Avoid Scams

Why Signature Phishing Spiked In January 2026: The Whale Hunting Playbook And How To Survive It

2026-05-30 · 链上迷雾

The number that stopped me in early 2026 came out of CertiK and SlowMist’s signature-phishing loss tracker: monthly losses rose 207% year over year in January, with a single victim losing over sixty-nine million USD and nearly a dozen events crossing the seven-figure mark. The curve did not creep upward; it jumped vertically in the first week of the year. After tracking every English and Chinese-language case for two months I see one pattern repeated everywhere: the attacker objective changed. They are not running spray-and-pray with a one-percent signature rate anymore. They are running whale hunting: a 0.1% signature rate, but each successful hit is a six-to-eight figure capture.

Whale hunting signature phishing concept illustration

A quick refresher on signature phishing

Signature phishing is when an attacker uses a phishing site, social engineering, or a malicious dApp to trick you into signing a pre-crafted on-chain message. Unlike a seed phrase theft, the user usually feels they “just signed something” rather than approved an asset transfer. The dangerous signature types are documented in my wallet drainer defense piece. This article focuses on what shifted in 2026.

Why January 2026 broke vertical

Three forces lined up at once.

  1. EIP-2612 / permit2 adoption crossed a tipping point. Most major stablecoins, LSTs, and LRTs now accept signed-off allowances. One signature lets the attacker invoke a contract and pull funds.
  2. Whale wallets reappeared in late 2025 thanks to the bull cycle. Active whale address counts returned to 2021 highs, and average balance per address rose.
  3. AI-driven phishing front-end production scaled up. Bitdefender’s early-2026 report flagged GPT-class tools generating 5,000+ high-fidelity phishing pages per day, targeted at specific whale wallets.
Dimension Spray-and-pray Whale hunting
Targets Any connected wallet Pre-profiled whale addresses
Channel Public phishing sites, mass DMs Personalized DMs, fake VC outreach, paid ads
Signature design Generic permit Custom permit2 sized to victim holdings
Expected loss per hit Four to five figures USD Six to eight figures USD
Attacker ops cost Low Medium-high but still tiny vs return

How attackers find whales

On-chain transparency is a double-edged sword. Attackers profile targets through:

  • Monitoring stablecoin, wstETH, wBTC holdings;
  • Scraping X, Telegram and Farcaster accounts that publicly post portfolio screenshots;
  • Reverse-resolving ENS / SNS to social handles, then OSINT-linking emails and Discord IDs;
  • Feeding the profile to a targeted phishing factory that auto-generates a permit page sized to the holdings.

This is why public bragging about gains in 2026 is more than bad social etiquette. It is a free admission ticket you are handing the attacker. See also why you should not flex PnL in Telegram.

The five-stage whale hunt

Almost every public case I tracked follows this shape.

  • Stage 1 — initial contact through X DMs or LinkedIn from a fake project BD or VC partner.
  • Stage 2 — two to three weeks of trust building, real research notes, paid alpha reports, sometimes a small “investment” sent your way.
  • Stage 3 — a “partnership agreement signature link” or “allocation claim page” arrives when the deal feels imminent.
  • Stage 4 — wallet connects, a tailored permit2 request appears with a very high allowance.
  • Stage 5 — at the instant of signature, the attacker contract sweeps every stable, LRT, and high-liquidity asset.

The whole flow feels like normal business to the victim. The lethal part is the patient trust building, not the signature itself.

Five-stage whale hunting storyboard

Defense checklist by user tier

Casual users (under 10,000 USD on chain)

Active DeFi users (10,000 to 100,000 USD)

  • Operate at least two independent wallets: one interactive, one custodial. The interactive wallet only holds what you will spend in a week.
  • Park large stablecoin balances in versions or strategies without permit2 exposure (e.g., sDAI, blue-chip Morpho markets).
  • Decouple your main email from your public ENS profile.
  • Before any large signature, verify the contract on a separate device against the project’s published address.

Institutional or whale holders (over 100,000 USD)

  • Main assets must live in a multisig Safe, at least 2-of-3, signers physically separated.
  • Every signature flows through a dedicated, offline, isolated hardware wallet. The daily browser wallet never signs large value.
  • Maintain a strict split between business comms and signing devices. BD emails, LinkedIn DMs, and X messages never open on the signing device.
  • Install on-chain risk rules (Defender, Forta wallet alerts) so any signature above threshold requires team approval.

Reading a “custom permit2” signature

When the prompt appears, look at these fields:

  • spender — does it match the contract address published in the project’s official channel?
  • value — is it 2^256-1, i.e., unlimited?
  • deadline — is it years out or effectively infinite?
  • Plain-language preview — does Rabby or Pocket Universe display “you are giving permission to spend up to …” in red?

Any single red flag means leave the page, do not sign. This is a non-negotiable rule.

Treat whale hunting as a job, not an incident

After a decade in this space the clearest pattern is this: every attack targeting large balances increases the time invested in trust building. Attackers will spend two weeks chatting, writing reports, and shipping demos, because one success pays for thirty failures. You will never win a focus contest against an attacker who has prepared for fourteen days. Your only durable defense is physically isolating signing devices, signing authority, and business communications.

Treat whale hunting as a job role inside your security model. Give it permanent space alongside cold storage and seed backups. The next time a “partnership agreement” lands in your DMs, you will drop it into a process that handles it correctly without depending on you happening to be alert that minute.

This article is for education only and is not financial advice. Crypto is volatile and risky — only ever risk what you can afford to lose.

Latest

Industry Events

BTC ETFs Bled for 10 Straight Days, $2.97B Out — What It Means for Ordinary Users

Through June 4, US spot Bitcoin ETFs posted ten consecutive sessions of net outflows totaling about $2.97B — one of the longest negative streaks since launch. This piece breaks down what the number says and, just as important, what it does not.

Mindset & FOMO

AI Is Siphoning Crypto Money — Should You Chase the Rotation?

Early June showed a clear flow: money rotating from crypto into AI. Nvidia at a new high, BTC and ETH softer. "Is crypto past its prime" surfaced again. This piece does not pick a winner. It answers how mindset should behave during sector siphon.

Mindset & FOMO

ETH Slipped Below 2,000 — How Should the Believers Recalibrate?

ETH crossed below the 2,000 psychological line in early June while on-chain activity softened. For self-described "ETH believers," this is a subtler mindset test than the 2022 bear: not one obvious red candle but a slow grind lower.

Mindset & FOMO

BTC Broke Below 67k — Should You Buy the Dip? A June Mindset Check

BTC sliced through 67k in early June and briefly tested 61k intraday. The dip-buying itch is back. This piece does not call the next candle. It asks one question: at this level, what rules should your mindset follow before you click buy.

Mindset & FOMO

US–Iran Tension Escalating — How Should a Crypto Portfolio React?

Early June saw a fresh US–Iran flare-up — oil spiked, risk assets weakened, BTC and ETH dropped together. Headlines change every half day; positions cannot. Here is how a crypto portfolio should behave under geopolitical shocks.

Asset Security

After a Drainer Empties Your Wallet, Is There Any Path to Recovery?

Once you discover a drainer has emptied your wallet, what you can do in the next hour is limited, but the order matters. This post lays out the recovery paths along a timeline: on-chain tracing, platform freeze requests, formal reporting, mixer realities, and longer-term recovery.