Cointime

Download App
iOS & Android

SlowMist: How to Choose an Anti-Phishing Plugin

Background

The idea of Bitcoin was first presented by Satoshi Nakamoto in November 2008, and it was officially launched in January 2009. As the global digital economy gained momentum, the notion of encrypted assets, such as NFTs, began to gain traction. Colored Coin, a token similar to NFTs, was developed in 2012 using small denominations of Bitcoin, with the minimum unit being one satoshi. With the continued advancement of technology, NFTs gained immense popularity in 2021 and gradually became one of the most popular investment trends in the market.

NFTs are currently fetching exorbitant prices, with examples such as “Everydays: The First 5000 Days” by Beeple selling for $69,346,250 on Christie’s official website and a virtual plot of land on the Sandbox virtual gaming platform selling for $4.3 million. As the craze persists, a wave of costly projects is keeping people on edge. However, this steep valuation has also attracted the notice of criminals, resulting in a rise in phishing and theft aimed at NFTs.

The Current State of NFTs

The opening narration of the Netflix documentary “Trust No One: The Hunt for the Crypto King” recounts the tale of the CEO of QuadrigaCX, the biggest cryptocurrency exchange in Canada, who passed away under puzzling circumstances, leaving behind $250 million in customer funds. Many of the concerned investors reject the official explanation, suspecting that the CEO’s alleged demise may have been part of a “Phoenix Scam,” in which he faked his death and ran away with their money.

The QuadrigaCX saga, however, is just one example of the many issues faced by the Web3 community. Theft is almost a routine occurrence in the NFT world that we are discussing today, and there are numerous high-profile cases to illustrate this fact:

On February 21, 2021, a phishing attack of the personal_sign type was perpetrated against an OpenSea user. As a result, 32 users signed a harmful transaction from the attacker, leading to the loss of various NFTs, including BAYC, Azuki, and close to a hundred others, with a value of $4.2 million at the time.

On April 29, 2022, a Bored Ape NFT belonging to Jay Chou was stolen, with a value of 3.2 million RMB.

On May 25, 2022, A Twitter user with the handle @0xLosingMoney reported that a user named @Dvincent_ had stolen 29 Moonbird NFTs, valued at over $700,000, by means of a phishing website named p2peers[.]io.

On June 28, 2022, Nickydooodles.eth, the creator of the Web3 initiative Metabergs, disclosed that his wallet had been hacked through a phishing attempt. The attacker made off with 17 ETH, which was approximately worth $21,077 at the time, as well as all of his NFT collections, including Goblintown NFT, Doodles NFT, Sandbox Land, and many others.

On November 1, 2022, the Discord channel of the KUMALEON initiative was breached, and nearly 111 NFTs belonging to the community were taken, which included BAYC #5313, ENS, ALIENFRENS, Art Blocks, and various other assets.

On December 31, 2021, Kramer, a user of Twitter, claimed that he fell victim to a phishing attack. He clicked on a link that seemed to belong to a legitimate NFT DApp, but in reality, it was a scam. The result was the loss of 16 of his NFTs, consisting of 8 Bored Apes, 7 Mutant Apes, and 1 Clonex, with a total worth of $1.9 million.

On January 15, 2023, the famous blogger @NFT_GOD suffered a severe loss when all of his accounts, cryptocurrencies, and NFTs were stolen. The theft occurred after he clicked on a phishing ad link on Google. The compromised accounts included Substack, Twitter, and various other platforms.

On January 26, 2023, Kevin Rose, the creator of the renowned NFT initiative Moonbirds, suffered a hacking incident that led to the loss of over 40 NFTs, which had a value of over $2 million.

On January 28, 2023, the official Twitter account of the famed NFT venture Azuki was compromised. As a result, its followers were directed to phishing links, which led to the theft of over 122 NFTs, valued at over $780,000.

On February 8, 2023, a victim lost more than $1.2 million in USDC to a long-running NFT phishing scam that was linked to a fraudulent address.

….

In response to the frequent and significant consequences of NFT theft, SlowMist Technology has released two specialized tracking analyses to address NFT phishing groups.

In light of the frequency and severity of NFT theft, SlowMist Technologies has published two targeted tracking analyses to combat NFT phishing groups. On December 24, 2022, SlowMist Technologies released the “Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users” worldwide. An APT group carried out widespread phishing attacks against NFT users within the encrypted ecosystem. The involved addresses have been flagged as high-risk phishing addresses by MistTrack, and the APT group managed to obtain 1,055 NFTs, resulting in a profit of almost 300 ETH.

