What Is Crypto Phishing?
Phishing is a social engineering attack in which a criminal impersonates a trusted entity to trick you into revealing sensitive information or taking an action that compromises your security.
In traditional banking, phishing targets passwords and account numbers. In crypto, phishing targets:
The defining characteristic of crypto phishing is the irreversibility of any successful attack. A traditional bank can reverse a fraudulent transfer; no one can reverse a blockchain transaction.
Types of Crypto Phishing Attacks
Website Phishing: Fake MetaMask, Ledger, and Exchange Sites
The most common form of phishing creates a fake version of a site you trust — your exchange, your wallet provider, or a DeFi protocol you use regularly. These sites are visually indistinguishable from the real thing. They use copied assets, identical layouts, and domain names designed to evade a casual glance.
Common fake domain patterns:
Traffic reaches these fake sites through:
- Google Ads (scammers buy ads targeting crypto brand name searches)
- Links in emails claiming to be from exchanges or wallet providers
- DMs on Twitter/X, Discord, and Telegram
- Fake articles and social media posts
Email Phishing: Fake Exchange and Wallet Emails
Phishing emails impersonating crypto exchanges typically use one of several hooks:
Each email contains a link to a fake site. The email may appear to come from a legitimate domain through email spoofing techniques, and it may include branding, logos, and formatting identical to real exchange communications.
The link in the email is the attack vector. Clicking it takes you to a site designed to steal your credentials or prompt your wallet to approve a malicious transaction.
Wallet Drainer DApps
Wallet drainers represent the evolution of phishing into the DeFi space. Rather than stealing login credentials, they steal directly from your connected wallet by tricking you into approving a malicious transaction.
A wallet drainer typically operates as follows:
- You visit what appears to be a legitimate NFT marketplace, DeFi protocol, or token claiming page
- You connect your MetaMask or other browser wallet (this step alone is harmless)
- You are prompted to “verify your wallet,” “claim your tokens,” or “complete a transaction”
- The transaction prompt, if approved, grants the malicious contract unlimited spending rights over one or more tokens in your wallet
- The drainer contract then immediately transfers your tokens to the attacker’s address
The approval transaction often looks routine — many legitimate DApps require token approvals to function. The difference is the scope (unlimited vs. a specific amount) and the recipient contract (malicious vs. the protocol you intended to interact with).
Real-World Phishing Examples
The Ledger Data Breach and Subsequent Phishing Campaign
In June 2020, Ledger — the hardware wallet manufacturer — suffered a data breach that exposed the names, email addresses, phone numbers, and physical addresses of approximately 270,000 customers. The database was eventually published publicly in December 2020.
The aftermath was a sustained, targeted phishing campaign against those 270,000 people. Because attackers knew who owned hardware wallets and had their contact details, they could craft highly personalised phishing emails claiming to be from Ledger, directing recipients to fake sites designed to harvest seed phrases.
The lesson: even if your security practices are perfect, data held by companies you interact with can be breached. Your seed phrase is the one thing that never needs to be shared with any company — protecting it means protecting it even from Ledger-addressed emails.
Fake MetaMask Chrome Extension
In 2020 and again in subsequent years, fake MetaMask browser extensions appeared in the Chrome Web Store. These extensions were designed to look identical to the legitimate MetaMask wallet. Users who installed and set up the fake extension — entering their seed phrase to “import” an existing wallet — sent that seed phrase directly to the attacker.
The real MetaMask is available only from metamask.io. Any extension not installed directly from that source or not matching the developer “danfinlay, kumavis” with millions of verified users should be treated as potentially malicious. Check the review count and install count — a brand-new extension with few reviews is a significant warning sign.
How to Spot a Phishing Attack
Check the URL — Every Character, Every Time
The most fundamental protection against website phishing is rigorous URL verification. Before entering any credentials or connecting your wallet to a site:
- Look at the full URL in the address bar
- Verify the domain name character by character
- Confirm the protocol is HTTPS (the padlock icon does not guarantee legitimacy — phishing sites can and do use SSL certificates)
- Verify you are on the correct top-level domain (.com vs .io vs .co)
The address bar is your primary defence. Treat it as such.
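The checks above, applied mechanically, as an added example that is not part of the original guide: a small bookmark list of exact official hostnames (the two below are ones this guide names) and a function that rejects wrong protocol, lookalike characters, wrong top-level domains and brand-as-subdomain hosts. Every suspicious input is a constructed illustration, not a known phishing domain.

```javascript
// Added example (not from the original guide): apply the URL checks described
// above against a bookmark list of exact official hostnames. The two official
// hosts are ones the guide names; suspicious inputs are constructed samples.
const BOOKMARKED_HOSTS = ["metamask.io", "revoke.cash"];

function checkUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, host: null, reason: "not a parseable URL" };
  }
  const host = url.hostname.toLowerCase();
  const verdict = (ok, reason) => ({ ok, host, reason });
  // 1. HTTPS is required; as the guide notes, it is necessary but not sufficient.
  if (url.protocol !== "https:") return verdict(false, "not HTTPS");
  // 2. Non-ASCII or punycode (xn--) labels mean lookalike characters were used,
  //    which a character-by-character read of the address bar can miss.
  if (/[^\x00-\x7f]/.test(host) || host.split(".").some((l) => l.startsWith("xn--"))) {
    return verdict(false, "hostname uses non-ASCII or punycode characters");
  }
  // 3. Exact, character-by-character match against the bookmark list.
  if (BOOKMARKED_HOSTS.includes(host)) return verdict(true, "exact match to bookmarked host");
  for (const official of BOOKMARKED_HOSTS) {
    const brand = official.split(".")[0];
    if (host.endsWith("." + official)) return verdict(false, `subdomain of ${official}, not the bookmarked page`);
    // The brand name appears but the host is not the official one: wrong TLD
    // (metamask.co), brand as a subdomain (metamask.io.example.com), or brand plus extra words.
    if (host.includes(brand)) return verdict(false, `lookalike of ${official}`);
  }
  return verdict(false, "not bookmarked; verify through the project's official channels first");
}
```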
Bookmark Official Sites and Never Click Links
The single most effective protection against phishing is never clicking links to exchange and wallet sites in emails, DMs, or social media posts. Instead:
- Add every crypto site you regularly use to your browser bookmarks
- Access those sites exclusively through your bookmarks
- If you need to visit a site for the first time, verify the correct URL through the project’s official documentation, official social media accounts, or established crypto news sources — not through a link someone sent you
If an exchange emails you about account activity and you want to check it, do not click the link in the email. Open a new browser tab, navigate to your bookmarked version of the exchange, and check from there.
Verify Before Connecting Your Wallet
Before connecting your wallet to any DeFi protocol or DApp:
- Verify the site through the project’s official Twitter/X account or documentation
- Check that the URL matches the official domain exactly
- Use a burner wallet with minimal funds for interacting with new or unverified protocols
- Read the connection and approval prompts carefully — understand what you are authorising
Approval Phishing: The Most Dangerous Variant
Approval phishing deserves special attention because it is technically sophisticated, easily missed, and catastrophic when successful.
How Token Approvals Work (And How They Are Abused)
ERC-20 tokens on Ethereum and similar standards on other chains use an “approve” function that lets you authorise a contract to spend tokens on your behalf. This is legitimate functionality — DeFi protocols need it to process trades, provide liquidity, and execute swaps.
The attack works by getting you to grant an unlimited approval to a malicious contract. The approval transaction that names the attacker’s contract as the spender looks much like a legitimate DeFi approval; both appear as an ordinary transaction in MetaMask. The difference is that the malicious version grants permission to a contract controlled by an attacker, who can drain your wallet at any time after the approval is granted.
This means the theft may not happen immediately. You might approve a transaction today and be drained weeks later, making it harder to connect the cause.
Using Revoke.cash
Revoke.cash is a free tool that lets you view all active token approvals connected to your wallet address and revoke any you did not intend to grant or no longer need.
Best practices for token approvals:
- Audit your approvals on revoke.cash regularly (monthly for active DeFi users)
- After interacting with any new DApp, check what approvals were granted
- Revoke approvals from any protocol you no longer use
- For new interactions with unverified DApps, use a separate wallet with minimal funds
Reading Transaction Prompts Carefully
MetaMask and other wallets show a summary of what a transaction does before you confirm it. Before approving any transaction:
- Check what type of transaction it is (transfer, approve, etc.)
- For approvals, check the spending limit — “Unlimited” or an extremely large number is a warning sign unless you understand why that specific protocol requires it
- Verify the contract address you are interacting with against the official documentation of the protocol
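The approval mechanics described under “How Token Approvals Work” and the checklist just above, worked through as an added example that is not code from the original guide, MetaMask or any protocol: the function decodes the raw hex data the wallet shows for a contract interaction and flags the two things to check, the spending limit and whether the spender is a contract the protocol actually publishes. The function selectors are the standard ERC-20 `approve` and ERC-721/1155 `setApprovalForAll` ones; the contract addresses are constructed placeholders.

```javascript
// Added example (not from the original guide or MetaMask): decode the calldata
// of an approval transaction and flag an unlimited limit or an unknown spender.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20 allowance
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721/1155 operator approval
};
const MAX_UINT256 = (1n << 256n) - 1n; // what MetaMask displays as "Unlimited"
const HUGE = 10n ** 30n;               // heuristic: about 10^12 tokens at 18 decimals

const pad32 = (v) => (typeof v === "bigint" ? v.toString(16) : v.replace(/^0x/, "")).padStart(64, "0");
const encodeCall = (selector, addr, value) => "0x" + selector + pad32(addr) + pad32(value);

function inspectCalldata(data, trustedSpenders = []) {
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const hex = data.toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[hex.slice(0, 8)];
  const out = { fn: fn || `unknown selector 0x${hex.slice(0, 8)}`, warnings: [] };
  if (!fn || hex.length !== 8 + 64 * 2) {
    out.warnings.push("unrecognised or malformed call; do not confirm without understanding it");
    return out;
  }
  // ABI encoding: each argument is a 32-byte word; an address sits in the low 20 bytes.
  out.spender = "0x" + hex.slice(32, 72);
  const value = BigInt("0x" + hex.slice(72, 136));
  if (fn.startsWith("approve")) {
    out.amount = value;
    if (value === MAX_UINT256) out.warnings.push("UNLIMITED allowance requested");
    else if (value > HUGE) out.warnings.push("extremely large allowance requested");
  } else {
    out.approved = value === 1n;
    if (out.approved) out.warnings.push("grants operator control over every NFT in this collection");
  }
  if (!trusted.has(out.spender)) out.warnings.push("spender is not a contract published in the protocol's documentation");
  return out;
}

// Constructed sample values (placeholders, not real contracts).
const PROTOCOL_ROUTER = "0x1111111111111111111111111111111111111111";
const UNKNOWN_SPENDER = "0x2222222222222222222222222222222222222222";
const sampleRoutine = encodeCall("095ea7b3", PROTOCOL_ROUTER, 10n ** 21n); // 1000 tokens at 18 decimals
const sampleDrainer = encodeCall("095ea7b3", UNKNOWN_SPENDER, MAX_UINT256);
console.log(inspectCalldata(sampleRoutine, [PROTOCOL_ROUTER]).warnings); // []
console.log(inspectCalldata(sampleDrainer, [PROTOCOL_ROUTER]).warnings); // two warnings
```

A wallet that shows only “Unlimited” and a truncated address still lets you copy the raw data, and comparing the decoded spender against the protocol’s documented contract list is the check that catches the drainer case.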
Wallet Drainers on NFT Sites
During NFT bull markets, malicious sites posing as NFT minting pages, NFT marketplaces, or “exclusive mint access” pages have drained millions of dollars from wallets. The mechanics are standard approval phishing, but the targeting takes advantage of the urgency and FOMO common in NFT culture.
A typical attack:
- A fake “allowlist mint” announcement appears on Twitter/X, Discord, or via DM
- The link leads to a professionally designed fake minting site
- The “Mint” button triggers an approval transaction for your ETH or NFT holdings
- Approval drains your wallet immediately
The urgency manufactured around NFT mints — “only 30 minutes left,” “almost sold out” — is designed to suppress careful evaluation of what you are approving.
Protection: Verify every NFT mint page through the project’s official announcement channels. Never click mint links from DMs. Check the contract address being interacted with against the official contract listed in the project’s documentation.
FAQ
Q: Is it safe to connect my wallet to read-only — just “view” mode?
A: Yes. Connecting your wallet on its own does not grant any spending permissions. Theft occurs when you approve a transaction, not when you connect. The risk begins with approvals, not connections.
Q: I clicked a suspicious link but did not enter anything. Am I safe?
A: Visiting a site does not by itself compromise your wallet or credentials. You are at risk only if you entered your seed phrase, entered exchange login credentials, or approved a wallet transaction on that site. If you did none of those things, you are almost certainly safe — but run a malware scan on your device as a precaution.
Q: Can phishing sites steal my crypto just from visiting them?
A: Very rarely. “Drive-by” attacks that install malware via a browser visit are possible but uncommon and typically require unpatched browser vulnerabilities. The vast majority of crypto phishing requires you to take an action: enter credentials, enter a seed phrase, or approve a transaction. Keep your browser updated to minimise drive-by risks.
Q: The email from my exchange looks completely legitimate. How can I tell if it is real?
A: You cannot reliably tell from the email itself. Phishing emails can replicate official branding perfectly. The safest approach: do not trust any email asking you to take action on your account. Instead, go directly to your bookmarked exchange URL and check your account there. If the exchange sent a real alert, it will be visible in your account.
Q: How do I know if MetaMask is asking me to approve a legitimate transaction?
A: Check the contract address in the transaction details against the official contract address published in the DApp’s documentation. Verify the site URL before approving anything. If approving a token allowance, question whether “Unlimited” approval is necessary — many legitimate protocols allow you to set a specific limit.