Ohm Shah
Co-Founder at Wallet Guard

🚩 Common Trends with Phishing in Web3 In this article we will go over some of the things the Wallet Guard team has observed as commonalties amongst phishing attempts in web3!

  • DNS Records
  • Fuzzy Malicious URLs
  • Using Homoglyphs in URLs

1/ DNS Records:


🔎 DNS Records for scams tend to be created with in 3 weeks of it being spread.

🔎 When a DNS is Hijacked like with polygon-rpc the ‘Updated’ field in the record is changed.

Wallet Guard automatically checks DNS Record Info and alerts you!

2/ How to preform a manual whois check:

[To Manually Analyze DNS Records]


  1. Goto Terminal
  2. Type the following ⬇️ and press enter
  • “whois | grep “Creation\|Updated\|Modified”

Example Output ⤵️

3/ Fuzzy Malicous URLs:


🔎 Many common phishing campaigns tend to use URLs similar to the official sites

Example: Openssea[.]com vs. Opensea[.]io

4/ Homoglyphs:


🔎 Recently we’ve noticed an increase in the usage of Homoglyphs ← Characters that look like each other

For example: PREMłNT[.]XYZ vs PREMINT[.]XYZ

When resolving such domains you get punycode ← converts words that cant be written in ASCII

5/ Punycode:


🔎 Say you’re resolving the domain: Openséa[.]app ← This is what the omnibar (search bar on your browser) will say the domain is.

🔎 However, when resolved the way your browser interprets it, the URL looks very different: xn — opensa-fva[.]app

6/ Key Takeaways:

◼️ Links are not always as they seem

◼️ Recently created/modified DNS Records should signal something as risky

◼️ Be alert for Homoglyphs in URLs

◼️ Check out for more educational content

7/ Wallet Guard:

If this is your first time coming across Wallet Guard we offer a chrome extension designed to combat scams/phishing in Web3. Our extension acts as a security companion to your crypto wallet of choice. Check us out at

Wallet Guard logo

Published on
March 31, 2023

Related Articles

All articles