Phishing Attacks
Smart Contract Vulnerability Deep Dive
Phishing Attacks in Web3: The Ultimate Guide to Defense & Detection
Let's cut right to the chase: Web3 phishing attacks are the #1 threat in the crypto ecosystem today. While complex smart contract bugs get all the headlines, a simple phishing attack targets the actual human behind the screen. It takes just one wrong click to sign a malicious transaction, draining a wallet in seconds.
Whether you're a DeFi degenerate, an NFT collector, or a smart contract auditor, you need to understand how these attacks work. In this comprehensive guide, we'll dive deep into everything from basic approval phishing and wallet drainers, to address poisoning and the wild social engineering tactics that caused the staggering $1.5B Bybit hack.
What Exactly is a Web3 Phishing Attack?
Traditional Web2 phishing tries to steal your passwords. A Web3 phishing attack is far more devious: it tricks crypto users into signing a malicious blockchain transaction or off-chain message. By doing so, you unwittingly hand the attacker the 'keys to the kingdom' - granting them explicit permission to siphon your ERC-20 tokens, sweep your NFTs, or empty your entire wallet.
Because Web3 relies entirely on cryptographic signatures and smart contract approval mechanisms, hackers don't need your private key. They just need your signature.
The "Restaurant Bill" Analogy 🍽️
Imagine you've just finished a fantastic dinner. The waiter brings you the bill, you glance at the total, and scribble your signature. But what if, buried in the fine print of that receipt, there was a clause giving the restaurant full access to your entire bank account?
That is approval phishing in a nutshell. You think you're authorizing a standard Web3 action (like verifying your wallet or claiming an airdrop), but you're actually signing away unlimited access to your crypto assets.
Why Phishing Is the #1 Threat in Web3
Phishing attacks have caused more financial damage than any other attack vector in the crypto ecosystem:
| Attack | Year | Impact |
|---|---|---|
| Bybit / Safe{Wallet} Hack | 2025 | $1.5B stolen via social engineering |
| $55M DAI Phishing | 2024 | Single victim, Inferno Drainer kit |
| Wallet Drainers Total | 2024 | $494M from 332K+ victims |
| $71M WBTC Address Poisoning | 2024 | Funds later recovered via negotiation |
| Radiant Capital | 2024 | $50M via developer social engineering |
| OpenSea Phishing | 2022 | $1.7M+ in NFTs from 32 users |
Phishing was the absolute most costly attack vector in 2024. An eye-watering $1.05 billion vanished across 296 incidents, representing almost half of all stolen Web3 funds that year.
The $55M DAI Heist: A Web3 Nightmare
Think phishing only happens to newbies? Think again. On August 21, 2024, an experienced crypto whale woke up to a nightmare, losing a staggering $55.47 million in DAI stablecoins in the largest single-victim Web3 phishing attack ever recorded.
How It Went Down
The victim, identified on-chain as 0xf2B8..., let their guard down for just a second. They unknowingly signed a setOwner transaction on their DeFi Saver Proxy contract. In plain English? They accidentally transferred the legal ownership of their highly collateralized Maker vault straight to a phishing address.
The culprit? The infamous Inferno Drainer, a sophisticated Phishing-as-a-Service (PaaS) toolkit that instantly spins up pixel-perfect fake websites mirroring legitimate DeFi protocols.
Unpacking the Devastation
Once the attacker snagged ownership of the Maker vault, they wasted no time:
-
Hijacked the protocol by switching the owner address to their own.
-
Minted a massive 55,473,618 DAI directly into their wallet.
-
Swapped 27.5 million of that DAI for 10,625 ETH to start obfuscating the trail.
-
Laundered the remaining loot across dozens of mixer addresses.
Fun, but terrifying fact: The
setOwnermethod was the star player in 31.9% of massive crypto hacks in 2024. If you take anything away from this, never sign asetOwnertransaction unless you absolutely know what you're doing.
