
Security Special Issue 01 | OKX Web3 & SlowMist: Sharing Experiences from Surviving "Hundreds of Scams"
TechFlow Selected TechFlow Selected

Security Special Issue 01 | OKX Web3 & SlowMist: Sharing Experiences from Surviving "Hundreds of Scams"
Would you immediately transfer the funds if someone suddenly gave you the private key to a wallet address worth $1 million?
Introduction
OKX Web3 has specially launched the "Security Special" series to address various types of on-chain security issues with dedicated episodes. By analyzing real-life cases experienced by users and collaborating with experts or institutions in the security field, this series offers dual perspectives and in-depth insights to gradually clarify and summarize secure transaction rules. The goal is to strengthen user security education and help users learn how to protect their private keys and wallet assets from the ground up.
One day, someone suddenly sends you the private key of a wallet address worth $1 million—would you immediately transfer the funds?
If your answer is yes, then this article is tailor-made for you.
This is Episode 01 of OKX Web3’s "Security Special," featuring the renowned blockchain security firm SlowMist—a team well-versed in battling scams across the crypto industry—alongside the OKX Web3 Security Team. Together, they share practical insights drawn from real user incidents, packed with valuable knowledge!

SlowMist Security Team: Thank you very much for inviting us, OKX Web3. As a leading blockchain security company, SlowMist primarily serves clients through security audits and anti-money laundering tracking services, while building a robust threat intelligence network. In 2023 alone, SlowMist assisted customers, partners, and public investigations in freezing over $12.5 million in compromised funds. We hope to continue contributing meaningful value to the industry with our respect for security and blockchain safety.
OKX Web3 Security Team: Hello everyone, we’re excited to participate in this discussion. The OKX Web3 Security Team is responsible for enhancing the security capabilities of the OKX Web3 Wallet, providing multi-layered protection including product security, user security, and transaction security. We safeguard users’ wallet assets 24/7 and contribute to maintaining the overall security ecosystem of blockchain.
Q1: Could you share some real-world theft cases?
SlowMist Security Team: First, most incidents occur because users store their private keys or seed phrases online. For example, many use cloud storage services like Google Docs, Tencent Docs, Baidu Cloud, WeChat Favorites, or device memo apps to save sensitive information. Once hackers gain access to these accounts via credential stuffing ("credential cracking"), private keys can be easily stolen.
Second, downloading fake apps leads to private key leaks. Multi-signature scams are typical examples where fraudsters trick users into installing counterfeit wallets and stealing their seed phrases. They then modify the wallet's account permissions—changing it from sole ownership by the user to shared control between the user and the attacker—thereby seizing control. These attackers often wait patiently until sufficient digital assets accumulate before draining the wallet entirely.
OKX Web3 Security Team: SlowMist has outlined two major causes of private key theft. The second scenario—where fake apps steal private keys—is essentially a Trojan attack. Such malware gains access to input methods, photos, and other permissions to extract private keys. Compared to iOS users, Android users face more frequent Trojan attacks. Here are two brief case studies:
Case One: A user reported asset loss. After investigation and communication, we found that the user had previously downloaded and installed a spoofed data platform app via Google search. Although the link appeared within the top five Google results, it was not the official software. Many users do not verify URLs provided by search engines, making them vulnerable to such Trojan attacks. We recommend using firewalls, antivirus software, and Hosts file configurations for daily protection.
Case Two: A user reported losing funds while investing in a DeFi project. However, our analysis revealed that the DeFi project itself was legitimate. The theft occurred when the user commented about the project on Twitter and was targeted by an impersonator posing as the project’s official customer service. Following instructions from the fake agent, the user clicked a malicious link and entered their seed phrase, resulting in total asset loss.
Clearly, scammers don’t always use sophisticated techniques—users simply need stronger awareness. Under no circumstances should private keys ever be disclosed. Additionally, our wallet now includes risk warnings for such malicious domains.

Q2: Is there an optimal way to manage private keys? Are there alternative solutions reducing reliance on private keys?