According to MistTrack-related data statistics, SlowMist Technologies released “ Analysis of Monkey Drainer NFT Phishing Group” on February 10, 2023. The Monkey Drainer group made roughly $12.97 million through phishing, obtaining 7,059 NFTs and 4,695.91 ETH, which equated to $7.61 million and constituted 58.66% of the stolen funds. The profit from ERC20 tokens amounted to around $5.362 million, representing 41.34% of the stolen funds. The primary ERC20 token types included USDC, USDT, LINK, ENS, and stETH.

As of January 2023, hundreds of high-profile security breaches have resulted in the loss of almost $200 million worth of NFTs, according to data from SlowMist’s blockchain hacking event database (hacked.slowmist.io) and Elliptic.

https://hacked.slowmist.io/

SlowMist’s findings indicate that in 2022, NFT theft incidents were primarily centered around the Ethereum network and social media channels. Attackers employed a variety of techniques, including counterfeit domains, fake domain names that resembled project parties, malicious trojans, and phishing attacks through false links distributed via Discord intrusions. The average loss per phishing attack was around $100,000. It appears that hackers are the only ones benefiting, irrespective of whether the market is bullish or bearish.

Given the hostile environment of phishing and fraud, in which both regular users and project creators are frequent targets, what measures can NFT users take to protect themselves? Are users merely regarded as defenseless prey in these scenarios?

Absolutely not! We have been promoting a blend of human prevention and technical prevention measures, encompassing personal security awareness defense and technical defense tactics. Personal security awareness defense pertains to an individual’s security consciousness. We suggest that cryptocurrency users take a cue from the Blockchain Dark Forest Self-Defense Manual.

Given that humans are intricate, advanced beings, we will not delve into personal security awareness defense in-depth today. Instead, we strongly encourage everyone to carefully peruse the Blockchain Dark Forest Self-Defense Manual.

What do technical defense measures entail? In essence, it involves utilizing security measures such as software, hardware, and browser plug-ins to safeguard assets. Within the NFT user community, the most frequently used operational technique is browser interaction, accounting for 90%, and it is also the most susceptible environment. Currently, numerous anti-phishing browser plug-ins are available on the market. In the following section, we will scrutinize and contrast these plug-ins, with the hope of offering some security guidance to NFT users.

Security Plugin Comparison

Disclaimer: The ensuing evaluation of various browser security plug-ins is solely grounded on fundamental information, live phishing detection for NFTs, and basic operational comparisons. SlowMist is simply an impartial third party and does not accept any liability or legal responsibility.

Let us now compare multiple well-known anti-phishing browser plug-ins from various perspectives and examine their respective features:

1. This will encompass parameters such as open-source availability, download counts, supported networks, and primary descriptions:

2. Real-time testing of NFT phishing websites and blacklists:

We looked for the most prevalent characteristics of North Korean APT NFT phishing and Monkey Drainer NFT phishing, conducted real-time feature scans, and detected the newest phishing websites of these groups, which were discovered roughly three hours apart. Let’s examine the responses provided by each anti-phishing plug-in:

The latest malicious NFT phishing website: https://blur.do (discovered on February 19, 2020, at 17:32:12 Beijing time)

The testing content is presented below:

1 - PeckShieldAlert (Aegis)

Outcome: No alerts; the phishing website opens without issue.

2 - Pocket Universe

Outcome: No alerts; the phishing website opens without issue.

3 - Revoke.cash

Outcome: No alerts; the phishing website opens without issue.

4 - Fire

Outcome: No alerts; the phishing website opens without issue.

5 - Scam Sniffer

Outcome: The phishing website was identified, and access to the site was blocked with a warning.

6 -Wallet Guard

Outcome: No alerts; the phishing website opens without issue.

7 -MetaDock

Outcome: No alerts; the phishing website opens without issue.

8-Metashield

Outcome: No alerts; the phishing website opens without issue.

9 - Stelo

Outcome: No alerts; the phishing website opens without issue.

To verify the real-time nature and authenticity of NFT phishing sites, the findings from nine installed plug-ins with a 3-hour time discrepancy are displayed below. (Please note that Wallet Guard has already been featured in the installed plug-ins.)