The Autopsy: Why Did This Work?
The targeted whale fell into a classic, yet fatal, sequence:
-
Clicked a malicious link disguised as a standard DeFi interface.
-
Confirmed a prompt in their wallet, assuming it was a routine connection signature.
-
Completely missed the fine print stating they were calling
setOwner. -
Flew blind, lacking any transaction simulation extensions to warn them.
This one fateful click made up over 11% of the entire year's wallet drainer losses.
Ready to stop hackers in their tracks? The industry-leading Smart Contract Hacking course includes hands-on phishing and approval exploitation exercises. You won't just read about attacks - you'll actually exploit vulnerable contracts in a safe environment, exactly like elite security researchers do.
Types of Web3 Phishing Attacks
Web3 phishing comes in several distinct forms, each exploiting different mechanisms:
Beyond these three primary types, frontend hijacking has emerged as a devastating technique. Here, attackers don't even bother making a fake site - they compromise a protocol's actual website or deployment infrastructure to serve malicious transactions to real users. The astronomical $1.5B Bybit hack and the $120M BadgerDAO attack both relied exactly on this vector.
How Approval Phishing Works: Step-by-Step
Understanding the exact mechanism of an attack is your best defense. Approval phishing (often called "ice phishing," a term coined by Microsoft back in 2022) exploits the very token approval system that makes DeFi possible.
Why Do Token Approvals Even Exist?
Every single time you use a decentralized exchange (DEX), a lending protocol, or an NFT marketplace, you must first approve that smart contract to spend your tokens. This is essentially by design - unlike native ETH, ERC-20 tokens can't just be "pushed" to contracts directly.
The fatal flaw? Attackers can trick you into approving their malicious address instead of the safe, legitimate protocol you thought you were using.
The Classic Attack Flow
| Step | What Happens | State |
|---|---|---|
| 1 | Attacker creates phishing site mimicking a DeFi protocol | Victim's tokens safe |
| 2 | Victim connects wallet to fake site | Wallet connected |
| 3 | Site prompts victim to sign an approve() transaction |
Transaction pending |
| 4 | Victim signs - granting attacker unlimited token allowance | Approval granted |
| 5 | Attacker calls transferFrom() on the token contract |
Tokens being drained |
| 6 | All approved tokens moved to attacker's wallet | Wallet drained |
The 4 Phases of an Ice Phishing Attack
Every successful approval phishing attack follows a meticulously planned four-step execution:
The attacker promotes a phishing site via hacked social media accounts, fake airdrops, Google ads, or direct messages. The site closely mimics a legitimate protocol like Uniswap, OpenSea, or an airdrop claim page.
Once the victim connects their wallet, the drainer script scans their holdings - identifying the most valuable tokens, NFTs, and staked positions. A command-and-control server decides which assets to target first.
The victim is prompted to sign a transaction - either an approve() call, a permit() off-chain signature, or a setApprovalForAll(). The wallet popup shows the action, but most users don't read the details.
The attacker uses the granted approval to call transferFrom(), moving tokens to their address. For NFTs, they use safeTransferFrom(). Often routed through legitimate protocols like SushiSwap to obfuscate the theft.
Unlike traditional hacks that exploit code, approval phishing only needs you to click "Confirm" once. The approval persists until you manually revoke it - the attacker can drain you hours, days, or weeks later.
