You check your wallet and the balance is zero. You never shared your seed phrase. You never clicked anything suspicious — or so you thought. But somewhere in your transaction history, there is a token approval you don’t remember signing. That approval let a smart contract spend your tokens without asking again.

Crypto phishing is not like email phishing. It doesn’t ask for your password — it asks for your permission. And once granted, that permission is permanent, automatic, and devastating.

BLUF: Crypto phishing works by tricking you into signing a transaction that gives a malicious contract control over your wallet. The most common vectors are fake websites (wallet drainers), malicious token approvals, and fraudulent airdrop claims. Defense: verify every URL, revoke unused approvals regularly, and use a hardware wallet for large holdings.

How Crypto Phishing Differs from Traditional Phishing

Traditional phishing steals credentials — passwords, credit card numbers, banking logins. The attack is transactional: you give up information, the attacker uses it, and your bank may reverse the fraud.

Crypto phishing steals authorization. Instead of taking your keys, it convinces you to grant a smart contract permission to move your assets. This is far more dangerous because:

  • Blockchain transactions are irreversible — no chargebacks, no fraud department
  • Approvals persist — a single signed approval can drain your wallet days or weeks later
  • No intermediary — there is no bank or payment processor to flag suspicious activity

The fundamental shift is this: in crypto, you are the security layer. Every signature is final.

The Five Most Common Attack Vectors

1. Wallet Drainer Websites

Wallet drainers are malicious dApps that look like legitimate DeFi platforms, NFT marketplaces, or airdrop claim sites. When you connect your wallet and click what appears to be a normal action — “claim tokens,” “mint NFT,” “verify eligibility” — the site presents a transaction that grants the drainer contract unlimited spending approval over your tokens.

Red flags:

  • A site you found through a Twitter/X link or Discord message
  • Urgency language (“claim before deadline,” “limited spots”)
  • A wallet popup asking for approval when you didn’t expect to make a transaction
  • Any prompt to sign a message you don’t fully understand

Defense: Bookmark legitimate sites. Never click crypto links from social media or chat apps. If a site asks you to connect your wallet, close the tab and navigate to the known URL manually.

2. Malicious Token Approvals

Token approvals are a normal part of DeFi — you approve a contract to spend your tokens so you can trade on a DEX or provide liquidity. But malicious contracts abuse this mechanism by requesting unlimited approval (type(uint256).max), which lets them drain your entire balance at any time.

Many legitimate dApps also request unlimited approval for convenience. This is why you should:

  • Check the approval amount before signing — if it says “unlimited,” consider whether the dApp truly needs it
  • Revoke approvals you no longer need with tools like revoke.cash or Etherscan’s Token Approval Checker
  • Review approvals monthly as part of wallet hygiene

3. Permit Signature Phishing

Permit signature phishing is a more advanced attack that exploits the ERC-2612 permit function. Instead of asking you to send a transaction (which costs gas and shows up in your wallet as a clearly labelled on-chain action), the attacker asks you to sign an off-chain message. That signed message is a valid approval that the attacker can submit to the blockchain later, without any further action from you.

The danger: signing a message feels harmless because it doesn’t cost gas and doesn’t immediately move funds. But a permit signature is just as powerful as an on-chain approval.

Defense: Never sign messages from untrusted dApps. If a site asks you to “verify” your wallet by signing a message, close it immediately. Legitimate platforms rarely require message signing for basic access.
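The two request types described in sections 2 and 3 can be checked before anything is signed. The following is an added example, not code from the original article or from any wallet product it names: it decodes an ERC-20 approve() calldata and an ERC-2612 Permit typed-data message and returns risk flags in the spirit of the transaction-simulation extensions mentioned later. The spender allowlist and the function names are assumptions made for the example.

```python
"""Pre-signature risk check for ERC-20 approve() calls and ERC-2612 Permit
messages. Added example; the KNOWN_SPENDERS allowlist is a constructed
placeholder standing in for the contracts a user has verified."""
import json

UINT256_MAX = 2**256 - 1
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
# Constructed placeholder: spender contracts this user has decided to trust.
KNOWN_SPENDERS = {"0x" + "1" * 40}


def _word(data_hex: str, i: int) -> str:
    """Return the i-th 32-byte ABI word following the 4-byte selector."""
    start = 8 + 64 * i
    return data_hex[start:start + 64]


def _flags(spender: str, amount: int) -> list[str]:
    """Shared checks: is the spender known, and is the allowance unlimited?"""
    flags = []
    if spender.lower() not in KNOWN_SPENDERS:
        flags.append(f"unknown spender {spender}")
    if amount == UINT256_MAX:  # type(uint256).max, the "unlimited" pattern
        flags.append("unlimited approval")
    return flags


def check_approve_calldata(data: str) -> list[str]:
    """Flag an on-chain approve(address,uint256) transaction before signing."""
    data = data.lower().removeprefix("0x")
    if data[:8] != APPROVE_SELECTOR or len(data) != 8 + 128:
        return ["not an approve(address,uint256) call"]
    spender = "0x" + _word(data, 0)[24:]  # address is right-aligned in its word
    amount = int(_word(data, 1), 16)
    return _flags(spender, amount)


def check_permit_message(typed_data_json: str) -> list[str]:
    """Flag an off-chain EIP-712 Permit message (ERC-2612) before signing."""
    td = json.loads(typed_data_json)
    if td.get("primaryType") != "Permit":
        return ["not a Permit message"]
    msg = td["message"]
    flags = _flags(msg["spender"], int(msg["value"]))
    if int(msg["deadline"]) == UINT256_MAX:
        flags.append("deadline never expires")
    return flags
```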

4. Fake Airdrops and Giveaways

Scammers create websites mimicking popular protocols (Arbitrum, Layer2 projects, restaking platforms) announcing fake airdrops. The site asks you to connect your wallet and “claim” — which triggers a malicious approval or direct transfer.

These scams spread through:

  • Compromised Twitter/X accounts of legitimate projects
  • Discord server raids with bot-posted links
  • Fake LinkedIn profiles posing as project team members
  • Google Ads targeting searches for “[protocol name] airdrop”

Defense: Verify airdrop announcements through official documentation pages, not social media. Cross-check any claim URL against the project’s official documentation or GitHub.

5. Address Poisoning

Address poisoning plants look-alike addresses in your transaction history. When you later copy-paste a recipient from history, you grab the attacker’s address instead of the real one. This attack doesn’t require wallet connection or approvals — it exploits copy-paste behavior.

Defense: Never copy-paste addresses from transaction history. Use an address book or ENS names. For large transfers, send a test transaction first.
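The look-alike pattern that address poisoning relies on (matching first and last characters, different middle) can be checked mechanically. This is an added example, not code from the original article: it scans a constructed transaction history against a constructed address book and also confirms a pasted recipient before sending; the data and function names are assumptions.

```python
"""Address-poisoning detection over a wallet's transaction history.
Added example; the address book and the history are constructed sample data."""

# Constructed: addresses the user has verified and saved.
ADDRESS_BOOK = {
    "exchange deposit": "0x1234abcd" + "0" * 24 + "cafe5678",
}

# Constructed history entries: (direction, counterparty, value in wei).
HISTORY = [
    ("out", "0x1234abcd" + "0" * 24 + "cafe5678", 5 * 10**17),
    ("in", "0x1234abcd" + "9" * 24 + "cafe5678", 0),  # same ends, zero value
    ("in", "0x" + "a" * 40, 10**18),
]


def shares_ends(a: str, b: str, n: int = 4) -> bool:
    """True if two different addresses agree on the first and last n hex digits."""
    a, b = a.lower().removeprefix("0x"), b.lower().removeprefix("0x")
    return a != b and a[:n] == b[:n] and a[-n:] == b[-n:]


def find_poisoned(history, address_book=ADDRESS_BOOK) -> list[str]:
    """Return inbound counterparties that mimic a saved address but differ from it."""
    suspicious = []
    for direction, counterparty, _value in history:
        if direction != "in":
            continue
        if any(shares_ends(counterparty, known) for known in address_book.values()):
            suspicious.append(counterparty)
    return suspicious


def safe_recipient(name: str, pasted: str, address_book=ADDRESS_BOOK) -> bool:
    """Before sending, require the pasted address to equal the saved one exactly."""
    return pasted.lower() == address_book[name].lower()
```

Wallets that truncate addresses to their first and last few characters hide exactly the middle that differs, which is why the comparison above is done on the full string.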

Building a Phishing-Resistant Workflow

Layer 1: Browser Hygiene

  • Use a dedicated browser profile for crypto activity
  • Install Pocket Universe or Wallet Guard — browser extensions that simulate transactions and flag malicious contract interactions before you sign
  • Disable crypto-related browser extensions you don’t actively use (each extension is an attack surface)
  • Check URLs character-by-character — phishing sites use homoglyph attacks (аrbitrum.io with a Cyrillic а)

Layer 2: Wallet Segmentation

Maintain separate wallets for different risk levels:

Wallet        Purpose                    Holdings         Connection Policy
Vault         Long-term storage          90%+ of assets   Hardware wallet, never connects to any dApp
DeFi          Active trading, liquidity  5-10%            Hot wallet, connects only to verified dApps
Experimental  New platforms, airdrops    Minimal          Hot wallet, acceptable risk of loss

This way, even if an experimental wallet is drained, your core holdings remain safe.

Layer 3: Hardware Wallet for Approvals

A hardware wallet displays the full transaction details on its screen before you confirm. This creates a physical checkpoint between the phishing site and the signature:

  1. The phishing site sends a malicious approval
  2. Your hot wallet software shows the request
  3. Your hardware wallet displays the actual contract address and approval amount on its screen
  4. You review the hardware display — if the contract address is unknown or the approval is unlimited, you reject

This stops attacks that hot wallet software fails to warn about, because you verify on a separate, trusted device.

Layer 4: Regular Approval Audits

Make it a habit to review and revoke token approvals:

  1. Go to revoke.cash or Etherscan Token Approval Checker
  2. Review every active approval
  3. Revoke any approval to contracts you no longer use
  4. Pay special attention to unlimited approvals on high-value tokens

A monthly approval audit takes five minutes and closes one of the most common lingering exposures: the “I forgot I approved that contract” scenario.

What to Do If You’ve Been Phished

If you suspect a malicious approval is active on your wallet:

  1. Immediately revoke the approval using revoke.cash — this stops further draining
  2. Move remaining assets to a new wallet with a fresh seed phrase
  3. Do not interact with any contract from the compromised wallet — even revoking can sometimes trigger additional traps
  4. Report the address to blockchain security databases (Chainabuse, EtherSecurityLookup)
  5. Document everything — transaction hashes, timestamps, the phishing URL — for potential insurance claims or law enforcement reports

If funds have already been moved by the attacker, recovery is extremely unlikely. The irreversible nature of blockchain transactions means prevention is the only reliable strategy.

Checking Addresses and Contracts

Before interacting with any new contract or sending funds to an unfamiliar address, run a risk check to see if it has been flagged as associated with phishing, rug pulls, honeypots, or other malicious activity.

Frequently Asked Questions

Q: I accidentally connected my wallet to a suspicious site. Am I compromised?

A: Connecting your wallet (read-only) does not grant spending permissions. You are only compromised if you signed a transaction or message. Check your active approvals at revoke.cash. If there are no unexpected approvals, you’re safe — but don’t return to that site.

Q: Can a hardware wallet be phished?

A: The hardware wallet itself is not phished, but you can still be tricked into confirming a malicious transaction on the device. Always read the contract address and approval amount on the hardware screen. If something doesn’t match what you intended, reject it.

Q: Are browser extensions like MetaMask safe?

A: Hot wallets like MetaMask are safe if used correctly — the risk comes from what you sign, not the wallet itself. The key is to never sign transactions or messages from untrusted sources, regardless of which wallet you use.

Q: How do I know if a token approval is dangerous?

A: Check three things: the contract address (is it a known, verified contract?), the approval amount (is it unlimited?), and the token being approved (is it a high-value token?). When in doubt, revoke it.