The aforementioned outcomes are actual and current NFT phishing site findings, taken around three hours apart.

3. Basic Content Operation Layer Test

1 - PeckShieldAlert (Aegis)

Upon installation, users must manually enter a Token Contract to initiate detection. This approach fails to satisfy NFT users’ pressing demand for immediate identification of phishing sites. It is akin to an online malevolent contract scanning plug-in.

personal_sign test: No prompt

2-Pocket Universe

Once installed, the plug-in commences detection only when the user initiates a transaction. As a result, it is unable to instantly notify users when they initially access an NFT phishing website. Let’s move on to the second step:

personal_sign test: The plug-in warns users when a high-risk address is identified based on the chain address and advises against signing, which is commendable and aligns with security plug-in expectations.

3 - Revoke.cash

In the first step, the NFT phishing website remains unmarked. However, in the second step, when the user visits the phishing website, the risky address is identified based on the chain address, and a warning is issued against signing. This corresponds with security plug-in expectations.

4-Fire

In the first step, the NFT phishing website is not labeled. In the second step, when the user accesses the phishing website, the high-risk address is not identified based on the chain address, and there is no warning concerning signing risk. Nonetheless, Fire can present the legibility of the signature pre-execution content, which is quite beneficial.

personal_sign test:No prompt

5 -Scam Sniffer

Upon installation, when users access an NFT phishing website, they are instantly alerted with a warning, and entry to the site is prohibited. This conforms to security plug-in standards.

personal_sign test:No prompt

6 -Wallet Guard

Once installed, the plug-in initiates detection only when the user triggers a transaction. Consequently, it is unable to promptly alert the user when they first open an NFT phishing website. Let’s proceed to the second step:

Personal_sign test: The plug-in prompts the user that the phishing website is marked (as identified by Wallet Guard’s malicious address library of Scam Sniffer), warns them against the risks, and advises against signing. This is still commendable and consistent with security plug-in standards.

7 -MetaDock

Once installed, the plug-in fails to provide any prompts or warnings about the risk when users connect to a phishing website. It appears to function more as a plug-in that necessitates active submission of a scan, rather than an anti-phishing plug-in, which doesn’t satisfy security plug-in standards. It’s probable that MetaDock is not an anti-phishing plug-in, and users who are interested can verify this with the project team.

personal_sign test:No prompt

8 -Metashield

Like “MetaDock” and “PeckShieldAlert”, these plugins do not provide immediate prompts or warnings when users connect to a phishing website and are tricked into signing. Instead, users need to actively submit a scan for the plugin to detect any potential risks. This approach may not meet the expectations of a security plugin.

personal_sign test:No prompt

9 - Stelo

Once installed, the plugin fails to provide any warnings or prompts to the user when they connect to a phishing website and are tricked into signing.

personal_sign test: The malicious information prompt provided by the plugin is low risk, which doesn’t meet the expectations of a security plugin.

And that concludes our comparison.

Comparison Results

The comparison results are presented in the following image:

After conducting the comparison, it was found that most of the security plugins did not perform well in the first step of the recognition process, which involves recognizing the phishing website when the user first opens it. Only Scam Sniffer managed to recognize the latest NFT phishing website with a time difference of 3 hours. However, in the second step, when the user connects to the phishing website and performs dangerous operations such as eth_sign and personal_sign, Pocket Universe, Revoke.cash, and Wallet Guard provide security risk alerts.

However, this is only a basic comparison, and there may be further refinements and updates in the future.

The accompanying image includes the list of tested security plugins and their respective version numbers.

We want to extend our appreciation to Wu Shuo Blockchain for initiating this comparison, and to the outstanding project teams of the security plugins that underwent testing. Although their product positioning and comparison results may vary, there is always room for improvement, and their efforts have undoubtedly elevated the standards of blockchain security.

