Phishing Campaigns Take Aim at Web3 DeFi Applications

MakerDAO, Uniswap, Synthetix and have been mimicked in a recent wave of phishing sites.

This domain (sai2dai.com) hosted a simple interface that indicated you would be initiating a 1:1 conversion from Single-Collateral DAI (SAI) to the new DAI — just like the official bridge. However, the transaction you would actually sign would simply send SAI to an address owned by the attackers.

These phishing kits capitalize on a dangerous UX pattern used by legitimate apps but now are increasingly being taken advantage of by illegitimate apps: entering your private key directly in a web interface.

If you enter your private key or mnemonic phrase on these websites, it will send your secrets to a server-side PHP script called submit.php which will then be processed by the bad actor. Transactions will then be signed, authorizing the move of your assets to their address. Due to the fact they have your private key, this account is now fully compromised — from today until the end of time.

As we come across malicious domains, we archive certain data to help with articles like this and track the patterns and evolutions being observed in the wild. We also use this data to find more cryptocurrency phishing domains with the hopes of preventing cryptocurrency users from falling victim to new domains and scams as quickly as possible.

Here’s a group of domains using the “Web3 phishing kit” described above:

We also noticed that the brands being targeted are increasingly related to DeFi. This makes sense as DeFi has grown significantly over the past year and often attracts new, naive users with promises of easy returns. Namely, these kits steal the branding of:

Since then, the “top” list has shifted a bit. The recent explosion of #YieldFarming has shot Compound to the top. Aave too has quickly risen up the list after gaining major traction in Feb/March 2020. Fulcrum/bZx has moved down the list.

We suspect that these kits will continue to evolve to target the most used, most talked about, or most “in the news” cryptocurrency dapps, especially if the dapp attracts less experienced users who may not be as vigilant.

When the reward is as valuable and anonymous as cryptocurrency assets and secrets, these attackers quickly iterate and target the most used and most talked about apps. In 2017 and 2018, we often saw phishing emails and messages that used a real event that was in the news—an ICO, a hard fork, another hack—in order to increase their ROI. Now they are using the DAI-to-SAI migration. Tomorrow it will be something else.

They use a combination of urgency, fear of missing out, and fear of being negatively affected (by a hard fork, ICO, token migration, or other actionable item) with the hopes that the targeted person will act quickly and never notice they are interacting with a malicious application.

As your product, application, or service gains usage and popularity, we urge you to take steps to educate your community and your users about these types of attacks.

If your product does accept private keys/ keystores/ mnemonics/ seeds, stop it right now. You are normalising a fundamentally unsafe behavior that will lead to more loss and more harm. Remember, the worst user experience is when people lose all their money.

Related posts:

A poem on the plight of migrant workers, poor and oppressed going through this pandemic. We should be empathetic towards them and support them in whatever ways we can. Do you believe you can pluck us…

The last day of PAX South 2016, Tons0fun attended a meetup at Dave & Busters just a few blocks from the convention center. This is where he met the organizer of Stream Texas (then Twitch Texas)…

Satsang is a Sanskrit word that means “gathering together for the truth” or, more simply, “being with the truth.” Truth is what is real, what exists. So, all there is, is Truth. Whenever something…