May 25, 2022

Investigation of Common Phishing Attacks in Web 3.0: Discord, Google Ads, Fake Domains and Others

Key takeaways

Web 3 phishing activities are on the rise, some of the main phishing techniques include:

  1. Using compromised Discord bots to release phishing links on some official Discord servers;

2.Sending phishing links in direct messages;

3.Using ads on search engines to promote fake sites;

4.Direct messaging via fake Discord bots;

5.Domain names and content with high-similarity to the official one;

6.Using NFT trading platform such as Opensea to promote fake projects;

7.Using fake contract address with a slight change in its address.

General advice by Beosin:

  1. Always check information from multiple channels, do not trust the “bot” or “official link” easily;

2.Be alert for direct messages: official bots do not ask for verification in the DM;

3.Check the domain name or the contract address carefully;

4.Try to reduce the number of bots using in Discord;

5.Do not add bookmarks to your browser for some sensitive sites.

Definition of phishing

Phishing, as defined by Wikipedia, is a criminal scam that attempts to obtain sensitive personal information, such as usernames, passwords, and credit card details, from electronic communications through media disguised as reputable legal entities. These communications claim to be from popular social networking sites (YouTube, Facebook, MySpace), auction sites (eBay), Online banks, electronic payment sites (PayPal), or webmasters (Yahoo, Internet service providers, corporate bodies) in order to lure the victim’s gullibility. Phishing is usually done through e-mail or instant messaging. It often leads the user to a fake website with a URL and interface that look almost identical to the real website to enter personal information. Even with strong encryption and SSL server authentication, it is still very difficult to detect whether a site is fake or not. Phishing is an example of using social engineering techniques to fool users. It relies on the low affinity of current web security technologies.

In the web3 world, phishing is mainly achieved through a range of means such as twitter, discord, and website forgery, usually accompanied in the process by social engineering attacks such as fake staff, online chats, baiting, equivalence of swaps, and sympathy (see Wikipedia: Social Engineering for more details), making it hard to defend against.

Web3 typical phishing cases

This article will reveal several common fishing methods in the web3 world:

1. Be aware of Discord bots

On May 23, 2022, the MEE6 bot of Discord was compromised, resulting in the release of phishing site information about minting in some official Discord servers.

On May 6, 2022, Opensea’s official Discord was compromised, with hackers using bot accounts to post fake links on the channel, claiming that “OpenSea has partnered with YouTube, click on the link to mint a limited edition of 100 mint pass NFTs”.

Recently, there have been more and more cases of attacks on the official Discord servers, and the reasons may be as follows:

  1. Phishing attacks on the staff of the project owner, resulting in account theft;

2.The project owner downloaded malicious software, resulting in the theft of the account;

3.The project owner did not set up two-factor authentication and used weak passwords, resulting in account theft;

4.The project owner suffered from phishing attacks, adding malicious bookmarks to bypass the browser homologation rules, resulting in the theft of the Discord token.


1) Project parties should adopt the officially-recommended security operations such as two-factor authentication and setting strong passwords to protect your account; be alert to various traditional cyberattacks and social engineering attacks, avoid downloading malware, or visiting phishing websites.

2) Web3 users should have the awareness that Discord official releases may also be phishing information, and that official does not guarantee absolute security. In addition, you need to be cautious in any place that requires your own authorization or transaction, and try to cross-check information from multiple channels.

2. Jay Chou’s bored ape NFT got stolen by a Discord phishing attack

On April 1, 2022, the pop star Jay Chou revealed on Instagram that his Bored Ape NFT been stolen by phishing website.

After a look by the Beosin’s technical team, we found that Jay Chou signed the wallet address starting with 0x71de2 to approve the transaction at around 11:00, granting the NFT approval to the attacker’s wallet starting with 0xe34f0. At this time Jay Chou was not aware of his NFT and was already at risk.

In just the past few minutes, the attackers transferred the Bored Ape BAYC #3738 NFT to their own wallet address at 11:07 and then sold the stolen NFT on LooksRare and OpenSea for about 169.6 ETH.


1) Do not trust direct messages easily. The attacker will generally lure you through private messages or emails to click on phishing website links. All information should be checked with the official website first, with multiple channels to verify its authenticity.

2) The case of Jay Chou’s being phished is after minting a new project, and he may not be that vigilant of phishing attacks at that time. So the user must stay vigilant all the time to ensure that every step is safe.

3. Phishing sites on Google Ads

On May 10, 2022, @Serpent tweeted that the first search result on the Google search page for NFT trading platform X2Y2 was a fraudulent website that exploited a vulnerability in Google Ads to make the real website and the fraudulent URL look identical, and about 100 ETH had already been stolen.


1) Search engines are convenient, but not necessarily true. Search engine advertising system is easy to be exploited by malicious websites. Try to enter through the official twitter or Google certified official website entrance, and cross-check when confirming official information.

2) Pay attention to details. Results from search engines, if are advertising, will have the word Ad. Avoid clicking on links with the “Ad” word.