The recommended combinations are presented for reference purposes only and should not be considered as advice. These combinations may potentially offer improved security for users based on the current comparison results:

  1. Rabby wallet + Scam Sniffer
  2. Rabby wallet + Pocket Universe
  3. MetaMask + Pocket Universe
  4. MetaMask + Revoke.cash

After Thoughts

In the blockchain industry, the main risks for individual users in phishing attacks are related to domain names and signatures. Approximately 90% of NFT phishing scams are associated with fraudulent domain names. Therefore, it is crucial for users to check the risk level of their target addresses before engaging in any on-chain transactions. If browser security plugins or wallets can provide immediate alerts to users when they encounter a phishing page, then the risk can be blocked at the very first step, preventing any further harm to the user. Similarly, in the Web 2.0 era, a 360 antivirus solution could solve the problem of viruses attacking inexperienced users, but it couldn’t solve all malware problems, such as virus elimination and bypassing. The effectiveness of antivirus software is determined by how much it can reduce the time gap, increase the number of samples, and improve its accuracy. The recommended combinations provided are for reference only and should not be construed as advice.

The ability of an anti-phishing security plugin to quickly identify and alert users of the real-time situation of phishing sites at the very first step, as well as to provide fast feedback and identification of phishing websites, will determine its effectiveness in the blockchain and NFT industries. Failure to recognize these phishing domains due to time lag significantly increases the risk of users losing their assets.

Moving on to the second step, when the user interacts with the authorization link and signature process, the browser security plugin or wallet with phishing signature recognition should be able to identify and display the detailed information that the user is authorizing, such as the authorized cryptocurrency, amount, recipient, and other user-readable data. For example, Rabby Wallet can prompt the user of the risk to a certain extent and help avoid the situation of financial losses.

To enhance the security of wallet projects, project teams should start by conducting a comprehensive security audit, with a focus on improving the security of user interactions, strengthening the “What you see is what you sign” mechanism, and reducing the risk of phishing attacks for users.

Here are some examples of measures that project teams can take to enhance security:

  • Phishing Website Warning: One measure that can be taken is implementing a phishing website warning system that leverages the power of the blockchain community to identify and collect all types of phishing websites. This way, users can be provided with prominent reminders and alerts whenever they interact with these sites to reduce the risk of falling victim to phishing attacks.
  • Signature Identification and Alerts: It is important to implement signature identification and alerts for requests such as eth_sign, personal_sign, and signTypedData to notify users and draw their attention to the risks of blind signing with eth_sign.
  • What You See Is What You Sign: To avoid phishing approvals, it is important to perform a detailed analysis of contract calls in wallets and provide users with specific details of DApp transaction construction.
  • Pre-execution Mechanism: A pre-execution mechanism is useful in helping users understand the potential effects of a transaction before it is broadcast and executed. This allows users to make informed decisions and judgments about whether or not to proceed with the transaction, thereby enhancing their overall security.
  • Fraud Alerts for Identical Ending Digits: A mechanism can be set up to display addresses with an alert, reminding users to check the complete target address to avoid fraud problems with identical ending digits. Additionally, a whitelist address mechanism can be implemented for users to add commonly used addresses to the whitelist, which can prevent similar attacks with identical ending digits.
  • AML Compliance: Using AML mechanisms, users can be reminded whether the target address will trigger AML rules when making transfers

SlowMist, a prominent blockchain security company, has been deeply involved in security audits for many years. Security audits not only provide users with peace of mind but also serve as one of the means to reduce the occurrence of attacks. Moreover, different institutions face difficulty in identifying and associating money laundering groups across different organizations, presenting a significant challenge to anti-money laundering efforts. For project teams, blocking and preventing the transfer of funds to malicious addresses in a timely manner is also crucial. The MistTrack anti-money laundering tracking system has accumulated over 200 million address labels, which can identify various wallet addresses of major global trading platforms, including over 1,000 address entities, more than 100,000 threat intelligence data, and over 90 million risk addresses. Interested parties can contact SlowMist to access the API. In conclusion, SlowMist hopes that all parties will collaborate to make the blockchain ecosystem more secure.

Get the latest news here: Cointime channel — https://t.me/cointime_en

NFT
Comments

All Comments

Recommended for you

  • A Total of 37,212.18 DMD Permanently Burned Over the Past 7 Days

    July 9, 2026 — According to the latest on-chain data released by DMDAO, a total of 37,212.18 DMD has been permanently burned over the past seven calendar days through the protocol's predefined trading and wealth management burn mechanisms.

  • Whale Transfers 1,133 BTC to Coinbase Prime, Valued at $71.48 Million

    According to Onchain Lens monitoring, a whale transferred 1,133 BTC from Coinbase to Coinbase Prime through an intermediary wallet, valued at $71.48 million.

