
Crypto phishing isn’t a user problem, it’s a policy problem

Resources · August 11, 2025 · Bryce Ferguson, Co-Founder & CEO of Turnkey

In the first half of this year, crypto investors suffered nearly $2.5 billion in losses from scams and hacks, with phishing attacks alone accounting for approximately $411 million.

Crypto phishing scams remain one of the most common and damaging methods used to steal decentralized assets. In 2024, phishing was responsible for 31% of all attacks, affecting both individuals and organizations.

Unlike exploits that target smart contract vulnerabilities or blockchain bugs, phishing attacks exploit the user's inability to recognize and reject a malicious transaction at signing time.

To protect users from phishing, developers need more than UI alerts or educational messaging. They need infrastructure-level controls that govern what a wallet can sign, when it can sign, and under what conditions.

This article explains how crypto phishing attacks work, outlines the most common types of these scams, and shows how policy-based signing can help stop them before they start.

What does a phishing attack mean in crypto?

In crypto, a phishing attack refers to any attempt to trick a user into revealing sensitive credentials or signing a malicious transaction.

In one recent phishing attack, a crypto user lost over $908K after signing an approval transaction for a fake airdrop. The attack did not steal any private key. It relied on an unrevoked smart contract approval, which gave the attackers ongoing permission to move tokens out of the user's wallet.

Most wallets are built to sign transactions, not to understand them. When a user is tricked into signing something malicious, there is nothing in the system to stop that signature from going through. Once a signed transaction is broadcast and confirmed, there is no way to reverse it.

Attackers often target:

  • Private keys and seed phrases

  • ERC-20 approval transactions

  • Transfers to attacker-controlled wallet addresses

  • Malicious smart contract interactions

These attacks typically use social engineering, misleading interfaces, and impersonation. Once a signature is made, the crypto assets are usually gone for good.

Common types of crypto phishing attacks

Phishing has adapted to the unique structure of the cryptocurrency ecosystem. It is no longer just about email. Here are the most common attack patterns.

Wallet drainer and cryptodrainer scams

These attacks use wallet-connecting dApps that look like legitimate protocols. Users are prompted to sign what appears to be a normal approval. In reality, it is a high-value (often unlimited) approval to a malicious contract. These dApps are typically reached through imposter websites, phishing URLs, or fake QR codes.

The airdrop story above is an example of this sort of scam. Often, though, wallet-draining scams start at the social engineering level, building trust before prompting users to connect to the malicious application.

Social engineering and impersonation

In these types of phishing scams, attackers reach out via social media, Discord, Telegram, or phishing emails. They often claim to be from a wallet provider, cryptocurrency exchange, or customer support team. Their goal is to collect personal information, seed phrases, or prompt a phishing authorization.

As an example, in January 2024, attackers took over the X social media account of Mandiant, a cybersecurity company that is now part of Google Cloud. Once in control of the account, they rebranded it to impersonate the Phantom wallet and posted links to a phishing site that posed as an airdrop for the $PHNTM token. The scam resulted in a loss of Solana assets valued at around $900K USD.

Malicious browser extensions 

Some phishing attacks are deployed through fake wallet interfaces or malicious browser extensions. These can monitor clipboard data, initiate background transactions, or swap wallet addresses without the user realizing it.

As recently as July 2025, researchers at Koi Security found more than 40 fake wallet extensions in the Firefox add-on store that impersonated trusted browser-based wallet providers in order to steal seed phrases and other sensitive information.

This highlights how attackers continue to exploit even trusted distribution channels, making proactive security measures more critical than ever.

Investment and opportunity scams

Many phishing attacks are packaged as opportunities. With the rise of AI, scammers can now use deepfake videos and celebrity impersonation to lend further credibility to fake projects.

One such operation ran a fake cryptocurrency site called AdmiralsFX, which used a combination of fake celebrity endorsements and high-pressure sales tactics to steal upwards of $35 million USD from 6,000 individuals around the world.

Victims were guided to log in to fake trading platforms and shown fraudulent dashboards simulating profits to build trust. The phishing occurred when victims entered login credentials or approved crypto transfers on these malicious platforms.

Each of these phishing scams targets a specific weakness in user behavior, something that lies entirely outside of the developer's control. Without a wallet that can enforce policies, developers must rely on users to spot phishing attempts, interpret risky transactions, and follow best practices on their own, which is an unrealistic expectation, especially at scale.

Why wallet infrastructure often fails to block phishing

Phishing attacks have been effective because traditional crypto wallet infrastructure lacks proper enforcement controls. Most wallets assume users will recognize a scam. That is not a safe assumption.

Here are several reasons why many wallets miss the mark on mitigating phishing attacks:

1. No awareness of transaction context
Wallets often cannot detect if a transaction is dangerous or unexpected. A phishing authorization that drains a wallet looks identical to a normal approval in most signing flows.

2. No connection between application and intent
Wallets do not verify whether the request comes from a trusted platform or a suspicious source. This makes it easy for malicious websites or fake dApps to submit phishing transactions.

3. No policy layer for enforcement
Users may suspect something is wrong, but most wallets offer no way to enforce a security policy. There is no built-in support for limiting what types of transactions can be signed or under what conditions.

4. No control over persistent approvals
Attackers often exploit forgotten or unused ERC-20 approvals. These permissions remain active for months unless the user manually revokes them. Revoking old approvals should be a standard part of wallet hygiene, yet most infrastructure does not automate it.

The result is that attackers don’t need to break into wallets. They only need to wait for users to sign something they shouldn’t.

What happens after a phishing attack?

Once a phishing transaction is signed, the loss is nearly always permanent. Cryptocurrency assets are transferred instantly, often using automated scripts that batch and sweep funds across mixers, bridges, or exchanges. 

There is no rollback, no chargeback, and no customer support mechanism to recover assets.

Even users of highly trusted, well-secured applications can fall victim to this. For example, in 2022, a user of the Coinbase browser wallet joined a mining pool on a dApp that promised very high yield on Ethereum. By signing a single transaction, the user unwittingly granted the dApp permission to withdraw the entire balance of the wallet.

From a developer's perspective, this creates a critical asymmetry. No matter how secure your backend or smart contracts are, a single compromised wallet signature from a user can result in irreversible damage. The exploit does not need to touch your infrastructure. It only needs to hijack user intent.

What follows is often worse. In many cases, the phishing incident does not end with the initial theft. Attackers often use the stolen information or onchain activity to target the same user again, this time through more personalized and persistent social engineering.

For developers, the impact often extends beyond the initial user loss:

  • Support teams may see an increase in tickets from users who mistakenly associate phishing losses with the platform, even when no internal systems were compromised.

  • Brand perception can take a hit. When phishing incidents happen around your platform, users may share negative experiences publicly, which can influence how others view your product.

  • User onboarding may slow down. Widespread phishing activity can create hesitation among new users, especially if the signing experience does not clearly guide or protect them.

And crucially, because traditional wallet architectures lack fine-grained policy controls, developers are stuck trying to patch over the issue with surface-level defenses: warning modals, red-banner alerts, education campaigns. But once the user signs, those defenses end.

To build secure crypto applications, developers need infrastructure that can enforce user intent.

A wallet should be able to reject transactions that don’t match expected behavior, based on the contract, the context, or a defined policy. This is the only way to take the burden off the user and build safer platforms.

How Developers Can Prevent Phishing Attacks

User education helps, but it’s never enough. Even the most experienced users can get fooled. That’s why infrastructure needs to take charge.

The best way to stop phishing is to design wallets that do not rely solely on user judgment. Instead, build in guardrails that make dangerous actions harder or impossible to complete.

Here are practical ways developers can harden wallet infrastructure:

  • Set signing rules based on transaction type and destination. If something looks off, the wallet should refuse to sign it.

  • Block unverified sources. Transactions from unknown apps or URLs should be automatically rejected.

  • Restrict transfers to a known set of wallet addresses. If the address is not approved, the transfer does not go through.

  • Deny smart contract approvals unless the contract is on an allowlist. Unknown contracts are too risky.

  • Enforce session-based limits. Control how much can be transferred or how often actions can be taken within a single session.

  • Require two-factor authentication for sensitive operations like approvals or large transfers.

All of this can be enforced with a policy engine. When rules are in place, wallets stop reacting to every user click and instead follow intent. That shift is essential for building truly secure crypto applications.
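To make the rules above concrete, here is a small policy engine written for this article as an added example. It is not Turnkey's code or API, and the addresses, origin and policy values are constructed. It decodes the two ERC-20 calls that matter most for drainer phishing, approve(address,uint256) and transfer(address,uint256), and enforces an origin allowlist, a recipient allowlist, a contract/spender allowlist, a cap on approval amounts (which rejects the unlimited approvals discussed under "No control over persistent approvals"), and a per-session cap on native value.

```python
"""Added example: a minimal policy engine for wallet signing requests.

Illustrative code written for this article, not Turnkey's product or API.
It assumes a request carries the dApp origin, the EVM `to` address, native
value in wei and raw calldata; real integrations will differ.
"""
from dataclasses import dataclass

# ERC-20 function selectors (first 4 bytes of keccak256 of the signature)
ERC20_APPROVE = "095ea7b3"   # approve(address,uint256)
ERC20_TRANSFER = "a9059cbb"  # transfer(address,uint256)
UINT256_MAX = (1 << 256) - 1  # the "unlimited" allowance drainers ask for


@dataclass(frozen=True)
class Policy:
    allowed_origins: frozenset     # dApp origins permitted to request signatures
    allowed_recipients: frozenset  # addresses value/token transfers may go to
    allowed_contracts: frozenset   # token contracts and spenders that may be approved
    session_limit_wei: int         # cap on native value moved in one session
    max_approval: int              # cap on any single ERC-20 allowance


@dataclass
class Session:
    spent_wei: int = 0


@dataclass(frozen=True)
class SignRequest:
    origin: str       # where the request came from
    to: str           # EVM `to` field
    value_wei: int    # native value
    data: str = "0x"  # calldata as hex


def _norm(s: str) -> str:
    return s.lower()


def encode_erc20(selector: str, addr: str, amount: int) -> str:
    """ABI-encode approve/transfer calldata (used here only to build sample requests)."""
    return "0x" + selector + _norm(addr)[2:].rjust(64, "0") + format(amount, "064x")


def decode_erc20(data: str):
    """Return (selector, address, amount) for approve/transfer calldata, else None."""
    d = _norm(data)
    d = d[2:] if d.startswith("0x") else d
    if len(d) != 8 + 64 + 64:
        return None
    selector = d[:8]
    if selector not in (ERC20_APPROVE, ERC20_TRANSFER):
        return None
    address = "0x" + d[32:72]   # last 20 bytes of the first 32-byte word
    amount = int(d[72:], 16)
    return selector, address, amount


def evaluate(policy: Policy, session: Session, req: SignRequest):
    """Decide whether the wallet may sign `req`; returns (allowed, reason).

    The session's running total is only updated when a request is allowed.
    approve(spender, 0) is a revocation and passes the approval cap.
    """
    if req.origin not in policy.allowed_origins:
        return False, f"origin not trusted: {req.origin}"
    to = _norm(req.to)
    call = decode_erc20(req.data)
    if call is None:
        if _norm(req.data) not in ("", "0x"):
            return False, "unrecognized contract call"
        if to not in policy.allowed_recipients:
            return False, f"recipient not allowlisted: {to}"
        if session.spent_wei + req.value_wei > policy.session_limit_wei:
            return False, "session transfer limit exceeded"
        session.spent_wei += req.value_wei
        return True, "native transfer within policy"
    selector, address, amount = call
    if to not in policy.allowed_contracts:
        return False, f"token contract not allowlisted: {to}"
    if selector == ERC20_APPROVE:
        if address not in policy.allowed_contracts:
            return False, f"spender not allowlisted: {address}"
        if amount > policy.max_approval:
            return False, "approval exceeds cap (unlimited approvals are drainer bait)"
        return True, "approval within policy"
    if address not in policy.allowed_recipients:
        return False, f"token recipient not allowlisted: {address}"
    return True, "token transfer within policy"


# Constructed sample addresses, origin and policy (not real deployments)
TOKEN, DEX, PAYEE, DRAINER = ("0x" + b * 20 for b in ("11", "22", "33", "44"))
TRUSTED_ORIGIN = "https://app.example"
POLICY = Policy(
    allowed_origins=frozenset({TRUSTED_ORIGIN}),
    allowed_recipients=frozenset({PAYEE}),
    allowed_contracts=frozenset({TOKEN, DEX}),
    session_limit_wei=2 * 10**18,
    max_approval=10**9,
)


def demo():
    """Run a legitimate approval, three phishing-style requests and two transfers."""
    s = Session()
    cases = [
        SignRequest(TRUSTED_ORIGIN, TOKEN, 0, encode_erc20(ERC20_APPROVE, DEX, 10**6)),
        SignRequest(TRUSTED_ORIGIN, TOKEN, 0, encode_erc20(ERC20_APPROVE, DRAINER, UINT256_MAX)),
        SignRequest(TRUSTED_ORIGIN, TOKEN, 0, encode_erc20(ERC20_APPROVE, DEX, UINT256_MAX)),
        SignRequest("https://fake-airdrop.example", TOKEN, 0, encode_erc20(ERC20_APPROVE, DEX, 1)),
        SignRequest(TRUSTED_ORIGIN, PAYEE, 10**18),
        SignRequest(TRUSTED_ORIGIN, PAYEE, 2 * 10**18),
        SignRequest(TRUSTED_ORIGIN, DRAINER, 0, "0xdeadbeef"),
    ]
    return [evaluate(POLICY, s, c) for c in cases]


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", why)
```

The deny decisions are made before any signature exists, so the wallet never has to rely on the user spotting that the "airdrop" spender is unknown or that the allowance is 2^256-1. A production engine would add the other rules in the list above (per-operation second factor, rate limits) and would decode more than two selectors, but the shape is the same: every request is matched against explicit intent, and anything unmatched is refused.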


How Turnkey helps stop phishing with policy-based signing

Turnkey's infrastructure integrates secure enclaves and programmable policies, allowing developers to define conditions for every signature. Whether the wallet is used for DeFi, gaming, or payments, developers can create purpose-specific wallets with tightly scoped permissions.

With Turnkey, developers can:

  • Restrict signing to trusted platforms and applications

  • Block approval transactions to unverified smart contracts

  • Prevent signing from malicious websites or browser extensions

  • Detect and stop phishing flows based on app origin or user behavior

  • Set custom rules that reflect the expected intent of each wallet

The result is a system that actively prevents phishing attacks instead of reacting to them after they happen.

Developers do not need to build custom logic for each scenario. Instead, they configure rules using Turnkey’s simple API, which ensures consistent enforcement across all transactions.

By shifting control from the user interface to the policy engine, Turnkey helps teams build phishing-resistant wallets from the ground up. This is not a patch or a warning screen. It is infrastructure that refuses to act against intent.

Define safe behavior and mitigate phishing with Turnkey

Phishing attacks are evolving faster than most wallets can respond. They target real weaknesses in infrastructure, not just user behavior.

Developers who build wallet infrastructure need to treat phishing as a design challenge. Policy is the only scalable way to handle this.

With Turnkey, you can define safe behavior, enforce it, and prevent malicious activity from ever reaching the chain.

Create your Turnkey account today and start building wallets that stop phishing attacks before they happen. 