4. Direct messaging via fake bots

Recently, a user joined an official Discord community, and after joining the server, a bot sent a direct message asking for verification.

However, when clicking the link, it automatically popped out the Metamask wallet and asked for a password, and that’s when the user was almost sure that there was something wrong with the website. Later, after debugging and analysis, it was found that the site was not a real Metamask pop-up, but a fake Metamask wallet interface. If someone enters the password, it will ask for helper verification, and finally both the password and the helper will be sent to the attacker’s backend server, and the wallet will have been stolen.


1) Be alert for Discord direct messages: official bots do not ask for verification in DM.

2) The process of identity verification will not require a wallet connection.

3) Be sure to keep an eye out for operations that you find strange or abnormal, and cross-verify more information.

5. Domain names and content with high-similarity

At present, there are a variety of fake websites in the market, most of them imitate the official website with a high degree of similarity domain name and content. This is the most common way of phishing, and its main forms are as follows.

  1. Change the top-level domain name with the main name remaining the same. For example, the official website top-level domain in the picture below is .com and the phishing website top-level domain is .fun:

2. Add words to main domain for confusion, such as openesa-office, xxxmint, etc.

3. Add a second-level domain for obfuscation and phishing:


1) When entering a website, first find the official twitter or discord and compare the links one by one to see if they are correct.

2) Always be vigilant: Although these types of phishing sites are the easiest to identify, the volume is extremely large and users can easily be scammed if not careful.

3) Add anti-phishing extensions to effectively assist in identifying some of the malicious websites. Beosin Alert extension could identify whether the Web3 site that users are currently browsing is a phishing, scam and other types of malicious website, currently supports Google Chrome and Chromium browsers.

6. Phishing projects on Opensea

Some time ago, we found a project on Opensea that has not been officially opened for sale, but the project already listed 10k items, with 5.4k owners. After carefully analyzing, we found a new way of phishing. This project first used the above tactic to forge a similar official website and similar domain name, then listed a similar project on the Opensea, with “free mint” and other words to attract attention.

In addition, there are also phishing sites together with phishing twitter to promote scams:


1) Carefully identify twitter accounts. Sometimes phishing accounts also have a large number of followers, but most of the comments are fake. Or the creation date of the account is early, but only recently active, etc.

2) The projects on Opensea are not always real projects on the official website. There are still a lot of fake and phishing projects on it, so users need to screen them carefully.

3) Always get the information from multiple channels. Cross-check the information from the official website, opensea project, twitter, discord, etc. You can also contact with the official directly to verify the authenticity.

7. Fake contract address

A new scam emerged in March this year that is also an eye opener. The attacker forged a contract with the same number of bits in the front and back, and promote scams with phishing links.

The real APEcoin contract address is: 0x4d224452801ACEd8B2F0aebE155379bb5D594381.

The fake contract is: 0x4D221B9c0EE56604186a33F4f2433A3961C94381

This type of attack is uncommon, but confusing. Usually people will check the front and back of the contract address to see if it is normal, but few people will check the full address.


1) For direct transfer transactions, it is best to check the correctness of the full contract address.

2) Make sure the address is obtained from the official channel to avoid modification by attackers-in-the-middle.


The above only lists the common tactics used in the phishing scams, and yet with the continued popularity of web3, there are numerous ways of phishing scams. Users need to keep the above tips in mind. However, in the unlikely event that you have been scammed, you can take the following steps to remedy the situation as best you can:

- Immediately segregate assets and move remaining assets to a safe place as soon as possible to avoid a greater loss.

- Proactively issue a statement informing others about the scam account to avoid endangering friends and communities.

- Preserve evidence as much as possible and seek for follow-up help from the project owner or institution.

- Seek professional security company for fund tracing, such as BEOSIN.

Finally, if you are unfortunately scammed or phished, it is recommended to record and share the experience of with others on social media.


1.What is the impact on Web3 after LUNA’s crash and DeFi “fled” ?

2. How to Ensure the Security of NFT Under the Web 3.0 Boom?

3. DEUS Finance Suffered its Second Flashloan Attack This Year: Beosin’s Detailed Analysis

4. Beosin Has Completed Security Audit Service of Crypto LEGO ALG

5. 「RECAP」AMA About How to Keep Your Smart Contract Secure During Development With Beosin VaaS


If you have need any blockchain security services, please contact us:

Website Email Official Twitter Alert Telegram LinkedIn

Join Coinmonks Telegram Channel and Youtube Channel learn about crypto trading and investing

Also, Read

Related Project

Related Project Secure Score

Guess you like
Learn More
  • BEOSIN | Public Blockchain Security Audit Solution Fully Upgraded

    June 01, 2022

  • Analysis of Attack on Feminist Metaverse

    May 19, 2022

  • Beosin Has Completed Security Audit Service of Clip Protocol

    July 25, 2022

  • Beosin’s Detailed Analysis of FEGtoken Flashloan Attack

    May 16, 2022

Join the community to discuss.