
Securing crypto wallets against external attacks with Turnkey

August 27, 2025
Bryce Ferguson, Co-Founder & CEO of Turnkey

With the increased adoption of crypto, threats to digital wallets, whether external or internal, continue to expand in scope and sophistication. 

In the first part of 2025 alone, hackers have stolen more than $2.5 billion from web3 services, and personal wallets are increasingly at risk too, now accounting for nearly 24% of all stolen funds.

These attacks are no longer just about tricking users; they target the technical foundations of wallets themselves. The recent GreedyBear campaign, attributed to a Russian-speaking group and responsible for over $1 million in theft, illustrates the shift: more than 150 fake browser extensions and some 600 malicious tools impersonated MetaMask, TronLink, and other wallets to harvest credentials and seed phrases.

For developers building decentralized applications, it’s clear that security can’t be an afterthought. As these threats grow more sophisticated, wallets must also evolve, delivering modern defenses that go beyond the basics.

This article unpacks the most common external threats targeting crypto wallets today, and shows how Turnkey’s programmable wallet infrastructure equips developers to build applications that stay secure under real-world attacks.

Why crypto wallets are high-value targets in the digital threat landscape

At their core, wallets don’t “store” digital assets; they manage private keys and onchain authorization, which makes them the single point of truth for user funds and dApp transactions.

That centrality makes them irresistible to attackers. There are several reasons for this:

  • Control equals capital: Whoever controls the wallet’s keys effectively controls the assets. Unlike traditional banking, there’s no customer support line or chargeback when credentials are compromised.

  • Shifted responsibility: Non-custodial wallets hand users and developers the responsibility of key security. Weak seed phrase storage, poor implementation, or accidental exposure can mean instant loss.

  • Human error + technical flaws: Social engineering, phishing, and malicious extensions exploit user behavior, while exploits like address poisoning and API misconfigurations target the wallet stack itself.

For developers, this means wallet infrastructure isn’t just a background component; it’s the attack surface most likely to be tested first. And if the foundation is weak, everything built on top inherits that weakness.


Common external threats to crypto wallets (and how to mitigate them)

The threats facing wallets today fall into several recurring patterns. Each has its own tactics, examples, and mitigation strategies that highlight why modern wallet infrastructure matters.

1. Phishing attacks and credential misuse

How it works: Scammers deploy fake wallet sites, phishing emails, and malicious signing prompts to trick users into revealing credentials or authorizing fraudulent transactions. Adversary-in-the-Middle (AiTM) phishing campaigns proxy the real login page and relay the live session, so they can bypass one-time-code and push-based MFA; only origin-bound, phishing-resistant credentials such as passkeys (WebAuthn) resist them.

Example: The Inferno Drainer phishing-as-a-service platform impersonated major Web3 protocols like WalletConnect and Coinbase. It targeted users via fake airdrop sites, resulting in over $80 million stolen by late 2023.

Mitigation through modern wallet infrastructure:

  • Origin controls: Restrict signing to verified domains and apps.

  • Payload inspection: Simulate and validate transactions before execution.

  • Key isolation: Keep keys in secure enclaves, never exposed to the browser.

  • User & runtime safeguards: Implement programmable approvals and anomaly monitoring to cut off compromised sessions. 

2. Man-in-the-Middle (MitM) and Browser Injection Attacks

How it works: Wallet interactions are hijacked at the network level or injected through compromised browsers. Browser extension wallets are especially exposed, as unverified scripts can alter signing prompts or redirect API calls.

Example: The JSCEAL campaign ran more than 35,000 malicious ads across Europe pushing trojanized crypto-trading app installers, which injected code into wallet sessions and stole credentials at scale.

Mitigation through modern wallet infrastructure:

  • Origin controls: Enforce TLS, mutual auth, and secure API endpoints.

  • Payload inspection: Require integrity-verified, signed frontend code before signing transactions.

  • Key isolation: Sign exclusively within hardware-backed enclaves, never exposing keys to compromised browsers.

  • User & runtime safeguards: Ensure session integrity and detect persistent anomalous behavior across endpoints.

3. Malicious Software Targeting Wallet Secrets

How it works: From keyloggers to clipboard hijackers to specialized “drainer” malware, attackers increasingly plant malicious software to exfiltrate wallet keys or silently reroute funds. Cracked software and trojanized browser extensions remain common infection vectors.

Example: In January 2024, researchers uncovered a macOS backdoor embedded in cracked software installers. The malware replaced legitimate wallet apps such as Bitcoin Core and Exodus with trojanized versions that stealthily harvested private keys and seed phrases from victims’ systems.

Mitigation through modern wallet infrastructure:

  • Origin controls: Block execution of wallet actions from unapproved apps or devices.

  • Payload inspection: Detect suspicious transfers and flag unusual destination addresses.

  • Key isolation: Never store raw keys locally; sign only in secure enclaves.

  • User & runtime safeguards: Force delays for large transactions and limit the impact of malware-initiated requests with policy-driven approvals.

4. Address Poisoning and Transaction Interface Spoofing

How it works: Attackers generate lookalike addresses whose first and last few characters match a counterparty the victim already uses, then send zero-value or dust transfers from them so the lookalike shows up in the victim’s transaction history. Victims who copy-paste or “autofill” from that history send funds straight to the attacker. Losses are rising sharply across Ethereum and EVM chains.

Example: A January 2025 study uncovered over 270 million address poisoning attempts targeting Ethereum and BNB Chain between July 2022 and June 2024. Of those, 6,633 incidents succeeded. This caused more than $83.8 million in losses, making it one of the largest phishing schemes in crypto history.

Mitigation through modern wallet infrastructure:

  • Origin controls: Bind transactions to approved apps and interfaces, blocking spoofed UIs.

  • Payload inspection: Verify destination addresses against allowlists and past usage automatically.

  • Key isolation: Ensure address and transaction checks are enforced before signing within the enclave.

  • User & runtime safeguards: Provide programmable UI warnings and enforce user confirmations on suspicious or new addresses.
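The destination check described above, as an added example that is not Turnkey’s code: a lookalike detector that compares a requested destination against the counterparties the user has genuinely paid before, and refuses to auto-sign anything that matches only on the displayed head and tail. The helper names, the threshold and the sample addresses are assumptions made for this example.

```javascript
// Added example (not Turnkey's code): flag address-poisoning lookalikes
// before a destination reaches the signer. Helper names are hypothetical.

// Normalise an EVM address to 40 lowercase hex characters (drops 0x and
// ignores EIP-55 checksum casing so mixed-case variants compare equal).
function normalize(addr) {
  const a = String(addr).trim().toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(a)) throw new Error(`invalid EVM address: ${addr}`);
  return a.slice(2);
}

// Length of the common prefix and common suffix of two equal-length strings.
function sharedAffix(a, b) {
  let head = 0;
  while (head < a.length && a[head] === b[head]) head++;
  let tail = 0;
  while (tail < a.length - head && a[a.length - 1 - tail] === b[b.length - 1 - tail]) tail++;
  return { head, tail };
}

// Classify a destination against counterparties the user has actually paid.
// A poisoned address is engineered to match the leading and trailing characters
// that wallet UIs display ("0x1234...ef56") while differing in the hidden middle.
function classifyDestination(dest, trusted, { minAffix = 4 } = {}) {
  const d = normalize(dest);
  const known = trusted.map(normalize);
  if (known.includes(d)) {
    return { verdict: 'known', reason: 'exact match with a prior counterparty' };
  }
  for (const k of known) {
    const { head, tail } = sharedAffix(d, k);
    if (head >= minAffix && tail >= minAffix) {
      return {
        verdict: 'lookalike',
        reason: `shares ${head} leading and ${tail} trailing hex chars with 0x${k}`,
      };
    }
  }
  return { verdict: 'new', reason: 'never paid before; require explicit confirmation' };
}

// Only an exact match with a trusted counterparty may be signed without a
// human confirmation step; lookalikes should be blocked outright.
function shouldAutoSign(dest, trusted) {
  return classifyDestination(dest, trusted).verdict === 'known';
}

// Constructed sample data: these are not real addresses.
const TRUSTED = ['0x1234abcd' + '1'.repeat(28) + 'ef56'];
const POISONED = '0x1234ABCD' + '9'.repeat(28) + 'EF56'; // same head/tail, different middle
const UNSEEN = '0xdeadbeef' + '0'.repeat(28) + 'cafe';

for (const dest of [TRUSTED[0], POISONED, UNSEEN]) {
  const { verdict, reason } = classifyDestination(dest, TRUSTED);
  console.log(`${dest}: ${verdict} (${reason}); auto-sign=${shouldAutoSign(dest, TRUSTED)}`);
}
```

The threshold of four matching characters at each end mirrors what most wallet UIs truncate to; raise it if your interface shows more, and treat a `lookalike` verdict as a hard block rather than a warning, since a user who has already pasted the wrong address is unlikely to notice the difference in a confirmation dialog.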

5. Dusting Attacks for Tracking and Profiling

How it works: By sending minuscule amounts of tokens to wallets, attackers can track and cluster activity onchain, deanonymizing users. Dust is often a prelude to more targeted phishing or extortion attempts.

Example: Analysts have identified coordinated dusting campaigns on BNB Chain that preceded targeted phishing efforts, highlighting a growing trend in behavioral profiling.

Mitigation through modern wallet infrastructure:

  • Origin controls: Filter unsolicited or unverified token contracts at the infrastructure layer.

  • Payload inspection: Block or label interactions with suspicious dust assets.

  • Key isolation: Prevent signing interactions with unrecognized assets at the key level.

  • User & runtime safeguards: Enact automated privacy features such as address rotation and user alerts.

6. Physical Coercion and Executive Impersonation (“Wrench Attacks”)

How it works: Increasingly, threats extend beyond cyberspace. Public-facing executives and known crypto holders face coercion, blackmail, or even physical violence to force fund transfers. In parallel, social engineering campaigns impersonate leadership to push fraudulent approvals.

Example: In January 2025, French authorities reported that a Ledger co-founder and his wife were kidnapped from their home in central France and held for a crypto ransom, underscoring the growing risk of physical coercion against high-profile crypto holders.

Mitigation through modern wallet infrastructure:

  • Origin controls: Restrict wallet actions to geo-fenced or device-bound environments, so a signing request made under duress from an unexpected location or device is rejected.

  • Payload inspection: Enforce strict checks on transaction size, frequency, and counterparties to make it more difficult for attackers to steal funds all at once.

  • Key isolation: Require multiple enclave-backed keys for any high-value approval, in order to protect assets even if one key is compromised.

  • User & runtime safeguards: Multi-party policies, enforced time delays, and emergency kill-switches to prevent instant coercion-based drains.
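The origin allowlist from section 1 and the transaction limits, enforced delays and multi-party approvals from sections 3 and 6, combined into one policy evaluator. This is an added example, not Turnkey’s policy engine or its policy language; the rule names, the limits and the request shape are assumptions made for the example.

```javascript
// Added example (not Turnkey's policy engine): evaluate a signing request
// against origin, value, velocity, hold-time and quorum rules. Field names
// and limits are assumptions for this example.

const ONE_ETH = 10n ** 18n; // wei as BigInt, so no float rounding

// Constructed policy.
const POLICY = {
  allowedOrigins: new Set(['https://app.example.com']),
  perTxLimitWei: 5n * ONE_ETH,   // hard cap on any single transaction
  dailyLimitWei: 20n * ONE_ETH,  // rolling 24h cap across all transactions
  holdAboveWei: 2n * ONE_ETH,    // above this value the hold and quorum rules apply
  holdSeconds: 3600,             // cancellation window before a large transfer signs
  quorum: 2,                     // distinct approvers other than the requester
};

// Sum of prior outflows inside the rolling window. history: [{ valueWei, atSec }].
function spentInWindow(history, nowSec, windowSec = 86400) {
  return history
    .filter((h) => nowSec - h.atSec < windowSec)
    .reduce((sum, h) => sum + h.valueWei, 0n);
}

// req: { origin, to, valueWei, requester, approvers, requestedAtSec }
// Returns { decision: 'deny' | 'hold' | 'sign', reasons: [...] }.
function evaluateRequest(req, policy, history, nowSec) {
  const reasons = [];

  // Hard denials first: nothing a coerced user or malware can do (waiting,
  // collecting signatures) turns these into an approval.
  if (!policy.allowedOrigins.has(req.origin)) reasons.push(`origin ${req.origin} is not allowlisted`);
  if (req.valueWei > policy.perTxLimitWei) reasons.push('exceeds per-transaction limit');
  if (spentInWindow(history, nowSec) + req.valueWei > policy.dailyLimitWei) reasons.push('exceeds rolling 24h limit');
  if (reasons.length) return { decision: 'deny', reasons };

  // Soft holds for high-value transfers: the delay gives the real owner a window
  // to cancel, and the quorum means one compromised or coerced approver is not enough.
  if (req.valueWei > policy.holdAboveWei) {
    const others = new Set((req.approvers ?? []).filter((a) => a !== req.requester));
    if (others.size < policy.quorum) reasons.push(`${others.size}/${policy.quorum} independent approvals`);
    const elapsed = nowSec - req.requestedAtSec;
    if (elapsed < policy.holdSeconds) reasons.push(`${policy.holdSeconds - elapsed}s of hold window remaining`);
    if (reasons.length) return { decision: 'hold', reasons };
  }

  return { decision: 'sign', reasons: ['within policy'] };
}

// Constructed demo requests.
const NOW = 1_700_000_000;
const base = { origin: 'https://app.example.com', to: '0x' + 'ab'.repeat(20), requester: 'alice', approvers: [], requestedAtSec: NOW };
const samples = [
  { ...base, valueWei: ONE_ETH },                                                       // routine transfer
  { ...base, origin: 'https://app-example.co', valueWei: ONE_ETH },                     // phishing origin
  { ...base, valueWei: 3n * ONE_ETH, approvers: ['alice'] },                            // requester approving herself
  { ...base, valueWei: 3n * ONE_ETH, approvers: ['bob', 'carol'], requestedAtSec: NOW - 7200 },
  { ...base, valueWei: 6n * ONE_ETH },                                                  // over the hard cap
];
for (const req of samples) {
  const { decision, reasons } = evaluateRequest(req, POLICY, [], NOW);
  console.log(`${req.origin} ${req.valueWei / ONE_ETH} ETH -> ${decision}: ${reasons.join('; ')}`);
}
```

Two design points matter against coercion specifically: denials are evaluated before holds, so an attacker cannot turn an over-limit request into a pending one by collecting signatures, and the requester is excluded from the approver count, so a single person under duress can never satisfy the quorum alone. In production the evaluation must run where the key lives (the enclave), not in the client that submits the request.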

How Turnkey Protects Against Today’s External Threats

Enterprise-grade security, built by the team behind Coinbase Custody, is at the core of Turnkey’s design. 

Instead of juggling manual key management and patchwork security practices, teams can rely on programmable wallet infrastructure that automates secure workflows and hardens every attack surface.

Turnkey Threat Protections, by Category

  • Phishing / credential misuse: OAuth-based login with enforced 2FA, domain-locked signing flows, and detailed audit logs that flag suspicious activity.

  • MitM / browser injections: End-to-end TLS, enclave-isolated key operations, and signed API requests that cannot be tampered with mid-flow.

  • Malware / key theft: Non-custodial key storage where raw keys never leave the enclave, combined with strict non-exportability and full audit trails.

  • Address poisoning: Transaction simulation and policy-driven checks validate destination addresses before signing, preventing mismatches or lookalike substitutions.

  • Dusting attacks: API-level controls identify unsolicited or suspicious token interactions and automatically block signing requests involving those assets.

  • Physical coercion: Multi-party approvals, programmable delays, and geo-restricted policies enforced at the infrastructure level prevent unauthorized high-value transfers.

With these protections, wallet security is no longer a bolt-on; it is embedded directly into the infrastructure. Developers can focus on shipping seamless dApp experiences, knowing that every transaction, approval, and key interaction is guarded by the same institutional safeguards trusted by the largest players in crypto.

Turnkey brings those safeguards into a programmable form, giving builders not just security but also the flexibility to define custom policies, automate secure workflows, and adapt to evolving threats without sacrificing user experience.


External threats are real but avoidable with Turnkey

Wallets remain one of the most attractive and consistently targeted attack surfaces in crypto. From phishing campaigns and poisoned addresses to malware and physical coercion, attackers are evolving quickly, and losses are measured in billions.

The lesson for developers is straightforward: security must be embedded into wallet infrastructure itself, not added as an afterthought. When protections like domain-locked flows, enclave-backed key management, and programmable approval policies are part of the foundation, external threats can be effectively contained.

Turnkey delivers that foundation, bringing institutional-grade safeguards to programmable wallet infrastructure so developers can focus on building seamless applications while staying secure.
