What is a Phishing Attack in Crypto?
A crypto phishing attack is a social engineering exploit in which an attacker deceives a user into taking an action — signing a malicious transaction, approving unlimited token spend on a contract, or manually revealing a seed phrase — that transfers control of the user’s assets to the attacker. Unlike traditional web phishing (which steals passwords that can be reset), crypto phishing is often instantly irreversible: once a malicious setApprovalForAll or transfer transaction is signed and included in a block, the assets are gone within seconds, routed through mixers (Tornado Cash) and cross-chain bridges before the victim even realizes what happened.
The financial impact is staggering. Chainalysis and on-chain security firms (ScamSniffer, PeckShield) documented that phishing drainers stole over $295 million from 324,000+ victims in 2023 alone, and the cumulative total from 2021–2024 exceeds $1 billion. The single largest documented pure-phishing loss: in May 2024, a single victim lost $68 million in wrapped Bitcoin (WBTC) after signing a drainer transaction disguised as a Permit2 interaction. These losses dwarf those of traditional web phishing because crypto wallets lack the consumer protections (chargebacks, FDIC insurance, two-factor transaction reversal) that bank accounts enjoy.
The evolution of crypto phishing has been rapid. The 2017–2020 era was dominated by crude “send me your seed phrase” Discord DMs. By 2021, attackers built fake Uniswap and MetaMask frontends that tricked users into signing token approvals. The breakthrough came in 2022–2023 with wallet drainers-as-a-service: sophisticated, professionally built JavaScript dApps that, when a victim connects their wallet and clicks “Claim Airdrop,” construct a transaction that is actually a setApprovalForAll granting the attacker unlimited transfer rights over the victim’s NFTs and ERC-20 tokens. Drainer kits like Inferno Drainer, Pink Drainer, Angel Drainer, and Monkey Drainer are licensed to affiliates for a 20–30% cut of stolen funds, industrializing crypto theft.
How It Works / Key Mechanics
The setApprovalForAll Vector
The most devastating crypto phishing vector is the ERC-721/ERC-1155 setApprovalForAll(address operator, bool approved) function. Unlike approve() (which grants a specific token allowance), setApprovalForAll grants the operator address the right to transfer every NFT the victim owns from the specified contract. Once signed, the attacker can drain the victim’s entire BAYC, CryptoPunks, or Pudgy Penguins holdings in a single batch transaction. The victim sees only a generic “Approve” prompt in their wallet — they often do not read the encoded function data. Drainer dApps obfuscate this by labeling the button “Claim 2.5 ETH Airdrop” or “Verify Wallet.”
Malicious dApp Approval Flow
A typical drainer attack follows this sequence:
- Lure: Victim receives a DM, tweet, or email (“Claim your $ARB airdrop,” “Your OpenSea listing expired—re-sign,” “Uniswap airdrop active”).
- Fake site: Victim lands on a lookalike domain (opensea-pro.com, uniswap-claim.io) with cloned UI and a real-looking “Connect Wallet” button.
- Connection: Victim connects MetaMask (or WalletConnect) to the site. No funds move yet — this is trust-building.
- Malicious sign request: Site prompts a transaction that looks benign. Under the hood it is setApprovalForAll(attackerContract, true) or a permit() signature granting ERC-20 allowance via gasless EIP-2612.
- Drain: Attacker’s bot detects the approval within seconds and calls transferFrom to move all approved NFTs and tokens to attacker wallets, then routes them through Tornado Cash or bridges to obfuscate.
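The decode-before-signing check that transaction simulators perform on the setApprovalForAll vector and the drainer flow above, as an added example that is not code from the original article. The function selectors are the standard 4-byte keccak256 prefixes of the ERC-721/ERC-20 signatures; the operator address and calldata are constructed placeholders.

```javascript
// Added example (not from the article): the decode-before-you-sign check a
// transaction simulator performs. It splits EVM calldata into the 4-byte
// selector and 32-byte argument words, then flags the approval patterns
// described above: setApprovalForAll(operator, true) and unlimited approve().
const SELECTORS = { // first 4 bytes of keccak256 of each standard signature
  a22cb465: "setApprovalForAll(address,bool)",
  "095ea7b3": "approve(address,uint256)",
  "23b872dd": "transferFrom(address,address,uint256)",
};
const MAX_UINT256 = (1n << 256n) - 1n;

function decodeCalldata(hex) {
  const data = hex.replace(/^0x/i, "").toLowerCase();
  if (data.length < 8 || (data.length - 8) % 64 !== 0) throw new Error("malformed calldata");
  const words = [];
  for (let i = 8; i < data.length; i += 64) words.push(data.slice(i, i + 64));
  const selector = data.slice(0, 8);
  return { selector, name: SELECTORS[selector] || "unknown", words };
}
const asAddress = (word) => "0x" + word.slice(24); // address = low 20 bytes of the word
const asUint = (word) => BigInt("0x" + word);

// Verdict for a transaction the wallet is about to sign. `trusted` holds
// lowercase operator/spender addresses the user has knowingly approved before.
function assessTransaction(calldata, trusted = new Set()) {
  const { name, words } = decodeCalldata(calldata);
  if (name === "unknown") return { risk: "unknown", reason: "selector not recognised; inspect manually" };
  if (words.length < 2) throw new Error("truncated arguments");
  if (name === "setApprovalForAll(address,bool)") {
    const operator = asAddress(words[0]);
    if (asUint(words[1]) === 0n) return { risk: "none", reason: `revokes operator ${operator}` };
    if (trusted.has(operator)) return { risk: "low", reason: "operator already trusted" };
    return { risk: "critical", reason: `grants ${operator} control of every token in this collection` };
  }
  if (name === "approve(address,uint256)") {
    const spender = asAddress(words[0]);
    const amount = asUint(words[1]);
    if (amount === MAX_UINT256 && !trusted.has(spender)) {
      return { risk: "high", reason: `unlimited allowance for unknown spender ${spender}` };
    }
    return { risk: trusted.has(spender) ? "low" : "medium", reason: `allowance of ${amount} for ${spender}` };
  }
  return { risk: "medium", reason: `${name} moves tokens; confirm sender and recipient` };
}

// Constructed sample: the "Claim Airdrop" button really submits
// setApprovalForAll(0x1111...1111, true); the operator address is a placeholder.
const ATTACKER = "1111111111111111111111111111111111111111";
const CLAIM_CALLDATA = "0xa22cb465" + "0".repeat(24) + ATTACKER + "0".repeat(63) + "1";
```

Running assessTransaction(CLAIM_CALLDATA) returns a "critical" verdict naming the operator, which is exactly the information the generic “Approve” prompt hides.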
Address Poisoning (Zero-Value Transfer Attack)
A subtler vector is address poisoning. The attacker monitors the mempool or on-chain history for transfers involving the victim, then sends a zero-value transaction from an address whose first and last 6 characters match the victim’s legitimate counterparty. When the victim later copies the “from” address from their transaction history to send funds, they copy the attacker’s poisoned address instead. Because Ethereum addresses are 42 characters and humans only verify the first/last few, the spoof succeeds. Victims have lost $50,000–$400,000+ in single USDT transfers this way. Hardware wallets and address book entries (saved recipients) defeat this.
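Two defender-side checks against the poisoning pattern just described, as an added example that is not from the original article: a scan of transfer history for zero-value inbound transfers from lookalike senders, and a pre-send guard that rejects a recipient matching a saved address only on its visible prefix and suffix. All addresses and the history below are constructed.

```javascript
// Added example (not from the article): two defender-side checks against the
// address-poisoning pattern described above. findPoisoning() scans a wallet's
// transfer history for zero-value inbound transfers whose sender mimics a real
// counterparty; checkRecipient() refuses a recipient that matches a saved
// address on the visible prefix and suffix but differs elsewhere.
const PREFIX = 6, SUFFIX = 6; // the characters a human usually compares

function norm(addr) {
  const a = String(addr).toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(a)) throw new Error(`not an EVM address: ${addr}`);
  return a;
}

// Different addresses that agree on the visible prefix and suffix.
function looksAlike(a, b) {
  a = norm(a); b = norm(b);
  return a !== b && a.slice(2, 2 + PREFIX) === b.slice(2, 2 + PREFIX) && a.slice(-SUFFIX) === b.slice(-SUFFIX);
}

// history: [{ id, from, to, value }] with value as a BigInt in token base units.
function findPoisoning(history, me) {
  me = norm(me);
  // Real counterparties: addresses the wallet exchanged non-zero value with.
  const peers = [...new Set(history.filter(t => t.value > 0n).map(t => norm(t.from) === me ? norm(t.to) : norm(t.from)))];
  return history
    .filter(t => norm(t.to) === me && t.value === 0n)
    .map(t => ({ id: t.id, poisoned: norm(t.from), mimics: peers.find(p => looksAlike(t.from, p)) }))
    .filter(hit => hit.mimics !== undefined);
}

function checkRecipient(recipient, addressBook) {
  const r = norm(recipient);
  if (addressBook.some(a => norm(a) === r)) return { ok: true, reason: "exact match in address book" };
  const mimic = addressBook.find(a => looksAlike(r, a));
  if (mimic) return { ok: false, reason: `resembles saved address ${mimic} but differs in the middle; likely poisoned` };
  return { ok: false, reason: "not in address book; verify all 42 characters out of band" };
}

// Constructed sample history: ME paid LEGIT once, then received a zero-value
// transfer from POISON, which copies LEGIT's first and last six characters.
const ME = "0x" + "a".repeat(40);
const LEGIT = "0x123456" + "0".repeat(28) + "abcdef";
const POISON = "0x123456" + "f".repeat(28) + "abcdef";
const HISTORY = [
  { id: "tx1", from: ME, to: LEGIT, value: 500000000n },
  { id: "tx2", from: POISON, to: ME, value: 0n },
  { id: "tx3", from: "0x" + "b".repeat(40), to: ME, value: 10n },
];
```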
Wallet Drainer Kits (2023–2024)
| Drainer Kit | Active Period | Estimated Stolen | Notable Tactics |
|---|---|---|---|
| Inferno Drainer | 2022–2024 | $80M+ (132,000+ victims) | Multi-chain, real-time NFT appraisal, selective drain |
| Pink Drainer | 2023–2024 | $75M+ | Twitter account hijacking for promotion |
| Angel Drainer | 2023 | $25M+ | Sign-in-with-Ethereum (SIWE) abuse |
| Monkey Drainer | 2022 (first major kit) | $1M+ | Pioneered the drainer-as-a-service model |
These kits are rented to “affiliates” who handle the social engineering (hacked verified Twitter accounts, Discord raids, Google Ads for fake sites) in exchange for a 20–30% cut. Inference engines in modern drainers check the victim’s portfolio in real time and drain only high-value items to minimize suspicion.
Real-World Examples / Notable Cases
Inferno Drainer (2023–2024): The largest documented drainer operation. Active from at least November 2022, Inferno targeted over 100,000 victims via thousands of phishing sites impersonating projects like Collab.Land, zkSync, and Linea. In June 2023, a single victim lost $24 million in assets including CryptoPunks and Bored Apes after signing a malicious permit on a fake Collab.Land site. Inferno announced a “shutdown” in June 2023 but resurfaced in 2024, stealing an additional $40M+ before another reported wind-down.
The May 2024 $68M WBTC Phish: A victim was tricked into signing a transaction on a spoofed site mimicking a Permit2 (Uniswap’s universal approval contract) interaction. The attacker exploited the victim’s pre-existing Permit2 allowance to transfer 1,155 WBTC (~$68 million) in a single transaction. The funds were bridged to other chains within minutes. This is one of the largest single-victim phishing losses on record.
OpenSea Spoofing (February 2022): A widespread campaign used fake “OpenSea listing expired—re-sign” emails and sites to get users to sign setApprovalForAll on the real OpenSea Wyvern Exchange contract. Over $1.7 million was stolen in a single weekend, affecting 32 users.
Address Poisoning on Tron/USDT (2023–2024): Attackers sent zero-value USDT transactions from vanity addresses mimicking major exchanges. PeckShield tracked $50M+ in losses from address poisoning across 2023–2024.
Phishing Vectors Comparison
| Vector | What Victim Does | What Happens | Prevention |
|---|---|---|---|
| Drainer dApp (setApprovalForAll) | Signs “Claim” on fake site | Attacker drains all NFTs/tokens | Transaction simulation, revoke.cash |
| Seed phrase phishing | Pastes seed phrase in chat/Discord | Wallet emptied instantly | Never type seed phrase anywhere except hardware wallet setup |
| Address poisoning | Copies address from history | Sends to attacker’s lookalike address | Address book, hardware wallet confirmation |
| Permit/signature phishing | Signs gasless message | Attacker gains ERC-20 allowance | Decode every signature; distrust unknown dApps |
| Clipboard hijacker | Pastes copied address | Replaced with attacker’s address | Verify full address before sending; use hardware wallet |
Risks / Considerations
- Irreversibility: There is no chargeback, no fraud department, no insurance for most wallets. Once signed, a malicious transaction is final. This asymmetry — attacker needs one signed transaction, victim needs to be vigilant every time — is why education and tooling are the only defenses.
- Approval fatigue: DeFi users sign dozens of token approvals daily and stop reading them. Drainers exploit this “approval blindness.” Use transaction simulators (Tenderly, PocketUniverse, Rabby Wallet, Blockaid) that decode what a transaction will actually do before you sign.
- Permit2 and gasless signatures: Uniswap’s Permit2 and EIP-2612 permit() allow gasless approvals via signature alone — no on-chain transaction needed. This is convenient but dangerous: signing a single off-chain message can grant an attacker allowance. Treat every signature request as carefully as a transaction.
- Hot wallet exposure: Keeping all assets in a single hot wallet (MetaMask browser extension) maximizes blast radius. Segregate: a cold/hardware wallet for long-term holdings, a dedicated hot wallet with small allowances for active DeFi, and revoke unused approvals regularly via revoke.cash.
- Trusted-source failures: Even verified Twitter accounts and official Discord servers get hacked. In 2023, the official OpenSea Discord and multiple project Discords were compromised to push phishing links. Verify links from multiple independent sources, and prefer typing known-good URLs directly.
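Applying the "treat every signature like a transaction" rule from the Permit2 item above to an off-chain EIP-2612 permit, as an added example that is not from the original article. It triages the EIP-712 typed data a wallet receives via eth_signTypedData_v4; the token, owner and spender addresses in the sample are constructed placeholders, and the 30-day deadline threshold is an assumed policy.

```javascript
// Added example (not from the article): triage of an EIP-712 typed-data
// request, the JSON a wallet receives through eth_signTypedData_v4, for an
// EIP-2612 Permit. The signature alone becomes an on-chain allowance, so the
// message is judged by the same rules as an approve() transaction.
const MAX_UINT256 = (1n << 256n) - 1n;
const DAY = 86400;

// trustedSpenders: lowercase contract addresses the user has knowingly used.
// now: unix seconds, injectable so the check is deterministic.
function assessPermitRequest(typedData, trustedSpenders = new Set(), now = Math.floor(Date.now() / 1000)) {
  if (typedData.primaryType !== "Permit") return { risk: "n/a", findings: ["not an EIP-2612 Permit"] };
  const m = typedData.message || {};
  const domain = typedData.domain || {};
  const spender = String(m.spender || "").toLowerCase();
  const value = BigInt(m.value ?? 0);
  const deadline = Number(m.deadline ?? 0);
  const findings = [];
  if (!domain.verifyingContract) findings.push("domain has no verifyingContract; cannot tell which token this binds");
  if (!trustedSpenders.has(spender)) findings.push(`spender ${spender} is not a contract you have used before`);
  if (value === MAX_UINT256) findings.push("value is unlimited (2^256-1)");
  if (deadline - now > 30 * DAY) findings.push(`deadline is ${Math.floor((deadline - now) / DAY)} days away`);
  let risk = "low";
  if (findings.length) risk = "medium";
  if (value === MAX_UINT256 && !trustedSpenders.has(spender)) risk = "critical";
  return { risk, token: domain.verifyingContract, spender, findings };
}

// Constructed sample: a "Verify wallet" prompt that is really an unlimited,
// multi-year permit to a placeholder spender address.
const DRAINER_PERMIT = {
  primaryType: "Permit",
  domain: { name: "Example Token", version: "1", chainId: 1, verifyingContract: "0x" + "c".repeat(40) },
  types: {
    EIP712Domain: [{ name: "name", type: "string" }, { name: "version", type: "string" }, { name: "chainId", type: "uint256" }, { name: "verifyingContract", type: "address" }],
    Permit: [{ name: "owner", type: "address" }, { name: "spender", type: "address" }, { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" }, { name: "deadline", type: "uint256" }],
  },
  message: { owner: "0x" + "a".repeat(40), spender: "0x" + "1".repeat(40), value: MAX_UINT256.toString(), nonce: "0", deadline: "1900000000" },
};
```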
Frequently Asked Questions
Q: If I only “connect” my wallet to a site, can it steal my funds?
A: No, not by connecting alone. Connecting only shares your public address with the site. To move funds, the site must prompt you to sign a transaction or message, and you must approve it. The danger is the deceptive signing step that follows connection. Never sign transactions or messages on sites you did not intend to visit, and always decode what you are signing.
Q: How do I check and revoke token approvals?
A: Use revoke.cash or etherscan.io/tokenapprovalchecker (and equivalents like debank.com for multi-chain). These tools list all contracts you have granted approve or setApprovalForAll to, with a one-click revoke button (which costs a small gas fee). Audit and revoke approvals monthly, especially for dApps you no longer use. Set approvals to specific amounts rather than unlimited where possible.
Q: Will a hardware wallet protect me from phishing?
A: A hardware wallet (Ledger, Trezor) protects your seed phrase and forces transaction confirmation on the device screen. However, it does not protect you from signing a malicious setApprovalForAll if you approve it without reading the decoded transaction — most hardware wallets show only raw hex. Always combine a hardware wallet with a transaction simulator (Rabby, Blockaid) that decodes the action in human-readable form.
Q: What should I do immediately if I suspect I was phished?
A: (1) Revoke all token approvals immediately via revoke.cash. (2) Move all remaining assets to a brand-new wallet with a fresh seed phrase. (3) If NFTs were stolen, report to marketplaces (OpenSea, Blur) to flag stolen items. (4) Report to Chainabuse, the FBI’s IC3, and ScamSniffer. Realistically, recovery is rare; the goal is containment. Speed matters — attackers sweep within seconds.