Web3 Phishing Attacks: Methods, Risks, and Countermeasures
This article examines the rapid rise of Web3 phishing, detailing various attack vectors such as transaction‑based phishing, eth_sign blind signing, modal phishing, approval abuse, address‑poisoning, and zero‑transfer tricks, while presenting detection methods and Ant Group’s multi‑dimensional anti‑money‑laundering platform as a countermeasure.
With the rapid development of the Web3 industry and evolving regulatory policies, Web3 security has become a critical issue, and phishing attacks now rank among the most damaging threats to users and projects.
Web3 phishing originates from traditional Web2 phishing techniques (such as malicious browser extensions, fake wallets, social engineering, and DNS hijacking) that aim to steal mnemonic phrases or private keys. Since 2022, transaction-based phishing has surged: attackers create counterfeit sites that mimic legitimate DApps to trick users into signing transactions that transfer crypto assets.
Three main factors drive the prevalence of Web3 phishing: economic incentives, insecure DApp interaction flows, and the lack of comprehensive centralized regulation due to blockchain’s decentralized nature.
The typical DApp interaction process (visit site → connect wallet → confirm transaction) contains multiple points where phishing can occur, including malicious URLs, fake “Connect” prompts, and deceptive transaction details.
From a transaction perspective, the article outlines several phishing techniques:
Transfer phishing: victims are lured to send ETH or ERC-20 tokens directly to a phishing address, either via a simple transfer or by invoking transferFrom on a token contract.
eth_sign blind-sign phishing: attackers request an eth_sign on arbitrary data, effectively signing a "blank check" that can be used to move assets.
Modal phishing: malicious UI modals in wallets disguise malicious function calls (e.g., SecurityUpdate) as legitimate updates.
Approval phishing: users are tricked into granting token allowances (via Approval, increaseAllowance, or Permit) to attacker-controlled contracts, enabling later token transfers.
NFT order phishing: attackers exploit the Seaport protocol's order signing flow to obtain a near-zero-cost order signature, allowing them to acquire high-value NFTs for free.
Proxy contract upgrade phishing: victims sign a malicious upgradeTo() call on their OpenSea proxy contract, giving attackers control over the proxy and the associated NFTs.
Address-poisoning attacks: attackers generate addresses that share the same prefix and suffix as legitimate targets, exploiting truncated address displays in wallets and block explorers.
Zero-transfer phishing: attackers send a transaction with a zero token amount, which still emits a transfer event that can be mistaken for a legitimate transfer.
Small-transfer and fake-token phishing: attackers use tiny amounts of real tokens or counterfeit tokens with forged symbols to bypass detection and lure victims into copying malicious addresses.
To mitigate these threats, Ant Group’s Web3 Multi‑Dimensional Intelligent Joint Anti‑Money‑Laundering Platform continuously monitors DApp interactions, simulates transactions, and maintains extensive phishing site and address databases. The platform can detect suspicious transactions, flag address‑poisoning attempts, and trace illicit fund flows in real time.
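An added example (not from the original article and not Ant Group's platform code) of flagging the address-poisoning, zero-transfer and small-transfer patterns described above from a wallet's transfer history. The Transfer record layout, the 4-hex-character match window and the dust threshold are assumptions, and every address is constructed.

```python
import re
from collections import namedtuple

MATCH_CHARS = 4            # assumption: hex chars a truncating UI shows at each end
DUST_THRESHOLD = 10**15    # assumption: base units below which a transfer is "small"
# Hypothetical record for one token Transfer event; amount is in token base units.
Transfer = namedtuple("Transfer", "sender recipient amount")

def norm(addr):
    """Lower-case a 20-byte hex address (drops checksum casing) and strip 0x."""
    a = addr.lower()
    if not re.fullmatch(r"0x[0-9a-f]{40}", a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a[2:]

def looks_like(candidate, known, n=MATCH_CHARS):
    """True if candidate differs from known but matches its first and last n chars."""
    c, k = norm(candidate), norm(known)
    return c != k and c[:n] == k[:n] and c[-n:] == k[-n:]

def flag_transfers(wallet, trusted, history):
    """Return [(transfer, reasons)] for events matching the poisoning patterns."""
    me, known = norm(wallet), {norm(t) for t in trusted}
    findings = []
    for t in history:
        # Counterparty is the non-wallet side, whichever direction the event shows.
        other = t.recipient if norm(t.sender) == me else t.sender
        if norm(other) in known:
            continue
        hits = [k for k in trusted if looks_like(other, k)]
        reasons = [f"lookalike-of:{k}" for k in hits]
        if t.amount == 0:
            reasons.append("zero-value-transfer")
        elif hits and t.amount < DUST_THRESHOLD:
            reasons.append("small-transfer")
        if reasons:
            findings.append((t, reasons))
    return findings

# Constructed sample data; none of these are real addresses.
WALLET = "0x" + "11" * 20
TRUSTED = "0xA1b2" + "0" * 32 + "C3d4"
POISON = "0xa1b2" + "f" * 32 + "c3d4"
HISTORY = [
    Transfer(WALLET, TRUSTED, 5 * 10**18),           # genuine payment
    Transfer(WALLET, POISON, 0),                     # zero-transfer event
    Transfer(POISON, WALLET, 10**12),                # small-transfer lure
    Transfer("0x" + "22" * 20, WALLET, 3 * 10**18),  # unrelated deposit
]
```

Calling flag_transfers(WALLET, [TRUSTED], HISTORY) reports the second and third events; comparing full normalized addresses rather than the truncated display is what separates the lookalike from the trusted counterparty.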
Overall, as Web3 adoption grows, the proportion of illicit activities rises, making AI‑assisted risk analysis and robust security solutions essential for safeguarding the digital economy.
AntTech