  • U.S. AI Chip Stocks Decline Before Market Open, Intel Falls Over 3%

    On July 7, U.S. AI chip stocks experienced widespread declines before the market opened. Intel dropped over 3%, while AMD, Qualcomm, and NXP fell more than 2%. TSMC, Broadcom, and Tesla decreased by over 1%, and NVIDIA declined by 0.7%.

  • China's Central Bank Increases Gold Reserves for the 20th Consecutive Month

    As of the end of June, China's gold reserves stood at 75.44 million ounces (approximately 2,346.446 tons), an increase of 480,000 ounces (about 14.93 tons) from the end of May, which reported 74.96 million ounces (approximately 2,331.52 tons). This marks the 20th consecutive month of gold accumulation.

  • China's Foreign Exchange Reserves in June at $341.6262 Billion

    On July 7, China's foreign exchange reserves for June stood at $341.6262 billion, a decrease of $26 billion from the end of May, representing a decline of 0.75%, with expectations set at $343.2 billion.

  • U.S. Storage Stocks Drop Pre-Market, SanDisk and Micron Down Over 4%

    On July 7, U.S. storage concept stocks collectively fell in pre-market trading. Western Digital dropped over 5%, SanDisk and Micron Technology fell over 4%, Seagate Technology declined over 3%, Rambus fell over 2%, and SMI fell over 1%.

  • U.S. Stocks in Optical Communication Sector Drop Pre-Market

    On July 7, stocks in the optical communication sector of the U.S. market collectively fell pre-market. Astera Labs dropped over 4%, while Marvell Technology, Credo Technology, and AXT Inc. fell more than 3%. Tower Semiconductor, MaxLinear, Corning, Applied Optoelectronics, GlobalFoundries, Lumentum, and Qorvo all declined by more than 2%. Coherent, Nokia, Amphenol, and Broadcom dropped over 1%.

  • Pre-market Decline in U.S. Storage Stocks

    In pre-market trading, U.S. storage concept stocks experienced a widespread decline, with Micron Technology falling by 4.8%, SanDisk dropping over 4%, Corning down more than 2%, and Intel decreasing by over 3%.

  • Two Departments: Support for Reinsurance Institutions to Increase Capital and Issue Supplementary Capital Tools

    On July 7, the National Financial Supervision and Administration Bureau and the Shanghai Municipal Government released several measures to accelerate the construction of the Shanghai International Reinsurance Center. Among these measures, they proposed to enhance the quality and efficiency of the reinsurance industry, support reinsurance institutions in increasing capital and expanding shares, and issuing supplementary capital tools to improve the capacity for internal capital accumulation and external capital supplementation, thereby strengthening the reinsurance industry's capabilities. The initiative aims to guide the insurance industry to focus on major national projects, strategic emerging industries, and livelihood security, consolidating insurance and reinsurance underwriting capabilities to enhance risk protection levels. It also supports reinsurance institutions in leveraging their professional technical advantages to assist the insurance industry in reducing risk.

  • Sources: Saudi Arabia Plans to Expand Oil Pipeline to Red Sea, Increasing Capacity by 2 Million Barrels Daily to Bypass Strait of Hormuz

    On July 7, five informed sources revealed that Saudi Arabia is considering expanding the crude oil pipeline capacity to its western coast on the Red Sea, allowing Saudi Arabia and its neighbors to transport more oil without passing through the Strait of Hormuz. This east-west pipeline, built in the early 1980s, has gained strategic importance since the outbreak of the Iran war in February and the disruption of shipping in the Strait of Hormuz. The pipeline can deliver up to 7 million barrels of crude oil per day to the Red Sea port. The CEO of Saudi Aramco stated in May that approximately 2 million barrels are supplied to west coast refineries, while about 5 million barrels are for export. Sources indicate that Saudi Arabia is in preliminary discussions with some neighboring countries regarding the pipeline expansion, aiming to add about 2 million barrels of pipeline capacity per day. It remains unclear whether Aramco's planned expansion involves upgrading existing infrastructure or constructing new pipelines. One source mentioned that the expansion plan also includes a smaller refined oil pipeline. Two sources indicated that the expansion scale could range from 1 million to 2 million barrels per day, with refined oil also being considered. Another source stated that the project would take several years and cost billions of dollars, requiring adjustments to Saudi crude pricing mechanisms.