HIGH | Phishing Alert

Phishing Campaign Alert: Fake WalletConnect Sites

WalletConnect, Ethereum

Active phishing campaign using fake WalletConnect sites to steal wallet credentials

#phishing #WalletConnect #security alert #wallet security

Executive Summary

A widespread phishing campaign targeting cryptocurrency users has been identified. The campaign uses fake WalletConnect modal windows to trick users into revealing their wallet seed phrases. Multiple victims have reported losses totaling over $500,000.

Attack Overview

The attackers have created sophisticated fake WalletConnect sites that closely mimic legitimate DeFi protocol websites. The phishing sites use:

  1. Domain Spoofing: Similar-looking domains (e.g., "uniswap.exchange" instead of "uniswap.org")
  2. Visual Cloning: Exact copies of legitimate site designs
  3. Malicious JavaScript: Modified WalletConnect code to capture seed phrases

Indicators of Compromise

  • Unusual domain names with subtle misspellings
  • Recently registered domains (less than 30 days old)
  • Missing or invalid SSL certificates
  • Requests for excessive wallet permissions

Defense Recommendations

  1. Verify URLs Carefully: Always check the exact URL spelling
  2. Bookmark Legitimate Sites: Use bookmarks for frequently visited DeFi sites
  3. Hardware Wallets: Use hardware wallets for large holdings
  4. Browser Extensions: Use security extensions to detect phishing sites
  5. Revocation Checks: Verify domain reputation before connecting wallets

Known Malicious Domains

  • uniswap.exchange (legitimate: uniswap.org)
  • sushiswap.io (legitimate: sushiswap.com)
  • pancakeswap.net (legitimate: pancakeswap.finance)
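One way to automate the URL check against the legitimate domains listed above, as an added example that is not part of the original alert. The function names, the typo threshold and the "last two labels" rule for the registrable domain are assumptions of this sketch; it also goes slightly beyond the alert by flagging a brand name used as a subdomain of an unrelated domain.

```python
from urllib.parse import urlsplit

# Legitimate domains as listed in this alert, keyed by brand label.
LEGITIMATE = {
    "uniswap": "uniswap.org",
    "sushiswap": "sushiswap.com",
    "pancakeswap": "pancakeswap.finance",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch subtle misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, max_typos: int = 2) -> str:
    """Return 'legitimate', 'lookalike: <reason>' or 'unknown' for a URL or host."""
    if "//" not in url:
        url = "//" + url  # let urlsplit treat a bare hostname as the netloc
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unknown"
    # Assumption: the last two labels are the registrable domain (true for
    # the TLDs in this alert; use a public-suffix list for the general case).
    domain = ".".join(labels[-2:])
    if domain in LEGITIMATE.values():
        return "legitimate"
    name = labels[-2]
    for brand, legit in LEGITIMATE.items():
        if name == brand:
            return f"lookalike: '{brand}' on unexpected TLD, expected {legit}"
        if brand in labels:
            return f"lookalike: '{brand}' used as a subdomain of {domain}"
    for brand, legit in LEGITIMATE.items():
        if edit_distance(name, brand) <= max_typos:
            return f"lookalike: '{name}' resembles {legit}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample input; the first host is from the alert's list.
    for u in ("https://uniswap.exchange/connect", "https://app.uniswap.org/",
              "https://uniswaap.org/", "https://example.com/"):
        print(u, "->", classify_url(u))
```

An "unknown" result only means the host matches none of the three brands; it says nothing about domain age or certificate validity, which need separate lookups.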

Reporting Channels

  • Report phishing attempts to: security@legitimate-protocol.com
