How do I safeguard my Web3 wallet from fraudsters?

Published on 13 Dec 2023Updated on 21 Oct 20245 min read170

A Web3 wallet serves as the bridge for our participation in the decentralized world. However, fraudsters often use mining, airdrops, and high-profit activities to bait users into clicking on unfamiliar links.

This can lead to unauthorized access to wallets, or users may be deceived into providing mnemonic phrases or private keys, resulting in the loss of assets. As such, stolen funds are often challenging to recover due to the anonymity and decentralization of digital assets.

What should I do to protect myself from scams?

We strongly recommend you to stay vigilant and follow these key actions to prevent falling victim to scams:

  • Avoid clicking on unfamiliar links

  • Refrain from authorizing unfamiliar projects

  • Verify addresses for accuracy

  • Protect private keys/mnemonic phrases

What more can I do to prevent or guard against potential risks?

  • Understand the project background: ensure you have a clear understanding of the project background and contact official customer support for confirmation if encountering unfamiliar activities.

  • Adopt safer Web3 practices: avoid unfamiliar links and refrain from authorizing Web3 wallets to unknown third-party applications.

  • Conduct cautionary measures: exercise caution with unfamiliar links or airdrops in your Web3 wallet. Regularly check and promptly revoke authorizations for unfamiliar sites.

  • Safeguard your private key: minimize internet-connected device usage for storing/transmitting private keys on hardware. Avoid taking screenshots or photos of private keys/Mnemonic phrases.

  • Be wary of unknown sources: avoid importing private keys into unknown websites or using wallets from unfamiliar sources. Promptly check for malware or viruses if abnormalities are detected.

  • Store your data offline: keep sensitive information like private keys, passwords, and mnemonic phrases confidential. Use physical media as your backup, such as writing on paper and storing it offline.

  • Verify the on-chain addresses: avoid blindly copying unknown on-chain addresses; thoroughly verify their correctness from start to finish before proceeding with any operations. Stop the transaction immediately if anomalies are detected.

  • Use legitimate services only: avoid clicking on falsely advertised links for gift cards, fuel cards, recharge cards, etc., especially those offering redirection services. For legitimate recharge services, please use the recipient's provided address to prevent financial losses.

What should I do if my wallet is compromised?

  1. Transfer the remaining assets to a secure address as soon as possible

  2. Delete the compromised wallet and create a new one if necessary

    • To delete a wallet, go to Web3 Wallet's main page > Wallet Management > Edit Wallet > Delete.

  3. Securely back up your wallet's mnemonic phrase and private key. Avoid taking screenshots as internet-connected devices may pose a risk of data leakage

  4. We recommend that you manually transcribe the mnemonic phrase and store it in a secured location. Refrain from authorizing unknown third-party project software to prevent information leakage and potential asset loss

Fraud case study

Review of fraudulent tactics:

  • Tactic 1: Luring users with high-yield activities to open unfamiliar links and authorize their wallets.

  • Tactic 2: Posing as official entities and guiding users to authorize wallets.

  • Tactic 3: Pushing unfamiliar links/activities to wallet addresses, directing users to authorize Web3 wallets.

Web3 Wallet Fraud Case Study

The fraudster convinced that the user that they could earn a profit from the site if the user connected their wallet

Fraud case study 2: Malicious permission alteration

This fraud tactic often occurs during TRC chain recharging. Fraudsters exploit the "greedy for a bargain" mentality and entice users to buy fuel or gift cards at low prices. They may also use captcha platforms for recharging. When users click the provided link, fraudsters can invoke code to maliciously alter permissions, obtain user password signatures, and thus gain control over the wallet address.

Review of fraudulent tactics:

  • Step 1: Fraudsters utilize enticement methods to prompt users to click on third-party links, redirect from the recharge entry to the wallet, and use malicious code to fill in the contract address for the token.

  • Step 2: During the transfer operation, there will be warnings about the effect and risk of altering permissions. If the user proceeds, it leads to malicious alteration of permissions. Subsequent transfer attempts will show incorrect error messages, indicating a loss of control over the address in reality.

Fraud case study 3: Exploiting similar addresses

Review of fraudulent tactics:

  • Utilizing an address generator to create addresses resembling the user's and misleading users into copying the incorrect address, resulting in the loss of assets.

Fraud case study 4: Mnemonic/PrivateKey disclosure

Review of fraudulent tactics:

  • Fraudsters guide users to share their screens under the pretext of assistance with investments, low-cost transactions, or private cryptocurrency dealings.

  • They instruct users to create wallets, leading to mnemonic phrases/private key disclosure, wallet theft, and asset loss.

Fraud case study 5: Blockchain wallet multisignature scams

The multisignature mechanism is a security measure gaining attention and usage among users. In this system, a wallet like TRON can be controlled by multiple users, requiring several signatures to complete a transaction. This can be compared to a safe that needs multiple keys to open—only when all keyholders cooperate can it be accessed.

Review of Fraudulent Tactics:

  • Tactic 1: Fraudsters share private keys or seed phrases of wallets with assets, claiming they don't have enough TRX for transaction fees and need assistance. Users send TRX as transactions fees into the wallet but discover they can't transfer the wallet assets.

  • Tactic 2: Fraudsters obtain users' private keys or seed phrases and change the signing mechanism without consent. When users attempt to transfer assets, they find the wallet requires multiple signatures, and fraudsters can transfer the assets.


Learn more about the TRON wallet multi-signature scams here.