phishing

SlowMist has issued a security warning stating that a high-risk phishing activity targeting TRON wallet users has been discovered. Attackers created a fake Chrome extension for the TronLink wallet, using Unicode bidirectional control characters and Cyrillic homographs to disguise the brand name. After installation, the extension loads a complete phishing page through a remote iframe, forming a "shell-core separation" credential theft chain.The malicious extension name uses homographs for disguise, and its Chrome Store page inherits the high user count and positive reviews of the real extension, lowering the review threshold. There is very little local code, only loading remote pages, making static analysis nearly impossible to detect malicious behavior. The remote phishing page perfectly replicates the official TronLink web wallet interface, stealing mnemonic phrases, private keys, Keystore files, and passwords, and relaying them in real-time via a Telegram Bot.Built-in anti-analysis features disable right-click, developer tools, drag-and-drop, and printing, and redirect based on the geographic and language settings of Russian users to evade detection. SlowMist recommends immediately uninstalling suspicious extensions, clearing local storage, checking for abnormal traffic, and if credentials have been entered, creating a new wallet and transferring assets immediately.

According to Cointelegraph, Robinhood users have recently encountered a phishing attack. The attackers exploited the Gmail feature that ignores the "." in email usernames, along with a vulnerability in the Robinhood account creation process, to register accounts that are very similar to the target email addresses. This allowed them to send fake reminder emails with phishing links to the victims' inboxes from the Robinhood official mail server.Cybersecurity researcher Alex Eckelberry stated that the email could pass SPF, DKIM, and DMARC verification, appearing to come from an official address. Robinhood stated that this incident did not involve a system or customer account breach, and that user funds and personal information were not affected, but advised users to delete the related emails and not to click on suspicious links.

According to CertiK senior blockchain investigator Natalie Newson, real-time deepfakes, phishing, supply chain attacks, and cross-chain vulnerabilities will be the main sources of crypto hacking attacks.To date, the industry has lost over $600 million due to hacking attacks, including the $293 million vulnerability incident at Kelp DAO and the $280 million theft incident at Drift Protocol, both of which are related to North Korean hacker groups. Newson warned that the accelerated development of AI will make attack methods more complex, including more realistic deepfakes, autonomous attack agents, and "agent AI" that can automatically scan for vulnerabilities in smart contracts, but AI can also serve as a defense tool. CertiK advises investors to verify the authenticity of URLs and use cold wallets to store assets to reduce risk.

According to market news, a report released by the blockchain security company Hacken shows that Web3 projects lost a total of $464.5 million this quarter due to hacker attacks and scams, with phishing and social engineering attacks accounting for $306 million, becoming the main source of losses.A hardware wallet scam that occurred in January caused a loss of $282 million, accounting for 81% of the total quarterly losses. Smart contract vulnerabilities led to losses of $86.2 million, while access control failures (including breaches of keys and cloud services) caused losses of $71.9 million. The report points out that the largest security incidents often occur in off-chain operations and infrastructure layers, which traditional audits find difficult to cover. The European regulatory frameworks MiCA and DORA are increasing requirements for security monitoring and incident response, and global regulatory agencies are also raising standards for real-time monitoring and emergency response.

Binance announced its participation in the international law enforcement operation "Operation Atlantic," led by the UK's National Crime Agency (NCA), in collaboration with multiple countries' law enforcement agencies to combat cryptocurrency and investment fraud, focusing on "approval phishing" scams.The operation was jointly initiated by the NCA, the U.S. Secret Service, and relevant law enforcement and regulatory agencies in Ontario, Canada, aiming to identify victims who have been compromised or are at risk. Approval phishing typically disguises itself as an investment opportunity, luring users into granting wallet access permissions, thereby transferring assets. During the operation, Binance's special investigation team provided on-site support in London, including fraud identification processes, risk screening, and intelligence analysis, and assisted in identifying potential victims and related malicious websites.At the same time, Binance also provided law enforcement agencies with addresses and suspect intelligence related to the case, supporting asset tracking and enforcement actions. The NCA stated that this operation has successfully protected thousands of potential victims in the UK and overseas. Binance emphasized that it will continue to cooperate with global law enforcement agencies to strengthen the fight against cryptocurrency fraud.

