Fake identity, email link, website form. While this scam still catches some people off guard, most of the crypto community is all too familiar with it. You know you’re safe as long as you don’t share your private keys. Or are you?
Microsoft has discovered a “one-click” phishing variant, described in this Web3 security article. It seems scammers don’t need your keys anymore to steal your coins. They only need you to click the “Approve” button.
Here’s how it’s possible and how to protect your crypto from ice phishing.
Simply put, ice phishing allows someone to spend your coins without access to your wallet. It’s a deceptive smart contract that, once you sign its approval, authorizes an attacker-controlled address to spend an unlimited amount of one token.
Note that spending without private keys isn’t always bad. Decentralized applications (dApps) do this all the time to exchange your tokens. The difference is that those approvals have a short expiration time and rarely request more than the amount you set.
Suppose you own 10,000 USDC and want to convert only 1,000 USDC to ETH. When the wallet signature window pops up, the permission requested should be for no more than the 1,000 USDC you specified on the previous window (or exchange). If the transaction needs more, it may not go through.
If instead the contract asks for all your 10,000 USDC (or a limit of, say, 986732948), it’s either a scam or a misdesigned contract that can spend more than you intended.
Regardless of how you found that contract, you can recognize ice phishing by three signs:
This is why it’s called ice phishing: the trap stays frozen in place, and months might pass before you add more funds. But there’s an attacker ready to steal them, or maybe the contract transfers coins the instant you deposit. The name also refers to the fact that no keys are needed to spend.
The biggest difference between traditional and ice phishing is that you don’t have to enter your keys/password/username. You just click the Approve button. And reading smart contracts isn’t as easy as detecting fake emails or domain typos.
Before getting into how ice phishing is possible, here’s what it looks like from the user’s perspective:
You might worry that someone stole your private keys, so you create a new wallet and move all your other coins there as soon as possible. This works until you interact again with the same contract that compromised the first wallet. To clarify, opening fraudulent contracts is safe as long as you don’t sign them.
Luckily, an approval typically authorizes only one token. That’s the only one they can steal, and everything else is safe (hypothetically, however, multi-token approvals should eventually be possible and common). Also, hackers can keep stealing the same token for years after the attack, unless you revoke the approval.
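To make the mechanism above concrete, here is an added example (not code from the article or from Microsoft’s write-up): a tiny in-memory model of ERC-20 allowance semantics, `approve` and `transferFrom`, showing that one signed “unlimited” approval lets the spender move that one token again and again, including funds deposited months later, until the allowance is set back to zero. The addresses, balances and the `Token` class are constructed for illustration.

```python
# Added example, not code from the article or from Microsoft's write-up: a tiny
# in-memory model of ERC-20 allowance semantics (approve / transferFrom), used
# to show why one signed "unlimited" approval exposes a token until it is revoked.
# Addresses and balances below are constructed placeholders.

MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance value a malicious contract requests


class Token:
    """Minimal ERC-20 state: balances and owner -> spender -> allowance."""

    def __init__(self, symbol):
        self.symbol = symbol
        self.balances = {}
        self.allowances = {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def approve(self, owner, spender, amount):
        # This is what the wallet's "Approve" button signs: no private key is
        # handed over, only the right for `spender` to move up to `amount`.
        self.allowances.setdefault(owner, {})[spender] = amount

    def allowance(self, owner, spender):
        return self.allowances.get(owner, {}).get(spender, 0)

    def transfer_from(self, spender, owner, to, amount):
        # The spender moves the owner's funds, bounded only by the allowance.
        allowed = self.allowance(owner, spender)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            return False
        if allowed != MAX_UINT256:
            # Most ERC-20 implementations leave an "infinite" allowance untouched,
            # so it never runs down; a finite one is decremented as usual.
            self.allowances[owner][spender] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


def ice_phishing_timeline():
    """Walk through the scenario the article describes and return the observable state."""
    victim, attacker = "0xVICTIM", "0xATTACKER"  # constructed placeholder addresses
    usdc, other = Token("USDC"), Token("OTHER")
    usdc.mint(victim, 10_000)
    other.mint(victim, 5_000)

    # 1. The victim clicks "Approve" on the deceptive contract: unlimited USDC.
    usdc.approve(victim, attacker, MAX_UINT256)

    # 2. The attacker empties the balance; the victim's key was never needed.
    usdc.transfer_from(attacker, victim, attacker, 10_000)
    after_first_drain = usdc.balances[victim]

    # 3. Months later the victim tops up. The allowance is still there.
    usdc.mint(victim, 2_000)
    usdc.transfer_from(attacker, victim, attacker, 2_000)
    after_second_drain = usdc.balances[victim]

    # 4. Only the approved token is exposed: OTHER was never approved.
    other_drained = other.transfer_from(attacker, victim, attacker, 1)

    # 5. Revoking means approve(spender, 0); afterwards transferFrom fails.
    usdc.approve(victim, attacker, 0)
    usdc.mint(victim, 500)
    drained_after_revoke = usdc.transfer_from(attacker, victim, attacker, 500)

    return {
        "after_first_drain": after_first_drain,
        "after_second_drain": after_second_drain,
        "other_token_drained": other_drained,
        "drained_after_revoke": drained_after_revoke,
        "attacker_balance": usdc.balances[attacker],
        "victim_balance": usdc.balances[victim],
    }


if __name__ == "__main__":
    for key, value in ice_phishing_timeline().items():
        print(f"{key}: {value}")
```

The detail worth noticing is step 3: the allowance is a standing permission stored in the token contract, not a one-off, so moving to a new wallet does nothing for the old one and only the zero-value `approve` in step 5 closes the hole.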
So how is ice phishing even possible?
The first and simplest method is a phishing website. The attacker creates a convincing copy of another website, sends users there, and hopes they don’t notice the domain misspelling. Then the attacker deploys their own smart contract for this website, so the official one never has to be hacked.
A more advanced variant is DNS poisoning. The attacker employs tactics like DDoS (Distributed Denial-of-Service) to overwhelm the platform’s servers and redirects users to another website with the exact same domain. This means that a fake Uniswap website could actually sit on the “app.uniswap.org” domain while the real Uniswap is under attack, temporarily.
Of course, within the fake website, attackers can create malicious contracts without hacking real ones.
Some attackers might try spear-phishing to gain admin rights over the website or smart contracts, manipulate them, and profit until someone notices and undoes the changes. But that’s unlikely.
More realistic is that developers plant those traps themselves as a rug pull opportunity. For context, a rug pull is when founders abandon their new dApp without warning users, taking all the funds with them, usually via admin keys to a protocol wallet that was supposedly inaccessible.
Ice phishing is unlikely to affect you if you already know the usual phishing traps. One obvious solution is to choose reputable dApps and stay away from little-known ones. Another is to search for those platforms directly rather than clicking links.
But assuming you didn’t see it coming, what else?
There are two common ways scammers accidentally reveal themselves. Either they promise something valuable for free (airdrop websites) or they pose as companies warning you about security issues. Both create a sense of urgency: sign the contract and everything resolves instantly.
If you still decide to use new dApps, check the expiration, amount, and address. Some scammers use tools to generate wallets whose first and last characters match yours (known as address poisoning; similarly, you might confuse a contact’s phone number if someone else calls you from a number that differs by a single digit in the middle).
Review the full address.
If worst comes to worst, you can limit your losses by keeping most coins in another cryptocurrency or on another network. It’s good practice to review your permissions before you add more funds to your non-custodial wallet. To revoke MetaMask permissions, you will need an approval checker (e.g. Etherscan) and a revoking dApp (RevokeCash, Unrekt, approved.zone…). It costs gas, but not as much as losing your tokens.
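The checks above (expiration, amount, full address, and a periodic allowance review) can be turned into a small pre-signing checklist. The following is an added example, not code from the article or from any wallet or revoke tool: it compares an approval request with what the user chose on the dApp’s previous screen and filters an allowance table down to the entries worth revoking. The request fields, the constructed addresses (the fake spender shares its first and last four hex characters with the genuine contract, as address poisoning relies on), the optional permit-style `deadline` field, and the 30-day threshold are all assumptions of this example.

```python
# Added example, not code from the article or from any wallet or revoke tool:
# a pre-signing review of an approval request against what the user intended
# on the dApp's previous screen, plus a filter for which existing allowances
# to revoke. Request fields, addresses and the 30-day threshold are assumptions.
import time

MAX_UINT256 = 2**256 - 1
SECONDS_PER_DAY = 86_400

# Constructed addresses: the fake spender shares the first four and last four
# hex characters with the genuine contract, exactly what a shortened
# "0x1234...abcd" wallet display would show for both.
GENUINE_CONTRACT = "0x1234" + "a" * 32 + "abcd"
FAKE_SPENDER = "0x1234" + "b" * 32 + "abcd"


def same_address(a, b):
    # Hex addresses are case-insensitive; compare the whole string, never a prefix.
    return a.lower() == b.lower()


def looks_alike(a, b, edge=4):
    # Matching prefix and suffix only: the pattern address poisoning relies on.
    a, b = a.lower(), b.lower()
    return a != b and a[: 2 + edge] == b[: 2 + edge] and a[-edge:] == b[-edge:]


def review_approval(request, expected, now=None):
    """Return warnings for an approval request; an empty list means it matches intent.

    request:  {"spender", "amount", optional "deadline"} as shown in the wallet prompt.
    expected: {"spender", "amount"} the user chose on the previous screen.
    """
    now = time.time() if now is None else now
    warnings = []

    amount = request["amount"]
    if amount == MAX_UINT256:
        warnings.append("unlimited allowance requested")
    elif amount > expected["amount"]:
        warnings.append(f"allowance {amount} exceeds intended {expected['amount']}")

    if not same_address(request["spender"], expected["spender"]):
        note = "spender is not the contract you meant to use"
        if looks_alike(request["spender"], expected["spender"]):
            note += " (same first/last characters: possible address poisoning)"
        warnings.append(note)

    # A plain ERC-20 approve() never expires; permit-style approvals carry a
    # deadline (modelled here as an optional field, an assumption of this example).
    deadline = request.get("deadline")
    if deadline is None:
        warnings.append("no expiration: allowance persists until revoked")
    elif deadline - now > 30 * SECONDS_PER_DAY:
        warnings.append("expiration is more than 30 days away")
    return warnings


def allowances_to_revoke(allowances, trusted_spenders):
    """allowances: (token, spender, amount) rows as an approval checker lists them.

    Flags every unlimited allowance and every non-zero allowance to an unknown spender.
    """
    trusted = {s.lower() for s in trusted_spenders}
    return [
        (token, spender, amount)
        for token, spender, amount in allowances
        if amount > 0 and (amount == MAX_UINT256 or spender.lower() not in trusted)
    ]


def demo(now=1_700_000_000):
    expected = {"spender": GENUINE_CONTRACT, "amount": 1_000}
    honest = {"spender": GENUINE_CONTRACT, "amount": 1_000, "deadline": now + 1_800}
    phish = {"spender": FAKE_SPENDER, "amount": MAX_UINT256}
    # Constructed allowance table, in the shape an approval checker would list it.
    table = [
        ("USDC", GENUINE_CONTRACT, 1_000),
        ("USDC", FAKE_SPENDER, MAX_UINT256),
        ("DAI", GENUINE_CONTRACT, MAX_UINT256),
        ("WETH", FAKE_SPENDER, 0),
    ]
    return {
        "honest": review_approval(honest, expected, now),
        "phish": review_approval(phish, expected, now),
        "revoke": allowances_to_revoke(table, [GENUINE_CONTRACT]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

`same_address` deliberately compares the entire string: a shortened wallet display would render `GENUINE_CONTRACT` and `FAKE_SPENDER` identically, which is the whole point of address poisoning. The revoke filter errs on the side of caution by flagging unlimited allowances even to trusted contracts, since those are the ones that keep working years later.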
Max is a European based crypto specialist, marketer, and all-around writer. He brings an original and practical approach for timeless blockchain knowledge such as: in-depth guides on crypto 101, blockchain analysis, dApp reviews, and DeFi risk management. Max also wrote for news outlets, saas entrepreneurs, crypto exchanges, fintech B2B agencies, Metaverse game studios, trading coaches, and Web3 leaders like Enjin.
Copyright © 2024 Crave Management.
All Rights Reserved.