The "Big Three" Functions Attackers Target
Understanding which smart contract functions these scammers exploit is your first line of defense:
| Function | Token Standard | What It Does | The Attacker's End Goal |
|---|---|---|---|
approve(spender, amount) |
ERC-20 | Allows a spender to transfer up to a certain amount of your tokens. |
Set the amount to max uint256 (effectively unlimited access). |
increaseAllowance(spender, amount) |
ERC-20 | Increases an existing allowance by a specified amount. |
Add a massive allowance to the attacker's own address. |
setApprovalForAll(operator, true) |
ERC-721 / ERC-1155 | Gives the operator full permission to transfer ALL your NFTs in a specific collection. |
Sweep every single NFT you own in one fell swoop. |
{
"title": "🎬 Approval phishing: one signature, drained later",
"stage": { "width": 920, "height": 440 },
"nodes": [
{ "id": "victim", "label": "Victim", "role": "wallet: 50k USDC", "emoji": "🧑", "x": 60, "y": 200, "color": "cyan" },
{ "id": "token", "label": "USDC Token", "role": "approve / transferFrom", "emoji": "🪙", "x": 440, "y": 60, "color": "purple" },
{ "id": "attacker", "label": "Attacker", "role": "malicious spender", "emoji": "🎣", "x": 720, "y": 200, "color": "red" }
],
"links": [
{ "from": "victim", "to": "token" },
{ "from": "attacker", "to": "token" },
{ "from": "token", "to": "attacker" }
],
"nets": [
{ "id": "victim", "label": "Victim wallet" },
{ "id": "atk", "label": "Attacker" }
],
"legend": [
{ "cls": "call", "label": "contract call" },
{ "cls": "token", "label": "token transfer" },
{ "cls": "sig", "label": "approval / signature" },
{ "cls": "fail", "label": "rejected / blocked" }
],
"scenarios": {
"Vulnerable (blind unlimited approve)": [
{ "note": "Victim holds 50,000 USDC. A pixel-perfect phishing site prompts what looks like a routine 'connect' signature.", "hi": ["victim"], "bal": { "victim": "50,000 USDC" }, "net": { "victim": "50,000", "atk": "0" } },
{ "note": "It is actually <b>approve(attacker, unlimited)</b>. The victim signs without reading the fine print.", "tone": "bad", "hi": ["victim","token"], "chip": { "from": "victim", "to": "token", "label": "✍️ approve(attacker, ∞)", "cls": "sig" } },
{ "note": "The token's allowance ledger now lets the attacker move <b>all</b> of the victim's USDC - forever, until revoked.", "tone": "bad", "hi": ["token"], "bal": { "token": "allowance: ∞" } },
{ "note": "Hours later, the attacker calls <b>transferFrom(victim, attacker, 50k)</b>. No new victim signature needed.", "tone": "bad", "hi": ["attacker","token"], "chip": { "from": "attacker", "to": "token", "label": "📞 transferFrom(50k)", "cls": "call" } },
{ "note": "The token moves every approved USDC to the attacker. The wallet is drained from a single past click.", "tone": "bad", "hi": ["token","attacker"], "chip": { "from": "token", "to": "attacker", "label": "💸 50,000 USDC", "cls": "token" }, "bal": { "victim": "0 USDC", "attacker": "+50k" }, "net": { "victim": "0", "atk": "+50,000" } }
],
"Fixed (scoped approval + simulation)": [
{ "note": "Same lure - but the victim's wallet runs a transaction simulator that decodes the prompt before signing.", "hi": ["victim"], "bal": { "victim": "50,000 USDC" }, "net": { "victim": "50,000", "atk": "0" } },
{ "note": "It flags it: 'this grants UNLIMITED spend to an unknown address.' The victim rejects.", "tone": "ok", "hi": ["victim","token"], "chip": { "from": "victim", "to": "token", "label": "⛔ approve rejected", "cls": "fail" } },
{ "note": "For real use, the victim approves only the <b>exact amount</b> needed (or uses Permit2 with an expiry), never unlimited.", "tone": "ok", "hi": ["victim","token"], "chip": { "from": "victim", "to": "token", "label": "✍️ approve(dapp, 100)", "cls": "sig" }, "bal": { "token": "allowance: 100" } },
{ "note": "With no standing unlimited allowance, a phishing spender has nothing to drain.", "tone": "ok", "hi": ["victim"], "bal": { "victim": "50,000 USDC safe" }, "net": { "victim": "50,000", "atk": "0" } }
]
}
}
Under the Hood: Why Unlimited Approvals Are So Dangerous
Let's drop down to the code level. Why exactly does the standard ERC-20 approval mechanism create such a massive surface area for phishing attacks?