SlowMist Security Team: Private keys or seed phrases represent a single point of failure—if lost or stolen, recovery is extremely difficult. Emerging technologies such as Multi-Party Computation (MPC), social recovery authentication, Seedless/Keyless systems, pre-execution checks, and zero-knowledge proofs are helping reduce dependency on traditional private keys.
Take MPC as an example: MPC enables multiple parties to jointly perform complex computations without exposing their individual private data. In practice, MPC wallets securely split a private key into fragments managed separately by different parties—or generate a virtual key collectively so that no one ever sees the full private key. This approach distributes control and mitigates risks associated with single points of failure.
Note: MPC involves the concept of “Keyless,” meaning “no seed phrase” or “no private key.” But this “absence” doesn’t mean no cryptographic key exists—it means users neither back up nor perceive the existence of seed phrases or private keys. To understand Keyless wallets, keep these three points in mind:
1. During creation, the private key is never generated or stored at any time or location.
2. When signing transactions, no private key is involved, and it is never reconstructed.
3. At no stage does a Keyless wallet generate or store a complete private key or seed phrase.
OKX Web3 Security Team: There is currently no perfect method for storing private keys. However, our security team recommends hardware wallets, manually writing down private keys, setting up multi-signature schemes, and splitting seed phrase storage. Splitting seed phrases, for instance, means dividing them into two or more parts stored separately, reducing the risk of full exposure. Multi-signature setups allow trusted individuals to co-sign transactions, adding another layer of security.
To ensure maximum private key security, OKX Web3 Wallet operates offline at its core—the user’s seed phrase and private key details are encrypted and stored solely on the user’s local device. Our SDKs are also open-source and have undergone extensive review by the technical community, ensuring transparency. Moreover, OKX Web3 Wallet has undergone rigorous security audits in collaboration with reputable firms like SlowMist.
Beyond current measures, the OKX Web3 Security Team is actively developing and planning even stronger protections for private key management. Here’s a sneak peek at what’s coming:
1. Two-factor encryption: Most wallets today encrypt seed phrases with a password, storing the encrypted version locally. However, if a user’s device is infected with malware, the Trojan may scan the encrypted file and monitor password inputs. If intercepted, attackers could decrypt and retrieve the seed phrase. In the future, OKX Web3 Wallet will implement two-factor encryption—so even if a hacker obtains the password via malware, they still cannot decrypt the content.
2. Secure clipboard handling: Many Trojans steal private keys by monitoring clipboard data when users copy them. We plan to enhance clipboard security—for example, allowing partial copying of private keys or automatically clearing clipboard contents—to minimize leakage risks.
Q3: Starting from private key theft, what are the common phishing tactics today?
SlowMist Security Team: According to our observations, phishing activities are steadily increasing month by month.
First, Wallet Drainers pose the primary threat in current phishing campaigns, continuously targeting regular users in various forms.
Wallet Drainers are types of cryptocurrency-related malware deployed on phishing websites that trick users into signing malicious transactions to drain wallet assets. Some active Wallet Drainers include:
1. Pink Drainer: Uses social engineering (e.g., manipulating users into revealing private info) to obtain Discord tokens for phishing.
2. Angel Drainer: Conducts social engineering attacks against domain service providers. After gaining account access, it modifies DNS records to redirect users to fake websites.
Second, blind signing remains the most common form of phishing. Blind signing occurs when users interact with a project and unknowingly approve a transaction whose true intent they don’t understand—leading to asset theft. Let’s look at several examples:
Example 1: eth_sign. This open-ended signature method allows signing arbitrary hashes, which can authorize transactions or data. Non-technical users often struggle to interpret what they’re signing, creating phishing opportunities. Fortunately, more wallets now issue warnings for such signatures, helping reduce losses.
Example 2: Permit signature phishing. In ERC20 token transfers, users typically call the approve function to grant allowances. However, the permit function allows off-chain generation of signatures authorizing specific token amounts. Attackers exploit this by luring victims to sign a permit authorization on a phishing site. Once signed, attackers collect the signature data and invoke the token contract’s permit function to claim allowance and drain tokens.
