Last week, a crypto whale lost $24 million in staked ETH in a phishing attack. It’s one of the biggest losses ever reported in the industry, but unfortunately won’t be the last. Permissionless transactions and FOMO mean phishing isn’t going away anytime soon. To help users stay safe, we’re introducing real-time phishing defense to warn you about dangerous websites.
What is phishing?
Phishing is a cyber attack in which hackers trick someone into entering or sharing their credentials they wouldn’t otherwise disclose.
In the Web 2 world, phishing typically involves a fake website that would steal the login and password. Or a fake email or call that would ask for your credit card number. The damage would typically be limited — they can’t really steal all your life savings.
In Web3, phishing attackers try to trick you into sharing your seed phrase or private key or signing a malicious transaction. If the attackers are successful, they can drain your entire wallet, whether only a few dollars or thousands of ETH. And there is nobody to stop them or recover your money.
Because crypto phishing is potentially so lucrative, scammers continue to find new creative ways to trick people.
Types of crypto phishing
Sadly, today, phishing crypto attacks are everywhere.
-
Emails — “account suspended” messages from non-custodial wallets or regulators are always fake
-
Twitter posts — bots in replies promote fake airdrops and often impersonate popular people and influencers
-
Search ads — anyone can create an ad for a fake Opensea or Uniswap website
-
Discord messages — attackers can disguise a link by writing a legit domain like opensea.io and instead putting a URL that points to a fake website
-
Telegram messages — anyone who DMs you first is likely to be a scammer
-
YouTube streams — deepfaked streamers or celebrities promote fake airdrops
Regardless of the medium, phishing often plays on powerful emotions — you should watch out for anything that gets you out of your normal state of state.
-
Fear — something about your wallet security or privacy
-
Authority — pretending to be your boss, the SEC, the police
-
Greed — airdrops, whitelists, free mints… all the stuff degens love
-
Urgency — deadlines, ticking clocks, limited quantity all try to get you to act before you can think it through
The most basic phishing attacks are asking to share your seed phrase or private key under some pretext (like “investigation,” “unblocking your account,” or “to send you the prize”).
In more sophisticated cases, phishers create an exact copy of a website, but when you connect your wallet, they request dangerous transactions. Even if you usually examine what you sign (and Zerion’s transaction simulator helps with that), you can always accidentally approve something in a rush.
It’s safer just never to connect your wallet to suspicious websites.
That’s where Zerion’s new defense comes in.
Phishing defense in Zerion Wallet
Because connecting a wallet to a phishing website represents the greatest threat to users, Zerion has partnered with Blockaid to identify high-risk sites in real time.
Whenever you try to connect to a website, Zerion Wallet checks the URL against Blockaid’s dApp Scanning API. And if the website is suspicious, you get a big warning message.
On mobile, Zerion Wallet scans all URLs you open in the built-in browser, even before trying to connect the wallet.
On a desktop, Zerion’s browser extension wallet scans the URL when you request to connect the wallet.
Unlike most other wallets, Zerion checks the URL in real time. This means that you'll get the warning even if a new scam was added to the list just minutes before you try to connect to it.
For example, when Vitalik Buterin’s Twitter was hacked, the attackers posted a link to a fake website.
The attackers tricked some Zerion Wallet users into clicking through to that website. But when connecting a wallet, they got a message warning about the danger.
That’s not the only case where phishing defense has saved wallets from attackers.
In the first week since Zerion Wallet added Blockaid-powered phishing defense, users tried to connect 5,763 dapps, and 595, or over 10%, turned out to be wallet drainers!
Even if you are an experienced Web3 user, extra protection won’t hurt you. It can save your wallet, especially when you are in a hurry or doing something late at night when you are tired.
If your current wallet doesn’t have real-time phishing protection, move your seed phrase to Zerion’s mobile wallet or the new browser extension (early access only).