Phishers Refine Tactics Targeting Phantom Wallet Users

Malefactors are attempting to acquire the private keys of Phantom wallet users through a phishing scheme involving fake updates, reports Scam Sniffer.

? UPDATE: Sophisticated Seed Phrase Phishing Tactic!

Scammers now connect to REAL Phantom wallets first, then trick users with a fake “update extension” signature request. After approval, a FAKE modal appears demanding seed phrases.

⚠️ REMEMBER: NEVER enter seed phrases… https://t.co/Nvq3qxySa0 pic.twitter.com/aYwJgGNsqB

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) February 6, 2025

According to experts, the fraudsters employ a fake pop-up window designed to mimic the real Phantom app interface. Upon connecting the wallet, they propose an “update” that requires entering the seed phrase. If the user complies, the malefactors gain access to the victim’s assets.

The fake interface can be identified by several indicators. In a genuine Phantom window, the link begins with “chrome-extension://”, a detail phishers have yet to replicate. Phishing pages also disable right-click actions and can only exist within a browser tab, whereas a legitimate pop-up functions as a full-fledged system window. 

At the end of January, Scam Sniffer experts reported the use of malicious pop-ups on phishing sites targeting Phantom users within the Solana ecosystem. The scammers attempted to obtain seed phrases from potential victims under the guise of confirming a request to restore network connection. 

In February, Chainalysis specialists calculated that in 2024, ransomware operators’ revenue amounted to $813 million—35% less than the previous year’s figure of $1.25 billion.