According to CoinDesk, the Financial Services Commission of South Korea and the Financial Supervisory Service jointly issued new regulations requiring all domestic cryptocurrency exchanges to adopt a unified withdrawal delay review standard to curb voice phishing scams.The new regulations eliminate the authority of each exchange to set its own withdrawal exemption conditions, and reviews will be conducted uniformly based on standards such as account history, trading patterns, and behavioral anomalies. It is expected that less than 1% of users will qualify for instant withdrawals. Platforms must also enhance identity verification and fund flow monitoring.Previously, scam groups exploited the exemption rules of various platforms to guide victims to convert cash into cryptocurrency and complete withdrawals within minutes. This new regulation marks a shift in South Korea's cryptocurrency risk control system from industry self-regulation to a national unified standard.

According to Decrypt, the U.S. Attorney's Office for the District of Connecticut announced that it has recovered and seized over $600,000 in cryptocurrency after a Ledger hardware wallet user fell victim to a phishing scam, being lured into performing a so-called security check by a letter impersonating "Ledger Security and Compliance," resulting in approximately $234,000 in crypto assets being stolen.The FBI and state police tracked the flow of funds, successfully seizing about $600,000 in USDT and filing a civil forfeiture lawsuit, alleging that the source of the funds involved wire fraud and money laundering. It is reported that this is one of a series of phishing incidents targeting hardware wallet users, where scammers used physical mail letters featuring company logos, holograms, and QR codes to enhance the credibility of the fraud. Similar incidents have affected companies like Ledger and Trezor, accompanied by data breaches and vulnerabilities in third-party services, leading to ongoing phishing attacks.

According to a warning from on-chain detective ZachXBT, the Discord link for Trust Wallet (discord[.]gg/trustwallet) has been hijacked by hackers and currently points to a phishing server.ZachXBT reminds users not to join through the Discord link in official channels such as the official website, Telegram, or blog to avoid asset loss.

According to GoPlus security monitoring, an address starting with 0x9709 signed malicious Permit and Approve transactions, resulting in approximately $200,000 worth of USDC and wmtUSDT being stolen by phishing attackers.GoPlus states that users should carefully verify transaction details and contract addresses when signing any on-chain authorizations (Approve) or offline signatures (Permit) to avoid signing unknown malicious requests and prevent asset theft.

According to market news, the security platform OX Security has disclosed that the developers of the AI agent project OpenClaw are becoming targets of cryptocurrency phishing activities.Attackers create fake GitHub accounts, initiate topics in repositories controlled by them, and @ dozens of developers, claiming they have won a $5000 CLAW token reward, leading them to a clone website that is almost identical to openclaw.ai. This phishing site includes a "Connect Wallet" button, aimed at stealing the assets of connected wallets. Malicious code is hidden in deeply obfuscated JavaScript files, featuring a "nuke" function that clears browser local storage data to hinder forensic analysis, and encodes information such as wallet addresses and transaction values to send back to the C2 server. Researchers identified a suspected cryptocurrency wallet address used to receive stolen funds. The related accounts were created last week and deleted within hours, with no confirmed victims at this time. OpenClaw has become a target for scammers due to its high visibility, and its Discord community has previously encountered a large amount of cryptocurrency spam. Earlier reports indicated that OpenClaw's founder warned to be cautious of cryptocurrency scam emails sent in the name of OpenClaw.

After Slow Mist founder Yu Xian disclosed that the Coinbase Commerce asset recovery page directly requires users to enter plaintext mnemonic phrases, Slow Mist's Chief Information Security Officer 23pds added that the sitemap of that page also has flaws, allowing malicious attackers to easily use tools like ResourcesSaver to download the frontend code and deploy similar websites.If combined with similar domain names like Coinbase for phishing attacks, users can easily fall victim.

According to Decrypt, cybersecurity company Malwarebytes Labs has warned that a fake website impersonating the newly released game Pudgy World from Pudgy Penguins is attempting to steal cryptocurrency wallet passwords.The phishing site pudgypengu-gamegifts[.]live uses a highly realistic replica of a cryptocurrency wallet interface to deceive users. When visitors select a wallet on this fake site, a seemingly authentic wallet unlock interface is displayed, leading users to mistakenly believe it is a trustworthy cryptocurrency wallet software.Malwarebytes points out that the timing of this phishing campaign appears to be carefully planned, coinciding with the game's launch and a surge of new users, and the attack almost covers all mainstream wallets, indicating that it may be backed by well-resourced threat actors or using commercial phishing toolkits. Users are advised to access the official website only through trusted bookmarks, avoid clicking on social media links, and be cautious of wallet password prompts that appear on web pages.

