User Loses $20K in a Web3 Scam: Chain Retrieval Warns of Punycode Phishing Threat

By Chain Retrieval | Crypto Recovery & Education

In a disturbing new case that highlights the increasing danger of phishing in the Web3 space, a crypto user has lost $20,000 to a scam involving Punycode URLs — domain names that look legitimate but are designed to deceive.

Chain Retrieval, a crypto-focused cybersecurity firm, shared the warning after investigating the incident. The scam cleverly impersonated a trusted DeFi platform using a slightly altered web address, tricking the victim into connecting their wallet and approving a transaction that drained their funds in seconds.

This latest attack reflects a growing trend in which scammers abuse Punycode, the ASCII encoding (recognizable by its xn-- prefix) that lets domain names contain non-Latin characters. By replacing familiar letters with similar-looking characters from other languages, attackers can create links that appear genuine at first glance.

For example, replacing the English letter “a” with the Cyrillic “а” is visually undetectable to most users — yet it redirects to a malicious clone site.

Chain Retrieval Sounds Alarm on Increasing Web3 Phishing

The case emerged after a user reached out to Chain Retrieval, reporting a loss of $20,000 after interacting with what they believed to be the interface of a well-known DeFi protocol. Upon close inspection, the domain used by the scammer was nearly identical to the original — the only difference being the use of Punycode characters in the web address.

“These Punycode attacks are extremely dangerous because they bypass the average user’s eye,” said a Chain Retrieval analyst. “They don’t require advanced hacking — just clever deception.”

The victim, in this case, was lured through a sponsored link that appeared in a search engine result. The malicious site prompted them to connect their wallet, and once permissions were granted, their funds were quickly stolen.

Chain Retrieval noted that while phishing has always been a risk in crypto, the use of visually deceptive URLs marks a new level of sophistication. The security firm also shared examples of domains that had been weaponized recently using Punycode tricks, such as:

  • xn--uniswap-vgb.com instead of uniswap.org

  • xn--aave-5rb.com instead of aave.com

These links, when displayed in a browser, often appear indistinguishable from the real ones, unless users inspect the underlying xn-- form of the domain or check for SSL certificate mismatches.

Web3 Community Urged to Boost Awareness and Security

This incident is a wake-up call for the broader Web3 community. With billions of dollars locked in decentralized applications, scammers are constantly evolving their tactics to exploit unsuspecting users.

Chain Retrieval recommends users take the following precautions:

  • Always type URLs manually or bookmark official sites

  • Inspect domains carefully, especially for unusual characters

  • Use browser extensions that highlight Punycode domains

  • Enable wallet transaction previews to detect malicious prompts

  • Verify links from trusted sources only, especially in ads and search results
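The "inspect domains" and "highlight Punycode" precautions can be automated. The following Python sketch is an added example, not code from Chain Retrieval: it decodes xn-- labels, reports the scripts in the displayed name, and flags hosts that fold to a trusted name. The allowlist, the small lookalike map, and the sample URL are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: the sites the user really means to visit (names from the article).
TRUSTED = {"uniswap.org", "aave.com"}
# Constructed, minimal Cyrillic-to-Latin lookalike map; a real tool would use
# the full Unicode confusables data.
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}
# Constructed sample: "aave.com" with a Cyrillic first letter, in xn-- form.
SAMPLE_URL = ("https://xn--" + "\u0430ave".encode("punycode").decode("ascii")
              + ".com/app")


def decode_label(label):
    """Unicode form of one DNS label; None if the xn-- payload is malformed."""
    if not label.startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return None


def inspect_url(url):
    """Classify a URL's host as ok / warn / block / invalid-punycode."""
    host = (urlsplit(url).hostname or "").lower()
    decoded = [decode_label(label) for label in host.split(".")]
    if None in decoded:
        return {"host": host, "verdict": "invalid-punycode"}
    display = ".".join(decoded)  # what an IDN-rendering address bar may show
    # First word of the Unicode character name is the script (LATIN, CYRILLIC, ...).
    scripts = sorted({unicodedata.name(c, "UNKNOWN").split()[0]
                      for c in display if c.isalpha()})
    # Fold lookalikes to Latin, then compare against the trusted names.
    skeleton = "".join(LOOKALIKES.get(c, c) for c in display)
    spoofed = skeleton if skeleton in TRUSTED and display not in TRUSTED else None
    if spoofed:
        verdict = "block"
    elif display != host or scripts not in ([], ["LATIN"]):
        verdict = "warn"
    else:
        verdict = "ok"
    return {"host": host, "display": display, "scripts": scripts,
            "impersonates": spoofed, "verdict": verdict}


if __name__ == "__main__":
    print(inspect_url(SAMPLE_URL))
```

A "warn" verdict covers legitimate internationalized names as well, so it calls for a closer look rather than an automatic block.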

In addition, Web3 platforms are being encouraged to take stronger action against domain impersonation. Some suggestions include:

  • Applying for verified domain badges

  • Warning users of copycat domains via in-app alerts

  • Collaborating with browsers and security providers to flag phishing URLs

The Web3 world has opened up new frontiers of ownership and innovation — but it has also created new risks. As scams grow more advanced, user education and smart security tools are essential in staying protected.

While this particular user’s $20,000 loss cannot be reversed, it offers a powerful reminder: in Web3, vigilance isn’t optional — it’s survival.
