Web3 Security Alert — Common Asset Theft Scenarios

Beginner
2025-06-03 | 5m

Overview

● Common situations that can lead to asset loss

● Bitget's protective measures to safeguard user funds

Web3 opens the door to financial freedom and groundbreaking innovation, but it also introduces new security risks. This article breaks down the most common ways users fall victim to asset theft, from private key leaks and malicious signature approvals to transfer fraud and other attacks. Here, we share real-world case studies and provide an overview of Bitget's protective measures, aiming to equip users with the knowledge they need to better safeguard their digital assets in the blockchain ecosystem.

Seed phrase or private key leaks

Stolen by fake wallets

Attackers often pose as official team members or admins on platforms like Telegram or Discord. They send phishing emails or share fake wallet download links, often disguised as "security updates" from trusted names like MetaMask or Trust Wallet. Some even run ads on search engines to direct users to phishing sites. Once victims install these fake apps and enter their seed phrases or private keys, the information is immediately sent to servers controlled by the attackers.

Stolen from clipboard by malware

These malicious apps often appear as harmless tools, such as QR code scanners, file managers, cracked games, crypto price trackers, or airdrop checkers. Once installed, the apps request clipboard access and continuously monitor its contents. If users copy sensitive data like seed phrases or private keys (typically during backup or transfer), these apps instantly capture the information and send it to the attackers' servers.

Signature or authorization frauds

eth_sign scams

eth_sign is a basic Ethereum signing method that allows users to sign arbitrary data. The problem is, users only see an unreadable string of hexadecimal code, so they often have no idea what they're actually signing. Attackers exploit this by tricking users into signing malicious approvals — sometimes even granting full access to their assets.

Permit2 signature phishing

Permit2, a token approval protocol developed by Uniswap Labs, is secure by design but has been exploited in phishing attacks. Attackers trick users into signing Permit2 authorizations under the guise of wallet verification or airdrop claims. Once signed, the attacker can move the user's tokens without needing any further permissions.

Token authorization scams

Some malicious websites convince users to grant unlimited authorization for valuable tokens to a smart contract, allowing the site to manipulate their holdings. These sites often pose as legitimate DeFi or NFT platforms, and require user authorization for participation. Attackers create urgency through fake limited-time offers or promotions to lower user defenses. Once authorized, they can withdraw the victim's tokens without further confirmation.

NFT authorization scams

Some malicious sites prompt users to grant setApprovalForAll permissions on their NFTs. If approved, the attacker gains full control of the user's NFT collection and can transfer assets at any time without further action.
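The four request types described in this section can be told apart before anything is signed. The sketch below is an added example, not Bitget's or any wallet's own code: it triages a wallet JSON-RPC request using the standard selectors for approve and setApprovalForAll. The risk labels, the `triage` function, the sample addresses and the treatment of the maximum uint256 value as "unlimited" are assumptions made for illustration.

```python
import json

APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

def _word(data, i):
    """i-th 32-byte ABI argument after the 4-byte selector, as an int."""
    return int(data[8 + 64 * i: 72 + 64 * i], 16)

def _addr(data, i):
    return "0x" + format(_word(data, i) & (2**160 - 1), "040x")

def triage(request):
    """Classify one wallet JSON-RPC request as (risk, reason)."""
    method, params = request["method"], request["params"]
    if method == "eth_sign":
        return "high", "eth_sign: opaque hash, nothing readable to review"
    if method.startswith("eth_signTypedData"):
        typed = json.loads(params[1]) if isinstance(params[1], str) else params[1]
        if typed.get("domain", {}).get("name") == "Permit2":
            spender = typed.get("message", {}).get("spender", "unknown")
            return "high", f"Permit2 token allowance for spender {spender}"
        return "review", f"typed data of type {typed.get('primaryType')}"
    if method == "eth_sendTransaction":
        data = params[0].get("data", "0x")[2:].lower()
        if len(data) >= 136 and data.startswith(APPROVE):
            if _word(data, 1) == MAX_UINT256:
                return "high", f"unlimited token approval to {_addr(data, 0)}"
            return "review", f"token approval of {_word(data, 1)} to {_addr(data, 0)}"
        if len(data) >= 136 and data.startswith(SET_APPROVAL_FOR_ALL):
            if _word(data, 1):
                return "high", f"setApprovalForAll grants {_addr(data, 0)} every NFT"
            return "low", f"setApprovalForAll revokes operator {_addr(data, 0)}"
    return "unknown", "no signing or approval pattern recognised"

# Constructed sample requests; the addresses are made up.
USER, SPENDER = "0x" + "11" * 20, "0x" + "de" * 20
PAD = "0" * 24 + SPENDER[2:]
SAMPLES = [
    {"method": "eth_sign", "params": [USER, "0x" + "ab" * 32]},
    {"method": "eth_signTypedData_v4", "params": [USER, json.dumps({
        "domain": {"name": "Permit2"}, "primaryType": "PermitSingle",
        "message": {"spender": SPENDER}})]},
    {"method": "eth_sendTransaction", "params": [{"data": "0x" + APPROVE + PAD + "f" * 64}]},
    {"method": "eth_sendTransaction", "params": [{"data": "0x" + SET_APPROVAL_FOR_ALL + PAD + "0" * 63 + "1"}]},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["method"], *triage(req))
```
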

Transfer fraud

Wallet address hijacking in messaging apps

Some attackers distribute tampered versions of messaging apps such as Telegram through unofficial sources. These modified apps contain malicious code that monitors chats and replaces any crypto wallet addresses shared. When users copy a wallet address from a chat to send funds, they may unknowingly send the funds to the attacker's wallet instead. In 2023, over 500 users lost around $8 million in crypto by unknowingly transferring funds via a tampered version of Telegram.

Empty transfer phishing

Attackers exploit a behavior in the USDT transferFrom function that allows zero-value transfers without requiring the sender's approval. This enables them to initiate transferFrom operations on active user accounts and flood their transaction history. Because some users copy wallet addresses from their own transaction history, they may accidentally reuse an attacker’s address and send funds to the wrong recipient. According to SlowMist, over $20 million was stolen through this method in the first half of 2022 alone.
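A transaction history can be screened for this pattern before any address is copied from it. The following is an added example, not code from Bitget or SlowMist: it marks recipients of zero-value outgoing transfers that the owner did not sign as poisoned, and treats only recipients of owner-signed, non-zero transfers as trusted. The record fields (`tx_sender`, `from`, `to`, `value`), the function names and the addresses are hypothetical and constructed for the illustration.

```python
# Constructed sample history for OWNER; all addresses are made up.
OWNER = "0x" + "a1" * 20
FRIEND = "0x" + "b2" * 20
POISON = "0x" + "c3" * 20

HISTORY = [
    # tx_sender is the account that actually signed the transaction.
    {"tx_sender": OWNER, "from": OWNER, "to": FRIEND, "value": 250_000_000},
    {"tx_sender": POISON, "from": OWNER, "to": POISON, "value": 0},
    {"tx_sender": FRIEND, "from": FRIEND, "to": OWNER, "value": 5_000_000},
]

def classify_history(owner, history):
    """Split past recipients into (trusted, poisoned) address sets."""
    owner = owner.lower()
    trusted, poisoned = set(), set()
    for t in history:
        outgoing = t["from"].lower() == owner
        signed_by_owner = t["tx_sender"].lower() == owner
        if outgoing and t["value"] == 0 and not signed_by_owner:
            # Zero-value transferFrom "from" the owner that someone else sent:
            # the recipient was planted in the history, not chosen by the owner.
            poisoned.add(t["to"].lower())
        elif outgoing and signed_by_owner and t["value"] > 0:
            trusted.add(t["to"].lower())
    # An address the owner has genuinely paid stays trusted.
    return trusted, poisoned - trusted

def check_recipient(owner, history, candidate):
    """Return 'poisoned', 'trusted' or 'unknown' for an address about to be used."""
    trusted, poisoned = classify_history(owner, history)
    candidate = candidate.lower()
    if candidate in poisoned:
        return "poisoned"
    if candidate in trusted:
        return "trusted"
    return "unknown"

if __name__ == "__main__":
    for addr in (FRIEND, POISON):
        print(addr, check_recipient(OWNER, HISTORY, addr))
```
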

Bitget's security measures

Most assets are stored in cold wallets

Most digital assets on Bitget are stored in offline, multi-signature cold wallets. This cautious approach of keeping wallets disconnected from the internet significantly reduces the risk of cyberattacks.

Protection fund

Bitget maintains a $700 million Protection Fund. If your Bitget account is compromised, or your assets are stolen or lost (excluding losses due to personal actions or transactions), you can apply for a claim through the Bitget Protection Fund.

Official verification channel

To help users avoid phishing and scams, Bitget offers an official verification channel. You can use it to confirm whether an email, webpage, or social media account is genuinely from Bitget.

Security education

Bitget regularly shares educational content to raise awareness and help users strengthen their security knowledge and practices.

Best practices for users

Protecting your seed phrases and private keys

● Never upload your seed phrase or private key to cloud storage without encryption.

● Avoid copying your seed phrase or private key in full to the clipboard, as malware may capture it.

● Only download wallet apps from official sources, and always verify the publisher and software signature.

Signature and authorization management

● Never sign anything that you don't fully understand and always review the contents carefully before signing.

● Set a minimum necessary authorization limit for unfamiliar projects instead of granting unlimited access.

● Use authorization management tools (e.g., Revoke.cash) to regularly check and revoke unnecessary authorizations.

Safe transfer practices

● Before making any large or important transfers, always test with a small amount.

● Save frequently used wallet addresses in the address book.

Final thoughts

Protecting digital assets requires joint efforts. While exchanges like Bitget build comprehensive security frameworks, users must also stay vigilant and informed. Traditional finance took centuries to develop secure practices. Similarly, Web3 is still evolving. Each security incident offers valuable lessons. Bitget remains committed to investing in platform security and expanding educational content to help users strengthen their defenses. We believe that the platform and users must work together to create a truly secure and trustworthy Web3 ecosystem, where blockchain innovation can flourish while minimizing risks.

Related articles:

Web3 Security Alert - SMS Spoofing

Web3 Security Alert - Payzero

Web3 Security Alert - High-risk Tokens

Web3 Security Alert - Fake Apps

Web3 Security Alert - Malicious Approvals
