Phishing losses surge by 207%! Cryptocurrency wallet thefts soar to $6.03 million


In January 2026, losses from phishing attacks on cryptocurrency wallets surged to $6.3 million, a 207% increase from December. Scam Sniffer data shows that attackers have shifted toward “whale” strategies, with just two victims accounting for 65% of total losses and the largest single loss reaching $3.02 million. In a separate “address poisoning” incident, a single victim lost $12.25 million.

Signature-based phishing losses jump 207%, while the number of victims decreases

According to Scam Sniffer reports, in the first month of this year, signature-based phishing attacks stole approximately $6.3 million from user crypto wallets. This attack method tricks users into signing malicious “Permit” or “IncreaseAllowance” functions that grant a third party unlimited access to their tokens, so attackers can steal funds without further user approval.

What’s most shocking is the divergence between loss amounts and the number of victims. While the number of victims decreased by 11% compared to December, the total stolen amount skyrocketed by 207%. This highlights a fundamental shift in cybercriminal tactics—they are moving from a broad “scattershot” approach to precise “whale” attacks targeting high-net-worth individuals holding large assets, rather than attacking many small retail accounts as before.

This strategic shift presents new challenges for crypto wallet security. Traditional phishing defenses often focus on detecting attack volume and victim count, but when attackers target fewer high-value targets, these indicators may no longer serve as early warnings. Even with fewer victims, the explosive growth in total losses indicates the threat is escalating.

Signature-based phishing is particularly dangerous because it exploits the technical features of blockchain interactions. Many decentralized applications (DApps) require users to grant smart contracts permission to access tokens; this is standard procedure. However, attackers disguise malicious contracts as legitimate apps and trick users into signing authorizations. Once signed, attackers can transfer assets from victims’ wallets indefinitely without further user confirmation.
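The allowance grant described above can be recognized before it is signed. The following Python sketch is an added example, not code from Scam Sniffer or any wallet; it flags ERC-20 `approve`/`increaseAllowance` calldata and EIP-712 `Permit` requests that give an unknown spender an unlimited allowance. The function names, the trusted-spender list, the 2**255 "unlimited" threshold and the sample inputs are assumptions made for illustration.

```python
# Added illustration: review an allowance request before it is signed.
# Selectors of the standard ERC-20 allowance functions (4-byte ids, hex).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
# Assumption: any amount at or above 2**255 is treated as "unlimited".
UNLIMITED_THRESHOLD = 2**255

def _judge(name, spender, amount, trusted_spenders):
    warnings = []
    if spender.lower() not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"{name}: spender {spender} is not a trusted contract")
    if amount >= UNLIMITED_THRESHOLD:
        warnings.append(f"{name}: unlimited allowance requested")
    return warnings

def review_calldata(calldata_hex, trusted_spenders):
    """Warnings for a transaction's data field (ABI-encoded call)."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    name = SELECTORS.get(data[:8])
    if name is None:
        return []                      # not an allowance call
    if len(data) != 8 + 128:           # selector + two 32-byte words
        return [f"{name}: malformed arguments"]
    spender = "0x" + data[32:72]       # address = low 20 bytes of word 1
    amount = int(data[72:136], 16)     # uint256 = word 2
    return _judge(name, spender, amount, trusted_spenders)

def review_permit(typed_data, trusted_spenders):
    """Warnings for an EIP-712 signing request whose primaryType is Permit."""
    if typed_data.get("primaryType") != "Permit":
        return []
    msg = typed_data["message"]
    return _judge("Permit", msg["spender"], int(msg["value"]), trusted_spenders)

# Constructed sample inputs (not real contracts or transactions).
TRUSTED = ["0x" + "11" * 20]
UNKNOWN = "0x" + "ab" * 20
APPROVE_MAX = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32
PERMIT_MAX = {"primaryType": "Permit",
              "message": {"owner": "0x" + "22" * 20, "spender": UNKNOWN,
                          "value": str(2**256 - 1), "deadline": str(2**256 - 1)}}

if __name__ == "__main__":
    for w in review_calldata(APPROVE_MAX, TRUSTED) + review_permit(PERMIT_MAX, TRUSTED):
        print("WARNING:", w)
```

A `Permit` request is an off-chain signature rather than a transaction, so a check that only inspects outgoing transactions will not see it; the signing request itself has to be reviewed.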

Whale strategy: two victims account for 65% of losses, with a single loss of $3.02 million

Scam Sniffer’s report reveals a startling fact: just two victims account for nearly 65% of all signature-based phishing losses in January. In one of the largest cases, a user lost $3.02 million after signing a malicious permission function. This highly concentrated loss distribution clearly illustrates a new attacker tactic—precise targeting of crypto wallets holding large assets.

The whale strategy differs from traditional phishing in its intelligence gathering before the attack. Attackers no longer send random phishing links but analyze on-chain data to identify high-value targets, study their transaction patterns and habits, then craft tailored attack plans. This approach requires more preparation time and technical skill but offers exponentially higher returns.

For users holding large assets, this threat is especially severe. High-net-worth investors might believe they are better at protecting their assets, but in reality, their high value makes them prime targets. Attackers are willing to invest more resources into designing targeted social engineering attacks, including creating more convincing fake websites, impersonating well-known project teams, and even establishing long-term trust through social media.

This trend is also reflected in the sophistication of attack methods. Past phishing often relied on crude scam emails and obvious fake websites, but modern whale attacks may involve perfectly replicated user interfaces, look-alike domains (swapping similar characters such as i and l), and carefully crafted emergency scenarios that pressure users into making quick decisions.

Address poisoning causes a $12.25 million loss in a single incident—copy-paste becomes a deadly trap

Besides signature-based phishing, another equally destructive threat—“address poisoning”—is also troubling wallet users. In a typical case in January, an investor lost $12.25 million after transferring funds to a scam address, the largest single loss of the month.

Address poisoning exploits user habits and the technical characteristics of blockchain addresses. Crypto wallet addresses are usually 42-character hexadecimal strings, and verifying these addresses fully is tedious. Many users develop the habit of only checking the first and last few characters, which attackers exploit. They generate “fake” or “cloned” addresses that precisely mimic the start and end of legitimate wallet addresses in the victim’s transaction history.

Address poisoning attack process

Monitoring targets: Attackers track high-value wallet transaction histories

Generating fake addresses: Use algorithms to create fake addresses with matching start and end characters

Sending bait: Send small amounts of tokens (often dust attacks) to the fake address

Polluting history: Fake addresses appear in the victim’s transaction history

Waiting for mistakes: Victims copy and paste addresses from history, unknowingly using the fake address

Attackers hope users will copy and paste addresses from their transaction history for subsequent transfers, rather than verifying the full string. Because the fake address’s start and end match the real one, unless users carefully check the middle part, they cannot distinguish the difference. Once funds are sent to the fake address, the transaction is irreversible on the blockchain, and assets are immediately and permanently transferred to the attacker.
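From the defender's side, the look-alike pattern described above is easy to detect mechanically. The following Python sketch is an added example, not code from Safe Labs or Scam Sniffer; it compares addresses seen in a wallet's history against a saved address book and flags any that match a contact's first and last characters but differ in the middle. The function names, the 4-character edge width and all addresses are constructed for illustration.

```python
# Added illustration: flag history entries that imitate a saved contact.
HEX = set("0123456789abcdef")

def normalize(addr):
    """Lower-case a 42-character 0x-prefixed address, rejecting anything else."""
    a = addr.lower()
    if not (len(a) == 42 and a.startswith("0x") and set(a[2:]) <= HEX):
        raise ValueError(f"not a 42-character hex address: {addr!r}")
    return a

def find_lookalikes(history, address_book, edge=4):
    """Return (address, imitated_label, differing_chars) for each history
    address that shares the first and last `edge` hex characters with a
    saved contact but is not that contact."""
    known = {normalize(a): label for label, a in address_book.items()}
    findings = []
    for raw in history:
        addr = normalize(raw)
        if addr in known:
            continue                      # exact match: a real contact
        for real, label in known.items():
            if addr[2:2 + edge] == real[2:2 + edge] and addr[-edge:] == real[-edge:]:
                diff = sum(x != y for x, y in zip(addr, real))
                findings.append((raw, label, diff))
    return findings

def safe_to_paste(candidate, address_book):
    """Full-string check: True only if every character matches a contact."""
    return normalize(candidate) in {normalize(a) for a in address_book.values()}

# Constructed sample data (not real addresses).
REAL = "0x1a2b" + "c3" * 16 + "9f8e"
FAKE = "0x1a2b" + "7d" * 16 + "9f8e"      # same first/last 4, different middle
OTHER = "0x" + "55" * 20
ADDRESS_BOOK = {"treasury": REAL}
HISTORY = [REAL, OTHER, FAKE]

if __name__ == "__main__":
    for addr, label, diff in find_lookalikes(HISTORY, ADDRESS_BOOK):
        print(f"{addr} imitates '{label}' ({diff} characters differ)")
    print("paste allowed:", safe_to_paste(FAKE, ADDRESS_BOOK))
```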

The $12.25 million single loss underscores the destructive potential of this attack. For investors or institutions managing large sums, a single mistake can be catastrophic. More concerning is that this attack relies solely on human psychology and operational habits, not on technical vulnerabilities, making prevention more difficult.

Safe Labs warns of 5,000 malicious addresses launching coordinated attacks

The increase in these incidents prompted Safe Labs (formerly Gnosis Safe, a popular multi-signature wallet developer) to issue an urgent security warning. The company discovered that organized cybercriminal groups are using about 5,000 malicious addresses to launch large-scale coordinated social engineering attacks against its users.

Safe Labs stated: “We have identified malicious actors working together to create thousands of addresses that look very similar to Safe addresses, aiming to trick users into sending funds to the wrong destination. This combines social engineering with address poisoning.” This scale of attack shows that phishing has evolved from individual crimes into an organized industry chain.

Deploying 5,000 malicious addresses simultaneously indicates that attackers possess robust technical infrastructure and automation tools. Generating such a large number of precisely targeted fake addresses requires significant computational resources and algorithm optimization. This industrial-grade attack capability suggests involvement by professional cybercrime organizations rather than lone hackers.

For crypto wallet providers, this large-scale attack presents new security challenges. Traditional security measures like two-factor authentication (2FA) and cold storage are nearly ineffective against address poisoning and signature phishing because these attacks exploit legitimate transaction mechanisms and user behavior. Prevention must involve improvements in user interface design, transaction confirmation processes, and user education across multiple levels.

Key measures to prevent phishing and address poisoning

In response to the growing threat of phishing, Safe Labs and security experts recommend several preventive steps. The most critical is to verify the complete address string before making large transfers, rather than just checking the start and end.

Best practices for crypto wallet security

Full address verification: Compare the entire 42-character address carefully, especially the middle section

Use address book: Save frequently used addresses as contacts to avoid copying from transaction history

Small test transfers: Send a small amount first to confirm the address before transferring large sums

Check permissions: Regularly review and revoke unnecessary token allowances

Enable transaction preview: Use wallets that support transaction review before signing

Multi-signature protection: Use multi-signature wallets for high-value accounts to increase attack difficulty

Additionally, users should stay vigilant against phishing sites, type URLs directly into the browser instead of clicking links, and carefully read permission requests before signing any transaction. For managing large assets, hardware wallets and multi-signature schemes can significantly enhance security.
