Stop Web3 phishing before you sign
Independent defensive guide to social engineering and wallet-draining scams in Web3.
TL;DR. Most Web3 theft is consent-based: you are tricked into signing an approval or message that hands assets to an attacker. Decode every signature, prefer exact-amount approvals, revoke unused allowances, and never enter a seed phrase online.
Attack vectors
- Approval phishing (ice phishing): You sign an ERC-20/721 approval or a Permit2 message granting spending rights, then your assets are drained. Defense: exact-amount approvals; revoke unused allowances.
- Address poisoning: Lookalike or zero-value transfers seed a similar-looking address into your transaction history, hoping you copy it later. Defense: verify the full address, not just its first and last characters; use an address book.
- Seed-phrase phishing: Fake sites, support agents or pop-ups request your recovery phrase. Defense: never type a seed phrase online; legitimate services never ask for it.
- Malicious signature requests: Blind-signing an eth_sign request or crafted typed data (Permit, Permit2, Seaport) authorizes transfers without an obvious spend. Defense: sign only messages you have decoded and understood.
- Fake airdrop / wallet drainer: Spoofed claim or mint pages route clicks into drainer contracts. Defense: open dApps via bookmarks; simulate transactions; distrust unsolicited claims.
- Impersonation & fake support: Attackers pose as team members or support on Discord/Telegram/X and DM you. Defense: teams never DM first or ask for a seed phrase.
Protect your wallet
- Store the recovery phrase offline; never type it into any website.
- Keep high-value assets in a hardware wallet.
- Reach dApps via bookmarks; avoid search ads and DM links.
- Decode and simulate every signature and transaction before approving.
- Periodically revoke unused token approvals.
- Verify identities; teams never DM first.
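As an added example, not part of this guide, the following routine applies the decode-before-signing rule to the request a dApp hands the wallet: it refuses eth_sign outright and, for EIP-712 Permit (EIP-2612) and Permit2 typed data, flags a spender you have not chosen to trust, an unlimited amount and a long expiry. The JSON-RPC request shape, the allowlist argument and the sample drainer request are assumptions constructed for the example.

```javascript
// Added example, not code from the guide: triage a wallet signature request
// before signing. Assumed input: the JSON-RPC request a dApp sends the wallet
// ({method, params}); typed data follows EIP-712 as used by Permit and Permit2.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 amounts are uint160
const ONE_YEAR = 365n * 24n * 3600n;
// EIP-712 primary types that grant spending rights without an on-chain tx.
const SPEND_TYPES = new Set(["Permit", "PermitSingle", "PermitBatch"]);

// Returns human-readable findings; an empty array means nothing was flagged.
function triageSignatureRequest(request, trustedSpenders, nowSec) {
  const findings = [];
  if (request.method === "eth_sign") {
    // A raw 32-byte hash cannot be decoded: blind signing by definition.
    findings.push("eth_sign: blind signature of an opaque hash, refuse");
    return findings;
  }
  if (!String(request.method).startsWith("eth_signTypedData")) return findings;
  const typed = JSON.parse(request.params[1]); // params[0] is the signer
  if (!SPEND_TYPES.has(typed.primaryType)) return findings;
  const msg = typed.message;
  findings.push(`${typed.primaryType}: this signature authorizes a token spend`);
  if (!trustedSpenders.has(String(msg.spender).toLowerCase())) {
    findings.push(`spender ${msg.spender} is not a contract you chose to trust`);
  }
  // Normalize EIP-2612 {value, deadline} and Permit2 {details:{amount, expiration}}.
  const grants = typed.primaryType === "Permit"
    ? [{ amount: msg.value, expiration: msg.deadline }]
    : [].concat(msg.details);
  for (const g of grants) {
    const amount = BigInt(g.amount);
    if (amount === MAX_UINT256 || amount === MAX_UINT160) {
      findings.push("unlimited allowance requested; prefer an exact amount");
    }
    if (BigInt(g.expiration) - BigInt(nowSec) > ONE_YEAR) {
      findings.push("allowance stays valid for more than a year");
    }
  }
  return findings;
}

// Constructed sample: a Permit2 PermitSingle as a fake "claim" page might present it.
const SAMPLE_REQUEST = { method: "eth_signTypedData_v4", params: [
  "0x1111111111111111111111111111111111111111", JSON.stringify({
    primaryType: "PermitSingle", domain: { name: "Permit2", chainId: 1 },
    message: { spender: "0xBAD0000000000000000000000000000000000BAD", sigDeadline: "1900000000",
      details: { token: "0x2222222222222222222222222222222222222222",
        amount: MAX_UINT160.toString(), expiration: "281474976710655", nonce: "0" } } })] };
console.log(triageSignatureRequest(SAMPLE_REQUEST, new Set(), 1700000000));
```

A wallet or browser extension would show these findings next to the decoded fields; a bare "Sign" prompt with none of this context is exactly what the drainer relies on.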
FAQ
How do I revoke a malicious token approval?
Use a reputable approvals manager or your wallet's approvals view to set the allowance to zero for the suspicious contract.
Is signing a message always safe?
No. Signatures such as Permit and Permit2 can authorize asset transfers. Only sign messages you can fully decode and understand.
What if I already signed a drainer?
Immediately revoke approvals, move remaining assets to a fresh wallet, and stop using the compromised key.