Phishing attacks emerge as the top threat to Web3 security, costing over $1B in 2024.A cryptocurrency investor has lost $3.05 million in USDT to a phishing scam after unknowingly signing a malicious blockchain transaction, highlighting the growing threat posed by social engineering tactics in the crypto industry.
According to an August 6 post from blockchain analytics platform Lookonchain, the attacker exploited the victim’s failure to verify the full contract address before approving the transaction. This type of scam, known as wallet poisoning, relies on users matching only the first and last few characters of a wallet address ignoring discrepancies in the middle.
“Stay alert, stay safe. One wrong click can drain your wallet. Never sign a transaction you don’t fully understand,” Lookonchain warned.
A single malicious transaction wiped out a $3M USDT portfolio in less than 48 hours.
This chart shows how fast phishing attacks can drain entire wallets one wrong click, and it’s gone.
The incident underscores a dangerous shift in attacker strategies, as hackers increasingly target human vulnerabilities rather than exploiting technical flaws in code.
Human error now at the center of Web3 scams
Crypto phishing attacks are typically delivered via fake websites, malicious smart contracts, or fraudulent DApps that trick users into approving token transfers or granting permissions to external wallets. In this case, the victim’s assets were drained in one transaction after signing a disguised approval request.
Phishing top crypto threat in 2024
According to CertiK’s 2024 Web3 Security Report, phishing was the most financially damaging attack vector of the year, accounting for over $1 billion in losses across 296 incidents. At least three of those scams led to losses exceeding $100 million each.
The report also highlights the growing sophistication of attacks like pig butchering a social manipulation scheme where victims are lured into long-term trust scams before being drained of funds.
In 2024 alone, Web3 witnessed hundreds of phishing, wallet-draining, and smart contract exploits peaking at 224 attacks in Q1 and $700M in losses during Q2.
This chart tracks the monthly breakdown of both incident count and total dollar losses, reinforcing that social engineering and protocol-level vulnerabilities remain major risks for the industry.
To counter this trend, exchanges like Binance have ramped up efforts. In May 2024, Binance launched a proprietary anti-address poisoning algorithm, which has so far flagged over 15 million compromised addresses, aiming to stop users from sending funds to near-identical lookalike wallets.