OKX Web3 On-Chain Anti-Phishing Security Trading Guide

Apr 24, 2024

Author: OKX Web3

As we enter a new cycle, the risks of on-chain interactions are becoming increasingly exposed with the rise in user activity. Phishers typically use methods such as creating counterfeit wallet websites, stealing social media accounts, creating malicious browser extensions, sending phishing emails and messages, and publishing fake applications to lure users into disclosing sensitive information, leading to asset losses. Phishing activities exhibit characteristics of diversity, complexity, and stealthiness.

For example, phishers often create counterfeit websites that resemble legitimate wallet platforms, enticing users to input their private keys or mnemonic phrases. These counterfeit websites are usually promoted through social media, emails, or advertisements, misleading users into believing they are accessing legitimate wallet services, thereby stealing their assets. Additionally, phishers may impersonate wallet customer support or community administrators, sending users fake messages requesting wallet information or private keys, exploiting users’ trust in official channels to elicit private information and more.

In summary, these cases highlight the threat of phishing to Web3 wallet users. To help users enhance their awareness of Web3 wallet security and protect their assets from losses, OKX Web3 has conducted in-depth community research and collected numerous phishing incidents encountered by Web3 wallet users. This has resulted in the identification of the four most common phishing scenarios faced by users. Through detailed case studies in different scenarios, using a combination of visuals and text, we have compiled the latest guide on how Web3 users can conduct secure transactions for everyone to study and reference.

Malicious Information Sources

1. Popular Project Twitter Replies

Replying through popular project Twitter accounts is one of the primary methods for spreading malicious information. Phishing Twitter accounts can replicate logos, names, verification marks, etc., to be identical to official accounts, even with follower counts in the tens of thousands. The only distinguishing factor is the Twitter handle (pay attention to similar characters), so users must stay vigilant.

Additionally, fake accounts often deliberately reply to official tweets, but their replies contain phishing links, easily tricking users into thinking they are official links, leading to deception. Currently, some official accounts include “End of Tweet” messages in their tweets, warning users about the risk of phishing links in subsequent replies.

2. Stealing Official Twitter/Discord Accounts

To enhance credibility, phishers may steal project or Key Opinion Leader (KOL) official Twitter/Discord accounts to post phishing links under official names. Many users easily fall victim to this. For example, Vitalik’s Twitter account and the official Twitter account of the TON project have been compromised, allowing phishers to publish false information or phishing links.

3. Google Search Ads

Phishers sometimes use Google Search Ads to publish malicious links. Users may perceive these links as official domain names based on their browser displays, but clicking them redirects to phishing links.

4. Fake Apps

Phishers also lure users through fake apps. For instance, downloading and installing a fake wallet released by a phisher can lead to private key leaks and asset losses. Phishers have modified Telegram installation packages, altering the on-chain addresses for receiving and sending tokens, resulting in user asset losses.

5. Countermeasures: OKX Web3 Wallet Supports Phishing Link Detection and Risk Alerts

Currently, the OKX Web3 wallet supports phishing link detection and risk alerts to help users better address these issues. For instance, when users use the OKX Web3 plugin wallet to access websites via browsers, if the domain is a known malicious one, users receive immediate warning alerts. Additionally, when users use the OKX Web3 APP to access third-party DApps in the Discover interface, the OKX Web3 wallet automatically conducts risk detection on domains. If it’s a malicious domain, users are alerted and prevented from accessing it.

Secure Wallet Private Keys

1. Project Interaction or Qualification Verification

Phishers often disguise themselves as plugin wallet pop-up pages or any other webpage when users interact with projects or undergo qualification verification, asking users to fill in their mnemonic phrases/private keys. These are generally malicious websites, and users should be cautious.

2. Impersonating Project Customer Support or Administrators

Phishers frequently impersonate project customer support or Discord administrators, providing website links for users to input mnemonic phrases or private keys. In such cases, the other party is a phisher.

3. Other Paths for Mnemonic Phrases/Private Key Leaks

Mnemonic phrases and private keys can leak in many ways. Common ones include: computers infected with Trojan horse malware; computers running fingerprint browsers for mining purposes; computers using remote control or proxy tools; screenshots of mnemonic phrases/private keys saved in photo albums and then uploaded by malicious apps; cloud backups on a platform that later gets hacked; monitoring while mnemonic phrases/private keys are being typed; people nearby gaining physical access to mnemonic phrase/private key files or paper; and developers pushing code containing private keys to platforms like GitHub.

In conclusion, users need to securely store and use mnemonic phrases/private keys to better protect wallet assets. For example, as a decentralized self-custodial wallet, the OKX Web3 wallet offers various backup methods for mnemonic phrases/private keys, including iCloud/Google Drive cloud, manual, hardware, etc., making it one of the wallets with comprehensive private key backup methods on the market, providing users with a relatively secure private key storage method. Regarding private key theft issues, the OKX Web3 wallet supports popular hardware wallets such as Ledger, Keystone, Onekey, etc., providing users with comprehensive hardware wallet functions. The private keys of hardware wallets are stored in the hardware wallet device, controlled by users themselves, ensuring asset security. In addition, the OKX Web3 wallet has now launched MPC non-private key wallets and AA smart contract wallets, further simplifying private key issues for users.

Four Classic Phishing Scenarios

Scenario 1: Stealing Mainnet Tokens

Phishers often give malicious contract functions suggestive names such as “Claim” or “SecurityUpdate,” but the actual function logic is empty and only transfers users’ mainnet tokens. Currently, the OKX Web3 wallet has introduced transaction pre-execution functionality, which displays the asset and authorization changes the transaction would cause once it is on-chain, further reminding users to stay safe. Additionally, if the interacting contract or authorization address is a known malicious one, it triggers a red safety warning.

Scenario 2: Similar Address Transfers

When phishers observe large transfers, they generate receiving addresses with the same initial digits as the target address, then use “transferFrom” for zero-amount transfers or fake USDT for transfers of specific amounts, polluting users’ transaction history. They hope users will copy the incorrect address from their transaction history for a subsequent transfer, completing the fraud.
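A defensive check for the history pollution described above, as an added example that is not OKX code. It also compares trailing characters, which goes beyond the leading-digit match the text mentions; every address, hash and token contract below is a constructed placeholder, and the function names are hypothetical.

```python
# Added example: screen recipients and transfer history for look-alike addresses.
# All addresses, hashes and token contracts are constructed sample values.
import os

TRUSTED = {"exchange deposit": "0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d"}
LOOKALIKE = "0x1a2b3c4d" + "0" * 28 + "3c4d"  # same first 8 and last 4 hex chars
REAL_USDT = "0x" + "aa" * 20                  # placeholder for the genuine token contract
FAKE_USDT = "0x" + "bb" * 20                  # placeholder for a counterfeit token

def _norm(addr):
    addr = addr.lower()
    return addr[2:] if addr.startswith("0x") else addr

def shared_edges(a, b):
    """Count matching leading and trailing hex characters of two addresses."""
    a, b = _norm(a), _norm(b)
    return (len(os.path.commonprefix([a, b])),
            len(os.path.commonprefix([a[::-1], b[::-1]])))

def check_recipient(candidate, trusted=TRUSTED, min_edge=4):
    """Return ('match' | 'lookalike' | 'unknown', label) for a pasted recipient."""
    for label, addr in trusted.items():
        if _norm(addr) == _norm(candidate):
            return "match", label
    for label, addr in trusted.items():
        if max(shared_edges(candidate, addr)) >= min_edge:
            return "lookalike", label  # near miss of a trusted address
    return "unknown", None

def flag_history(history, trusted=TRUSTED, real_tokens=(REAL_USDT,)):
    """List (tx hash, reasons) for entries whose address should not be copied."""
    flagged = []
    for tx in history:
        reasons = []
        if check_recipient(tx["to"], trusted)[0] == "lookalike":
            reasons.append("lookalike-address")
        if tx["value"] == 0:
            reasons.append("zero-value")
        if _norm(tx["token"]) not in {_norm(t) for t in real_tokens}:
            reasons.append("unrecognized-token")
        if reasons:
            flagged.append((tx["hash"], reasons))
    return flagged

HISTORY = [  # constructed history: one genuine transfer, two poisoning entries
    {"hash": "tx1", "to": TRUSTED["exchange deposit"], "value": 5000, "token": REAL_USDT},
    {"hash": "tx2", "to": LOOKALIKE, "value": 0, "token": REAL_USDT},
    {"hash": "tx3", "to": LOOKALIKE, "value": 5000, "token": FAKE_USDT},
]
```
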

Scenario 3: On-Chain Authorizations

Phishers often induce users to sign “approve/increaseAllowance/decreaseAllowance/setApprovalForAll” transactions, or upgrade using “Create2” to generate pre-calculated new addresses, bypassing security checks and deceiving users into authorizing related actions. The OKX Web3 wallet provides security reminders for authorization transactions, warning users about the risks involved. Moreover, if the authorized address for a transaction is a known malicious one, it displays a red warning message to prevent users from being deceived.
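One way to surface what an authorization transaction grants before it is signed, as an added example that is not OKX's implementation. The denylist, the sample addresses and the function names are constructed or hypothetical; the four selectors are the standard ones for the calls named above.

```python
# Added example: decode the four authorization calls named above before signing.
SELECTORS = {  # first 4 bytes of keccak256 of the function signature
    "095ea7b3": "approve",            # approve(address,uint256)
    "39509351": "increaseAllowance",  # increaseAllowance(address,uint256)
    "a457c2d7": "decreaseAllowance",  # decreaseAllowance(address,uint256)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address,bool)
}
MAX_UINT256 = 2**256 - 1
BAD_SPENDER = "0x" + "de" * 20    # constructed stand-in for a denylisted address
OTHER_SPENDER = "0x" + "12" * 20  # constructed, not denylisted
DENYLIST = {BAD_SPENDER}          # hypothetical local threat-intel set

def encode_call(selector, address, value):
    """Build sample calldata: selector plus two 32-byte ABI words."""
    return "0x" + selector + address[2:].rjust(64, "0") + format(value, "064x")

def review_authorization(calldata, denylist=DENYLIST):
    """Return None for other calls, else the parsed grant with warnings."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    name = SELECTORS.get(data[:8])
    if name is None:
        return None
    if len(data) != 8 + 128:
        raise ValueError("unexpected argument length for " + name)
    if int(data[8:32], 16) != 0:
        raise ValueError("address word has non-zero padding")
    who, value = "0x" + data[32:72], int(data[72:136], 16)
    warnings = []
    if who in {a.lower() for a in denylist}:
        warnings.append("known-malicious-address")
    if name in ("approve", "increaseAllowance") and value == MAX_UINT256:
        warnings.append("unlimited-allowance")
    if name == "setApprovalForAll" and value == 1:
        warnings.append("operator-for-entire-collection")
    return {"function": name, "authorized": who, "value": value,
            "warnings": warnings}
```
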

Scenario 4: Off-Chain Signatures

In addition to on-chain authorizations, phishers also conduct phishing by inducing off-chain signatures. For example, ERC-20 token authorizations allow users to authorize another address or contract to spend a certain amount. The authorized address can then transfer assets using “transferFrom,” which phishers exploit for scams. Currently, the OKX Web3 wallet is developing risk warning functions for such scenarios. When users sign off-chain signatures, if the parsed authorization address matches a known malicious address, users receive a risk warning.

Other Phishing Scenarios

Scenario 5: TRON Account Permissions

This scenario is relatively abstract: phishers control users’ assets by obtaining TRON account permissions. TRON account permissions are similar to those of EOS. They are divided into Owner and Active permissions, with options for multi-signature forms of control. For example, the Owner threshold can be set to 2 with two addresses having weights of 1 and 2 respectively; the first address is the user’s, and with a weight of 1 it cannot operate the account independently.
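The threshold and weight arithmetic above, as an added example that audits an account's permissions for this kind of lockout. It is not code from the original article; the field names are assumed to follow the account JSON returned by a TRON full node, and the addresses are constructed placeholders.

```python
# Added example: detect when a TRON account's owner can no longer act alone.
# Field names (owner_permission, active_permissions, keys, weight, threshold)
# are an assumption about the node's account JSON; addresses are placeholders.
USER = "T_USER_ADDRESS_PLACEHOLDER"
OTHER = "T_UNKNOWN_ADDRESS_PLACEHOLDER"

def audit_account(account, user_address):
    """Return (permission name, finding) pairs for every risky permission."""
    findings = []
    perms = [account["owner_permission"]] + account.get("active_permissions", [])
    for perm in perms:
        weights = {k["address"]: k["weight"] for k in perm["keys"]}
        user_weight = weights.get(user_address, 0)
        others = sum(w for a, w in weights.items() if a != user_address)
        if user_weight < perm["threshold"]:
            # The user's signature alone never reaches the threshold.
            findings.append((perm["permission_name"], "user-cannot-sign-alone"))
        if others >= perm["threshold"]:
            # Keys the user does not hold can authorize operations by themselves.
            findings.append((perm["permission_name"], "others-can-sign-without-user"))
    return findings

# The case from the text: Owner threshold 2, user weight 1, second address weight 2.
HIJACKED = {
    "owner_permission": {"permission_name": "owner", "threshold": 2, "keys": [
        {"address": USER, "weight": 1}, {"address": OTHER, "weight": 2}]},
    "active_permissions": [{"permission_name": "active", "threshold": 1, "keys": [
        {"address": USER, "weight": 1}]}],
}
# A single-key account with only the user's key in both permissions.
HEALTHY = {
    "owner_permission": {"permission_name": "owner", "threshold": 1, "keys": [
        {"address": USER, "weight": 1}]},
    "active_permissions": [{"permission_name": "active", "threshold": 1, "keys": [
        {"address": USER, "weight": 1}]}],
}
```
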

Scenario 6: Solana Token and Account Permissions

Phishers modify the ownership of Solana tokens and accounts through “SetAuthority,” transferring tokens to a new owner address. Once users fall for this, assets are transferred to the phisher. Additionally, if users sign “Assign” transactions, their regular account’s Owner is changed from System Program to a malicious contract.

Scenario 7: EigenLayer’s queueWithdrawal Invocation

EigenLayer is a middleware protocol based on Ethereum, and due to design mechanisms and other issues it can also be exploited by phishers. Its “queueWithdrawal” invocation allows specifying another address as the withdrawer; when users sign this transaction, the specified address can obtain the user’s staked assets after seven days.

Colin Wu, Chinese journalist, won 2013 China News Award