Note: The vulnerability isn't necessarily a "bug" in the code. The flaw lies in the widespread user habit (and frontend design patterns) of granting permanent, unlimited approvals.
The Risky Pattern in Action
// VULNERABLE PATTERN - DO NOT USE IN PRODUCTION
// This shows how unlimited approvals enable phishing attacks
contract VulnerableToken is ERC20 {
// Standard ERC-20 approve - allows UNLIMITED approvals
function approve(address spender, uint256 amount) public override returns (bool) {
// No limit on amount - can be type(uint256).max
// No expiration - approval lasts FOREVER
// No notification - user may forget about this approval
_approve(msg.sender, spender, amount);
return true;
}
// A DeFi frontend typically requests:
// approve(contractAddress, type(uint256).max)
// This grants PERMANENT, UNLIMITED access to your tokens
}
// When a phishing site calls:
// token.approve(ATTACKER_ADDRESS, type(uint256).max)
// The attacker can drain ALL your tokens at ANY time
Why Is This Dangerous?
The problem isn't a bug - it's a design flaw in the approval model:
-
Approvals default to unlimited amounts (
type(uint256).max) -
Approvals have no expiration - they last forever
-
Users can't easily see or manage active approvals
-
A single approval grants access to all tokens of that type
In 2024, ERC-20 tokens represented 89.5% of the $71.5 million lost to phishing in March alone.

Phishing Attacker Contract Example
Here's how an attacker exploits approvals they've obtained through phishing.
// ATTACKER CONTRACT - Educational purposes only
// Demonstrates how phishing-obtained approvals are exploited
contract PhishingDrainer {
address public attacker;
constructor() {
attacker = msg.sender;
}
// After tricking a victim into calling:
// token.approve(address(this), type(uint256).max)
// The attacker can drain all their tokens:
function drainERC20(
IERC20 token,
address victim,
uint256 amount
) external {
require(msg.sender == attacker, "Not attacker");
// This works because the victim already approved this contract
token.transferFrom(victim, attacker, amount);
}
// For NFTs, after victim calls:
// nft.setApprovalForAll(address(this), true)
function drainNFT(
IERC721 nft,
address victim,
uint256 tokenId
) external {
require(msg.sender == attacker, "Not attacker");
// Transfer NFT from victim to attacker
nft.safeTransferFrom(victim, attacker, tokenId);
}
// Advanced: Drain multiple tokens in a single transaction
function drainMultiple(
address victim,
IERC20[] calldata tokens,
uint256[] calldata amounts
) external {
require(msg.sender == attacker, "Not attacker");
for (uint i = 0; i < tokens.length; i++) {
uint256 balance = tokens[i].balanceOf(victim);
uint256 amount = amounts[i] < balance ? amounts[i] : balance;
tokens[i].transferFrom(victim, attacker, amount);
}
}
}
Attack Execution Summary
-
Deploy the drainer contract (or use a drainer-as-a-service kit)
-
Lure victims to a fake site mimicking a legitimate protocol
-
Request approval - the wallet popup asks to approve the drainer contract
-
Wait - the approval persists indefinitely
-
Call
drainERC20()ordrainNFT()to steal all approved assets
Modern wallet drainers like Inferno Drainer automate this entire flow, scanning wallets for valuable assets and generating the optimal drain transaction automatically.
Want to learn how to write exploits like this to secure billion-dollar protocols? The Smart Contract Hacking course covers advanced phishing mechanics, deep-dive approval exploitation, and wallet drainer analysis. Learn from the best: JohnnyTime (12+ years in cybersecurity) and Trust (the #1 Code4rena warden).