Example 3: Stealthy create2 technique. Create2 lets developers predict a contract’s address before deployment. Attackers use this to generate temporary addresses per malicious signature. After tricking users into granting permission, attackers deploy contracts on those blank addresses to transfer assets. Because these addresses are new and clean, they bypass many phishing plugins and security alerts—making this method highly stealthy and effective.
In summary, users should always verify a project’s official website before interacting, pay attention to suspicious signature requests during interaction, and remain vigilant against any request to submit seed phrases or private keys. Never disclose them anywhere.
OKX Web3 Security Team: We’ve studied common phishing methods and implemented multi-dimensional defenses in our product. Below are the main types users encounter:
Type 1: Fake Airdrops. Hackers generate addresses similar in prefix/suffix to the victim’s and send small transfers, zero-value transactions, or fake tokens. These appear in the user’s transaction history. Accidentally copying the wrong address may lead to fund loss. OKX Web3 Wallet identifies such historical transactions as risky and warns users when attempting to send funds to these addresses.

Type 2: Signature Inducement. Hackers post fake DeFi project links or airdrop redemption URLs in public forums like Twitter, Discord, or Telegram, tricking users into clicking and losing assets. Beyond eth_sign, permit, and create2 mentioned by SlowMist, other variants include:
Method 1: Direct transfer theft of native tokens. Malicious contract functions are named deceptively (e.g., Claim, SecurityUpdate), appearing legitimate but actually transferring only the user’s native tokens. OKX Web3 Wallet now features pre-execution simulation, showing post-transaction asset and allowance changes with clear risk warnings.
Method 2: On-chain authorization. Users are tricked into signing approve / increaseAllowance / decreaseAllowance / setApprovalForAll transactions, granting attackers rights to transfer their tokens. Attackers monitor the account in real-time and drain funds as soon as assets arrive. Defending against such threats is an ongoing arms race requiring continuous upgrades.
Although most wallets detect known malicious addresses, attackers constantly evolve. Using create2, they pre-calculate new addresses not yet blacklisted, easily bypassing detection. Only after a victim signs do they deploy the contract and steal funds. Recently, we’ve seen attackers trick users into authorizing Uniswap’s multicall contract—an actual legitimate contract—thus evading standard security tools.
Method 3: Permission Changes: Including TRON and Solana permission modifications. (i) On TRON, multisig is a feature. Phishers disguise account-permission-change transactions as simple transfers. If signed, the user’s account becomes multi-signature, losing sole control. (ii) On Solana, attackers use SetAuthority to change the owner of the user’s ATA (Associated Token Account). Once signed, ownership shifts to the attacker, enabling full asset theft.
Other Methods: Protocol design flaws can also be exploited. For instance, EigenLayer’s queueWithdrawal function on Ethereum allows specifying another address as withdrawer. Victims who sign such transactions lose staked assets seven days later when the designated address calls completeQueuedWithdrawal.
Type 3: Seed Phrase Upload Scams. Attackers offer fake airdrop projects or fraudulent launchpad tools that prompt users to upload private keys or seed phrases. See earlier examples. Sometimes, they mimic wallet extension popups to deceive users into entering seed phrases.
Q4: Differences in attack methods between hot and cold wallets
OKX Web3 Security Team: The difference between hot and cold wallets lies in how private keys are stored. Cold wallets keep keys offline, whereas hot wallets store them in network-connected environments. Thus, their security risks differ. Hot wallet risks have been thoroughly covered above and won't be repeated here.
Cold wallet risks mainly include:
First, social engineering and physical attacks. Since cold wallets are offline, attackers might use social engineering—impersonating family or friends—to gain access.
Second, as physical devices, they can be damaged or lost. Transaction process risks refer to scenarios during usage where cold wallets may still fall victim to airdrop scams or induced signature attacks discussed earlier.
Q5: Like the opening example of “gifting high-value wallet private keys,” what other unconventional phishing traps exist?