According to CoinDesk, law enforcement agencies from the United States, the United Kingdom, and Canada have jointly launched a multinational operation called "Operation Atlantic," focusing on combating "approval-phishing" scams targeting cryptocurrency users.The Ontario Securities Commission stated that these scams typically use pop-ups and prompts disguised as trustworthy applications or services to guide users into authorizing malicious wallet permissions. Once authorized, attackers can control the wallet and transfer assets. Data shows that cryptocurrency scams are expected to generate at least approximately $14 billion in on-chain illegal revenue by 2025, with the total scale potentially approaching $17 billion as more involved wallets are identified.Law enforcement agencies pointed out that current scam activities increasingly rely on social engineering, AI-generated content, and "Phishing-as-a-Service" platforms. The operation is being coordinated by multiple national law enforcement agencies, and regulators stated that the new initiative will help identify victim wallets, timely warn potential victims, and attempt to track and freeze stolen cryptocurrency assets to reduce the space for criminals to profit further.

According to Scam Sniffer monitoring, an address lost 720,108 valBUSD + valTUSD after signing the phishing email increase Allowance.

The Chief Information Security Officer of Slow Fog Technology, 23pds, issued a reminder stating that ClawHub developers should be aware of phishing and credential leakage risks. Currently, ClawHub relies on developers' GitHub one-click login. Previously, the Sha1-Hulud worm stole a large number of developers' GitHub credentials, and attackers may take the opportunity to attack Skills.The attack path is: credential theft → attacker gains GitHub permissions → logs into ClawHub as a developer → publishes malicious Skills to implant backdoors → users download and install, executing malicious code leading to system intrusion.

According to market news, Coinbase, in collaboration with Microsoft, Europol, and more than ten other organizations, successfully shut down the phishing-as-a-service platform Tycoon 2FA and seized 330 related domains.Since its launch in August 2023, Tycoon has had approximately 2,000 users, operating over 24,000 domains, and sending tens of millions of fraudulent emails each month to over 500,000 businesses worldwide. It bypassed multi-factor authentication by stealing session cookies and tokens, primarily targeting email and online service accounts such as Microsoft 365, Outlook, and Gmail.In this operation, Coinbase assisted in tracking the cryptocurrency payments funding Tycoon’s operations and supported the civil lawsuit to seize the domains. The main developer has been identified as Saad Fridi, a Pakistani national.

According to Scam Sniffer monitoring, an Ethereum user lost $388,051 after signing a phishing token authorization transaction.

Blockchain security company CertiK data shows that in January 2026, the crypto industry suffered about 40 security incidents, resulting in losses exceeding $400 million. The largest single loss came from a phishing attack on January 16: an investor fell victim to a scammer posing as official Trezor customer support, leaking the hardware wallet's recovery seed phrase under the scammer's inducement, leading to the theft of 1,459 bitcoins and 2.05 million litecoins, totaling $284 million, accounting for 71% of the month's total losses.The stolen assets were quickly converted into the privacy coin Monero (XMR) to obscure transaction trails, causing XMR prices to soar and highlighting the challenges regulators face in combating money laundering involving privacy coins. Other significant vulnerabilities include: $30 million stolen from the Solana platform Step Finance (January 31), Truebit losing $26.6 million due to an overflow vulnerability, Swapnet losing $13 million, and Saga and Makina Finance losing $6.2 million and $4.2 million, respectively.

The community has announced that the official Solar X account (https://x.com/Solana_zh) is suspected to have been hacked, and the account is currently unable to log in. They are urgently contacting the platform for resolution.Solar has also issued a risk warning to the community, stating that during this period, any requests for information, funds, or sensitive operations made in the name of Solar on the X platform are fraudulent. Community users are reminded not to be deceived.

According to Cointelegraph, the Gwangju District Prosecutor's Office in South Korea has launched an investigation into the theft of approximately 70 billion won (47.7 million USD) worth of seized Bitcoin.Reports indicate that the prosecutors discovered the missing Bitcoin during a routine asset seizure check. These crypto assets were stolen through a phishing attack after a staff member visited a fraudulent website. The prosecutors declined to disclose the specific amount of loss and the timing of the Bitcoin seizure, only stating that they are tracking the status and whereabouts of the seized items. This incident occurred after South Korean customs authorities dismantled a large cryptocurrency money laundering network earlier this week.