How to Prevent Phishing Attacks: Best Practices
Stopping a Web3 phishing attack before it happens requires a defense-in-depth approach. We have to secure every layer - from the foundational smart contract architecture all the way down to a user's daily browsing habits.
What it does: Tools like Pocket Universe, Fire, and Blowfish simulate transactions before you sign, showing you exactly what will happen - including token transfers, approvals, and ownership changes.
When to use: Install as a browser extension and use for every transaction. They intercept wallet popups and add human-readable warnings.
Limitation: Cannot protect against all social engineering - a determined user may still click through warnings.
What it does: Revoke.cash and Etherscan's Token Approval Checker let you view and revoke all active token approvals. Regularly cleaning up old approvals reduces your attack surface.
When to use: Check and revoke unused approvals monthly. Immediately revoke any suspicious approvals.
Limitation: Costs gas to revoke each approval. Cannot undo damage if tokens were already drained.
What it does: Hardware wallets require physical confirmation of every transaction. Always verify the full address and transaction details on the hardware device screen.
When to use: For any wallet holding significant value. Use separate wallets for DeFi interactions vs. long-term storage.
Limitation: Hardware wallets cannot parse complex multisig transactions (as demonstrated in the Radiant Capital hack). Users may still blindly confirm.
What it does: Instead of approving type(uint256).max, approve only the exact amount needed for each transaction. Many wallets now let you edit the approval amount.
When to use: Every time a dApp requests a token approval. Manually reduce the amount to match the actual transaction.
Limitation: Requires extra gas for re-approvals. Many dApps default to unlimited and users don't change it.
Building a Fortress: Phishing-Resistant Approvals in Smart Contracts
As developers, we have a responsibility to protect our users. Here is how smart contracts can and should be designed to severely minimize phishing risks using modern safety patterns.
// SECURE CONTRACT - Phishing-resistant token approval pattern
// Uses expiring approvals and amount limits
contract PhishingResistantToken is ERC20 {
// IMPROVEMENT 1: Approval expiration
struct Approval {
uint256 amount;
uint256 expiry;
}
mapping(address => mapping(address => Approval)) private _timedAllowances;
event ApprovalWithExpiry(
address indexed owner,
address indexed spender,
uint256 amount,
uint256 expiry
);
// STEP 1: CHECKS - Validate the approval parameters
function approveWithExpiry(
address spender,
uint256 amount,
uint256 duration
) public returns (bool) {
require(spender != address(0), "Invalid spender");
require(amount > 0, "Amount must be positive");
require(duration <= 30 days, "Max approval: 30 days");
// STEP 2: EFFECTS - Store approval with expiration
uint256 expiry = block.timestamp + duration;
_timedAllowances[msg.sender][spender] = Approval({
amount: amount,
expiry: expiry
});
emit ApprovalWithExpiry(msg.sender, spender, amount, expiry);
return true;
}
// Override transferFrom to check expiration
function transferFrom(
address from,
address to,
uint256 amount
) public override returns (bool) {
Approval storage approval = _timedAllowances[from][msg.sender];
// STEP 1: CHECK - Is the approval still valid?
require(block.timestamp <= approval.expiry, "Approval expired");
require(approval.amount >= amount, "Insufficient allowance");
// STEP 2: EFFECTS - Decrease the allowance
approval.amount -= amount;
// STEP 3: INTERACTIONS - Execute the transfer
_transfer(from, to, amount);
return true;
}
}
Security Features
| Feature | Protection | How It Helps |
|---|---|---|
| Expiring approvals | Time-limited access | Even if phished, approval auto-expires in 30 days max |
| Exact amounts | No unlimited access | Attacker can only drain the approved amount, not everything |
| Event logging | Transparency | Wallet UIs can display active approvals with countdown timers |
| Amount tracking | Spend accounting | Each transfer reduces the remaining allowance |
Real-World Defense: Uniswap's Permit2 already implements expiring approvals in production today. Its
AllowanceTransfercontract inherently stores auint48 expirationalongside every user approval, andSignatureTransferenforces one-time signatures that are absolutely useless after a single use.
