phishing

According to GoPlus security alerts, phishing scams promoting black U and anti-money laundering detection websites have appeared on the X platform. Investigations reveal that the website is a phishing site hosted on the Vercel platform, aimed at tricking users into authorizing their wallets, so please do not interact.GoPlus recommends: try to avoid private transactions and use the OTC features of centralized exchanges; maintain a high level of suspicion towards unfamiliar links, especially those requiring wallet signatures or authorizations; remember the "four no choices" to prevent phishing: do not click on unfamiliar links, do not install software from unknown sources, do not sign transactions with unclear content, and do not transfer funds to unverified addresses.

On-chain analyst "b-block" posted on social media on Monday that a counterfeit Uniswap website is stealing funds from multiple wallets, with assets held by the scammers valued at over $400,000. Stacy Muur, founder of the Web3 marketing agency Green Dots, shared screenshots of false sponsored results from search engines, criticizing Google for ignoring this issue for years, leading to fake links ranking above real ones, resulting in users continuously being scammed.According to Etherscan data, the two flagged addresses hold a total of about 146 ETH, valued at approximately $306,000. DeFiLlama pointed out that fake ads on Google are a common source of phishing attacks. The crypto nonprofit organization Security Alliance (SEAL) reported in April that phishing activities on Google searches significantly increased in March, with attackers deploying highly deceptive fake ads by paying for or hijacking legitimate ad accounts, using seemingly real URLs to bypass Google's automatic checks, and loading malicious payloads through hidden iframes.SEAL has blocked over 356 malicious ad links and stated that the volume of Google ads deployed by attackers has remained stable for over a year, with no slowdown in attack activities. Reports indicate that between March 13 and 30 alone, a total of $1.27 million was stolen. Additionally, earlier this month, there were malicious ad campaigns targeting Mac users that utilized Google ads and the AI chatbot Claude for shared chats. Malwarebytes also reported that Facebook is similarly a hotspot for fake ads and scams.

According to SolanaFloor monitoring, a scam gang is impersonating Jupiter, airdropping fake CJUP tokens to wallets, and enticing users to connect to a scam website to steal assets.

According to Cointelegraph, Casa co-founder Jameson Lopp warned that a new phishing technique has emerged, where attackers abuse legitimate Google recovery forms to hide malicious links within lengthy messages filled with a lot of blank space.

SlowMist has issued a security warning stating that a high-risk phishing activity targeting TRON wallet users has been discovered. Attackers created a fake Chrome extension for the TronLink wallet, using Unicode bidirectional control characters and Cyrillic homographs to disguise the brand name. After installation, the extension loads a complete phishing page through a remote iframe, forming a "shell-core separation" credential theft chain.The malicious extension name uses homographs for disguise, and its Chrome Store page inherits the high user count and positive reviews of the real extension, lowering the review threshold. There is very little local code, only loading remote pages, making static analysis nearly impossible to detect malicious behavior. The remote phishing page perfectly replicates the official TronLink web wallet interface, stealing mnemonic phrases, private keys, Keystore files, and passwords, and relaying them in real-time via a Telegram Bot.Built-in anti-analysis features disable right-click, developer tools, drag-and-drop, and printing, and redirect based on the geographic and language settings of Russian users to evade detection. SlowMist recommends immediately uninstalling suspicious extensions, clearing local storage, checking for abnormal traffic, and if credentials have been entered, creating a new wallet and transferring assets immediately.

According to Cointelegraph, Robinhood users have recently encountered a phishing attack. The attackers exploited the Gmail feature that ignores the "." in email usernames, along with a vulnerability in the Robinhood account creation process, to register accounts that are very similar to the target email addresses. This allowed them to send fake reminder emails with phishing links to the victims' inboxes from the Robinhood official mail server.Cybersecurity researcher Alex Eckelberry stated that the email could pass SPF, DKIM, and DMARC verification, appearing to come from an official address. Robinhood stated that this incident did not involve a system or customer account breach, and that user funds and personal information were not affected, but advised users to delete the related emails and not to click on suspicious links.

According to CertiK senior blockchain investigator Natalie Newson, real-time deepfakes, phishing, supply chain attacks, and cross-chain vulnerabilities will be the main sources of crypto hacking attacks.To date, the industry has lost over $600 million due to hacking attacks, including the $293 million vulnerability incident at Kelp DAO and the $280 million theft incident at Drift Protocol, both of which are related to North Korean hacker groups. Newson warned that the accelerated development of AI will make attack methods more complex, including more realistic deepfakes, autonomous attack agents, and "agent AI" that can automatically scan for vulnerabilities in smart contracts, but AI can also serve as a defense tool. CertiK advises investors to verify the authenticity of URLs and use cold wallets to store assets to reduce risk.

