Phishing Campaigns Take Aim at Web3 DeFi Applications

MakerDAO, Uniswap, Synthetix and have been mimicked in a recent wave of phishing sites.

Jun 24, 2020
This investigation was carried out by MyCrypto and PhishFort

This is the second collaboration piece with PhishFort. In the first piece, we wrote about our discovery of a large campaign that targets cryptocurrency users with browser extensions. We predicted these campaigns would continue to grow in size and quantity, and that many more malicious browser extensions would hit users as the year progressed. You can read our first post here: Discovering Fake Browser Extensions That Target Users of Ledger, Trezor, MEW, Metamask, and More.

PhishFort also published an article at the start of this year to bring awareness about this type of phishing.

This article aims to bring awareness to “phishing dapps”: malicious Web3 applications designed to steal your cryptocurrency by pretending to be a legitimate application or service. These types of phishing kits appeared on our radar during the MakerDAO SAI shutdown, which required a new tool to help users migrate from SAI to DAI.

This domain ( hosted a simple interface that indicated you would be initiating a 1:1 conversion from Single-Collateral DAI (SAI) to the new DAI — just like the official bridge. However, the transaction you would actually sign would simply send SAI to an address owned by the attackers.

Via our own analysis and reports that have come in through CryptoScamDB, we’ve tracked over $100k USD in SAI that has been sent to these bad actors.

[Figure: SAI sent to known bad actor addresses over time]

These phishing kits capitalize on a dangerous UX pattern that legitimate apps have used and that illegitimate apps are now increasingly taking advantage of: entering your private key directly in a web interface.

[Figure: Examples of the malicious Web3 apps imitating legitimate branding to steal secrets]

This iteration of Web3 phishing, at least from the samples we discovered, appears to be run by a single group of bad actors. A cluster of the sites resided on the same infrastructure alongside other cryptocurrency scams. That infrastructure appears to be a shared web hosting server offered by Namecheap, so shared hosting alone proves little, but given the overlap in content and method of attack, it is safe to assume the campaigns are being run by the same actors.

If you enter your private key or mnemonic phrase on one of these websites, the page sends your secrets to a server-side PHP script called submit.php, where the bad actor processes them. Transactions are then signed with your key, authorizing the move of your assets to their address. Because they hold your private key, the account is now fully compromised, from today until the end of time.
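The tell described above (a web form that asks for a private key or mnemonic and posts it to a server-side script such as submit.php) can be checked for mechanically when triaging a reported URL. The scanner below is an added example written for this article, not code from MyCrypto, PhishFort or any phishing kit; the HTML pages it runs against are constructed samples, and the keyword list is an assumption about what such fields are typically named.

```python
"""Flag HTML forms that solicit wallet secrets (private keys, mnemonics,
keystores) and report where they post, e.g. a server-side submit.php.
Added example for triaging reported pages; not the article's own tooling."""
from html.parser import HTMLParser

# Fragments that suggest a field is asking for a wallet secret (assumed list).
SECRET_HINTS = ("private", "privkey", "mnemonic", "seed", "keystore", "passphrase")


class SecretFormScanner(HTMLParser):
    """Collect every <form> together with the input/textarea fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []        # finished forms
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
        elif tag in ("input", "textarea") and self._current is not None:
            # Text that identifies the field to the user or to the server.
            desc = " ".join(
                filter(None, (a.get("name"), a.get("id"), a.get("placeholder")))
            ).lower()
            self._current["fields"].append(desc)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_secret_forms(html):
    """Return the forms that ask for a wallet secret, with the hints matched."""
    scanner = SecretFormScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for form in scanner.forms:
        hits = sorted({h for f in form["fields"] for h in SECRET_HINTS if h in f})
        if hits:
            findings.append(
                {"action": form["action"], "method": form["method"], "hints": hits}
            )
    return findings


# Constructed sample resembling the SAI-to-DAI migration lure described above.
PHISHING_PAGE = """
<html><body>
<h1>SAI to DAI migration</h1>
<form action="submit.php" method="post">
  <input type="text" name="privatekey" placeholder="Enter your private key">
  <textarea name="mnemonic" placeholder="or your 12-word seed phrase"></textarea>
  <input type="submit" value="Migrate">
</form>
<form action="/search"><input name="q" placeholder="Search"></form>
</body></html>
"""

# Constructed benign page: an ordinary login form is not flagged.
BENIGN_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="username"><input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_secret_forms(PHISHING_PAGE):
        print(f"{finding['method'].upper()} {finding['action']}: asks for {finding['hints']}")
```

The check is a triage aid rather than a verdict: a legitimate site that still accepts raw keys (the UX pattern the article warns about) will be flagged too, which is exactly the behaviour worth a conversation with that site's team.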

As we come across malicious domains, we archive certain data to help with articles like this and to track the patterns and evolutions being observed in the wild. We also use this data to find more cryptocurrency phishing domains, with the hope of preventing cryptocurrency users from falling victim to new domains and scams as quickly as possible.

Here’s a group of domains using the “Web3 phishing kit” described above:

From our dataset, the first transaction of SAI to a known bad actor’s address was in block 8,983,524 (2019/11/23), which is an address that belongs to The domain was registered only two days prior, according to WHOIS. This could mean…

  • There was another URL used by the same actor that we aren’t aware of (most likely)
  • The actor seeded the address with some funds to make it look more legitimate

Phishing groups have spent an increasing amount of time working to get these scams in front of users. With these URLs, they utilize search engine optimization and Telegram DMs.

[Figure: A scam domain being pushed to the first result on DuckDuckGo]

We also noticed that the brands being targeted are increasingly related to DeFi. This makes sense, as DeFi has grown significantly over the past year and often attracts new, naive users with promises of easy returns. Specifically, these kits steal the branding of:

  • MakerDao
  • Uniswap
  • Fulcrum
  • Synthetix
  • Curve Finance

At the time these URLs were in the wild, these were the top DeFi applications (top usually being measured by “total value locked”).

Since then, the “top” list has shifted a bit. The recent explosion of #YieldFarming has shot Compound to the top. Aave too has quickly risen up the list after gaining major traction in Feb/March 2020. Fulcrum/bZx has moved down the list.

#FOMO > everything.

A Call To Action

We suspect that these kits will continue to evolve to target the most used, most talked about, or most “in the news” cryptocurrency dapps, especially if the dapp attracts less experienced users who may not be as vigilant.

When the reward is as valuable and anonymous as cryptocurrency assets and secrets, these attackers iterate quickly and target the most used and most talked about apps. In 2017 and 2018, we often saw phishing emails and messages that used a real event that was in the news (an ICO, a hard fork, another hack) in order to increase their ROI. Now they are using the DAI-to-SAI migration. Tomorrow it will be something else.

They use a combination of urgency, fear of missing out, and fear of being negatively affected (by a hard fork, ICO, token migration, or other actionable item) in the hope that the targeted person will act quickly and never notice they are interacting with a malicious application.

As your product, application, or service gains usage and popularity, we urge you to take steps to educate your community and your users about these types of attacks.

  • Remind them that neither your site nor your team will ever ask them for their private keys/mnemonic phrases/seed phrases/passwords.
  • Remind them that secrets are secret for a reason.
  • Remind them to be vigilant and bookmark the dapps they interact with.
  • Remind them to be more careful when they fear missing out, not less, and always check the URL they are on and address they are sending to.
  • Share educational tidbits across your social media and directly in your product.

If your product does accept private keys, keystores, mnemonics or seeds, stop it right now. You are normalising a fundamentally unsafe behavior that will lead to more loss and more harm. Remember, the worst user experience is when people lose all their money.

The Official MyCrypto Blog