The Phishing Attack That Bypassed Everything: DeFi's Real Security Problem

Phishing approvals, not smart contract bugs, are now DeFi's biggest threat. Modern wallet drainers exploit user habits and muscle memory, draining funds without breaking a single line of protocol code.

Web3 Antivirus has reported its largest recorded loss to date: hundreds of thousands of dollars stolen from a DeFi user who believed they were performing a routine withdrawal from Aave and Compound. The victim was no novice. They had spent years in the industry and held roles at several prominent crypto protocols, knew how to manage gas and run yield strategies, and still approved a transaction request that looked legitimate without bringing any of that experience to bear.



As Decentralised Finance (DeFi) matures, the uncomfortable truth about its security in 2025 is that the greatest risk lies not in the technology but in how people behave, specifically in which transactions they choose to approve. While protocol teams concentrate on auditing smart contracts and hardening protocol code, attackers have moved on to the one step every transaction shares: the approval signature, which has become the weakest link in the chain.


According to several third-party trackers, phishing and social engineering accounted for more than $600 million in losses in the first half of 2025, exceeding the amount lost to smart contract exploits. Access control breaches made up 55.6% of the incidents reported in 2024. The lesson attackers have drawn is plain: breaking code is slower and harder than persuading people to authorise transactions themselves.

How the Attack Actually Works

The targets are people who deposit into lending protocols such as Aave or Compound to earn yield. The attack presents a phishing approval request dressed up as a legitimate withdrawal: it looks like a normal protocol interaction, and users sign it alongside their genuine withdrawal transactions.


Phishing approvals are particularly dangerous because they exploit no weakness in any smart contract or exchange. The attacker needs no access to the protocol and no backdoor; they simply trick the victim into signing an approval that lets the attacker's address transfer the victim's tokens. A phishing approval can lie dormant until the attacker chooses to use it, which may be immediately after signing or long after the victim has forgotten the request.


Wallet drainers have evolved considerably since their first appearance. Modern drainers emulate real protocols, reuse interface patterns users already know, and embed themselves in mainstream DeFi workflows. In September 2024, Web3 Antivirus uncovered a wallet-drainer attack worth $6.5 million, an illustration of how sophisticated these kits have become.


The technical mechanism is simple, and that is the problem. Before a contract can move ERC-20 tokens on a user's behalf, the token holder must call approve(spender, amount), granting that spender an allowance; the spender then moves tokens with transferFrom. This is how DeFi is designed to work. But nothing in the standard forces a dApp to request only what it needs, most interfaces ask for an unlimited allowance (2^256-1) to spare the user future prompts, and an allowance never expires: it persists until the holder explicitly overwrites it. A single approval granted to a malicious address therefore lets the attacker call transferFrom for the holder's entire balance of that token, at any time of their choosing.
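As an added worked example (my own code, not from the article or from Web3 Antivirus), the following Python models ERC-20 allowance semantics just far enough to show the two properties the paragraph above relies on: an unlimited allowance lets the spender pull the holder's whole balance with transferFrom, and it survives every pull, so tokens that arrive later are drainable too. It also decodes the approve calldata a wallet would ask the user to sign, so you can see what the prompt actually grants. Every address, balance and the calldata are constructed; the Erc20 class is a simplified stand-in for a real token contract, and the rule that an unlimited allowance is not decremented follows common implementations (OpenZeppelin does this) rather than anything in the article.

```python
# Added example (not from the article or Web3 Antivirus): a minimal in-memory
# model of ERC-20 allowance semantics showing why one phishing approval can
# drain a wallet and keeps working long after it was signed.
# All addresses, balances and the calldata below are constructed.

UINT256_MAX = 2**256 - 1        # the "unlimited" allowance most dApps request
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")

# Constructed calldata for approve(0x1111...1111, 2**256-1): selector, then the
# spender right-aligned in a 32-byte word, then the amount as a 32-byte word.
PHISHING_APPROVE_CALLDATA = (
    "0x" + APPROVE_SELECTOR + ("11" * 20).rjust(64, "0") + "f" * 64
)


class Erc20:
    """Just enough of ERC-20 to reproduce approve()/transferFrom() behaviour."""

    def __init__(self, balances):
        self.balances = dict(balances)   # holder -> amount
        self.allowances = {}             # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        # approve() overwrites any existing allowance; the standard has no expiry.
        self.allowances[(owner, spender)] = amount

    def transfer(self, sender, to, amount):
        if amount > self.balances.get(sender, 0):
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_from(self, spender, owner, to, amount):
        # The spender moves the owner's tokens; the only check is the allowance.
        allowed = self.allowances.get((owner, spender), 0)
        if amount > allowed:
            raise PermissionError("insufficient allowance")
        # Common implementations do not decrement an unlimited allowance, so it
        # never shrinks however much is pulled through it.
        if allowed != UINT256_MAX:
            self.allowances[(owner, spender)] = allowed - amount
        self.transfer(owner, to, amount)


def decode_approve(calldata_hex):
    """Return (spender, amount) from approve(address,uint256) calldata."""
    data = calldata_hex.lower().removeprefix("0x")
    if data[:8] != APPROVE_SELECTOR or len(data) != 8 + 64 + 64:
        raise ValueError("not an ERC-20 approve call")
    spender = "0x" + data[8 + 24:8 + 64]   # low 20 bytes of the first word
    amount = int(data[8 + 64:], 16)
    return spender, amount


def drain_scenario():
    """Walk through the article's scenario with the model above."""
    victim, pool = "0xvictim", "0xlending_pool"
    usdc = Erc20({victim: 250_000})

    # Legitimate flow: approve exactly the deposit, the protocol pulls it.
    usdc.approve(victim, pool, 100_000)
    usdc.transfer_from(pool, victim, pool, 100_000)

    # Phishing prompt among the real ones: an unlimited approval to the drainer.
    attacker, amount = decode_approve(PHISHING_APPROVE_CALLDATA)
    usdc.approve(victim, attacker, amount)
    balance_right_after_signing = usdc.balances[victim]   # nothing has moved yet

    # Later the victim withdraws from the protocol; the drainer then pulls everything.
    usdc.transfer(pool, victim, 100_000)
    usdc.transfer_from(attacker, victim, attacker, usdc.balances[victim])

    # The allowance is still unlimited, so tokens arriving later are drainable too.
    usdc.balances[victim] += 50_000   # constructed: new income lands in the wallet
    usdc.transfer_from(attacker, victim, attacker, 50_000)

    return {
        "phished_spender": attacker,
        "balance_right_after_signing": balance_right_after_signing,
        "victim_balance": usdc.balances[victim],
        "attacker_balance": usdc.balances[attacker],
        "allowance_still_unlimited": usdc.allowances[(victim, attacker)] == UINT256_MAX,
    }


if __name__ == "__main__":
    for key, value in drain_scenario().items():
        print(f"{key}: {value}")
```

The point of the dormant step is that the victim's balance is unchanged immediately after signing, which is why nothing looks wrong at the time; the damage is done by a later transferFrom that needs no further interaction from the victim.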


The transaction evidence for this incident including the wallet-draining transfers was publicly disclosed by Web3 Antivirus on X.

Why Experience Doesn't Matter

The victim's level of experience is what makes this case worrying. This was not someone clicking random links on Discord or trying DeFi for the first time; it was an active user with open positions across several protocols, actively managing yield and gas costs. They knew the interfaces well and routinely worked through multi-step approval flows.


Phishing attacks exploit what you know about a system, not what you don't. Experienced DeFi users have signed many approvals and swaps and have seen the same patterns hundreds of times. They move quickly through interfaces they have used before, and that speed and familiarity is exactly what makes them a target. When a fraudulent approval appears in the middle of a sequence of legitimate transactions, muscle memory overrides suspicion and the user approves it without a second look.


The psychological exploitation is deliberate. Attackers time their malicious approval prompts for peak activity, when the user is working through several transactions in quick succession. A withdrawal flow across Aave and Compound can involve several wallet prompts in a row; one more approval request inserted into that sequence looks like just another legitimate request from one of the platforms the user is interacting with.

The Broader Security Crisis

The losses are not an isolated spike. The first half of 2025 alone produced $3.1B in Web3 losses, more than the whole of 2024. Of that $3.1B, 80.5% came from what analysts class as off-chain thefts, with compromised accounts the largest category. The situation is deteriorating as phishing attacks grow in both volume and sophistication.


The economics explain the shift. Finding an exploitable smart contract bug takes time and deep technical skill, and once used it is typically patched quickly, so the window may close after a single execution. A phishing campaign, by contrast, scales: one fraudulent site can target thousands of victims at once, and the same kit can be reused indefinitely.


Recent cases show the scale. The Angel Drainer project drained $403 million from 320,000 accounts before going offline in March 2024; Pink Drainer took $85 million from 21,000 users. Both operated as businesses, selling "drainer-as-a-service" kits with customer support and profit sharing so that people with little technical skill could steal from users. Phishing has become organised crime, and an individual user now faces coordinated teams rather than a lone attacker.

What Actually Protects Users

Technical defences exist, but getting users to adopt them has proved difficult. Web3 Antivirus and similar products analyse transactions before they are signed and can catch fraudulent approvals before they reach the chain. The cost is that users must install extra software, share their transaction history with another service, and tolerate false positives that flag legitimate transactions.


Wallets such as MetaMask have also improved. They now surface details about each approval, including which contract is being given access to the user's tokens and for how much. But when a warning appears on nearly every legitimate transaction, it trains users to click through without reading, which is exactly what attackers want.


Hardware wallets keep private keys safe, but they do not stop an attacker who can get the user to approve a transaction on the device. An approval signed on a Ledger carries exactly the same authority as any other approval. The device confirms that the user consented; it cannot tell whether the transaction is legitimate or a drain. Clear-signing that shows the spender address and amount on the device helps only if the user actually reads them.


The most effective protection is behavioural. Treat no approval request as routine, whatever its apparent source. Approve specific amounts rather than unlimited allowances. Periodically revoke allowances granted to contracts you no longer use. Keep large holdings in a separate wallet from the one you trade with, so a bad approval on the hot wallet cannot reach them. And slow down during sequences of transactions, verifying each request on its own.
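To make the recommendations above concrete, here is an added Python example (my own, not code from the article, MetaMask or any wallet vendor) that audits a wallet's live ERC-20 allowances against a policy and produces the revocation transactions. It assumes a list of Approval events as an indexer or wallet would return them, a set of spender contracts still in use, and a per-token allowance cap; all addresses, events and caps are constructed. It also serves the screening point from the previous section: the same rule that flags an unlimited allowance after the fact can be applied to a pending approve request before it is signed.

```python
# Added example (not from the article, MetaMask or any wallet vendor): an
# allowance hygiene audit that turns "scope approvals, revoke unused ones"
# into a policy a wallet or script could enforce. The Approval events,
# spender addresses and caps below are constructed; real data would come
# from a node or an indexer.

UINT256_MAX = 2**256 - 1
APPROVE_SELECTOR = "095ea7b3"   # keccak256("approve(address,uint256)")[:4]

# Constructed addresses standing in for real contracts.
LENDING_POOL = "0x" + "11" * 20   # still in active use
OLD_ROUTER = "0x" + "22" * 20     # a DEX router last used months ago
CTOKEN = "0x" + "33" * 20         # still in active use
DRAINER = "0x" + "44" * 20        # the phishing approval from the scenario

# Constructed ERC-20 Approval(owner, spender, value) events for one wallet, oldest first.
SAMPLE_APPROVALS = [
    {"token": "USDC", "spender": LENDING_POOL, "amount": UINT256_MAX},
    {"token": "USDC", "spender": OLD_ROUTER, "amount": 5_000},
    {"token": "DAI", "spender": CTOKEN, "amount": 20_000},
    {"token": "DAI", "spender": OLD_ROUTER, "amount": 0},   # already revoked
    {"token": "WETH", "spender": DRAINER, "amount": UINT256_MAX},
]
SPENDERS_IN_USE = {LENDING_POOL, CTOKEN}
ALLOWANCE_CAP = {"USDC": 50_000, "DAI": 50_000, "WETH": 10}   # per-token policy


def outstanding_allowances(events):
    """approve() overwrites, so the latest event per (token, spender) is the live value."""
    live = {}
    for ev in events:
        live[(ev["token"], ev["spender"])] = ev["amount"]
    return {k: v for k, v in live.items() if v > 0}


def audit(events, spenders_in_use, cap):
    """Label each live allowance: revoke (spender unused), shrink (over cap) or keep."""
    findings = {"revoke": [], "shrink": [], "keep": []}
    for (token, spender), amount in sorted(outstanding_allowances(events).items()):
        if spender not in spenders_in_use:
            findings["revoke"].append((token, spender))
        elif amount == UINT256_MAX or amount > cap.get(token, 0):
            findings["shrink"].append((token, spender))
        else:
            findings["keep"].append((token, spender))
    return findings


def encode_approve(spender, amount):
    """ABI-encode approve(spender, amount); amount 0 revokes the allowance."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40 or not 0 <= amount <= UINT256_MAX:
        raise ValueError("bad spender or amount")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + format(amount, "064x")


def revocation_plan(findings, cap):
    """Transactions to send, as (token, calldata), in order."""
    txs = []
    for token, spender in findings["revoke"]:
        txs.append((token, encode_approve(spender, 0)))
    for token, spender in findings["shrink"]:
        # Some tokens (USDT on mainnet, for one) reject approve() from a non-zero
        # to another non-zero value, so reset to 0 before setting the scoped cap.
        txs.append((token, encode_approve(spender, 0)))
        txs.append((token, encode_approve(spender, cap[token])))
    return txs


def run_audit():
    findings = audit(SAMPLE_APPROVALS, SPENDERS_IN_USE, ALLOWANCE_CAP)
    return findings, revocation_plan(findings, ALLOWANCE_CAP)


if __name__ == "__main__":
    findings, plan = run_audit()
    for action, items in findings.items():
        print(action, items)
    for token, calldata in plan:
        print(token, calldata)
```

In the constructed data the drainer's unlimited WETH allowance and the stale router allowance are revoked, the lending pool's unlimited USDC allowance is reduced to the cap, and the scoped Compound allowance is kept. The two-step reset for shrinks costs one extra transaction but works for every token, including the ones that refuse non-zero to non-zero changes.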


Much of this sounds tedious, and that is the deceptive part of Web3: friction is the only thing standing between a user and a drained wallet. The smooth, fast experience that makes DeFi pleasant to use is what lets attackers operate. Users have always had to trade safety against convenience, and most keep choosing convenience until the day it costs them.

The Uncomfortable Reality

Recent DeFi user-experience work has made attacks easier, not harder: fewer clicks per transaction, faster confirmation, and friendlier interfaces. Each simplification makes it harder for a non-technical user to tell a legitimate transaction from a fraudulent one. Yet DeFi will never reach a mass market if it requires every user to understand ERC-20 approvals, cross-check contract addresses on a block explorer, and manually verify every approval.


The logical remedy is to move security from the end user to the protocol and wallet layers: automated transaction scanning, models that assess approval requests, and reputation systems that flag suspicious contracts before users interact with them. Some see this as centralisation at odds with DeFi's values, reintroducing trusted intermediaries by another route.


For now, even the most experienced users are being drained during normal operations because defences lag well behind attack methods. Web3 Antivirus says it typically identifies these incidents after the fact, which exposes another problem: detecting an attack is not the same as stopping it, and stopping it requires users to change their behaviour, which they rarely do until they have been drained themselves. The industry's losses keep mounting, users keep choosing convenience, and the security crisis persists with nothing yet closing the gap between how attackers operate and how users behave.

All views expressed are the personal opinions of the author and do not constitute investment advice.
