
Anti-Phishing: Understanding OKX Web3 Wallet's Four Key Transaction Risk Interception Features
TechFlow Selected TechFlow Selected

Anti-Phishing: Understanding OKX Web3 Wallet's Four Key Transaction Risk Interception Features
This article aims to clearly explain the scenarios applicable to the four major risk transaction interception features of the latest OKX Web3 Wallet upgrade, while also providing an overview of the operating principles behind certain theft cases.
Scam Sniffer's 2024 mid-year phishing report reveals that in the first half of 2024 alone, 260,000 victims lost $314 million on EVM chains, with 20 individuals each losing over $1 million. Notably, one victim lost $11 million, making it the second-largest theft in history.
According to the report, most ERC20 token thefts currently stem from signing phishing signatures such as Permit, IncreaseAllowance, and Uniswap Permit2. The majority of large-scale thefts involve Staking, Restaking, Aave collateral, and Pendle tokens. Victims are often lured to phishing websites via fake comments on Twitter accounts.
Phishing attacks remain a major hotspot for on-chain security issues.
As a gateway product meeting users' fundamental transaction needs, OKX Web3 Wallet remains committed to strengthening security measures and user education. On the product side, the team has recently upgraded its risk transaction interception feature focusing on high-frequency phishing scenarios and plans to continuously expand detection capabilities for more risk scenarios to alert users accordingly.
This article aims to clearly explain the four newly upgraded risk transaction interception features in OKX Web3 Wallet and provide insights into how some theft cases operate, hoping to offer useful guidance.
1. Malicious Authorization to an EOA Account
On June 26, a user lost $217,000 by signing multiple phishing signatures on a fake Blast website; on July 3, ZachXBT reported that address 0xD7b2 became a victim of the Fake_Phishing 187019 phishing campaign, resulting in the loss of 6 BAYC NFTs and 40 Beans (worth over $1 million); on July 24, a Pendle user had approximately $4.69 million worth of PENDLEPT restaking tokens stolen within an hour due to multiple Permit phishing signatures.
Over the past two months, losses caused by various signature phishing incidents—both in frequency and amount—have been significant, marking this as a key recurring security issue. Most cases involve tricking users into authorizing hackers’ EOA addresses.
Malicious authorization to an EOA account generally refers to hackers inducing users to sign approvals that grant access from their address to a hacker-controlled EOA address, often under the guise of giveaways or other incentives.
EOA stands for Externally Owned Account, sometimes translated as "external account." It is one type of account on Ethereum-based blockchain networks, distinct from Contract Accounts (CAs). EOAs are controlled directly by users and not governed by smart contracts. When users interact on-chain, they typically authorize project smart contracts—not individual-owned EOA addresses.
Currently, there are three common authorization methods: Approve is a standard method defined in the ERC-20 token specification. It allows third parties (e.g., smart contracts) to spend a specified amount of tokens on behalf of the token holder. Users must pre-authorize a certain quantity of tokens to a specific smart contract, after which the contract can invoke transferFrom at any time to move those tokens. If users accidentally authorize a malicious contract, the approved tokens may be immediately drained. Notably, traces of Approve authorizations can be seen in the victim’s wallet address.
Permit is an extended authorization mechanism based on ERC-20, using message signing instead of direct smart contract calls to authorize third-party spending of tokens. In simple terms, users can approve others to transfer their tokens through a signature. Hackers exploit this method—for example, by creating phishing sites where the “Connect Wallet” button is replaced with a Permit prompt, easily capturing user signatures.
Permit2 is not part of the ERC-20 standard but a feature introduced by Uniswap for user convenience, allowing users to pay gas only once during interactions. However, if you've used Uniswap and granted infinite allowances to its contract, you could become a target of Permit2 phishing attacks.
Both Permit and Permit2 use offline signing mechanisms. Victims do not pay gas fees; instead, the attacker’s address covers the cost of submitting the authorization on-chain. Therefore, traces of these signature-based authorizations appear only in the attacker’s wallet, not the victim’s. Today, Permit and Permit2 signature phishing have become major threats in Web3 asset security.
How does the OKX Web3 Wallet interception function work in this scenario?
OKX Web3 Wallet performs pre-signing analysis of pending transactions. If the system detects an authorization action directed to an EOA address, it triggers a warning to prevent users from falling victim to phishing and suffering asset loss.

2. Malicious Changing of Account Owner
Incidents involving malicious changes to account ownership typically occur on public blockchains like TRON or Solana, which have built-in account owner designs. Once users sign such transactions, they lose control of their accounts.
Taking TRON wallets as an example, TRON’s multi-signature permission system defines three types of permissions: Owner, Witness, and Active, each serving specific functions.
Owner Permission holds the highest authority to execute all contracts and operations. Only the Owner can modify other permissions, including adding or removing signers. By default, the account itself holds this permission upon creation.
Witness Permission is primarily associated with Super Representatives (SRs), enabling the account to participate in SR elections and votes and manage related operations.
Active Permission is used for daily operations such as transfers and smart contract interactions. This permission can be set or modified by the Owner and is often assigned to accounts needing to perform routine tasks—it represents a collection of authorized actions (e.g., TRX transfers, staking).
One scenario involves hackers obtaining a user’s private key or seed phrase. If the user hasn’t implemented multi-signature protection (i.e., sole control), the hacker can assign or transfer Owner/Active permissions to their own address—a practice commonly known as malicious multisig manipulation.
Alternatively, even if the user still retains Owner/Active permissions, the hacker may use the multisig mechanism to co-control the account. In this case, although the user still holds the private key/seed phrase and permissions, they cannot transfer assets independently. Any withdrawal request requires signatures from both the user and the hacker’s address to proceed.
Another possibility is that the hacker exploits TRON’s permission management design to directly transfer the user’s Owner/Active permissions to their own address, thereby stripping the user of control.
In both cases, the outcome is identical: regardless of whether the user still technically holds permissions, they lose actual control of the account. With full control, the hacker can alter permissions and drain assets at will.
How does the OKX Web3 Wallet interception function work in this scenario?
OKX Web3 Wallet analyzes pending transactions before signing. If it detects any attempt to change account permissions, it automatically blocks the transaction, preventing further user interaction and potential asset loss.
Due to the extreme severity of this risk, OKX Web3 Wallet currently blocks such transactions outright, disallowing any further execution.

