
How to Avoid Being a Web3 Phishing Victim

MetaSleuth
April 26, 2024

We observe an increasing trend of phishing attacks that have caused hundreds of millions of dollars in losses. Therefore, beyond the technical perspective, we must inform users about common phishing methods and educate them on how to avoid becoming victims.

Types of Phishing Attacks

We find that four types of phishing attacks are common:

  • Direct token transfer: The attacker lures users into directly transferring the native token (Ether) or ERC20/ERC721 tokens to attacker-controlled accounts.

  • Approval phishing: Approval is a mechanism that delegates spending of a user's tokens to a spender by signing an approval transaction. The attacker lures the user into signing a transaction that approves his/her tokens to the attacker, after which the attacker can transfer the victim's tokens.

  • Address Poisoning: This includes fake-token attacks, zero-value attacks, and dust-transfer attacks.

  • NFT Zerobuy phishing: The attacker lures users into signing a transaction that sells their NFT at a low price or even for free.

  • Others.

Direct Token Transfer

The first type is direct token transfer. Attackers ask users to sign a transaction that transfers their Ether directly to an attacker-controlled account. A more advanced variant uses a malicious smart contract with a function named SecurityUpdate or ClaimRewards to trick users into signing the transaction.

The previous figure (the right one) shows an example of a phishing transaction that calls the SecurityUpdate function of the smart contract. If the user signs this transaction, his/her Ether is transferred to the smart contract and then on to the attacker.

Approval Phishing

Approval is a mechanism that lets a user allow other accounts (spenders) to spend his/her tokens. For instance, a user can approve his USDC to a smart contract so that the contract can operate on the USDC on behalf of the user, e.g., swapping the USDC for other tokens. Since the user has approved his tokens to the smart contract, each operation on the user's USDC by that contract does not need another confirmation (a new signed message) from the user. This makes the whole flow smooth.

However, attackers have abused this mechanism. They lure users into signing a transaction that approves their USDC (or other valuable tokens) to an attacker-controlled contract or EOA address. After that, the attacker can transfer the user's tokens to himself.

The previous figure shows a transaction that approves USDT to the attacker. Note that an approval does not expire until the user explicitly revokes it, so revoke a malicious approval as soon as possible.
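The following is an added example, not code from the original post: it decodes the calldata of an ERC20 approve() (or ERC721 setApprovalForAll()) call the way a wallet could before asking the user to sign, and flags the two patterns approval phishing relies on, an unfamiliar spender and an unlimited allowance. The 4-byte selectors are the standard ones; the sample calldata and the trusted-spender allowlist are constructed and hypothetical.

```python
# Added example (not from the original post). Function selectors are the first
# 4 bytes of keccak256 of the signature: 0x095ea7b3 is approve(address,uint256)
# and 0xa22cb465 is setApprovalForAll(address,bool). Sample calldata is constructed.
UNLIMITED = 2**256 - 1
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

def decode_approval(calldata: str) -> dict:
    """Return the function name, spender and amount/flag from hex calldata."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    sel = data[:8]
    if sel not in SELECTORS or len(data) != 8 + 64 * 2:
        raise ValueError("not a recognised approval call")
    # ABI encoding: each argument is left-padded to 32 bytes (64 hex chars);
    # an address occupies the low 20 bytes of its word.
    spender = "0x" + data[8 + 24 : 8 + 64]
    value = int(data[8 + 64 : 8 + 128], 16)
    return {"function": SELECTORS[sel], "spender": spender, "value": value}

def review_approval(calldata: str, trusted_spenders: set) -> list:
    """Return warnings a wallet UI could show before signing.
    trusted_spenders is an assumed, user-maintained allowlist (hypothetical)."""
    call = decode_approval(calldata)
    warnings = []
    if call["spender"] not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"spender {call['spender']} is not a contract you have used before")
    if call["function"].startswith("approve") and call["value"] == UNLIMITED:
        warnings.append("unlimited allowance: the spender can move all of this token, now and later")
    if call["function"].startswith("setApprovalForAll") and call["value"] == 1:
        warnings.append("operator approval for every NFT in this collection")
    return warnings

# Constructed sample: approve(<attacker EOA>, 2**256-1), the unlimited-approval
# pattern described in the text. The attacker address is a placeholder.
ATTACKER = "0x" + "ab" * 20
SAMPLE_CALLDATA = "0x095ea7b3" + "00" * 12 + ATTACKER[2:] + "ff" * 32

if __name__ == "__main__":
    for w in review_approval(SAMPLE_CALLDATA, {"0x" + "11" * 20}):
        print("WARNING:", w)
```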

We also note a new type of phishing attack that leverages legitimate contracts, which we call ROP in Web3 phishing attacks. See our blog post for more information.

Address Poisoning

In this video, we show how address poisoning happens, including fake-token attacks, zero-value attacks, and dust-transfer attacks, and how to spot suspicious transactions on Etherscan.

Zero-value transfer: The attacker creates a zero-value transfer record of a popular token (USDC, for example) from the victim to a phishing address. This phishing address looks similar to an address in the victim's transaction history. When the victim later copies an address from the transaction history for the next transfer, they may copy the phishing address instead. Read more on our Twitter and in our Coinbase investigations.
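The following is an added example, not code from the original post: it scans a wallet's token-transfer history for the address-poisoning records described above, zero-value transfers "from" the victim and dust transfers, coming from addresses that match a genuine counterparty on the leading and trailing characters a truncated wallet UI displays. All addresses and transfer records are constructed sample data.

```python
# Added example (not from the original post). Flags address-poisoning records
# in a constructed transfer history: lookalike addresses introduced through
# zero-value or dust transfers. All values below are constructed samples.
from dataclasses import dataclass

@dataclass
class Transfer:
    token: str       # token symbol
    sender: str
    recipient: str
    value: int       # raw token units

WALLET = "0x" + "11" * 20                    # the victim's wallet (constructed)
GENUINE = "0x" + "aa" * 20                   # a real counterparty (constructed)
LOOKALIKE = "0xaaaa" + "cc" * 16 + "aaaa"    # same first/last 4 chars, different middle

def looks_alike(a: str, b: str, head: int = 6, tail: int = 4) -> bool:
    """True if a and b differ but share the prefix/suffix a truncated UI would show."""
    a, b = a.lower(), b.lower()
    return a != b and a[:head] == b[:head] and a[-tail:] == b[-tail:]

def find_poisoning(history: list, wallet: str, dust: int = 1000) -> list:
    """Return (reason, transfer) pairs for suspicious records. Genuine
    counterparties are addresses the wallet itself sent a non-trivial amount to."""
    wallet = wallet.lower()
    genuine = {t.recipient.lower() for t in history
               if t.sender.lower() == wallet and t.value > dust}
    findings = []
    for t in history:
        other = t.sender if t.recipient.lower() == wallet else t.recipient
        if other.lower() in genuine:
            continue
        lookalike = any(looks_alike(other, g) for g in genuine)
        if t.value == 0 and t.sender.lower() == wallet:
            findings.append(("zero-value transfer 'from' you that you never sent", t))
        elif lookalike and t.value <= dust:
            findings.append(("dust transfer from a lookalike address", t))
        elif lookalike:
            findings.append(("lookalike of a known address in history", t))
    return findings

HISTORY = [
    Transfer("USDC", WALLET, GENUINE, 5_000_000_000),     # real 5000 USDC deposit
    Transfer("USDC", WALLET, LOOKALIKE, 0),               # zero-value poisoning record
    Transfer("USDT", LOOKALIKE, WALLET, 1),               # dust from the lookalike
    Transfer("USDC", "0x" + "bb" * 20, WALLET, 2_000_000),  # ordinary incoming payment
]

if __name__ == "__main__":
    for reason, t in find_poisoning(HISTORY, WALLET):
        print(f"{reason}: {t.sender} -> {t.recipient} ({t.value} {t.token})")
```

The same prefix/suffix comparison can be run on an address pasted into the send form, against the wallet's own outgoing history, before the transfer is signed.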

NFT Zerobuy Phishing

When selling an NFT on an NFT marketplace, e.g., OpenSea, the user first signs a transaction stating the intention to sell their NFT at a given price. Then anyone who wants to buy this NFT can take the signed order message and fill the order.

This gives the scammer an opportunity to lure users into signing a transaction that sells their NFTs at a particularly low price (or even for free). The attacker can then take this signed order and fill it on the NFT market, obtaining the victim's NFT at a low price (or for free).

This type of phishing is prevalent because users struggle to understand the meaning of the order they are signing.

The previous figure shows MetaMask's UI when signing an order for OpenSea. Unfortunately, such information is hard for users to understand.

How to Protect Ourselves

  • First, only sign a transaction you understand! If you have any questions about a transaction, do not sign it.
  • Second, use multiple wallets. Use one wallet address for daily transactions, holding only a small amount of tokens. Keep most tokens in a separate wallet address that signs no transactions other than transfers to the first wallet.
  • Third, check your approvals and remove unnecessary ones. You can use the Approval Diagnosis feature of MetaSuites for this purpose.