The average crypto user has probably received at least three phishing attempts in the past year — they just don’t recognize them yet. I spent three years working in blockchain security, and what I learned is this: phishing isn’t a technical problem you solve with better software. It’s a psychological problem that requires you to understand how attackers think. Most security guides tell you what to do without explaining why attackers use certain techniques. This guide does the opposite. I’m going to show you exactly how these attacks work, walk through real examples from 2023-2024, and give you a detection framework that actually holds up against sophisticated threats.
What Is Crypto Phishing and Why Attackers Target Crypto
Crypto phishing is a social engineering attack where fraudsters trick you into revealing private keys, seed phrases, login credentials, or approving malicious blockchain transactions. Unlike traditional banking fraud, crypto transactions are irreversible by design. When someone drains your wallet, there’s no bank customer service line to call, no chargeback mechanism, no fraud department that can reverse the transfer.
The attackers target crypto for three reasons that most security articles gloss over:
First, the anonymity of blockchain makes recovery nearly impossible. Once funds leave your wallet and cascade through mixers or cross-chain bridges, tracking them requires resources that most individuals simply don’t have.
Second, crypto users tend to be early adopters — people who own multiple wallets, interact with dozens of DeFi protocols, and maintain active accounts across Discord, Telegram, and Twitter. This expanded attack surface creates more opportunities for social engineering than traditional banking.
Third, and this is the part nobody talks about, crypto culture actively discourages basic security practices. The community celebrates self-custody and hardware wallets while simultaneously sharing seed phrases in screenshots, discussing portfolio balances publicly, and clicking links in project announcements without verification. Attackers know this. They exploit the culture of trust that makes crypto function.
Common Types of Crypto Phishing Attacks
The attack types below represent the threat landscape as of early 2025. I’ve ordered them by prevalence, starting with what you’ll encounter most frequently.
Email Phishing
Email phishing remains the dominant attack vector because it scales effortlessly. Attackers impersonate exchanges, wallet providers, or DeFi protocols with increasingly convincing templates. The typical execution includes urgent language about account security, fake login pages hosted on typosquatted domains, or malicious attachments disguised as tax documents or wallet software updates.
What makes modern email phishing dangerous is its specificity. Attackers pull data from previous data breaches to personalize emails. If your email appeared in the Ledger database leak from 2020, you might receive an email that references your specific hardware wallet model and asks you to “verify your device.” The 2024 campaign targeting Ledger users reportedly netted attackers over $1 million in crypto before being shut down.
Fake Websites and Domain Spoofing
Typosquatting — registering domains that closely resemble legitimate ones — has evolved into something worse. Attackers now register internationalized domain names, encoded in punycode, whose look-alike characters from other alphabets make them appear identical to trusted sites in most browsers. A fake “uniswap.org” might render identically to the real name in the address bar yet be a different domain entirely.
The more sophisticated version involves compromising legitimate infrastructure. In late 2023, attackers managed to hijack the DNS for a popular DeFi aggregator, redirecting users to a clone site for approximately six hours. During that window, anyone who connected their wallet had their assets drained. This wasn’t a phishing email — it was a direct attack on the infrastructure itself.
Social Media Phishing
Crypto lives on social media, and attackers have colonized every major platform. You’ll encounter fake project accounts that reply to legitimate announcements, impersonating the real team with slightly different handles. They’ll post fake airdrop links, promotional codes, or “official” giveaways that require connecting your wallet.
Twitter/X remains the highest-risk platform because of how quickly fake accounts can gain credibility through reply chains and retweets. The “address poisoning” technique also emerged here — attackers send tiny amounts of crypto to your wallet from an address that looks remarkably similar to one you’ve used before, hoping you’ll copy that address from your transaction history when sending funds later.
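Address poisoning works because wallets and explorers usually show only the first and last few characters of an address. The sketch below is an added example, not code from any wallet. It flags dust transfers whose sender imitates a contact and checks a pasted destination in full. The addresses, the history and the 0.01 dust threshold are constructed assumptions, and Ethereum-style hex addresses are assumed.

```python
from collections import namedtuple

Transfer = namedtuple("Transfer", "sender recipient amount")  # amount in token units

# Constructed addresses for illustration (Ethereum-style hex assumed).
ME = "0x" + "11" * 20
CONTACT = "0xa1b2" + "5" * 32 + "c3d4"   # a counterparty I really pay
FAKE = "0xa1b2" + "e" * 32 + "c3d4"      # same first and last 4 characters

# Constructed history: one real payment, one poisoning dust transfer.
HISTORY = [Transfer(ME, CONTACT, 250.0), Transfer(FAKE, ME, 0.0001)]


def short(addr, n=4):
    """The truncated form many wallet UIs show, e.g. 0xa1b2...c3d4."""
    return (addr[:2 + n] + "..." + addr[-n:]).lower()


def mimics(addr, contact, n=4):
    """True for a different address that is identical once truncated."""
    return addr.lower() != contact.lower() and short(addr, n) == short(contact, n)


def poisoned_entries(history, me, contacts, dust=0.01):
    """Incoming dust transfers whose sender imitates one of my contacts."""
    return [(t.sender, c) for t in history for c in contacts
            if t.recipient.lower() == me.lower() and t.amount <= dust
            and mimics(t.sender, c)]


def verify_destination(addr, contacts):
    """Compare the full string before sending, never just the visible ends."""
    if any(addr.lower() == c.lower() for c in contacts):
        return "match"
    if any(mimics(addr, c) for c in contacts):
        return "look-alike"
    return "new"
```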
SMS Phishing (Smishing)
Smishing attacks target phone numbers associated with crypto accounts. Attackers send text messages claiming to be from exchanges, warning of suspicious activity or requiring “account verification.” The link leads to a fake login page designed to harvest credentials.
The 2024 Twilio breach exposed how attackers obtain phone number data at scale. Crypto-focused SMS campaigns have become increasingly common, with some targeting specific exchange users based on stolen customer databases.
SIM Swapping
SIM swapping represents the attack that most users underestimate until it happens to them. Attackers convince your mobile carrier to transfer your phone number to a SIM card they control, typically through social engineering of carrier employees or by purchasing insider access on dark web forums.
Once they have your number, they can intercept 2FA codes sent via SMS, reset passwords, and drain accounts. The 2022 attack on crypto influencer “Bitmama” resulted in $1.2 million stolen through SIM swapping, and similar incidents have continued through 2024.
Ice Phishing
Ice phishing is a newer technique that specifically targets Web3 permissions rather than private keys. Attackers trick users into signing transactions that grant token allowances to malicious contracts. Unlike a private key compromise, which immediately drains your wallet, ice phishing can go unnoticed for weeks as attackers slowly drain approved tokens.
The victim signs what appears to be a legitimate transaction — perhaps a token swap or staking deposit — but the underlying contract contains hidden functionality that drains approved tokens over time. This technique is particularly insidious because it doesn’t require stealing anything. You’re giving permission willingly, just to the wrong party.
Real Examples of Crypto Phishing Attacks
Understanding attack mechanics matters less than recognizing how they appear in the wild. Here are documented incidents from the past two years:
The “Metamask Support” campaign ran throughout 2023 and into early 2024. Attackers created Twitter accounts with verified checkmarks (purchased through various means) that replied to users posting support questions. They offered “official help” and directed users to a fake support portal that harvested seed phrases. The campaign was particularly effective because it targeted users who were actively seeking help — people already in a vulnerable, confused state.
The “Uniswap V4” pre-launch scam emerged in mid-2024, before Uniswap V4 was even deployed. Attackers created fake websites, documentation, and social media accounts claiming users could “earn V4 tokens” by connecting wallets. Approximately $2.3 million was stolen before the scam was widely reported.
The “Drainer” kits sold on Telegram represent an industrialization of phishing. These are commercially available phishing packages that include fake exchange interfaces, wallet connection prompts, and automatic fund extraction. Non-technical criminals purchase these kits and launch their own campaigns. In 2024, security researchers identified over 400 active drainer operations, many of which target specific demographics or regions.
Warning Signs of Crypto Phishing
Recognizing phishing requires knowing what legitimate communications look like. Here are the indicators that should trigger immediate skepticism:
Urgency or threats — Legitimate services rarely demand immediate action through unsolicited communications. “Your account will be suspended in 24 hours” is almost always phishing.
Requests for seed phrases — No legitimate service, exchange, or support team will ever ask for your seed phrase. Not via email. Not via social media. Not via any channel.
Slightly incorrect URLs — Check domains character by character. Watch for letter swaps (rn instead of m), extra characters (coinbaese instead of coinbase), or different TLDs (.xyz instead of .com).
Unsolicited airdrops — If you receive tokens you didn’t claim, don’t interact with them. “Dust” attacks send tiny token amounts to thousands of wallets; interacting with them can grant approval permissions that drain your holdings.
Poor grammar and formatting — Professional companies proofread their communications. Multiple errors indicate phishing, though some sophisticated campaigns have eliminated this tell.
Requests to disable security features — Anyone telling you to turn off 2FA, disable alerts, or whitelist an address for “easier” transactions is attempting to remove your protections.
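Checking a domain character by character is easier to do reliably in code. The checker below is an added example, not taken from any exchange or wallet. It covers the tells listed above (letter swaps such as rn for m, extra characters, a different TLD) and the punycode look-alikes described under Fake Websites. The trusted list, the confusable pairs and the edit-distance threshold of 2 are assumptions to adjust.

```python
import unicodedata

# Assumption: the domains you actually use (your bookmarks); constructed list.
TRUSTED = ("coinbase.com", "uniswap.org", "metamask.io")
# Character sequences that read as another letter in many fonts.
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
# Constructed sample: "uniswap" with a Cyrillic letter, in its punycode form.
SAMPLE_IDN = "xn--" + "un\u0456swap".encode("punycode").decode("ascii") + ".org"

def to_unicode(host):
    """Decode punycode (xn--) labels so hidden non-ASCII letters become visible."""
    return ".".join(p[4:].encode("ascii").decode("punycode") if p.startswith("xn--") else p
                    for p in host.split("."))

def skeleton(name):
    for seq, repl in CONFUSABLE:
        name = name.replace(seq, repl)
    return name

def edit_distance(a, b):  # Levenshtein distance, one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_domain(host):
    host = host.lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    try:
        shown = to_unicode(host)
    except UnicodeError:
        return "suspicious: malformed punycode label"
    odd = [unicodedata.name(c, "UNKNOWN") for c in shown if ord(c) > 127]
    if odd:
        return "suspicious: non-ASCII letters: " + ", ".join(odd)
    # Simplification: treat the last two labels as the registered domain.
    name, tld = host.split(".")[-2:] if "." in host else (host, "")
    for good in TRUSTED:
        gname = good.split(".")[0]
        if name == gname:
            return f"suspicious: {good} name under .{tld}"
        if skeleton(name) == skeleton(gname):
            return f"suspicious: look-alike letters for {good}"
        if edit_distance(name, gname) <= 2:
            return f"suspicious: close misspelling of {good}"
    return "unknown"
```

A result of "unknown" only means the name resembles nothing on the trusted list; it is not a verdict that the site is safe.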
How to Protect Your Crypto
Protection isn’t about one tool or technique. It’s about building habits that make phishing mechanically impossible.
Never enter seed phrases online — Hardware wallets keep your private keys offline. Even if you type your phrase into a fake website, a hardware wallet won’t expose your keys to that website. This is the single most effective protection available.
Use dedicated devices for crypto — Consider maintaining a separate device — an old phone or laptop — that you use exclusively for crypto transactions. Never browse social media, check email, or install unknown software on this device.
Verify everything independently — When you receive a link in a Discord announcement, don’t click it. Navigate to the official website through your bookmarks. When you receive an email from your exchange, don’t use the link in the email. Type the exchange URL directly.
Use hardware 2FA — Hardware security keys like YubiKeys or Ledger’s own device can defeat SIM swapping because the authentication happens on a physical device, not through your phone number.
Review transactions before signing — Don’t approve transactions without understanding what you’re authorizing. If a transaction asks for unlimited token allowances, decline it. Tools like Revoke.cash let you audit and revoke permissions you’ve granted to DeFi protocols.
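To make "review before signing" concrete for the approvals described under Ice Phishing, the decoder below reads the raw calldata of a pending transaction and lists reasons to decline it. It is an added example, not code from Revoke.cash or any wallet, and it covers only the standard approve and setApprovalForAll calls. The sample calldata, the spender address and the "unlimited" threshold are constructed assumptions.

```python
APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), NFTs
UNLIMITED_FLOOR = 2**255           # heuristic (assumption): this large means "no cap"

# Constructed calldata: approve(<made-up spender>, 2**256 - 1).
SPENDER = "0x" + "de" * 20
SAMPLE = "0x" + APPROVE + "00" * 12 + "de" * 20 + "ff" * 32


def review_calldata(calldata, verified_spenders=()):
    """Decode an approval call and list reasons to decline it.

    Returns None when the call is not one of the two approval functions.
    """
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return None
    # Two 32-byte words: a left-padded 20-byte address, then the amount or flag.
    if len(args) != 128 or args[:24] != "0" * 24:
        raise ValueError("malformed approval calldata")
    spender, value = "0x" + args[24:64], int(args[64:], 16)
    result = {"spender": spender, "value": value, "warnings": []}
    if value == 0:
        result["kind"] = "revoke"  # approve(spender, 0) or setApprovalForAll(op, false)
        return result
    if selector == APPROVE:
        result["kind"] = "erc20-approve"
        if value >= UNLIMITED_FLOOR:
            result["warnings"].append("unlimited token allowance")
    else:
        result["kind"] = "approval-for-all"
        result["warnings"].append("operator can move every token in the collection")
    if spender not in {s.lower() for s in verified_spenders}:
        result["warnings"].append("spender is not a contract you verified")
    return result
```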
What to Do If You’re Phished
If you discover unauthorized transactions or believe your seed phrase has been compromised, act immediately but recognize the limitations:
First, immediately move remaining assets to a new wallet. Generate a fresh seed phrase offline, ideally on a hardware device, and transfer everything before the attacker has time to drain the account.
Second, document everything. Screenshot the phishing site, preserve emails, save transaction hashes. This won’t help you recover funds, but it helps security researchers track attacks and may assist in future investigations.
Third, report to the relevant platforms. File reports with the exchange involved, submit the phishing site to Google Safe Browsing, and report fraudulent accounts to Twitter/X. Your report might prevent others from falling victim.
Here’s the uncomfortable truth: recovery is unlikely. Blockchain’s immutability is a feature, not a bug, but it means stolen funds are effectively gone. Services claiming to recover scammed crypto are almost always follow-up scams. Anyone promising to track and return your funds is likely running a second operation targeting desperate victims.
The Hard Truth About Crypto Security
The security community has a credibility problem. We tell users to be vigilant, to verify everything, to never click links — but we’re asking humans to be perfect across every interaction. That’s not realistic.
What actually works is engineering security into your habits so that phishing becomes mechanically impossible, not just psychologically unlikely. Use hardware wallets. Don’t keep your seed phrase digitally. Assume every unsolicited message is hostile until proven otherwise.
The attacks will keep evolving. Attackers are professional, well-funded, and unencumbered by ethics. Your protection isn’t about outsmarting them in any individual encounter — it’s about building systems where it doesn’t matter what tricks they use.




