Phantom Wallet Users Beware: Fake Update Pop-Ups Are Stealing Crypto

These fraudulent messages look like official update requests, which trick users into handing over sensitive information.

In a February 6 post on X, Scam Sniffer, a Web3 scam detection platform, warned that attackers were connecting to real Phantom wallets and displaying fake “update extension” requests.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

What is AVAX? (Avalanche Network Explained With Animations)

SUBSCRIBE

ON YOUTUBE

If a user approved the request, another prompt appeared, asking for their recovery phrase. Entering this phrase would give scammers full control of the wallet, which allows them to drain its funds.

To help users spot scams, Scam Sniffer suggested right-clicking on links before clicking. Fraudulent websites often disable right-clicking, while real Phantom pop-ups do not. Another key tip is checking the URL—legitimate Phantom pop-ups include “chrome-extension” in the address.

There are also differences in how the pop-ups behave. “Phantom’s pop-ups act like system windows: you can minimize, maximize, and resize them,” Scam Sniffer explained. Fake ones, however, remain fixed inside the browser tab, which makes them easy to recognize.

This was not the first warning. On January 31, Scam Sniffer reported that some malicious websites had been displaying pop-ups designed to mimic Phantom’s interface. These fake prompts asked users to enter their seed phrase, pretending it was needed for a connection request.

Meanwhile, Kaspersky Labs recently discovered malware hidden inside app development kits, targeting both Android and iOS users. What is it? Read the full story.