Zero Trust: Your First Web3 Anti-Scam Guide

🌲 Web3 - The "Dark Forest" of the Internet World

Blockchain is one of the greatest inventions in human history, partially solving the precious issue of "trust". The emergence of Ethereum and smart contracts made blockchain programmable, and in less than a decade, a large number of decentralized applications (dApps) have emerged. These dApps, constituting the Web3 ecosystem and its underlying philosophy, are revolutionizing the entire internet industry at an extremely high speed.

However, such rapid development inevitably brings about unexpected negative issues, which is true for any field, including the blockchain industry.

The blockchain world resembles a dark forest, where everyone's wallet is exposed to a high-risk environment.

💡 According to ByteHunter's monitoring data, more than $4 billion in crypto assets are lost or stolen each year, with an average of over 2,000 attack incidents daily, indicating frequent risk events.

Currently, phishing techniques in Web3 are far more sophisticated than those of the Web2 era. This article emphasizes the principle of Zero Trust, as Web2 security knowledge is often inadequate to handle the potential risks of Web3. Many believe that phishing emails and websites can be easily spotted, but this is because you are not the main target of hackers.

In the Web3 domain, where industry elites converge and financial assets are concentrated, hackers use more advanced and less detectable methods to deceive and build trust. Their capabilities are limited only by imagination. Professional attackers often operate with organized and specific goals, like the North Korean hacker group Lazarus, which stole approximately $3.8 billion in cryptocurrency assets in 2022.

Fortunately, whether you are a newcomer or an OG, you’ve found this article at the right time. If you are planning to or are currently navigating the crypto world, this piece is essential reading for you.

🛡️ Always bear in mind the most crucial security rule: Zero Trust

👤 Zero Trust

Always maintain skepticism in the world of blockchain.

📋 Glossary

🎣 Endlessly Evolving Phishing Scams

Statistics show that over 90% of attacks on individual users are phishing attempts.

Read Before You Sign! ✍️

The most important one. When transacting on blockchain networks, almost every transaction requires you to sign something.

Unfortunately, not every contract you sign is safe. Malicious contracts are crafted to look like legitimate deals but are designed to execute unauthorized actions once signed, such as transferring out all your holdings.

Here are some common signing scams you should watch out for:

  • setApprovalForAll() - Often appears when you try to "mint" an NFT, but this call gives the hacker permission to move your tokens.
By signing this, you hand your NFTs over to the hacker.
  • Permit2 - Permit2 is Uniswap's improved version of Ethereum's "permit" function. While it greatly improves the user experience, hackers also use it to trick you into blindly granting permission to transfer your tokens out.
A "wallet drainer" stealing all of a user's assets using Permit2.
  • Fake Signatures - Platforms like OpenSea and Blur often see their contracts exploited by attackers who use technical tricks to "Zero-Dollar Purchase" all your NFTs and even some tokens.

    On these phishing sites, an interaction may prompt a signature for the official OpenSea/Blur contract, but a parameter in the request has been maliciously modified. Many users, not understanding the signature content and trusting the platform, end up signing away their high-value NFTs. The attacker forges sell orders that list all of the user's NFTs at zero price to themselves; once the order is signed, all NFTs are transferred to the attacker's account.

  • Modified Address - Some phishing sites do use legitimate contracts, but hackers alter certain parameters of the call. For example, the transaction below looks like a normal call to the Uniswap contract but sets the recipient to the attacker's wallet address, so users find no new tokens in their wallet after the swap: they have been sent to the attacker instead.

❓ How can I recognize this scam?

  1. Read the signature detail before signing.

  2. Make sure you are visiting the official website of a project.
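To make "read the signature detail before signing" concrete, here is an added example (not ByteHunter's code, and not part of the original article) of a small pre-signing inspector. It decodes two of the request types listed above: raw calldata for the standard ERC-721 setApprovalForAll(address,bool) and ERC-20 approve(address,uint256) calls, and an EIP-712 Permit2 PermitSingle request laid out as in Uniswap's Permit2 struct. The trusted-spender list and all sample addresses are constructed placeholders.

```javascript
// Added example: a minimal "read before you sign" inspector.
// Selectors are the standard ERC-721/ERC-20 values; the PermitSingle
// layout (details{token,amount,expiration,nonce}, spender, sigDeadline)
// follows Uniswap's Permit2 typed-data struct.
const SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0x095ea7b3": "approve(address,uint256)",
};
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 amounts are uint160

// Constructed placeholder: spenders/operators the user has knowingly
// approved before. A real tool would load this from the user's own records.
const TRUSTED_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// i-th 32-byte ABI word after the 4-byte selector (hex without 0x)
function abiWord(hexNo0x, i) {
  return hexNo0x.slice(8 + i * 64, 8 + (i + 1) * 64);
}
// An address is right-aligned in its 32-byte word: keep the last 20 bytes
function wordToAddress(w) {
  return "0x" + w.slice(24);
}

// Decode raw transaction calldata and return human-readable warnings
function inspectCalldata(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const selector = "0x" + hex.slice(0, 8);
  const fn = SELECTORS[selector];
  const warnings = [];
  if (!fn) return { fn: `unknown selector ${selector}`, warnings };

  if (fn.startsWith("setApprovalForAll")) {
    const operator = wordToAddress(abiWord(hex, 0));
    const approved = BigInt("0x" + abiWord(hex, 1)) !== 0n;
    if (approved && !TRUSTED_SPENDERS.has(operator)) {
      warnings.push(`operator ${operator} would be able to move every NFT you hold in this collection`);
    }
  } else {
    const spender = wordToAddress(abiWord(hex, 0));
    const amount = BigInt("0x" + abiWord(hex, 1));
    if (amount === MAX_UINT256) warnings.push("unlimited token allowance");
    if (amount > 0n && !TRUSTED_SPENDERS.has(spender)) {
      warnings.push(`spender ${spender} is not on your trusted list`);
    }
  }
  return { fn, warnings };
}

// Inspect an EIP-712 Permit2 PermitSingle request. This is an off-chain
// signature, so nothing appears on-chain until the attacker redeems it.
function inspectPermit2(typedData, nowSec) {
  const warnings = [];
  if (typedData.primaryType !== "PermitSingle") return { warnings };
  const { details, spender } = typedData.message;
  const amount = BigInt(details.amount);
  const expiresIn = Number(details.expiration) - nowSec;
  if (!TRUSTED_SPENDERS.has(spender.toLowerCase())) {
    warnings.push(`Permit2 spender ${spender} is not on your trusted list`);
  }
  if (amount === MAX_UINT160) warnings.push("unlimited Permit2 allowance");
  if (expiresIn > 30 * 24 * 3600) warnings.push("allowance stays valid for more than 30 days");
  return { warnings };
}

// Constructed sample: setApprovalForAll(0x2222..., true), the kind of call
// a drainer hides behind a "mint" button
const SAMPLE_SET_APPROVAL_FOR_ALL =
  "0xa22cb465" +
  "000000000000000000000000" + "2222222222222222222222222222222222222222" +
  "0".repeat(63) + "1";

// Constructed sample: approve(trusted spender, 2**256-1)
const SAMPLE_UNLIMITED_APPROVE =
  "0x095ea7b3" +
  "000000000000000000000000" + "1111111111111111111111111111111111111111" +
  "f".repeat(64);

// Constructed sample Permit2 request: unknown spender, max amount, 1-year expiry
const SAMPLE_PERMIT2 = {
  primaryType: "PermitSingle",
  message: {
    details: {
      token: "0x3333333333333333333333333333333333333333",
      amount: MAX_UINT160.toString(),
      expiration: String(1700000000 + 365 * 24 * 3600),
      nonce: "0",
    },
    spender: "0x4444444444444444444444444444444444444444",
    sigDeadline: String(1700000000 + 3600),
  },
};

console.log(inspectCalldata(SAMPLE_SET_APPROVAL_FOR_ALL));
console.log(inspectCalldata(SAMPLE_UNLIMITED_APPROVE));
console.log(inspectPermit2(SAMPLE_PERMIT2, 1700000000));
```

The point of the allowlist is that a legitimate mint almost never needs you to approve an operator you have never dealt with, and a real swap almost never needs an allowance that is unlimited and valid for a year; any of those warnings is a reason to close the tab rather than click "Sign".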


Airdrop from Similar-looking Address (aka Address Poisoning) 🥸

Feedback from several affected users suggests that attackers target users who frequently transact in large volumes by continually airdropping small amounts of tokens (e.g., 0.01 USDT or 0.001 USDT), or large amounts of a token with the same name as the legitimate one.

The attacker's address ends with characters very similar to the victim's counterparty, usually the last few digits. When users copy addresses from their transaction history, a slight oversight can lead to asset loss.

Some malicious software will also hijack your device's clipboard, replacing the address you copied with the hacker's address.

❓ How can I recognize this scam?

  1. When transferring funds, carefully verify the recipient's address to ensure accuracy.

  2. Do not install suspicious/unknown software on your devices.
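Because a poisoned address is built to pass the glance most of us give the first and last few digits, a check that only accepts exact matches is the practical defence. The following is an added example (not ByteHunter's code, and not part of the original article) that scans a constructed transaction history for dust transfers whose sender mimics a known counterparty, and refuses a recipient that merely looks like one. Every address and history entry is a constructed placeholder.

```javascript
// Added example: detect address poisoning in a wallet's history and
// refuse look-alike recipients before sending. All values are constructed.
const MY_WALLET = "0x" + "a".repeat(40);
const PARTNER   = "0x5f3c" + "0".repeat(32) + "b7e9"; // a real counterparty
const POISON    = "0x5f3c" + "1".repeat(32) + "b7e9"; // same ends, different middle
const OTHER     = "0x" + "9".repeat(40);

// Constructed history: one genuine payment out, then a dust transfer in
// from the look-alike address, then an unrelated incoming payment.
// Token amounts use 6 decimals like USDT.
const HISTORY = [
  { hash: "tx1", from: MY_WALLET, to: PARTNER, token: "USDT", value: 25000000000n },
  { hash: "tx2", from: POISON, to: MY_WALLET, token: "USDT", value: 10000n }, // 0.01 USDT
  { hash: "tx3", from: OTHER, to: MY_WALLET, token: "USDT", value: 500000000n },
];

function sharedPrefixLen(a, b) {
  let n = 0;
  while (n < a.length && a[n] === b[n]) n++;
  return n;
}
function sharedSuffixLen(a, b) {
  let n = 0;
  while (n < a.length && a[a.length - 1 - n] === b[b.length - 1 - n]) n++;
  return n;
}

// "Looks like" = same first and last few hex digits (the only parts most
// wallet UIs and explorers display) but not the same address.
function isLookalike(candidate, reference, minPrefix = 4, minSuffix = 4) {
  const c = candidate.toLowerCase(), r = reference.toLowerCase();
  if (c === r) return false;
  // drop "0x" so it does not count toward the shared prefix
  return sharedPrefixLen(c.slice(2), r.slice(2)) >= minPrefix &&
         sharedSuffixLen(c, r) >= minSuffix;
}

// Addresses this wallet has deliberately sent funds to
function knownCounterparties(history, me) {
  const mine = me.toLowerCase();
  return [...new Set(history.filter(t => t.from.toLowerCase() === mine)
                            .map(t => t.to.toLowerCase()))];
}

// Incoming transfers whose sender mimics a known counterparty
function flagPoisoningTransfers(history, me) {
  const known = knownCounterparties(history, me);
  const mine = me.toLowerCase();
  return history
    .filter(t => t.to.toLowerCase() === mine)
    .map(t => ({ hash: t.hash, from: t.from, mimics: known.find(k => isLookalike(t.from, k)) }))
    .filter(t => t.mimics !== undefined);
}

// Pre-send check: accept only exact matches against your own history and
// say explicitly when the candidate merely resembles one of them
function checkRecipient(candidate, history, me) {
  const known = knownCounterparties(history, me);
  const c = candidate.toLowerCase();
  if (known.includes(c)) return { ok: true, reason: "exact match with a known counterparty" };
  const mimicked = known.find(k => isLookalike(c, k));
  if (mimicked) return { ok: false, reason: `looks like ${mimicked} but differs in the middle` };
  return { ok: false, reason: "address not in your history; verify it out-of-band" };
}

// Clipboard hijacking check: compare what the wallet received with what
// you intended to paste, character by character, not just the ends
function clipboardIntact(intended, pasted) {
  return intended.toLowerCase() === pasted.toLowerCase();
}

console.log(flagPoisoningTransfers(HISTORY, MY_WALLET));
console.log(checkRecipient(POISON, HISTORY, MY_WALLET));
```

The same idea works for the "same-name token" variant: compare the airdropped token's contract address against the one you already hold, not its ticker.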


Do NOT Install Unknown Software/Plugins 💻

The allure of new tools and utilities can sometimes lead users down risky paths—especially when it comes to unverified software or browser plugins. These applications, often disguised as legitimate software, can steal sensitive information, such as wallet keys and session cookies, which can compromise your accounts.

For example, a user recently lost over $10M to a malicious browser plugin called "Aggr Trade". Disguised as a normal plugin for checking market trends, it actually stole the browser's cookies and used them to impersonate the user, bypassing logins on many sites.

There are also plenty of fake crypto wallets out there, sending your private keys to their servers and storing them there, so they can take control of your wallet and steal your assets when you least expect it.

❓ How can I recognize this scam?

  1. Do not install any unknown software/apps to your device.

  2. Only install software from the official channel.


Beware of Unknown Token Airdrops! 🪙

On July 11, a Uniswap user fell victim to an airdrop phishing attack, resulting in the theft of 7,574 ETH, valued at approximately $8 million.

The phishing attackers created a token and airdropped it to 73,399 users holding $UNI tokens. The aim was to redirect recipients to a fraudulent website mimicking Uniswap's official site (uniswap.org) with a deceptive domain (uniswaplp[.]com).

Victims were enticed to "claim" their supposed "Uniswap V3: Positions NFT", which in reality granted the attackers full access to their digital assets, allowing the attackers to transfer out all high-value assets in the wallets.

Also note that some phishing websites will ask you for your private key or mnemonic phrase; entering such information is basically equivalent to handing malicious hackers full control of your wallet.

❓ How can I recognize this scam?

  1. Carefully check the URL to ensure it’s the official site.

  2. Thoroughly check the contract info of the airdropped token and make sure it's the legitimate one.

  3. Be suspicious if the airdrop amount is unusually large and lacks information when searched online.


Beware of Unknown DMs & @ Mentions on X/Discord 💬

Do you frequently receive DMs from strangers on Twitter? Notifications about being @ mentioned by unknown users claiming you've won something? Congratulations, hackers have targeted your account.

Do not respond! This type of phishing is low-level but widespread due to its low cost and broad coverage. The method typically involves direct phishing tactics, such as utilizing eth_sign, which would transfer all ETH from your wallet. (However, this method is being phased out due to security issues, and most wallets, including MetaMask, now provide clear warnings to prevent signing.)

❓ How can I recognize this scam?

  1. Carefully vet any DMs or @ mentions from unknown users.

  2. Refuse transactions involving eth_sign (Your wallet will likely block them for you automatically)


Task Platforms Mixed with Deception 🤥

Platforms like Premint, Quest3, and TaskOn have become ideal channels for project owners to gain traffic. For attackers, though, they are also a great place to find opportunities.

Attackers often register "official Twitter" accounts, buy a large number of followers and interactions, and set up "official communities" (including Discord, Telegram, etc.), even utilizing AI to generate NFTs in bulk.

They operate under the guise of legitimate projects, often in collaboration with well-known projects (which are usually innocent), and rush to monetize. Hence, “official accounts” typically announce minting within a month of operation, attracting massive traffic shortly.

Before the mint, attackers prepare a contract for the attack; once users click to mint and confirm the transaction, all assets are immediately transferred out, leaving only a bit of gas money.

❓ How can I recognize this scam?

  1. Check whether the “project” disabled its Twitter comments during mint.

  2. Closely check the transaction details while minting.


Be Careful with Messages in Projects’ Group 👥

Attackers often deploy or hijack bots on Discord or Telegram communities. These bots can @everyone and notify users of “early minting” or “airdrop rewards” with eye-catching messages, linking to phishing websites that closely mimic the project’s official site.

Once users enter and engage with the site, all their assets can be transferred out.

❓ How can I recognize this scam?

  1. Carefully read all community messages; if in doubt, confirm with a moderator.

  2. Verify that the website URL matches the official site announced by the project.


Watch Out for Fake RPC Nodes! 🛜

This is a relatively new and rare one. Advanced blockchain users often connect their wallets to Remote Procedure Call (RPC) nodes to interact with different blockchains. However, not all RPC nodes are safe. Fake or compromised nodes can misrepresent wallet balances, manipulate transaction data, or redirect transactions entirely.

Earlier this year, a user fell for this trap when a hacker claimed they could help the user convert mining fees (ETH) into USDT. The hacker first gained the user’s trust with a small transfer, then convinced the user to connect to an RPC node provided by them.

This RPC node had been maliciously modified by the hacker to arbitrarily alter the balances displayed in the user’s wallet, and even modify contract information.

After the user transferred the mining fees to the specified address, although the hacker did not send any assets, the RPC faked the USDT balance, leading the user to believe they had received the payment. By the time the user realized what had happened, the hacker had already vanished without a trace.

❓ How can I recognize this scam?

  1. Only use official or reputable RPC endpoints if possible.
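A wallet shows you whatever its RPC endpoint answers, so the defence against a doctored node is to never take one endpoint's word for a "received" balance. Below is an added example (not ByteHunter's code, and not part of the original article) of a cross-check: it asks the endpoint you were handed and an independent endpoint the same JSON-RPC questions (eth_chainId and an ERC-20 balanceOf via eth_call) and only trusts the answer when they agree. Both endpoints are in-memory stand-ins that answer JSON-RPC requests directly; the wallet and token addresses are constructed placeholders, not the real USDT contract.

```javascript
// Added example: cross-check an RPC endpoint against an independent one.
// The endpoints are constructed in-memory responders; in practice they
// would be HTTP URLs you POST JSON-RPC to.
const WATCHED = "0x" + "a".repeat(40);   // constructed wallet address
const USDT = "0x" + "b".repeat(40);      // constructed token address (placeholder)
const EXPECTED_CHAIN_ID = "0x1";         // Ethereum mainnet

// Encode a uint256 as a 32-byte hex word
function uintWord(n) {
  return "0x" + n.toString(16).padStart(64, "0");
}

// balanceOf(address) calldata: standard ERC-20 selector + padded holder
function balanceOfCalldata(holder) {
  return "0x70a08231" + "0".repeat(24) + holder.slice(2).toLowerCase();
}

// JSON-RPC responder factory: `state` is what this node claims is true
function makeRpc(state) {
  return (request) => {
    const { id, method, params } = request;
    const reply = (result) => ({ jsonrpc: "2.0", id, result });
    switch (method) {
      case "eth_chainId":
        return reply(state.chainId);
      case "eth_call":
        return reply(state.calls[params[0].data] ?? uintWord(0n));
      default:
        return { jsonrpc: "2.0", id, error: { code: -32601, message: "method not found" } };
    }
  };
}

function rpcCall(endpoint, method, params, id = 1) {
  const res = endpoint({ jsonrpc: "2.0", id, method, params });
  if (res.error) throw new Error(`${method}: ${res.error.message}`);
  return res.result;
}

function erc20Balance(endpoint, token, holder) {
  const data = balanceOfCalldata(holder);
  return BigInt(rpcCall(endpoint, "eth_call", [{ to: token, data }, "latest"]));
}

// Trust the primary endpoint only if an independent node agrees with it
function crossCheck(primary, independent, token, holder) {
  const problems = [];
  const chain = rpcCall(primary, "eth_chainId", []);
  if (chain !== EXPECTED_CHAIN_ID) {
    problems.push(`primary reports chain ${chain}, expected ${EXPECTED_CHAIN_ID}`);
  }
  const a = erc20Balance(primary, token, holder);
  const b = erc20Balance(independent, token, holder);
  if (a !== b) problems.push(`balance mismatch: primary says ${a}, independent says ${b}`);
  return { trustworthy: problems.length === 0, problems, primaryBalance: a, independentBalance: b };
}

// A truthful node (the wallet holds nothing) and a node "customized" by the
// scammer to show 10,000 USDT that was never sent (6-decimal token)
const HONEST_RPC = makeRpc({ chainId: "0x1", calls: { [balanceOfCalldata(WATCHED)]: uintWord(0n) } });
const FAKE_RPC = makeRpc({ chainId: "0x1", calls: { [balanceOfCalldata(WATCHED)]: uintWord(10000n * 1000000n) } });
// A node that quietly serves a different chain than the wallet expects
const WRONG_CHAIN_RPC = makeRpc({ chainId: "0x38", calls: {} });

console.log(crossCheck(FAKE_RPC, HONEST_RPC, USDT, WATCHED));
```

In the story above, the victim would have seen the primary node report 10,000 USDT while the independent node reported zero, which is exactly the mismatch this check surfaces. Comparing against a block explorer you open yourself serves the same purpose if you do not want to run code.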

🏥 Remedial Methods

If you unfortunately fall victim to these scams, stay calm! The sooner you detect the incident, the higher the chances of recovering your assets.

Here are some remedial steps we’ve summarized:

❗️Please note that these methods cannot guarantee 100% recovery of funds, but they can significantly increase the success rate of recovering stolen assets.

Once an incident occurs, every second counts in racing against the hacker. Remember the methods below and utilize them to stay ahead.

  1. Immediately revoke any relevant contract/account permissions. You can quickly revoke permissions via revoke.cash or certain wallets that offer this feature.

  2. Transfer other assets out of your wallet to prevent further attacks.

  3. Document the type and amount of stolen assets, their corresponding fiat currency value, the suspected hacker's address, the time of theft, and specific actions that led to the risk.

  4. If you have substantial technical knowledge, you can track the hacker's movements and the stolen assets using ByteHunter’s Transaction Tracking or Theft Analysis feature. Don’t hesitate to contact ByteHunter, or other third-party security services for professional assistance.

  5. Promptly contact the project team or exchange for assistance; major projects often offer some compensation, and for significant funds, report to the police and contact international lawyers.

  6. If you don't mind contacting the hacker directly and spending a little gas, send a zero-amount transaction to the hacker's account with a note in English asking for the return of the assets. (It's also suggested that you let the hacker keep a small percentage of the funds to increase the success rate of such a negotiation. Here's a nice article detailing how you could do that: https://hoangtrinhj.com/articles/send-on-chain-message-using-ethereum-transaction/)

  7. You can offer a bounty for the return of the assets, otherwise, the funds might be frozen by exchanges/professional institutions, making them non-withdrawable. Hackers ultimately aim to cash out, and some are not skilled in laundering money; they might consider returning the assets for some rewards.

🛡️ Protect Your Digital Assets with ByteHunter

As you navigate the complex landscape of Web3, it's crucial to arm yourself with tools that can provide both proactive and reactive security measures. ByteHunter’s blockchain security suite offers:

  • Browser Security Plugin: Use our open-source Web3 security extension to intercept all potential risks on your Web3 journey.

  • Wallet Security Monitoring: Stay ahead of unauthorized transactions with our state-of-the-art monitoring tool that alerts you the moment suspicious activity is detected.

  • Theft Analysis: If you fall victim to a security breach, quickly understand the possible reasons and learn from the incident with our comprehensive theft analysis feature.

  • Transaction Tracking: Visualize the flow of your assets through interactive charts to understand your financial movements and pinpoint risks.

For users who prefer handling their crypto transactions on the go, our upcoming mobile security browser app - Tap3 will provide all these features in a handheld format, ensuring you're protected wherever you are.

✍️ Conclusion

As observed from the above cases, most phishing attacks are carried out through phishing websites. Although the techniques vary, the losses incurred are very real.

If you have read this article carefully, you will have a deeper understanding of the Web3 world and will start checking information meticulously before any operation in order to protect your assets. If you are concerned that increasingly sophisticated phishing techniques threaten your assets, there are shortcuts: to avoid potentially risky operations and to recover stolen assets, consider using established security products like ByteHunter, which includes wallet risk monitoring and asset traceability functions.

Here are several security suggestions based on Zero Trust:

  1. When receiving airdrops, verify information such as the website's domain name before clicking any buttons. Verifying the authenticity of the website is the best way to avoid becoming a victim.

  2. Do NOT trust any signature request, even if it comes from an official contract.

  3. Be skeptical of any information on social media.

  4. Do NOT trust any platform, even those with an official verified 'blue checkmark'.

  5. Prepare multiple wallets to diversify your assets.

  6. Do NOT publicly disclose your private key or mnemonic phrase online, and do NOT store them on cloud-based software/platforms (e.g. Online file hosting services like Google Drive, iCloud, etc.)

Ready to secure your blockchain experience? Visit ByteHunter's website to learn more about our products and download our tools. Stay safe with ByteHunter — your partner in blockchain security.

If you want to know more about on-chain security, we highly recommend reading the "Blockchain Dark Forest Selfguard Handbook" written by SlowMist.


ByteHunter — Your Web3 Wallet Security Steward
