course offers everything you need to master Web3 security:

  • 320+ in-depth video lessons covering approval exploitation, signature phishing, flash loan attacks, reentrancy, and more.

  • 40+ hands-on exercises where you'll actively exploit and secure real-world smart contracts.

  • Expert instruction from legendary hackers like JohnnyTime, Trust (the #1 Code4rena warden), and Pashov.

  • An exclusive 2,000+ member Discord community for mentorship, exclusive alpha, and high-paying audit job opportunities.

  • The prestigious SSCH Certification to prove your expertise to employers.

Our students consistently dominate competitive audit contests, secure lucrative security roles, and take home massive bug bounties. Don't just read about hacks - learn how to stop them. Check out our students' success stories.

Start Your Journey as a Web3 Security Researcher Today

Sources and editorial notes

Reviewed by JohnnyTime. Last updated .

Master Phishing Attacks in a safe lab

Practice the exploit path, debug the vulnerable code, and learn the prevention workflow auditors use in real reviews.

Exploit setup Root-cause tracing Patch review
Practice Phishing Attacks Free Trial