Security · 7 min read · May 8, 2026

How to Spot a Crypto Phishing Attack

Phishing is responsible for the majority of crypto theft. The attacks are getting more convincing. Here's how to recognise them before they cost you everything.

In traditional finance, a phishing attack might steal your credit card number. Your bank notices the fraud and reverses the charge. In crypto, there are no reversals. Once a transaction is on-chain, it's permanent. A successful phishing attack means permanent, total loss — and the attacker is usually anonymous and unreachable.

Phishing is not a niche technical attack. It is responsible for the majority of retail crypto theft. The attacks are increasingly sophisticated, and "just be careful" is not a reliable defence when you don't know what to look for.

Attack type 1: Fake support

You post in a Discord server, tweet about a problem with your wallet, or join a Telegram group. Within minutes, someone messages you privately: "Hi, I'm from the support team. I saw you're having an issue — I can help."

They are not from the support team. They are a scammer who monitors crypto communities for people mentioning problems. Their goal is one of the following:

  • Get your seed phrase ("I need to verify your wallet to fix the issue")
  • Get you to connect your wallet to a malicious site ("Click this link to restore your session")
  • Get you to sign a transaction ("This will fix the sync problem")

Rule: Legitimate support never DMs you first

Real support teams respond in public channels, or through official ticket systems you initiate. If someone contacts you first claiming to be support, treat it as an attack — every time, without exception.

Attack type 2: Lookalike domains

The attacker registers a domain that looks nearly identical to a legitimate project's site. The difference might be one character: uniswop.org instead of uniswap.org. Or a different TLD: opensea.io vs opensea.app. Or a homoglyph — a character that looks identical but is from a different alphabet.

The fake site is a pixel-perfect copy of the real one. When you connect your wallet and try to interact, it triggers a malicious signing request. If you approve it, your assets are gone.

How to protect yourself:

  • Bookmark the official URL for every protocol you use. Access it only from your bookmarks, never from links in messages.
  • Check the full domain carefully before connecting your wallet — not just the beginning of the URL.
  • Look for HTTPS and a valid certificate, but know that phishing sites routinely have valid TLS certificates too: the padlock proves the connection is encrypted, not that the site is the one you meant to visit.
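The bookmark check above can be automated. The following is an added example, not code from the original post or from any wallet: it compares a hostname against a constructed bookmark list (`TRUSTED_DOMAINS` is an assumption standing in for the reader's own bookmarks) and flags the three lookalike patterns described, one-character typos, a different TLD, and homoglyphs (including punycode `xn--` labels).

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed stand-in for the reader's own bookmark list (assumption):
# registrable domains, lower-case, no scheme or path.
TRUSTED_DOMAINS = {"uniswap.org", "opensea.io", "revoke.cash"}

# A few Cyrillic/Greek letters that render like Latin ones (deliberately not exhaustive).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u03bf": "o", "\u0455": "s",
})

def registrable(host: str) -> str:
    """Crude 'name.tld' extraction: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def fold(host: str) -> str:
    """Decode punycode (xn--) labels, then fold compatibility forms and known
    homoglyphs so a disguised name collapses onto its Latin twin."""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or malformed punycode: compare as given
    return unicodedata.normalize("NFKC", host).translate(CONFUSABLES).lower()

def check_host(host: str) -> dict:
    """Verdict for a hostname the user is about to connect a wallet to:
    'trusted' (bookmarked), 'lookalike' (resembles a bookmark) or 'unknown'."""
    raw = registrable(host)
    if raw in TRUSTED_DOMAINS:
        return {"verdict": "trusted", "reason": "matches a bookmark"}
    folded = registrable(fold(host))
    if folded in TRUSTED_DOMAINS:
        return {"verdict": "lookalike", "reason": f"homoglyph of {folded}"}
    name = folded.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_name = trusted.split(".")[0]
        if name == t_name:
            return {"verdict": "lookalike", "reason": f"same name as {trusted}, different TLD"}
        if SequenceMatcher(None, name, t_name).ratio() >= 0.8:
            return {"verdict": "lookalike", "reason": f"near-miss spelling of {trusted}"}
    return {"verdict": "unknown", "reason": "not bookmarked; verify before connecting"}
```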

Attack type 3: Fake airdrops and free mints

You receive an airdrop of tokens you don't recognise. Their names often contain URLs or instructions: "ClaimYourReward.io", "Visit-To-Claim.com". When you go to the site and connect your wallet to "claim" the tokens, you're prompted to approve a transaction that actually grants the attacker permission to drain your wallet.

Similarly, "free mint" opportunities — especially during hyped launch periods — often direct users to malicious contracts. The site looks like a real mint page, but the transaction it asks you to sign calls setApprovalForAll or a similar drainer function instead of minting anything.

The defence: treat unsolicited tokens as potential attack vectors, not free money. Ignore URLs embedded in token names entirely.
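What a "claim" transaction actually does is visible in its calldata. The following is an added example, not code from the original post or from any wallet: it decodes the approval calls drainer pages rely on and refuses anything it cannot describe, which is the same principle behind blocking blind signing. The function selectors are the well-known first four bytes of keccak256 of each signature, hard-coded because the standard library has no keccak256; all sample calldata is constructed.

```python
SELECTORS = {
    "095ea7b3": ("approve(address,uint256)", "erc20_approve"),
    "a22cb465": ("setApprovalForAll(address,bool)", "nft_approve_all"),
    "a9059cbb": ("transfer(address,uint256)", "erc20_transfer"),
}
UINT256_MAX = 2**256 - 1

def decode_call(data_hex: str) -> dict:
    """Classify raw calldata: returns kind, risk ('low'/'medium'/'high'), the
    counterparty address and a plain-English description. Anything that cannot
    be described is treated as blind signing and rated high risk."""
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(data) < 4 + 64:  # selector plus two 32-byte ABI words
        return {"kind": "unknown", "risk": "high", "text": "calldata too short to describe"}
    sel = data[:4].hex()
    if sel not in SELECTORS:
        return {"kind": "unknown", "risk": "high",
                "text": f"unrecognised selector 0x{sel}: cannot be described, refuse to sign"}
    _sig, kind = SELECTORS[sel]
    # ABI encoding: each argument occupies a 32-byte word; an address is right-aligned.
    target = "0x" + data[4 + 12:4 + 32].hex()
    value = int.from_bytes(data[4 + 32:4 + 64], "big")
    if kind == "nft_approve_all":
        if value == 1:
            return {"kind": kind, "risk": "high", "target": target,
                    "text": f"grants {target} control of EVERY token in this collection"}
        return {"kind": kind, "risk": "low", "target": target,
                "text": f"revokes operator {target}"}
    if kind == "erc20_approve":
        if value == UINT256_MAX:
            return {"kind": kind, "risk": "high", "target": target,
                    "text": f"unlimited token allowance for {target}"}
        if value == 0:
            return {"kind": kind, "risk": "low", "target": target,
                    "text": f"revokes allowance of {target}"}
        return {"kind": kind, "risk": "medium", "target": target,
                "text": f"allowance of {value} base units for {target}"}
    return {"kind": kind, "risk": "low", "target": target,
            "text": f"transfer of {value} base units to {target}"}

def should_sign(data_hex: str) -> bool:
    """Wallet policy: never sign high-risk or undescribable calls without review."""
    return decode_call(data_hex)["risk"] != "high"

if __name__ == "__main__":
    # Constructed drainer-style request: setApprovalForAll(attacker, true)
    attacker = "ab" * 20
    print(decode_call("0xa22cb465" + "00" * 12 + attacker + "00" * 31 + "01")["text"])
```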

Attack type 4: Compromised accounts and official-looking announcements

Attackers sometimes compromise the social media accounts of real projects — their Twitter, Discord, or Instagram. They post from the real account, with the real project's branding, announcing a limited-time free mint or an exclusive airdrop. The link goes to a drainer.

This is particularly dangerous because you can verify the account is real and still get phished. Warning signs:

  • Urgency: "Only 2 hours left to claim"
  • Surprise: No prior announcement of this event
  • The link is slightly different from the project's known domain
  • The announcement encourages connecting your wallet immediately

Attack type 5: Address poisoning

You look up a recent transaction in your history and copy the recipient address to use again. The address looks right — same first four characters, same last four. But it's different in the middle.

This attack works by sending tiny transactions from addresses that closely mimic addresses you've previously sent to. When you're in a hurry and copy from your history instead of from a verified source, you paste the attacker's address.

Always verify the full address before sending — not just a few characters at each end. For large amounts, send a small test transaction first and confirm it arrives before sending the rest.
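The "same first four, same last four" check is exactly what a poisoned entry is built to pass. The following is an added example, not code from the original post or from any wallet: it audits a constructed transaction history against a constructed address book, flags counterparties that match a known address only at the ends, and gates the "copy from history" action. The address book, history entries and hashes are all assumptions made for illustration.

```python
import re

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

def norm(addr: str) -> str:
    """Validate the shape of a 20-byte hex address and lower-case it. A real wallet
    would also verify the EIP-55 mixed-case checksum (needs keccak256, not in stdlib)."""
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()

def looks_alike(candidate: str, known: str, head: int = 4, tail: int = 4) -> bool:
    """True when candidate shares the first `head` and last `tail` hex digits of
    `known` but is a different address: precisely what a glance at the ends misses."""
    c, k = norm(candidate), norm(known)
    return c != k and c[2:2 + head] == k[2:2 + head] and c[-tail:] == k[-tail:]

def audit_history(history: list, address_book: set) -> list:
    """Flag history entries whose counterparty mimics an address-book entry.
    Poisoning entries are typically inbound, unsolicited and near-zero value."""
    findings = []
    for tx in history:
        for known in address_book:
            if looks_alike(tx["counterparty"], known):
                findings.append({
                    "tx": tx["hash"], "address": norm(tx["counterparty"]), "mimics": norm(known),
                    "dust_inbound": tx["direction"] == "in" and tx["value_wei"] < 10**12,
                })
    return findings

def safe_to_copy(addr: str, address_book: set) -> tuple:
    """Gate for 'copy recipient from history': 'match' (exact address-book entry),
    'lookalike' (ends match a known address, middle differs) or 'unverified'."""
    a = norm(addr)
    if a in {norm(k) for k in address_book}:
        return "match", "exact match with address book"
    for known in address_book:
        if looks_alike(a, known):
            return "lookalike", f"differs from {norm(known)} only in the middle: possible poisoning"
    return "unverified", "not in address book; verify the full address with the recipient"

# Constructed sample data: one trusted recipient and a dust transfer from a mimic.
ADDRESS_BOOK = {"0x1111" + "2" * 32 + "aaaa"}
HISTORY = [
    {"hash": "tx-1", "direction": "out", "counterparty": "0x1111" + "2" * 32 + "aaaa", "value_wei": 10**18},
    {"hash": "tx-2", "direction": "in", "counterparty": "0x1111" + "3" * 32 + "aaaa", "value_wei": 0},
]
```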

The red flags checklist

  • 🚩 Someone messaged you first, claiming to be support
  • 🚩 There's time pressure ("only 30 minutes left")
  • 🚩 You're being asked for your seed phrase
  • 🚩 The domain is slightly different from the one you normally use
  • 🚩 The transaction description is vague, hex-only, or missing
  • 🚩 You found the opportunity in a DM, not announced publicly by the official project
  • 🚩 The opportunity is too good — free money, exclusive access, a reward you didn't earn

How Heldby reduces your attack surface

No wallet can protect you from clicking a malicious link. But Heldby removes the most damaging attack vector entirely: blind signing is blocked. If a phishing site gets you to connect your wallet and triggers a drainer transaction, Heldby will refuse to sign it — because the transaction cannot be described in plain English.

Additionally:

  • Every recipient address is checked against community threat feeds (Forta, CryptoScamDB) before the send screen appears.
  • The wallet opens read-only by default — no accidental approvals while browsing.
  • Contract interactions have a mandatory 10-second delay — enough time to actually read what you're signing.

These protections don't make you invincible. But they mean that even if you land on a phishing site, the most common attack mechanisms are neutralised before you have to make a perfect decision under pressure.

If you think you've been phished

  1. Don't send more transactions. Additional transactions may make things worse.
  2. Revoke approvals immediately at revoke.cash. If you approved a contract, revoke it before it's used.
  3. Move remaining assets to a new wallet. If the attacker has your approval but hasn't drained yet, moving assets out may save them.
  4. Do not try to "fix" it by connecting your wallet to another site that promises to reverse the transaction. Reversal is impossible; this is a second phishing attempt.
