Phishing is the number one attack vector in crypto. Learn to recognize fake dApps, malicious token approvals, Discord scams, and social engineering tactics -- with interactive examples you can practice on.
Phishing attacks are the single most costly threat in the web3 ecosystem. Unlike traditional finance where banks can reverse fraudulent transactions, blockchain transactions are irreversible. Once your assets are gone, they are gone forever.
Crypto users are uniquely attractive targets for phishers compared to traditional banking customers:
| Dimension | Traditional Phishing | Web3 Phishing |
|---|---|---|
| Goal | Steal login credentials | Get a malicious transaction signed |
| Method | Fake login forms | Fake dApp frontends, malicious approvals |
| Recovery | Bank reversal, password reset | None -- funds are permanently lost |
| Attack Surface | Email, SMS | Discord, Twitter/X, Telegram, fake sites, NFT airdrops |
| Technical Complexity | Simple HTML clones | Full dApp clones with wallet connectors and smart contract interactions |
In traditional banking, phishing might compromise a password that can be reset. In web3, a single signed transaction can drain your entire wallet -- every token, every NFT, every DeFi position -- in one block. There is no customer support to call.
Web3 phishing has evolved far beyond simple email scams. Attackers use a sophisticated combination of technical exploits and social engineering. Here are the most common attack vectors you need to recognize.
Attackers create pixel-perfect clones of popular DeFi protocols like Uniswap, Aave, OpenSea, and others. These cloned sites look identical to the real thing, but the smart contract interactions route your funds or approvals to the attacker.
Red flag: "uniswvp" instead of "uniswap" -- a single character swap
Verified: Correct domain "uniswap.org" with valid SSL certificate
Common typosquatting techniques attackers use include:
- uniswvp.com instead of uniswap.org
- uniswap.com.evil-site.xyz
- uniswap.io instead of uniswap.org

Discord and Telegram have become primary hunting grounds for crypto phishers. Attackers exploit the trust within project communities using several tactics:
Attackers create bots that mimic official project announcement channels. They post fake mint links, "emergency migration" notices, or "limited-time airdrop" messages. These bots can appear in legitimate servers when moderator accounts are compromised, or they send mass DMs to server members.
When attackers gain access to a server moderator's account (through token theft, malware, or phishing the mod themselves), they can post in official announcement channels. These messages appear fully legitimate because they come from a trusted, verified role. Multiple high-profile NFT projects have been hit this way.
Attackers scrape member lists from project servers and send targeted DMs impersonating project team members or "support staff." They often claim there is an issue with the victim's wallet, a special airdrop, or an exclusive whitelist opportunity. Legitimate projects will never DM you first about offers or airdrops.
When users ask for help in public channels, scammers immediately DM them posing as "official support." They guide victims to connect their wallet to a fake support portal, or ask them to "verify" their wallet by entering their seed phrase. No legitimate project will ever ask for your seed phrase or private key.
This is one of the most dangerous and least understood attack vectors. When you interact with a DeFi protocol, you often need to approve() the contract to spend your tokens. Attackers exploit this mechanism by tricking you into approving their malicious contract to spend unlimited amounts of your tokens.
Unlike a direct transfer, an approval transaction does not move your funds immediately. The attacker can drain your wallet hours, days, or even weeks later -- after you have forgotten about the approval entirely. You may not realize you have been phished until it is too late.
The attack typically works like this:
1. The victim is tricked into signing an approve() transaction that names the attacker's contract as the spender
2. The attacker later calls transferFrom() to drain the tokens at their convenience

Airdrop phishing is extremely common because it exploits the natural excitement around free tokens. Attackers create convincing airdrop claim pages for tokens that either do not exist or have no real value.
Twitter/X, YouTube, and other platforms are rife with impersonation attacks. Common patterns include:
Sometimes attackers do not need to create fake sites -- they compromise the real ones:
In December 2023, the Ledger Connect Kit library was compromised via a supply chain attack, affecting multiple dApps including SushiSwap, Zapper, and Revoke.cash. Any user who connected their wallet on affected sites during the attack window had their funds at risk. This shows that even legitimate sites can become phishing vectors.
The best way to develop a sharp eye for phishing is to study real examples. Below are reconstructed scenarios based on actual attacks that have drained millions from web3 users.
Dear MetaMask User,
We have detected suspicious activity on your MetaMask wallet. Due to our updated security policy, you are required to verify your wallet within 24 hours or your wallet will be permanently suspended.
To verify your wallet and prevent suspension, please click the button below:
If you did not initiate this request, click the link above immediately to secure your account.
Best regards,
MetaMask Security Team
Congratulations! You have been selected for an exclusive AAVE token airdrop based on your on-chain activity.
You are eligible to claim 2,500 AAVE tokens ($250,000+) before the distribution window closes.
Claim Period: 2 hours remaining
This is an automated message. Do not share this link with others.
Here is what a malicious approve() call looks like compared to a legitimate one. Pay close attention to the spender address and the amount:
When your wallet asks you to approve token spending, click "Edit" or "Use Custom Amount" and enter only the exact amount you need for the current transaction. Never approve unlimited (MAX) amounts unless you fully trust the contract and understand the implications.
Think you can spot a phish? Test your skills with these scenarios based on real attacks. For each one, decide whether it is legitimate or a phishing attempt.
Someone offered 8.5 WETH for your Bored Ape #7291. This offer expires in 45 minutes.
Hello valued staker,
Your accumulated ETH staking rewards through Lido are now available for claiming. Based on your staking history, you have 3.82 ETH in pending rewards.
Please claim your rewards within 48 hours or they will be redistributed to the staking pool.
Lido Finance Team
Prevention is the only real defense against phishing in web3. Once funds are stolen, recovery is almost impossible. Follow these practices to dramatically reduce your risk.
The simplest and most effective defense is to always access dApps through bookmarks you have personally verified, never through search results, social media links, or Discord messages. Create bookmarks for every DeFi protocol and marketplace you use regularly.
Before connecting your wallet to any site, carefully examine the full URL. Look for:
- Single-character swaps (uniswvp vs uniswap)
- Wrong top-level domain (.com vs .org)
- Subdomain tricks (uniswap.evil.com where "evil.com" is the real domain)
- Extra words or hyphens (uniswap-app.com)

A hardware wallet like Ledger or Trezor adds a critical layer of protection. Every transaction must be physically confirmed on the device, giving you a moment to review what you are actually signing. Many hardware wallets now show human-readable transaction details on their screens.
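The URL checks above can be automated against a personal bookmark list. The following is an added example, not code from the original page or from any wallet or extension it mentions; the bookmark allowlist and the brand names derived from it are constructed for the example, and the `registrable_domain` helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
# Added example (not from the original page): compare a URL against a personal
# bookmark allowlist and flag the typosquatting patterns listed above.
# BOOKMARKS is constructed for this example; keep your own verified list.
from urllib.parse import urlsplit

BOOKMARKS = {"app.uniswap.org", "uniswap.org", "app.aave.com", "opensea.io"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: a production checker should use
    the Public Suffix List so that hosts like example.co.uk are handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


BOOKMARK_DOMAINS = {registrable_domain(b) for b in BOOKMARKS}
# brand name -> the registrable domains you actually bookmarked for that brand
BRAND_DOMAINS = {}
for _domain in BOOKMARK_DOMAINS:
    BRAND_DOMAINS.setdefault(_domain.split(".")[0], set()).add(_domain)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits away from a brand name is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> dict:
    """Return 'bookmarked', 'suspicious' (looks like a brand but is not) or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # hostname is lowercased, port stripped
    warnings, lookalike = [], []
    if not host:
        return {"host": host, "verdict": "unknown", "findings": ["no hostname in URL"]}
    if parts.scheme != "https":
        warnings.append("not served over HTTPS")
    if not host.isascii():
        warnings.append("hostname contains non-ASCII characters (possible homoglyph)")
    labels = host.split(".")
    reg = registrable_domain(host)
    if host in BOOKMARKS or reg in BOOKMARK_DOMAINS:
        return {"host": host, "verdict": "bookmarked", "findings": warnings}
    sld = labels[-2] if len(labels) >= 2 else host  # second-level label, e.g. "uniswvp"
    for brand, domains in BRAND_DOMAINS.items():
        if brand in labels[:-2]:
            # uniswap.evil.com / uniswap.com.evil-site.xyz: brand is only a subdomain
            lookalike.append(f"'{brand}' is only a subdomain; the real site is {reg}")
        elif sld == brand:
            # uniswap.io: right name, wrong top-level domain
            lookalike.append(f"wrong top-level domain: {reg} is not {', '.join(sorted(domains))}")
        elif 0 < levenshtein(sld, brand) <= 2:
            # uniswvp.com: single-character swap
            lookalike.append(f"'{sld}' is one or two characters away from '{brand}'")
        elif brand in sld:
            # uniswap-app.com: brand embedded in an unrelated domain
            lookalike.append(f"'{brand}' embedded in the unrelated domain {reg}")
    verdict = "suspicious" if lookalike else "unknown"
    return {"host": host, "verdict": verdict, "findings": lookalike + warnings}


if __name__ == "__main__":
    for u in ("https://app.uniswap.org/swap", "https://uniswvp.com/",
              "https://uniswap.com.evil-site.xyz", "https://uniswap.io",
              "https://uniswap-app.com", "https://example.com"):
        print(u, "->", check_url(u))
```

Two caveats apply. A valid TLS certificate is deliberately not treated as evidence of legitimacy: phishing domains obtain certificates as easily as anyone else, so only the domain itself is checked. And a verdict of "unknown" is not "safe"; it only means the host neither matches a bookmark nor resembles one, and the right response is still to reach the site through a bookmark rather than the link.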
Keep a "hot wallet" with small amounts for daily DeFi interactions. Store the majority of your assets on a hardware wallet that you only connect for significant, planned transactions. This limits your exposure if you accidentally interact with a phishing site.
Regularly audit and revoke token approvals you no longer need. Use tools like:
Make it a habit to revoke approvals after every DeFi session. Think of it like logging out of a website.
Several browser extensions can warn you before you interact with known phishing sites:
No legitimate crypto project will ever DM you first. Not on Discord, not on Telegram, not on Twitter. If someone DMs you about an airdrop, a mint, a "support issue," or anything involving your wallet, it is a scam. No exceptions. Turn off DMs from server members in Discord settings.
Token approvals are a fundamental part of how DeFi works, but they are also one of the most exploited mechanisms in web3. Understanding how they work is essential to protecting your assets.
The ERC-20 token standard includes an approve() function that allows a contract (the "spender") to transfer tokens on your behalf. This is necessary for DeFi -- when you swap tokens on Uniswap, you first approve the Uniswap Router to spend your tokens, and then it executes the swap.
For convenience, many dApps request infinite approval (the maximum uint256 value: 2^256 - 1). This means you only have to approve once, rather than before every transaction. However, this creates a dangerous attack surface:
Follow these steps to check and clean up your token approvals:
Each revocation is an on-chain transaction that costs gas. During high gas periods, batch your revocations or prioritize revoking approvals on high-value tokens first. Even with gas costs, the peace of mind is worth it.
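The comparison of a malicious approve() call with a legitimate one earlier on this page, and the infinite-approval discussion just above, come down to two fields in the calldata: the spender and the amount. The following added example (not code from the original page or from any wallet it names) decodes an ERC-20 approve() call the way a wallet or transaction-simulation tool would, rates it, and builds the approve(spender, 0) call that a revocation consists of. The spender addresses and the allowlist are constructed placeholders; the selector 0x095ea7b3 and the 2^256 - 1 "unlimited" value are the real ERC-20 constants. It covers only approve(); ERC-721 setApprovalForAll and off-chain permit signatures need their own decoders.

```python
# Added example (not from the original page): decode an ERC-20 approve() call,
# flag an unlimited amount or an unknown spender, and build the revocation call.
# Spender addresses and TRUSTED_SPENDERS are constructed placeholders.

APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1        # the "infinite" approval many dApps request

# Hypothetical allowlist of spenders you have verified yourself (constructed).
TRUSTED_SPENDERS = {
    "0x1111111111111111111111111111111111111111": "Example DEX Router (constructed)",
}


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata; used to construct samples and revocations."""
    if not 0 <= amount <= MAX_UINT256:
        raise ValueError("amount out of uint256 range")
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40:
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + format(amount, "064x")


def decode_approve(calldata: str) -> dict:
    """Split approve() calldata into spender and amount; reject anything else."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64:
        raise ValueError("unexpected calldata length for approve()")
    if data[:8] != APPROVE_SELECTOR:
        raise ValueError("selector does not match approve(address,uint256)")
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:
        raise ValueError("spender word has non-zero padding")
    return {"spender": "0x" + spender_word[24:], "amount": int(amount_word, 16)}


def assess_approval(calldata: str, needed_amount: int = 0, decimals: int = 18) -> dict:
    """Unlimited amount or unknown spender is high risk; more than this transaction
    needs is medium; an exact amount to a verified spender is low."""
    parsed = decode_approve(calldata)
    spender, amount = parsed["spender"], parsed["amount"]
    findings = []
    if amount == MAX_UINT256:
        findings.append("UNLIMITED approval (2^256 - 1)")
    elif needed_amount and amount > needed_amount:
        findings.append("approval exceeds the amount this transaction needs")
    if spender not in TRUSTED_SPENDERS:
        findings.append("spender is not on the verified allowlist")
    if amount == MAX_UINT256 or spender not in TRUSTED_SPENDERS:
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    human = "unlimited" if amount == MAX_UINT256 else f"{amount / 10**decimals:g} tokens"
    return {
        "spender": spender,
        "spender_label": TRUSTED_SPENDERS.get(spender, "unknown"),
        "amount": human,
        "risk": risk,
        "findings": findings,
    }


def encode_revoke(spender: str) -> str:
    """Revoking an allowance is simply approve(spender, 0)."""
    return encode_approve(spender, 0)


if __name__ == "__main__":
    trusted = "0x1111111111111111111111111111111111111111"
    attacker = "0x2222222222222222222222222222222222222222"  # constructed placeholder
    legit = encode_approve(trusted, 100 * 10**18)          # exact amount for one swap
    malicious = encode_approve(attacker, MAX_UINT256)      # what a drainer page asks for
    for label, calldata in (("legitimate", legit), ("malicious", malicious)):
        print(label, assess_approval(calldata, needed_amount=100 * 10**18))
    print("revocation calldata:", encode_revoke(attacker))
```

The two signals the page tells you to inspect are exactly the two the rating uses: a spender you have not verified is high risk whatever the amount, and an unlimited amount is high risk whatever the spender. Token decimals vary (USDC uses 6, most ERC-20s 18), so pass the right value or the human-readable amount will be off by orders of magnitude.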
If you suspect you have fallen for a phishing attack or notice unauthorized transactions from your wallet, time is critical. Follow these steps immediately.
Do not sign any more transactions. Close the suspicious site immediately. Disconnect your wallet from all dApps.
Go to revoke.cash immediately and revoke ALL active token approvals, starting with the highest-value tokens. This prevents the attacker from draining tokens they have been approved to spend.
Transfer all remaining tokens, NFTs, and ETH/native tokens to a brand new, clean wallet that has never been exposed. Do NOT reuse any wallet that may be compromised.
If you have assets in DeFi protocols (liquidity pools, lending, staking), withdraw them immediately to your new wallet. Use a portfolio tracker like Zapper or DeBank to find all positions.
If you shared your seed phrase or private key (or suspect malware captured it), you must assume ALL wallets derived from that seed are compromised. Transfer assets from every account derived from that seed to fresh wallets generated from a new seed phrase. The old seed phrase should never be used again.
Use this checklist as a quick reference before interacting with any website, message, or transaction. If you spot even one of these red flags, stop and verify through an independent channel.
If something feels off -- even slightly -- do not sign the transaction. Close the site, navigate to the official site through your bookmarks, and verify independently. A legitimate opportunity will still be there tomorrow. A phishing attack will drain your wallet in seconds.
Now that you understand phishing threats, learn how to protect organizational funds with multi-signature wallets.