According to market news, a report released by the blockchain security company Hacken shows that Web3 projects lost a total of $464.5 million this quarter due to hacker attacks and scams, with phishing and social engineering attacks accounting for $306 million, becoming the main source of losses.A hardware wallet scam that occurred in January caused a loss of $282 million, accounting for 81% of the total quarterly losses. Smart contract vulnerabilities led to losses of $86.2 million, while access control failures (including breaches of keys and cloud services) caused losses of $71.9 million. The report points out that the largest security incidents often occur in off-chain operations and infrastructure layers, which traditional audits find difficult to cover. The European regulatory frameworks MiCA and DORA are increasing requirements for security monitoring and incident response, and global regulatory agencies are also raising standards for real-time monitoring and emergency response.

Binance announced its participation in the international law enforcement operation "Operation Atlantic," led by the UK's National Crime Agency (NCA), in collaboration with multiple countries' law enforcement agencies to combat cryptocurrency and investment fraud, focusing on "approval phishing" scams.The operation was jointly initiated by the NCA, the U.S. Secret Service, and relevant law enforcement and regulatory agencies in Ontario, Canada, aiming to identify victims who have been compromised or are at risk. Approval phishing typically disguises itself as an investment opportunity, luring users into granting wallet access permissions, thereby transferring assets. During the operation, Binance's special investigation team provided on-site support in London, including fraud identification processes, risk screening, and intelligence analysis, and assisted in identifying potential victims and related malicious websites.At the same time, Binance also provided law enforcement agencies with addresses and suspect intelligence related to the case, supporting asset tracking and enforcement actions. The NCA stated that this operation has successfully protected thousands of potential victims in the UK and overseas. Binance emphasized that it will continue to cooperate with global law enforcement agencies to strengthen the fight against cryptocurrency fraud.

According to CoinDesk, the Financial Services Commission of South Korea and the Financial Supervisory Service jointly issued new regulations requiring all domestic cryptocurrency exchanges to adopt a unified withdrawal delay review standard to curb voice phishing scams.The new regulations eliminate the authority of each exchange to set its own withdrawal exemption conditions, and reviews will be conducted uniformly based on standards such as account history, trading patterns, and behavioral anomalies. It is expected that less than 1% of users will qualify for instant withdrawals. Platforms must also enhance identity verification and fund flow monitoring.Previously, scam groups exploited the exemption rules of various platforms to guide victims to convert cash into cryptocurrency and complete withdrawals within minutes. This new regulation marks a shift in South Korea's cryptocurrency risk control system from industry self-regulation to a national unified standard.

According to Decrypt, the U.S. Attorney's Office for the District of Connecticut announced that it has recovered and seized over $600,000 in cryptocurrency after a Ledger hardware wallet user fell victim to a phishing scam, being lured into performing a so-called security check by a letter impersonating "Ledger Security and Compliance," resulting in approximately $234,000 in crypto assets being stolen.The FBI and state police tracked the flow of funds, successfully seizing about $600,000 in USDT and filing a civil forfeiture lawsuit, alleging that the source of the funds involved wire fraud and money laundering. It is reported that this is one of a series of phishing incidents targeting hardware wallet users, where scammers used physical mail letters featuring company logos, holograms, and QR codes to enhance the credibility of the fraud. Similar incidents have affected companies like Ledger and Trezor, accompanied by data breaches and vulnerabilities in third-party services, leading to ongoing phishing attacks.

According to a warning from on-chain detective ZachXBT, the Discord link for Trust Wallet (discord[.]gg/trustwallet) has been hijacked by hackers and currently points to a phishing server.ZachXBT reminds users not to join through the Discord link in official channels such as the official website, Telegram, or blog to avoid asset loss.

According to GoPlus security monitoring, an address starting with 0x9709 signed malicious Permit and Approve transactions, resulting in approximately $200,000 worth of USDC and wmtUSDT being stolen by phishing attackers.GoPlus states that users should carefully verify transaction details and contract addresses when signing any on-chain authorizations (Approve) or offline signatures (Permit) to avoid signing unknown malicious requests and prevent asset theft.