SlowMist Security Team: Yes, the “deliberate giveaway of high-value wallet private keys” is a classic scam that emerged years ago and still fools people today. In this scheme, scammers intentionally leak private keys or seed phrases. Once imported into a wallet, attackers monitor it closely. As soon as ETH is deposited, they instantly drain it. This exploits users’ greed—the more people import the key, the higher the gas fees, and the greater the cumulative loss.
Additionally, some users believe “I’m not worth attacking,” lowering their guard. Yet, personal information (emails, passwords, bank details) holds value for attackers. Some think avoiding spam email links keeps them safe, but phishing emails can deliver malware via images or attachments.
Finally, we must recognize objectively: absolute security doesn’t exist. Phishing tactics evolve rapidly; continuous learning and heightened awareness remain the best defense.
OKX Web3 Security Team: Preventing third-party phishing traps is complex because attackers exploit psychological weaknesses and common oversights. Even cautious users may let their guard down when faced with sudden “golden opportunities,” amplifying their greed and falling prey. In such moments, human nature outweighs technology—even advanced safeguards fail if users ignore them temporarily. Only afterward do they realize they’ve been duped. Remember: there’s no such thing as a free lunch. Stay alert, mindful of risks—especially in blockchain’s dark forest.
Q6: Recommendations for improving private key security
SlowMist Security Team: Before answering, let’s outline how attackers typically steal user assets. They generally use two methods:
Method 1: Tricking users into signing malicious transaction data—such as approving asset transfers to attackers.
Method 2: Luring users into entering seed phrases on fake websites or apps—like submitting seeds on counterfeit wallet login pages.
Now that we know how attackers operate, here are preventive measures:
Prevention 1: Sign only what you see. Your wallet is your key to Web3—never sign blindly. Always inspect the data being signed and understand the transaction’s purpose; otherwise, cancel the action.
Prevention 2: Don’t put all eggs in one basket. Implement tiered wallet management based on asset type and usage frequency to keep risks manageable. Use low-value wallets for high-frequency activities like airdrops. Store large holdings in cold wallets, ensuring secure network and physical conditions when accessing them. If possible, use hardware wallets—they prevent direct export of seeds or private keys, raising the bar for theft.
Prevention 3: With endless new phishing tactics emerging, users must learn to identify scams, raise awareness, educate themselves, and develop self-rescue capabilities.
Prevention 4: Stay calm, avoid greed, and verify through multiple channels. For comprehensive asset management strategies, refer to SlowMist’s *Cryptocurrency Asset Security Solution*. For deeper security awareness and self-education, read *The Self-Rescue Manual for Blockchain’s Dark Forest*.
OKX Web3 Security Team: As the sole credential for accessing and controlling encrypted assets, protecting your private key is paramount.
Prevention 1: Know your DApp. When investing in DeFi, fully research any DApp you interact with to avoid fake versions that cause losses. While OKX Web3 Wallet employs multiple risk-detection strategies and warnings for DApps, attackers constantly refine their methods to bypass protections. Always stay vigilant.
Prevention 2: Know your signature. Always confirm transaction details before signing. Be cautious with unfamiliar transactions—never sign blindly. OKX Web3 Wallet parses both on-chain and offline signatures, simulates execution, and displays expected asset and allowance changes. Review these carefully before proceeding.
Prevention 3: Know your downloads. When installing trading or investment tools, ensure they come from official sources. Scan files with antivirus software after download. Malicious software can capture seed phrases or private keys via screenshots, clipboard monitoring, memory scanning, or uploading cached files.
Prevention 4: Strengthen awareness and safeguard private keys. Avoid copying seed phrases or private keys. Never take screenshots or store such information on third-party cloud platforms.
Prevention 5: Strong passwords & multi-sig. Use complex passwords to resist brute-force attacks if encrypted files are obtained. Whenever available, enable multi-signature transactions—so even if one party’s seed or key is compromised, overall security remains intact.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News










