Phishing attacks accelerated in 2024, cost $800M year-to-date

Phishing attacks did not abate in 2024 and were especially consistent in the past three months. Certik tallies up the losses at $800M for the year to date. 

Attacks through malicious links led to a record number of major incidents. According to Certik, phishing attacks in the year to date led to $800M in losses. The value of the attacks rose additionally as the crypto market appreciated. A total of 26 significant attacks happened in October, and so far seven by the middle of November. 

Some of the phishing and address poisoning attacks manage to target the occasional large-scale wallet, leading to deeper losses. However, the attack’s model relies on wide distribution and producing as many attacks to wallets as possible. Scams with fake copied addresses happen almost daily and sometimes drain significant personal holdings. In a recent case, the poisoned address spoofed the legitimate wallet of a centralized exchange. 

🚨 ALERT: Another victim lost $111,726 just 10 minutes ago by copying the wrong CEX deposit address from a contaminated transfer history.

Tips to stay safe 🔐:
• Always verify addresses carefully 📝
• Use bookmarks 🔖
• Double-check before sending large amounts ✅ https://t.co/t1uZRiRTev pic.twitter.com/V3K4ONWkzW

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) November 15, 2024

A more sophisticated form of wallet draining features a test attack. Recently, another address lost over $110K, when a malicious wallet spoofed the original transaction by introducing its own address. The scammer’s wallet even passed the test transaction test, before the user was convinced to send the entire sum. 

Another user lost $220K by being convinced to click on a malicious link and give permission to connect with the wallet-draining smart contract. The wallet recipient has already been labeled among the growing list of fake phishing wallets. As with other similar exploits, scammers still rely on Tornado Cash to cover their tracks.

Most of the attacks focused on the Ethereum and Solana ecosystem, with much fewer BTC losses. The habitual interaction with multiple protocols for Web3, NFT, or meme tokens, made users more likely to sign permissions and trust prompts to connect their wallet. Multi-asset wallets are also vulnerable, which is one of the main sources of BTC losses. 

Web3 still faces ‘ice fishing’ attacks

Certik noted that Web3 projects are especially vulnerable to so-called ‘ice fishing’ techniques. Ice fishing uses faked links, spoofed sites, or more creative tools to insert a link. The links call for a wallet approval and issue an approval transaction. 

Later, the malicious attacker can initiate a transaction once the wallet is opened. Until permission is revoked, the wallet connected to a phishing link remains vulnerable. Certik warns users to check their wallet approvals through a legitimate tool, and not through third-party links. Etherscan’s token approval protocol can help revoke suspicious links. 

Decentralized exchanges and lending protocols are the most widely attacked and spoofed apps. More than $200M so far has been spoofed by scammers in connection with DEX activity. 

Certik excludes wallet scams from other exploits. Big hacks and attacks were more rare in October, but wallet scams remained at their usual elevated level both in terms of raw numbers and funds taken. 

Certik proposes using vanity addresses

One of the ways to create a more recognizable address is to create a vanity string. The tools to generate wallets rely on multiple attempts until they produce the right address with the desired number string. 

Vanity addresses can also be spoofed, but the chance is lower. Certik has also noticed that some spoof wallets generate vanity addresses with a preferred string of characters in the middle. 

Other widely used services like the 1Inch DEX aggregator have generated an easily recognizable vanity address to make deposits easier. Over time, scammer addresses grew to a total of 269,705, following community reporting. Pink Drainer remains one of the biggest recipients of user funds, but new addresses with smaller hausl are added all the time. 

Risky addresses often gain a label as Fake Phishing, but only after being reported multiple times. Other flagged addresses contain zero-sum transactions. To bypass the flagging of zero-value tokens, scammers will also send a legitimate amount of USDT. The scam still hinges on the end user copying the addresses from the transaction history.