What Is Wallet Connect Phishing?
Wallet Connect phishing is a type of scam where attackers trick users into signing malicious permit signatures that drain their wallets. Unlike traditional phishing that steals private keys, this attack gets you to authorize token transfers directly. Your keys never leave your wallet, but your funds still disappear.
The attack exploits how token approvals work. Many ERC-20 tokens let you grant a spender permission to move a stated amount of your tokens by signing a “permit” message off-chain instead of sending an approve transaction, and when you interact with a DeFi protocol that is often what your wallet asks you to sign. Scammers create fake websites that look like legitimate platforms and prompt you to sign the same kind of message, with an address they control as the spender. Once signed, they can submit it and drain the approved tokens from your wallet.
How Permit Signature Scams Work
The Setup
Attackers clone legitimate websites like Uniswap, OpenSea, or popular DeFi protocols. These fake sites often rank in Google search results through paid ads or SEO manipulation. A user searching for “Uniswap” might click the first result and land on a convincing replica.
The Hook
The fake site prompts you to “connect wallet” using Wallet Connect or similar protocols. Everything looks normal. The interface shows your balance. The buttons respond correctly. It feels like any other DeFi interaction.
The Trap
When you try to swap tokens or make a purchase, the site presents a signature request. This isn’t a transaction that costs gas. It’s a permit signature: an EIP-712 typed message in the format defined by EIP-2612 for ERC-20 tokens. The signed message names a spender, an amount, your current permit nonce and a deadline. Signing is free and sends nothing on-chain, but whoever holds the signature can submit it to the token contract at any point before the deadline to set that allowance, and then spend your tokens.
The signature request looks legitimate. It might say “Approve USDC” or show a token amount that matches what you’re trying to swap. But in the typed-data fields the spender is an address the scammer controls, the value is the maximum uint256 (an unlimited allowance, which covers your entire balance of that token), and the deadline is typically years in the future.
The Drain
After you sign, the attacker submits the permit themselves: a transaction that calls the token’s permit() with your signature, which sets the allowance, followed by transferFrom() to move your tokens to their wallet. They pay the gas. They don’t need your private key. They don’t need another signature from you. The authorization you signed is enough.
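The four steps above, run end to end in a toy model. This is an added example, not code from the page or from any wallet or token project: HMAC-SHA256 keyed with a per-address secret stands in for the secp256k1 signature a wallet produces and for the ecrecover check a real token contract performs, while the nonce, deadline and allowance rules follow EIP-2612 and ERC-20. The addresses, balances, deadlines and the victim and attacker roles are constructed. Besides the drain itself, it shows what does and does not cancel a permit that has been signed but not yet submitted: setting the attacker’s allowance to zero changes nothing, consuming the nonce does.

```python
"""Toy model of the permit drain described above (added example, not page code).

HMAC-SHA256 keyed with a per-address secret stands in for the secp256k1 signature
a wallet produces and for the ecrecover check a real token does; the nonce,
deadline and allowance rules follow EIP-2612 and ERC-20. All actors are constructed.
"""
import hashlib
import hmac
import json

UINT256_MAX = 2**256 - 1
VICTIM, ATTACKER = "0xVICTIM", "0xATTACKER"              # constructed addresses
KEYRING = {VICTIM: b"victim-secret", ATTACKER: b"x"}      # stand-in for private keys

class PermitError(Exception):
    pass

def permit_digest(token, owner, spender, value, nonce, deadline):
    """Stand-in for the EIP-712 hash: domain (token, chain, contract) plus every
    Permit field, so one signature binds one token, spender, amount, nonce, deadline."""
    fields = {"name": token.name, "chainId": token.chain_id, "contract": token.address,
              "owner": owner, "spender": spender, "value": value,
              "nonce": nonce, "deadline": deadline}
    return json.dumps(fields, sort_keys=True).encode()

def sign_permit(owner, token, spender, value, nonce, deadline):
    """What the wallet does on 'Approve USDC': no gas, nothing on-chain, one signature."""
    digest = permit_digest(token, owner, spender, value, nonce, deadline)
    sig = hmac.new(KEYRING[owner], digest, hashlib.sha256).hexdigest()
    return {"owner": owner, "spender": spender, "value": value, "deadline": deadline, "sig": sig}

class PermitToken:
    """ERC-20 with EIP-2612: balances, allowances, per-owner nonces, transferFrom."""

    def __init__(self, name, address, chain_id, balances):
        self.name, self.address, self.chain_id = name, address, chain_id
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount
        self.nonces = {}     # owner -> nonce the next permit must carry

    def approve(self, caller, spender, value):
        self.allowance[(caller, spender)] = value

    def permit(self, p, now):
        """Anyone may submit a permit (the attacker pays the gas); it only needs a
        valid signature from p['owner'] over the owner's current nonce."""
        if now > p["deadline"]:
            raise PermitError("permit expired")
        nonce = self.nonces.get(p["owner"], 0)
        digest = permit_digest(self, p["owner"], p["spender"], p["value"], nonce, p["deadline"])
        expected = hmac.new(KEYRING[p["owner"]], digest, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, p["sig"]):
            raise PermitError("invalid signature (wrong signer or consumed nonce)")
        self.nonces[p["owner"]] = nonce + 1                      # single use
        self.allowance[(p["owner"], p["spender"])] = p["value"]  # overwrites approve()

    def transfer_from(self, caller, owner, to, amount):
        allowed = self.allowance.get((owner, caller), 0)
        if amount > allowed:
            raise PermitError("insufficient allowance")
        if amount > self.balances.get(owner, 0):
            raise PermitError("insufficient balance")
        if allowed != UINT256_MAX:                # unlimited allowances never decrease
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] = self.balances.get(owner, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount

def _setup():
    """Constructed: a USDC-like token where the victim holds 50,000 units, plus the
    permit the phishing site had them sign (unlimited value, attacker as spender)."""
    token = PermitToken("USD Coin", "0xTOKEN", 1, {VICTIM: 50_000})
    stolen = sign_permit(VICTIM, token, ATTACKER, UINT256_MAX, nonce=0, deadline=4_000_000_000)
    return token, stolen

def run_drain(revoke_first=False):
    """Attacker submits the permit and calls transferFrom; the victim signs nothing
    else. With revoke_first the victim sets the attacker's allowance to 0 before
    the attacker submits; it changes nothing, permit() writes the allowance afresh."""
    token, stolen = _setup()
    if revoke_first:
        token.approve(VICTIM, ATTACKER, 0)
    token.permit(stolen, now=1_700_000_000)
    token.transfer_from(ATTACKER, VICTIM, ATTACKER, token.balances[VICTIM])
    return token.balances[VICTIM], token.balances[ATTACKER]

def run_burn_nonce():
    """What does cancel an unsubmitted permit: consuming the nonce. The victim
    submits a harmless permit (spender = self, value 0) first, so the attacker's
    signature no longer matches the current nonce."""
    token, stolen = _setup()
    cancel = sign_permit(VICTIM, token, VICTIM, 0, nonce=0, deadline=1_700_000_100)
    token.permit(cancel, now=1_700_000_000)
    try:
        token.permit(stolen, now=1_700_000_000)
        return token.balances[VICTIM], "attacker permit accepted"
    except PermitError as e:
        return token.balances[VICTIM], str(e)
```

Calling run_drain() returns (0, 50000): the victim is emptied and the attacker holds everything. run_drain(revoke_first=True) returns the same, because permit() overwrites whatever allowance approve() set. run_burn_nonce() leaves the victim at 50000 and reports the attacker’s permit as an invalid signature, since the digest it was signed over carried a nonce the contract has already moved past.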
Real Examples of Wallet Connect Phishing
Uniswap Phishing Campaign
In 2022 and 2023, attackers ran Google ads for “Uniswap” that led to fake clones. Users who connected wallets and attempted swaps unknowingly signed permits that drained their USDC and other ERC-20 tokens. Native ETH has no permit function and cannot be moved by a signature alone, so any ETH lost to such a site comes from a separate malicious transaction the victim is prompted to confirm. One victim lost over $100,000 in a single transaction.
NFT Mint Scams
Scammers create fake NFT mint pages for hyped collections. When users try to mint, they sign permit messages that drain their wallets instead. The NFT never exists. The mint button was just a trap.
Airdrop Claim Phishing
After legitimate airdrops are announced, scammers create fake claim sites. Users connect wallets expecting to receive free tokens. Instead, they sign permits that drain their existing holdings.
Why These Scams Are Dangerous
Permit signature scams bypass the most common security advice. Hardware wallets don’t protect you on their own. Your Ledger or Trezor will show you the typed-data fields (or, with blind signing enabled, only a hash) and ask you to confirm, but the device has no way to know that the spender address belongs to a scammer. It displays exactly what the dApp sends and signs exactly what you confirm.
Revoking permissions after the fact usually doesn’t help either. In practice the attacker submits the permit and the transferFrom within seconds of your signature, so by the time you check your approvals your tokens are already gone. And if the attacker has not submitted yet, setting their allowance to zero still does not save you: permit() writes the allowance afresh when it is called. The only way to cancel an unsubmitted permit is to consume its nonce, by submitting any other permit for the same token from your address (for example one naming yourself as spender with value 0) before the attacker submits theirs.
These attacks also exploit user habits. We’ve trained users to click “approve” when swapping tokens. The signature request looks similar enough that experienced DeFi users fall for it.
How to Identify Wallet Connect Phishing
Check the URL Carefully
Scammers use domains that look correct at first glance. Uniswap becomes “uniswap.exchange” instead of “app.uniswap.org”. OpenSea might be “opensea-nft.io” instead of “opensea.io”. Always verify the exact domain.
Be Suspicious of Google Ads
Never click sponsored search results for DeFi protocols. Scammers pay for top placement. Type the URL directly or use a trusted bookmark.
Inspect Signature Requests
When your wallet shows a signature request, read every field, not just the title. A permit has five message fields (owner, spender, value, nonce, deadline) and a domain naming the token contract and chain. Check that the spender is the protocol’s published router or contract address, that the value matches the amount you are actually swapping rather than 2^256-1 (shown by some wallets as “unlimited”, by others as a 78-digit number), and that the deadline is minutes away, not years. A spender you don’t recognise, or a verifyingContract that isn’t the token you meant to approve, is a reason to reject.
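The field-by-field check above, written out as a function over the typed-data object a wallet receives for eth_signTypedData_v4. This is an added example, not code from the page or from any wallet vendor: the allow-list of known spenders, the user’s address, the token contract address, the fixed clock and both sample requests are constructed, and the one-hour deadline window is a chosen threshold rather than a standard.

```python
"""Pre-signature check for an EIP-2612 permit request (added example, not page code).

Input is the EIP-712 typed-data object a wallet receives for eth_signTypedData_v4.
The allow-list, addresses, clock and both sample requests are constructed.
"""
UINT256_MAX = 2**256 - 1
MAX_DEADLINE_SECONDS = 3600  # chosen threshold: a swap permit should expire within the hour

# Constructed: spender addresses the user has verified against official docs.
KNOWN_SPENDERS = {"0x1111111111111111111111111111111111111111": "DEX router"}
MY_ADDRESS = "0xabababababababababababababababababababab"       # constructed
USDC_CONTRACT = "0x2222222222222222222222222222222222222222"     # constructed
NOW = 1_700_000_000                                               # fixed clock for the demo


def _uint(v):
    """Typed-data integers arrive as ints, decimal strings or hex strings."""
    return int(v, 0) if isinstance(v, str) else int(v)


def inspect_permit(typed_data, my_address, expected_token, expected_amount, chain_id, now):
    """Return the reasons to reject; an empty list means every field is what a
    swap of expected_amount on the intended token should look like."""
    findings = []
    if typed_data.get("primaryType") != "Permit":
        return [f"not an ERC-20 Permit: primaryType={typed_data.get('primaryType')!r}"]
    dom, msg = typed_data["domain"], typed_data["message"]
    if _uint(dom.get("chainId", 0)) != chain_id:
        findings.append(f"chainId {dom.get('chainId')} is not the chain you are on")
    if dom.get("verifyingContract", "").lower() != expected_token.lower():
        findings.append(f"verifyingContract {dom.get('verifyingContract')} is not the token you meant to approve")
    if msg["owner"].lower() != my_address.lower():
        findings.append(f"owner {msg['owner']} is not your address")
    if msg["spender"].lower() not in KNOWN_SPENDERS:
        findings.append(f"spender {msg['spender']} is not on your allow-list")
    value = _uint(msg["value"])
    if value == UINT256_MAX:
        findings.append("value is 2**256-1: an unlimited allowance")
    elif value > expected_amount:
        findings.append(f"value {value} exceeds the {expected_amount} you are swapping")
    remaining = _uint(msg["deadline"]) - now
    if remaining > MAX_DEADLINE_SECONDS:
        findings.append(f"deadline is {remaining // 86400} days away; expect minutes")
    return findings


def _request(spender, value, deadline):
    """Build a typed-data request in the shape a dApp sends the wallet (constructed)."""
    return {
        "types": {"Permit": [{"name": "owner", "type": "address"},
                             {"name": "spender", "type": "address"},
                             {"name": "value", "type": "uint256"},
                             {"name": "nonce", "type": "uint256"},
                             {"name": "deadline", "type": "uint256"}]},
        "primaryType": "Permit",
        "domain": {"name": "USD Coin", "version": "2", "chainId": 1,
                   "verifyingContract": USDC_CONTRACT},
        "message": {"owner": MY_ADDRESS, "spender": spender, "value": str(value),
                    "nonce": "7", "deadline": str(deadline)},
    }


# A 1,000 USDC (6 decimals) swap through the known router, valid for 20 minutes.
LEGIT_REQUEST = _request("0x1111111111111111111111111111111111111111", 1_000_000_000, NOW + 1200)
# The phishing site's version: unknown spender, unlimited value, deadline in the year 2286.
PHISHING_REQUEST = _request("0x3333333333333333333333333333333333333333", UINT256_MAX, 9_999_999_999)


def check_legit():
    return inspect_permit(LEGIT_REQUEST, MY_ADDRESS, USDC_CONTRACT, 1_000_000_000, 1, NOW)


def check_phishing():
    return inspect_permit(PHISHING_REQUEST, MY_ADDRESS, USDC_CONTRACT, 1_000_000_000, 1, NOW)
```

check_legit() returns an empty list; check_phishing() returns three findings (unknown spender, unlimited value, deadline decades away), which is the same three fields a human reviewer should be reading before tapping “Sign”. The allow-list is the part that needs maintenance: it only catches an unknown spender if you have recorded the real ones from the protocol’s documentation beforehand.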
Use Transaction Simulators
Tools like Tenderly simulate what an on-chain transaction will do before you send it. A permit signature is not a transaction, so there is nothing for a simulator to execute; extensions like Pocket Universe instead decode the typed data and warn when the spender is unknown or the value is unlimited. Use both kinds of tool, and treat a signature request that neither can explain as a reason to walk away.
Steps to Protect Yourself
1. Bookmark Legitimate Sites
Create bookmarks for every DeFi protocol you use. Never search for them. Never click links from emails, Discord, or Telegram without verifying the sender.
2. Use a Dedicated Wallet for New Protocols
Keep a “burner” wallet with minimal funds for trying new platforms. If it gets drained, you lose a small amount. Your main holdings stay safe in a separate wallet.
3. Verify Contract Addresses
Before interacting with any protocol, check that the contract addresses it asks you to approve or sign for match the ones published in the project’s official documentation. Scammers clone interfaces but point them at their own contracts and spender addresses.
4. Install Security Extensions
Browser extensions like Wallet Guard and Pocket Universe analyze signature requests and warn about potential scams. They’re not perfect but catch many common attacks.
5. Check Token Allowances Regularly
Use tools like Revoke.cash or Etherscan’s token approval checker to see which contracts can spend your tokens. Revoke any permissions you don’t recognize or no longer need. Note that these tools show allowances already set on-chain; a permit you signed that the attacker has not yet submitted will not appear there.
What to Do If You’ve Been Scammed
If you signed a suspicious permit, act before the attacker submits it. Revoking allowances on Revoke.cash removes permissions the attacker already has on-chain, including for other tokens in your wallet, but it does not invalidate an unsubmitted permit; that requires consuming the permit nonce, which some revocation tools offer as cancelling a signature and which you can also do by submitting any new permit of your own for that token. If the tokens are worth more than the gas, moving them to a fresh wallet is the most reliable fix: a permit authorizes spending from the signing address, and an empty address has nothing to drain.
Report the scam address to blockchain analytics platforms like Etherscan. This helps flag the address and might protect others.
Unfortunately, recovering stolen crypto is nearly impossible. The transactions are irreversible by design. Focus on securing your remaining assets and preventing future attacks.
The Future of Wallet Security
Wallet developers are building better protections against permit signature scams. MetaMask and other wallets now show more detailed breakdowns of what you’re signing. Some display warnings for suspicious approvals.
Account abstraction and smart contract wallets offer additional layers of protection. They can enforce spending limits and require multiple approvals for large transactions.
But technical solutions only go so far. Attackers constantly adapt their methods. The best defense remains user awareness and careful verification of every interaction.
Conclusion
Wallet Connect phishing and permit signature scams represent an evolution in crypto theft. They don’t steal your keys. They get you to sign away your funds willingly, often through interfaces that look identical to legitimate platforms.
The attack works because it exploits trust in familiar processes. We click “approve” dozens of times when using DeFi. One malicious approval is all it takes.
Protect yourself by bookmarking official sites, avoiding sponsored search results, using burner wallets for new protocols, and carefully inspecting every signature request. Install security extensions that can warn you about suspicious approvals. And regularly check and revoke token allowances.
Your private keys staying safe doesn’t mean your funds are safe. In the world of permit signatures, the signature is the theft.