Logo Phantom
Logo PhantomLogo Phantom

Security at Phantom

Learn about how Phantom keeps you safe

Will Thompson
security at Phantom

    Key Takeaways

    • Web3 empowers users to take back control and fully own their digital assets and identity.
    • The increase in users that self-custody has also brought an increasing number of bad actors attempting to steal users funds in the form of phishing.
    • Phantom offers a suite of industry-leading security features and dedicated support team to help keep users safe.

    The security risks facing crypto users today

    Security has never been more important in crypto. The recent failures of centralized exchanges have brought to light the risks of putting your crypto in the hands of others and the importance of self-custody.

    The true power of web3 is in its ability to empower users to take back control and fully own their digital assets and identity. When you control your private keys, you control your crypto, and you are unsusceptible to the decisions of others. But while self-custody gives direct access to the entire decentralized web3 ecosystem (without having to trust middlemen), it also means that users are in full control of their funds, transactions, and security.

    Thankfully, many have started to see that self-custody is the way forward, and have started to adopt self-custodial wallets such as Phantom. But the increase in self-custody has also brought an increase in bad actors attempting to steal users funds in the form of phishing. The number of phishing attempts only continues to grow year over year.

    This is why we have made security a top priority. At Phantom, we’ve had the ability to see what adoption and interaction with the crypto ecosystem looks like at scale. And in order for the entire ecosystem (NFT projects, dapps, and tokens) to flourish, protecting users from scams is a problem we all have to solve.

    Today we’re proud to share some of the ways we’re protecting our users with industry-leading technology and organizational security practices. But before we talk about the methods we use to our users, let’s first take a step back and talk about the main risks facing crypto users today.

    Phishing & Malicious Transactions

    Phishing is a popular method of social engineering used to trick people into giving up sensitive information which can then be used in a malicious way – like stealing one’s money or identity. It’s been around since the dawn of the internet and has become increasingly popular in the crypto space.

    In web3 specifically, Phishing is the practice of tricking crypto users (through the use of airdropped tokens and NFTs, deceptive Discord/Telegram messages, or websites) into revealing their private key phrase or approving malicious transactions.

    For those familiar with the space, stories of crypto users (even experienced ones) losing all of their NFTs and tokens is an all too familiar occurrence. Let’s take a closer look at some examples of the popular phishing methods that are the cause of many of the stories we read about today.

    Deceptive Messages

    Deceptive Messages on Discord, Telegram, and Twitter

    Scammers will often disguise themselves as members of an NFT community or crypto company and direct message users saying that they can offer help, guidance, or opportunities in exchange for the user’s seed phrase. Users then divulge their seed phrase directly via a message, or visit a fake site where they sign a malicious transaction that drains the wallet of their funds.

    Remember: Phantom will never ask you for your seed phrase or to sign any transaction. If you are ever asked to do this, it is a scam!

    airdropped spam tokens and nfts

    Airdropped Spam Tokens and NFTs

    Sometimes after interacting with a marketplace like Magic Eden or other legitimate dapps, users are airdropped scam NFTs. Bad actors will monitor blockchain activity and send spam NFTs to wallets that have purchased an NFT project or interacted with a popular dapp.

    Often these NFTs have instructions on how to win a prize or claim a free airdrop either in the image or the metadata itself. The instructions usually include a link to a malicious website that attempts to get users to give up their seed phrase or approve a transaction the drains the wallet of all of their funds.

    Remember: Phantom will never ask you for your seed phrase or to sign any transaction. If you are ever asked to do this, it is a scam!

    Additional Attack Methods for scammers include:

    • Rotten (compromised) seed phrases
    • Copy & paste malware
    • Devnet SOL Scams

    As you can see, outside of having your private keys compromised, transactions are where users are the most vulnerable to attacks. Scammers are using more and more sophisticated methods to get users to approve a transaction that might appear legitimate on the surface, but ends up draining the wallet of all its assets.

    This point is worth repeating. When you self-custody your assets, you are in full-control of the transactions you approve. That means your security hinges on knowing exactly what transactions you are signing, who you are signing them with, and what those transactions will do.

    We know this can sound intimidating at first, but we always have your back. Our mission is to make accessing the digital economy safe and easy for everyone, which is why our team at Phantom has invested heavily in both technical and operational solutions to protect users at the point of transaction, so that you can understand what you are signing and explore web3 with confidence. Let’s dive in!

    How Phantom protects users

    Transaction Previews

    You can think of Transaction Previews as a firewall that identifies malicious transactions and warns you before you approve them. All Phantom wallets utilize transaction previews, which are powered by Blowfish, a company we incubated right here at Phantom.

    Transaction Previews protects users against all kinds of attacks (phishing, dApp-level DNS hijacking, software supply chain attacks, and more) and empowers users with real-time warnings and human-readable transaction context.