Mastering these contract-level defenses is exactly what separates junior developers from elite, senior auditors. The Smart Contract Hacking course dives deep into complex approval security, Permit2 internals, and bulletproof phishing prevention constraints. Step up your game and join 2,000+ security researchers in our exclusive Discord community.
Advanced Phishing Variations: They Keep Evolving
Attackers never sleep. When the Web3 community gets wise to one tactic, hackers pivot to something more insidious. Here are the advanced variations you absolutely must know about.
1. Off-Chain Permit Signature Phishing (The Silent Killer)
The deadliest evolution of approval phishing leverages EIP-2612 permit(). This allows an attacker to obtain approval via an off-chain signature. The terrifying part? It requires zero gas and zero on-chain transactions from the victim.
How the trap is sprung:
-
You are prompted to "verify" your wallet by signing what looks like a harmless message.
-
In reality, that signature is heavily structured and contains: your token address, the malicious spender, an approved amount, a deadline, and a nonce.
-
The attacker takes your raw signature and submits it on-chain via the
permit()function. -
Armed with valid approval, the attacker instantly calls
transferFrom()and empties your wallet.
Why it's so devastating: Because you only signed a "message" and not a transaction, the approval never initially appears in your on-chain history. Wallet UIs have historically struggled to flag these correctly.
The largest single phishing theft of 2025 was $6.5 million in September - caused directly by a malicious Permit signature.
2. Address Poisoning: The Phantom Duplicate
Address poisoning targets a habit almost everyone in crypto has: copy-pasting addresses directly from their transaction history.
The subtle attack:
-
The Setup: The attacker uses software to generate a "vanity" wallet address that identically matches the first 4-6 and last 4-6 characters of an address you frequently use.
-
The Bait: They send a tiny amount of tokens (or a zero-value transaction) to you using this lookalike address.
-
The Trap: This fake address now secretly resides in your recent transaction history on block explorers or your wallet UI.
-
The Catch: The next time you go to send funds, you lazily check your history, copy the poisoned address by mistake, and shoot your funds straight to the hacker.
Real incidents:
-
December 2025: A trader lost $50M in USDT after copying a poisoned address. Binance's CZ later pushed for wallet-level poison address blocking.
-
May 2024: A victim lost $71M in WBTC but recovered funds after negotiating with the attacker.
-
November 2023: Florence Finance lost $1.45M USDC to the same technique.
Over 270 million address poisoning attempts have been detected across Ethereum and BNB Chain, with $83 million in confirmed losses.
3. Frontend Hijacking
The most sophisticated phishing attacks don't create fake websites - they compromise real ones.
Bybit / Safe{Wallet} (2025)
Attackers compromised a Safe{Wallet} developer via social engineering, stole AWS session tokens, bypassed MFA, and injected malicious JavaScript that replaced Bybit's transaction destination. The team signed what appeared to be a routine transfer.
Radiant Capital (2024)
A developer received a Telegram message from a "contractor" with a malicious PDF. The INLETDRIFT malware intercepted Gnosis Safe transactions, replacing them with transferOwnership() calls. Ledger wallets couldn't parse the multisig data.
BadgerDAO (2021)
Attackers compromised BadgerDAO's Cloudflare API key and injected malicious scripts into the frontend. Users visiting the legitimate site were prompted to sign increaseAllowance() transactions granting the attacker unlimited token access.
4. Wallet Drainer-as-a-Service (DaaS): The Illicit Industry
Gone are the days of solo hackers writing custom exploits. Modern Web3 phishing is powered by professional, organized criminal syndicates. Wallet drainer kits are quite literally sold as subscription SaaS products (Drainer-as-a-Service) on the dark web or Telegram, complete with dedicated customer support, polished UI updates, and fully automated revenue-sharing models.
The Staggering Evolution of Drainers:
| Drainer | Active Period | Estimated Stolen | Business Model |
|---|---|---|---|
| Monkey Drainer | Aug 2022 – Feb 2023 | $16M+ | 30% cut + $1,000 entry fee |
| Inferno Drainer | Mar 2023 – Q4 2024 | $81M+ | Revenue sharing |
| MS Drainer | 2023 | $59M+ | Sold to 63,000+ victims |
| Angel Drainer | 2023 – 2024 | $20M+ | Market leader by Q1 2024 (42%) |
| Pink Drainer | 2023 – Q2 2024 | Significant | Exited market mid-2024 |
| Acedrainer | Q4 2024+ | Growing | Captured 20% market share rapidly |
In 2024, the top three drainers (Angel, Pink, Inferno) controlled 92% of the market in Q1. The ecosystem constantly evolves - as old drainers exit, new ones fill the gap.
Debunking Dangerous Phishing Myths
Because this space moves so incredibly fast, a lot of outdated or frankly dangerous advice circulates online. Let's set the record straight:
"Hardware wallets protect you from phishing attacks."
Tap to revealHardware wallets protect your private keys, but they still require you to approve transactions. If you confirm a malicious approval on your Ledger or Trezor, the attacker gets permission to drain your tokens - as demonstrated in the $50M Radiant Capital hack.
"Phishing only steals private keys or seed phrases."
Tap to revealWeb3 phishing rarely targets private keys. Instead, it exploits the approval mechanism - tricking you into granting token spending permission. Your keys stay safe, but your tokens don't. This is why it's called "ice phishing."
"If I don't see a suspicious transaction in my history, I'm safe."
Tap to revealPermit signature phishing operates entirely off-chain. The victim signs a message (not a transaction), so the approval never appears in transaction history. The attacker submits it later. Address poisoning also works by planting fake entries IN your transaction history.
"Approvals are safe because I only approved a legitimate protocol."
Tap to revealApproving a legitimate protocol IS safe - the danger is that approvals are permanent and unlimited by default. If that protocol gets hacked later (like BadgerDAO's frontend), your existing approval becomes the attack vector. Always revoke unused approvals.
Keep Learning: Related Web3 Vulnerabilities
Phishing attacks don't happen in a vacuum - they are closely connected to other critical smart contract attack vectors.
-
Access Control Attacks: These share a massive root cause with phishing. Both exploit unauthorized permission grants, regardless of whether it's through code flaws or social engineering.
-
Call Attacks: To truly understand drainers, brush up on the low-level mechanics of
call(),delegatecall(), and external interactions that these phishing exploits rely on under the hood. -
Flash Loan Attacks: Phishing is frequently combined with flash loans. Once an attacker gets approval access to a victim's tokens in deep DeFi positions, they use flash loans to artificially amplify the financial damage.
Test Your Web3 Phishing IQ
Test Your Web3 Phishing IQ
5 questions. How well do you really know this attack?
Frequently Asked Questions (FAQ): Web3 Phishing
A Web3 phishing attack is a scam that tricks you into signing a malicious blockchain transaction, unknowingly giving a hacker permission to steal your cryptocurrency or NFTs. Unlike traditional Web2 phishing that steals your passwords, smart contract phishing exploits token approval mechanisms. You keep your private keys securely in your hardware wallet, but you still lose all your assets because you cryptographically signed a malicious approval.
Phishing was the most costly attack vector in 2024, with over $1 billion lost across 296 incidents. Wallet drainers specifically stole $494 million from 332,000+ victims in 2024. Since May 2021, Chainalysis has tracked approximately $1 billion in approval phishing losses alone. Including the $1.5B Bybit hack in 2025, total phishing-related losses in Web3 exceed several billion dollars.
A wallet drainer is a malicious script embedded in phishing websites that automatically scans your wallet for valuable assets and generates optimized transactions to steal them. When you connect your wallet and sign the transaction, the drainer uses approve(), permit(), or setApprovalForAll() to gain permission, then transfers your assets to the attacker. Drainer kits are sold as a service (DaaS) with the operator taking a 20-30% cut.
Use Revoke.cash or Etherscan's Token Approval Checker to view all active approvals on your wallet. Connect your wallet, review each approval, and revoke any that are no longer needed - especially unlimited approvals to contracts you no longer use. This costs a small amount of gas per revocation.
Yes. Any EVM-compatible chain (BNB Chain, Polygon, Arbitrum, Avalanche, Base, etc.) is susceptible because they all use the same ERC-20/ERC-721 approval mechanism. Address poisoning attacks have been documented across all major EVM chains. Non-EVM chains like Solana have their own phishing vectors targeting token account delegations.
Address poisoning is when an attacker sends tiny transactions from a wallet address that looks similar to one you frequently use. When you later copy an address from your transaction history, you might accidentally paste the attacker's lookalike address. Protect yourself by always verifying the full address (not just first/last characters), using address book features, sending test transactions first, and using ENS names when possible.
The Ultimate Anti-Phishing Checklist
Whether you're a casual Web3 user or a lead protocol developer, use this tactical checklist to drastically reduce your phishing exposure:
For Everyday Web3 Users
-
Install a transaction simulation tool (Pocket Universe, Fire, or Blowfish)
-
Use a hardware wallet for significant holdings
-
Never approve unlimited token amounts - edit to exact amounts needed
-
Regularly check and revoke unused approvals via Revoke.cash
-
Verify the full address when sending transactions - not just first/last characters
-
Never sign messages or transactions from links in Discord, Twitter, or email
-
Use separate wallets: hot wallet for DeFi, cold wallet for storage
-
Send a small test transaction before large transfers to new addresses
-
Bookmark DeFi sites - never click links from search ads or social media
For Protocol Developers & Smart Contract Auditors
-
Implement expiring approvals in token contracts (like Permit2)
-
Request exact approval amounts in your frontend, not
type(uint256).max -
Add Content Security Policy headers to prevent script injection
-
Use Subresource Integrity (SRI) for all external scripts
-
Implement transaction preview/simulation in your dApp UI
-
Display clear, human-readable approval details to users
-
Monitor for unauthorized changes to your frontend deployment
-
Secure CI/CD pipelines and cloud credentials with hardware keys
Take Your Security Skills to the Next Level
Understanding how Web3 phishing attacks operate on paper is just the first step. To become a top-tier professional smart contract auditor, you need to get your hands dirty. You need to identify, exploit, and patch these very approval mechanisms in a controlled environment.
The Smart Contract Hacking course offers everything you need to master Web3 security:
-
320+ in-depth video lessons covering approval exploitation, signature phishing, flash loan attacks, reentrancy, and more.
-
40+ hands-on exercises where you'll actively exploit and secure real-world smart contracts.
-
Expert instruction from legendary hackers like JohnnyTime, Trust (the #1 Code4rena warden), and Pashov.
-
An exclusive 2,000+ member Discord community for mentorship, exclusive alpha, and high-paying audit job opportunities.
-
The prestigious SSCH Certification to prove your expertise to employers.
Our students consistently dominate competitive audit contests, secure lucrative security roles, and take home massive bug bounties. Don't just read about hacks - learn how to stop them. Check out our students' success stories.
Sources and editorial notes
Reviewed by JohnnyTime. Last updated .
Real Phishing Attacks hacks to study
A stable selection of high-signal incidents linked to this attack class, ordered by reported loss and recency.
Master Phishing Attacks in a safe lab
Practice the exploit path, debug the vulnerable code, and learn the prevention workflow auditors use in real reviews.