3. Malicious Modification of Transfer Address
The risk of maliciously changing transfer addresses mainly arises when DApp contracts are poorly designed.
On March 5, @CyversAlerts detected that an address starting with 0xae7ab received 4 stETH from EigenLayer, valued at $14,199.57, and suspected phishing involvement. They noted that several victims on the mainnet had signed fraudulent "queueWithdrawal" transactions.
Angel Drainer exploits the nature of Ethereum staking. Unlike regular ERC20 "Approve" methods, it specifically targets the queueWithdrawal (0xf123991e) function of the EigenLayer Strategy Manager contract. The core of the attack lies in the fact that users who sign the "queueWithdrawal" transaction effectively approve a malicious "withdrawer" to extract their staking rewards from EigenLayer to an address chosen by the attacker. Simply put, once you approve such a transaction on a phishing site, your staking rewards belong to the attacker.
To make detection harder, attackers use the "CREATE2" mechanism to route withdrawals to empty addresses. As this is a novel approval method, most security providers or internal tools fail to parse or validate it, often flagging such transactions as benign.
Beyond this case, throughout this year, flaws in poorly designed contracts across major public chain ecosystems have led to instances where users’ transfer addresses were maliciously altered, resulting in financial losses.
How does the OKX Web3 Wallet interception function work in this scenario?
For phishing attacks targeting EigenLayer, OKX Web3 Wallet parses relevant "queueWithdrawal" transactions. If a user initiates such a transaction off the official website and attempts to withdraw to a non-self address, the wallet issues a warning and forces additional confirmation to prevent phishing exploitation.

4. Transfers to Similar Addresses
Similar-address phishing tricks victims into sending funds to fake addresses that closely resemble legitimate ones, directing assets to the attacker’s wallet. These attacks often employ complex obfuscation and concealment techniques, using multiple wallets and cross-chain movements to complicate tracking efforts.
On May 3, a whale fell victim to a same-first-and-last-digits address scam, losing 1,155 WBTC—valued at around $70 million.
The attack works by having hackers pre-generate numerous phishing addresses and deploy automated scripts that launch same-first-and-last-digit attacks based on real-time on-chain activity. In this incident, the hacker used an address matching the first 4 digits and last 6 digits (after removing the “0x” prefix) of the intended recipient. After the victim made a large transfer, the hacker quickly sent a follow-up transaction (approximately three minutes later) from the spoofed address back to the victim’s address with 0 ETH, causing the phishing address to appear in the user’s transaction history.
Since users often copy recent transaction details from their wallet history, seeing this follow-up transaction without careful verification led them to mistakenly paste the phishing address, ultimately transferring 1,155 WBTC to the attacker.
How does the OKX Web3 Wallet interception function work in this scenario?
OKX Web3 Wallet continuously monitors on-chain transactions. If shortly after a large transaction, a suspicious, non-user-initiated transaction occurs involving an address highly similar to the original counterparty, the system identifies it as a similar address.
If the user subsequently interacts with such a similar address, OKX Web3 Wallet will intercept and warn them. Additionally, on the transaction history page, transactions involving similar addresses are flagged to prevent accidental pasting and asset loss. (Currently supported on 8 chains)

Conclusion
Overall, in the first half of 2024, phishing emails mimicking airdrops and compromised official project accounts continue to occur frequently. While users enjoy benefits from these campaigns, they also face unprecedented security risks. Hackers deceive users into revealing private keys or conducting malicious transfers by impersonating official communications or addresses. Moreover, breaches of official project accounts have also resulted in user fund losses. For ordinary users, the most critical defense in such an environment is raising awareness and deepening knowledge of security practices. At the same time, choosing platforms with reliable risk controls is strongly recommended.
Risk Warning and Disclaimer
This article is for informational purposes only. It reflects the author’s views and not necessarily those of OKX. This article does not constitute (i) investment advice or recommendations; (ii) an offer or solicitation to buy, sell, or hold digital assets; or (iii) financial, accounting, legal, or tax advice. We do not guarantee the accuracy, completeness, or usefulness of the information provided. Holding digital assets—including stablecoins and NFTs—involves high risk and may experience significant volatility. You should carefully consider whether trading or holding digital assets is suitable for you based on your financial situation. For personalized advice, please consult your legal/tax/investment professionals. You are solely responsible for understanding and complying with applicable local laws and regulations.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