    How it works:

    • When you take an action in your Phantom wallet, like minting an NFT, we scan your transaction and pro-actively find anything that looks fishy.
    • If the transaction is interacting with a blacklisted program, or calling setAuthority when it shouldn't, or trying to detect (and evade) our simulation, or results in a dangling approval, or is just trying to simply drain your wallet, you get a big warning.
    • If something looks fishy with the domain or website you're visiting, such as looking similar to a popular NFT project, or trying to obfuscate code, you get a big warning. Interacting with suspicious tokens? You get a warning.
    • Instead of using a hard-coded list of blocked domains, we conduct rule-based checks on the domain, website, transaction, and tokens being interacted with – proactively, without anyone having to report anything.
    Transaction Previews

    Any warning is always delivered in simple and easy to understand language to take the guess work out of whats going on. We do the heavy lifting so you don’t have to and you stay protected.

    Phantom’s Transaction Previews work across Ethereum, Solana, and Polygon. And thanks to machine learning technology built into the product, it's constantly improving by learning new ways scammers are attempting to steal user’s funds.

    Transactions scanned

    Our Transaction Preview feature has been hard at work actively protecting our users with each and every transaction. We’re proud to say that to date Phantom’s Transaction Preview has:

    • Scanned over 85 million transactions
    • Prevented over 18 thousand wallet draining transactions
    • Protected over 3 thousand users in the last month alone

    We’ve couldn’t be more excited about a feature we hope you never need to use.

    Phantom’s Open Source Blocklist

    Phantom open source blocklist

    In addition to transaction previews, we’ve created an open source and community-maintained block list of malicious domains that we block Phantom users from mistakenly connecting to.

    If we find out about a malicious token or NFT, we add the contract address and domain to the block list, which hides the NFT from the wallet and creates a warning if the user tries to connect to the malicious site.

    Phantom blocklist stats

    The block list is updated daily and currently stands at over 2,000 malicious domains that Phantom users are safe from. We also work closely with PhishFort to have phishing sites taken down completely, and have over 1,000 site takedowns to date.

    Report NFT as Spam and Hide

    Report NFT as spam and hide

    You can help us fight NFT spam and keep the community safe by reporting spam NFTs right inside of Phantom. Simply select the ellipsis icon on any unwanted NFT and click on “Report as Spam and Hide”.

    Just like email, any NFTs you mark as spam will automatically be moved to the Hidden folder. Our spam filters learn from the NFTs reported by you, our users, so we can get better at identifying and preventing unwanted NFTs from reaching wallets in the first place.

    It’s an effortless way to clean up your Collectibles tab while helping to protect the entire Phantom community.

    Burn NFT

    Burn NFT

    Sometimes you want that unwanted spam NFT gone for good – thats where our Burn NFT feature comes in. This feature, available across all devices, allows for the manual removal of any unwanted spam NFTs.

    To remove unwanted wallet spam, simply select the NFT you want to burn in the Collectibles Tab, and select the Burn Token function located in the top-right ellipsis menu. Once an NFT is burned, the token is permanently removed from the wallet and you receive a small deposit of SOL that served as the "rent" used to pay for storage. And while spam NFTs clutter wallets, they are never dangerous to burn.

    When you burn an NFT using Phantom:

    1. It results in the permanent removal of the NFT from the wallet
    2. You earn SOL in return for burning your NFT (This is because when you burn an NFT, you are reclaiming some of the SOL that a scammer spent on sending you an NFT in the first place.)
    3. You declutter your wallet

    Plus, it feels good to burn 🔥

    Not only does Burn NFT arm our users with another tool to protect themselves, it’s an awesome way to get back at scammers. We launched our Burn NFT feature on 8/17/2022 and over 600k NFTs have been burned to date.

    To learn more about the feature, read our Burn NFT announcement.

    Phantom 24/7 Support Team

    24/7 support team

    Phantom users can have peace of mind knowing that we have a full-time globally distributed support team that is dedicated to:

    1. Answering any product related questions
    2. Educating you to safely navigate web3
    3. Helping you get back on track if you get confused or lose your way
    4. Protecting you from known Phishing scams
    5. Identifying bugs, feedback, and opportunities to improve your experience

    We take support seriously. To date, our support team has:

    • 7 full-time support agents
    • Manage a support site with over 1 Million views to date
    • Resolved over 30,000 tickets
    • Resolve issues with a median response time of 14.8 hours

    If you have any questions, comments, concerns, or just want to say hello, please contact our Support Team. They’re awesome.💜

    Final Takeaways

    • Fighting phishing and scamming is a continuous cat and mouse game, and one that often occurs at the point of transaction.
    • Phishing and scams are not only a technical challenge, but an immense operational challenge as well
    • Phishing is one of the most important challenge to solve for the mainstream adoption of crypto, and one Phantom is committed to winning.

    We’re proud of the security features we have implemented, but this is only the beginning. We will continue to work tirelessly to protect our users with best-in-class security features, education, and support to make everyone’s journey through web3 safe, easy, and fun.

    Learn More

    To learn more about security at Phantom visit phantom.app/security

    Dive deeper into the current state of Phishing and what Phantom is doing to protect its users by watching CEO Brandon Millman’s talk at Solana Breakpoint 2022: