Phishing in the crypto context is the practice of impersonating a trusted party — an exchange's support team, a wallet vendor, a familiar KOL, even a friend — to trick the target into an action they would not otherwise take. Pre-2017, phishing meant "steal your password." Post-2020, phishing means "get you to sign one bad transaction" — and signed transactions, unlike passwords, cannot be reset.

The major categories in 2026

Approval phishing. A fake "claim airdrop" or "verify wallet" page prompts a setApprovalForAll signature, granting the attacker operator rights over every NFT or token at that address. The attacker drains assets at their leisure, sometimes weeks later when they think the user has forgotten. Inferno Drainer and Pink Drainer turned this into commercial drainer-as-a-service kits, available on dark forums for $50/month plus a percentage of stolen funds.

Permit / Permit2 phishing. EIP-2612 and Uniswap's Permit2 allow off-chain signature-based approvals. The user signs a typed message; the attacker uses the signature to drain the wallet. The signature looks like a meaningless string in the wallet UI; the consequences are equivalent to handing over the private key for that token.

Support-impersonation phishing. Telegram or Discord DMs from "Coinbase Support," "Kraken Security," "Trust Wallet team." The pitch is plausible: there's an issue with your account, click here to verify. The link leads to a clone of the real exchange that captures credentials and 2FA codes simultaneously.

SIM-swap-enabled account takeover. Included in the phishing taxonomy because the post-takeover step always involves social engineering: once the attacker controls the phone number, they reset exchange passwords and bypass SMS-based 2FA.

What's actually catching people in 2026

The single most common attack vector by dollar volume is permit-style signature phishing. The user doesn't see a malicious-looking transaction; they see a structured signature request that, if accepted, gives an attacker permanent transfer rights over USDC, USDT, WETH, or stETH at that address. The drainer typically waits 24-72 hours before pulling the trigger, so the user doesn't connect the signature to the loss.

Defense: read every off-chain signature with the same rigor you would read an on-chain transaction. The EIP-712 typed-data display in Rabby and in modern hardware-wallet firmware makes the fields (spender, amount, deadline) readable; the older "raw hash" display does not.
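The following is an added example, not code from the original page or from any wallet vendor: a pre-signing check that reads the EIP-712 typed data a dApp hands to eth_signTypedData_v4, recognises an EIP-2612 Permit and a Permit2 PermitSingle, and returns the risk flags a wallet UI could show before the user signs. The KNOWN_SPENDERS allow-list, the 30-day window and every address and value in the sample are constructed placeholders.

```javascript
// Added example (not from the original page): a pre-signing review of an
// EIP-712 typed-data request of the kind a dApp sends via eth_signTypedData_v4.
// It recognises an EIP-2612 "Permit" and a Uniswap Permit2 "PermitSingle" and
// returns risk flags a wallet UI could surface before the user signs.
// KNOWN_SPENDERS and every sample value below are constructed placeholders.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 amounts are uint160
const MAX_ALLOWANCE_WINDOW = 30 * 24 * 3600; // seconds; longer than this is suspicious

// Spender contracts the user has vetted (constructed placeholder address).
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

function reviewSignatureRequest(typedData, nowSeconds, knownSpenders = KNOWN_SPENDERS) {
  const { primaryType, domain = {}, message = {} } = typedData;
  let spender, amount, expiry, unlimited;

  if (primaryType === "Permit") {              // EIP-2612: value + deadline
    spender = message.spender;
    amount = BigInt(message.value ?? 0);
    expiry = Number(message.deadline ?? 0);
    unlimited = amount === MAX_UINT256;
  } else if (primaryType === "PermitSingle") { // Permit2: details.amount + details.expiration
    const details = message.details ?? {};
    spender = message.spender;
    amount = BigInt(details.amount ?? 0);
    expiry = Number(details.expiration ?? 0);
    unlimited = amount === MAX_UINT160;
  } else {
    return ["unrecognised-primary-type"];       // anything else gets manual review
  }

  const flags = [];
  if (unlimited) flags.push("unlimited-allowance");
  if (expiry > nowSeconds + MAX_ALLOWANCE_WINDOW) flags.push("long-lived-allowance");
  if (!knownSpenders.has(String(spender ?? "").toLowerCase())) flags.push("unknown-spender");
  if (domain.chainId === undefined || !domain.verifyingContract) flags.push("incomplete-domain");
  return flags;
}

// Constructed sample: the shape of a drainer-style EIP-2612 request
// (unlimited value, effectively infinite deadline, unvetted spender).
const SAMPLE_DRAINER_PERMIT = {
  primaryType: "Permit",
  domain: { name: "USD Coin", version: "2", chainId: 1,
            verifyingContract: "0x2222222222222222222222222222222222222222" },
  message: { owner: "0x3333333333333333333333333333333333333333",
             spender: "0x4444444444444444444444444444444444444444",
             value: MAX_UINT256.toString(), nonce: 0, deadline: MAX_UINT256.toString() },
};
```

Running reviewSignatureRequest(SAMPLE_DRAINER_PERMIT, now) yields the three flags "unlimited-allowance", "long-lived-allowance" and "unknown-spender"; a permit for a vetted spender with a small value and a deadline a few minutes out yields none.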

The hardware-wallet difference

Hardware wallets do not prevent phishing — they sign whatever you tell them to sign — but they slow it down enough that attentive users catch it. The Ledger Stax or Trezor Safe 5 displays the destination address and amount on a screen the host computer cannot tamper with. If the displayed address doesn't match what the dApp claims, you cancel.

The discipline: never approve a transaction without reading the device screen. The transaction-confirmation step on a hardware wallet exists for exactly this purpose.

The 2026 ecosystem stats

Chainalysis estimated crypto phishing losses at $4.6 billion in 2024. Roughly 80% of that came from approval and permit-style attacks; the remainder from credential phishing and direct asset transfers. The number is rising annually, not falling — the attack surface scales with the asset class.

Further reading: Phishing scam atlas 2026, setApprovalForAll, EIP-2612 Permit, revoke.cash.