February 5, 2024
Derek Rein
WalletConnect and Blowfish lift the lid on user security in web3

There’s no sugarcoating this – web3 has a big user security challenge on its hands. With new scams and copycat domains popping up overnight, it’s an issue that many of us have likely experienced or, at the very least, come across.

Anecdotally, phishing seems to be widespread. But what does the data say? We teamed up with Blowfish, a leader in web3 security, on The State of Web3 User Security study to better understand the scale of this issue and provide a path forward for wallets and apps to improve security for their end users.

Copycats and clicks: Diving into the data 

Our findings back up what our gut has been telling us: scammers act fast, and their methods are increasingly sophisticated. 

Research from Blowfish shows that large web3 projects can experience upwards of 100 new copycat websites launched every month. If they happen to have an event or a campaign taking place (say, an airdrop), then that number can spike to as much as 500 in just one month. These aren’t low-production scams, either; as the Optimism example below illustrates, these are polished copycats that can easily snag newcomers and even fairly seasoned crypto users.

The actual Optimism website (left) vs. a fraudulent Optimism website (right)

According to proprietary Blowfish data, 45% of all web3 project domains created in 2023 were malicious – a startling statistic. Although analysis by Blowfish and WalletConnect found that less than 5% of web3 users actually engaged in an action on these malicious sites, that number is still far too high. It’s a situation that’s akin to playing a metaversal version of Minesweeper, and the consequences are far-reaching.

How wallets and dapps can improve user security

While we may never be able to prevent bad actors from spinning up a phishing website, what we can do is detect fraud and alert users before they engage in an action. 

In the last year, significant progress has been made in fraud detection and transaction simulation. These security solutions leverage transaction analysis and machine learning to identify fraud and provide automated warnings if any danger is detected. For example, a user attempting to connect their wallet on would receive a pop-up notifying them of potential risk. 

With fraud detection tools, wallets can warn users of potential risk

This approach was put into action during the Ledger Connect Kit attack in mid-December, where Blowfish alerts helped one user save over $70,000. In December 2023 alone, Blowfish blocked over 80,000 scam transactions. 

As a developer tooling provider, the topic of user security is extremely important to us. That’s why we’ve been working closely with partners like Blowfish to integrate more security capabilities into our SDKs. Today, over 10 wallets offer scam protection features, including Bitget Wallet and Loopring. And that number is only growing – a very welcome trend.  

For more on our research and findings, check out The State of Web3 User Security study.

For more on how you can protect end users, explore our Verify API feature for wallets and apps and get in touch with the WalletConnect team today. 

© 2024 WalletConnect, Inc.