DigitalFinances


What is Phishing?

Tricking a user into giving up credentials, signatures, or seed phrases via fake sites, emails, or DMs. The single largest source of crypto loss for individuals — bigger than smart-contract exploits.

Last updated April 30, 2026

How it works

Phishing in crypto specifically targets the irreversible nature of blockchain transactions. Common attack patterns:

  • Fake exchange login pages. An email arrives reading "Coinbase: unusual login detected" with a link to a near-perfect clone of coinbase.com. You log in, and the attacker captures your credentials.
  • Wallet drainer dApps. A site looks like a legitimate NFT mint or airdrop claim. You connect your wallet and approve a transaction that grants the site permission to move all your tokens.
  • Seed phrase phishing. "Verify your wallet to continue" forms ask you to type in your seed phrase. Real wallets never ask for this.
  • Address swappers. Malware on your computer watches the clipboard for addresses and replaces a copied destination with the attacker's address before you paste it into your wallet.
  • Discord/Telegram impersonation. Fake "support" agents DM users and get them to share their screen or paste a "verification" string that's actually their seed phrase.
  • SIM swap → SMS 2FA. Already covered in 2FA.

Phishing has gotten more sophisticated with AI: voice-cloned calls from "your bank's fraud department," personalized emails referencing real accounts, fake support numbers in Google ads above the real result.

Example

Three real-world patterns from 2023-2024:

  1. Ledger Connect Kit hack (Dec 2023) — Compromised JS dependency in Ledger's Connect Kit injected wallet-draining code into multiple legitimate dApps for ~2 hours. Users on Sushi, ZapperFi, Revoke.cash signed transactions that looked normal but actually approved a drainer contract. Net theft ~$600k.

  2. Search ad spoofing — Attackers buy Google ads for "phantom wallet" or "metamask" so their fake site appears above the real result. Users download the malicious extension, type their seed phrase to "import their wallet," and lose everything.

  3. NFT airdrop phishing (continuous) — A token owner gets an "airdrop claim" link in their wallet's transaction history (anyone can send tokens to anyone). The click leads to a drainer site. Single click, all assets gone.

Why it matters

Phishing is the #1 self-custody loss vector for retail users — bigger than smart-contract bugs by some estimates. The good news: it's mostly defeatable with disciplined hygiene.

Defensive habits worth building:

  • Type URLs by hand, never click email links. Do this for exchanges, banks, anywhere with funds. Make it a habit. Use bookmarks for repeat visits.
  • Never type a seed phrase anywhere except your wallet's own setup/recovery flow. Real wallets, real exchanges, real services do not ask. Anyone asking is phishing.
  • Verify destination addresses on the hardware wallet's own screen. Compare the first 4 + last 4 characters. Malware can fool the computer; it can't fool the device's own display.
  • Approve token spend permissions cautiously. Use revoke.cash or similar to audit and revoke active approvals every few months. Watch for "infinite approvals" — those let the dApp drain everything if ever compromised.
  • Whitelist withdrawal addresses on exchanges. Coinbase and Kraken let you require a 24-hour delay for new withdrawal destinations. An attacker who got into your account still can't pull funds during the delay window.
  • Bookmark official URLs. ledger.com, metamask.io, app.uniswap.org. Don't reach them via search.
  • Treat unsolicited DMs as hostile. Discord, Telegram, X — real support agents do not DM first.

The pattern recognition: real services patiently let you take your time. Anything urgent, anything threatening account suspension, anything offering free tokens with a deadline — pause, verify, reach the service through a known official channel before doing anything.
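
To make the "infinite approvals" habit concrete, here is an added example (not from the original page and not any wallet's own code) that decodes the raw calldata of a transaction you are asked to sign and flags token approvals by risk. The function name classifyCalldata, the 2^255 "unlimited" threshold, and the sample spender address are assumptions made for this sketch; the selectors are the standard ones for approve, increaseAllowance and setApprovalForAll.

```javascript
// Added example, not from the original page: triage calldata before signing.
// Standard ERC-20 / ERC-721 / ERC-1155 approval function selectors.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};
const MAX_UINT256 = (1n << 256n) - 1n;
// Assumption: any amount at or above 2^255 is treated as effectively unlimited.
const UNLIMITED_THRESHOLD = 1n << 255n;

function classifyCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || !/^[0-9a-f]+$/.test(hex)) {
    return { kind: "invalid", risk: "unknown" };
  }
  const kind = SELECTORS[hex.slice(0, 8)];
  if (!kind) return { kind: "other", risk: "unknown" };
  const args = hex.slice(8);
  // Both arguments are ABI-encoded as 32-byte words (64 hex characters each).
  // An address sits in the low 20 bytes, so the top 12 bytes must be zero.
  if (args.length !== 128 || !args.startsWith("0".repeat(24))) {
    return { kind, risk: "malformed" };
  }
  const spender = "0x" + args.slice(24, 64);
  const value = BigInt("0x" + args.slice(64));
  if (kind.startsWith("setApprovalForAll")) {
    if (value > 1n) return { kind, risk: "malformed" };
    return value === 1n
      ? { kind, spender, risk: "high", reason: "operator may move every token in the collection" }
      : { kind, spender, risk: "low", reason: "removes operator rights" };
  }
  if (value === 0n) {
    return { kind, spender, value, risk: "low", reason: "zero amount grants nothing" };
  }
  if (value >= UNLIMITED_THRESHOLD) {
    return { kind, spender, value, risk: "high", reason: "infinite approval" };
  }
  return { kind, spender, value, risk: "review", reason: "bounded allowance" };
}

// Constructed sample: approve(0x1111...1111, 2^256 - 1); not a real contract.
const SAMPLE_SPENDER = "11".repeat(20);
const SAMPLE_UNLIMITED =
  "0x095ea7b3" + SAMPLE_SPENDER.padStart(64, "0") + MAX_UINT256.toString(16);
console.log(classifyCalldata(SAMPLE_UNLIMITED));
```

A "review" or "high" result is the cue to check the spender address against the dApp's published contract before signing; "other" means the calldata is not one of these three approval calls, not that it is safe.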