According to market news, the security platform OX Security has disclosed that the developers of the AI agent project OpenClaw are becoming targets of cryptocurrency phishing activities.Attackers create fake GitHub accounts, initiate topics in repositories controlled by them, and @ dozens of developers, claiming they have won a $5000 CLAW token reward, leading them to a clone website that is almost identical to openclaw.ai. This phishing site includes a "Connect Wallet" button, aimed at stealing the assets of connected wallets. Malicious code is hidden in deeply obfuscated JavaScript files, featuring a "nuke" function that clears browser local storage data to hinder forensic analysis, and encodes information such as wallet addresses and transaction values to send back to the C2 server. Researchers identified a suspected cryptocurrency wallet address used to receive stolen funds. The related accounts were created last week and deleted within hours, with no confirmed victims at this time. OpenClaw has become a target for scammers due to its high visibility, and its Discord community has previously encountered a large amount of cryptocurrency spam. Earlier reports indicated that OpenClaw's founder warned to be cautious of cryptocurrency scam emails sent in the name of OpenClaw.

After Slow Mist founder Yu Xian disclosed that the Coinbase Commerce asset recovery page directly requires users to enter plaintext mnemonic phrases, Slow Mist's Chief Information Security Officer 23pds added that the sitemap of that page also has flaws, allowing malicious attackers to easily use tools like ResourcesSaver to download the frontend code and deploy similar websites.If combined with similar domain names like Coinbase for phishing attacks, users can easily fall victim.

According to Decrypt, cybersecurity company Malwarebytes Labs has warned that a fake website impersonating the newly released game Pudgy World from Pudgy Penguins is attempting to steal cryptocurrency wallet passwords.The phishing site pudgypengu-gamegifts[.]live uses a highly realistic replica of a cryptocurrency wallet interface to deceive users. When visitors select a wallet on this fake site, a seemingly authentic wallet unlock interface is displayed, leading users to mistakenly believe it is a trustworthy cryptocurrency wallet software.Malwarebytes points out that the timing of this phishing campaign appears to be carefully planned, coinciding with the game's launch and a surge of new users, and the attack almost covers all mainstream wallets, indicating that it may be backed by well-resourced threat actors or using commercial phishing toolkits. Users are advised to access the official website only through trusted bookmarks, avoid clicking on social media links, and be cautious of wallet password prompts that appear on web pages.

According to CoinDesk, law enforcement agencies from the United States, the United Kingdom, and Canada have jointly launched a multinational operation called "Operation Atlantic," focusing on combating "approval-phishing" scams targeting cryptocurrency users.The Ontario Securities Commission stated that these scams typically use pop-ups and prompts disguised as trustworthy applications or services to guide users into authorizing malicious wallet permissions. Once authorized, attackers can control the wallet and transfer assets. Data shows that cryptocurrency scams are expected to generate at least approximately $14 billion in on-chain illegal revenue by 2025, with the total scale potentially approaching $17 billion as more involved wallets are identified.Law enforcement agencies pointed out that current scam activities increasingly rely on social engineering, AI-generated content, and "Phishing-as-a-Service" platforms. The operation is being coordinated by multiple national law enforcement agencies, and regulators stated that the new initiative will help identify victim wallets, timely warn potential victims, and attempt to track and freeze stolen cryptocurrency assets to reduce the space for criminals to profit further.

According to Scam Sniffer monitoring, an address lost 720,108 valBUSD + valTUSD after signing the phishing email increase Allowance.

The Chief Information Security Officer of Slow Fog Technology, 23pds, issued a reminder stating that ClawHub developers should be aware of phishing and credential leakage risks. Currently, ClawHub relies on developers' GitHub one-click login. Previously, the Sha1-Hulud worm stole a large number of developers' GitHub credentials, and attackers may take the opportunity to attack Skills.The attack path is: credential theft → attacker gains GitHub permissions → logs into ClawHub as a developer → publishes malicious Skills to implant backdoors → users download and install, executing malicious code leading to system intrusion.

According to market news, Coinbase, in collaboration with Microsoft, Europol, and more than ten other organizations, successfully shut down the phishing-as-a-service platform Tycoon 2FA and seized 330 related domains.Since its launch in August 2023, Tycoon has had approximately 2,000 users, operating over 24,000 domains, and sending tens of millions of fraudulent emails each month to over 500,000 businesses worldwide. It bypassed multi-factor authentication by stealing session cookies and tokens, primarily targeting email and online service accounts such as Microsoft 365, Outlook, and Gmail.In this operation, Coinbase assisted in tracking the cryptocurrency payments funding Tycoon’s operations and supported the civil lawsuit to seize the domains. The main developer has been identified as Saad Fridi, a Pakistani national.