Mar 24, 2026

From Blocking to Detecting: Securing the New Internet Frontier

What is Web3? A Quick Guide to the New Decentralized Internet

If Web1 was about reading, and Web2 was about reading and writing on centralized platforms, Web3 is the ultimate evolution: read, write, and own. Built on decentralization, Web3 uses blockchain, smart contracts, and cryptocurrencies to shift control from large tech companies directly to the users, fostering true digital ownership and transparency.

What is Web3 Used For?

Web3's "ownership" aspect unlocks innovative uses:

    • Decentralized Finance (DeFi): Financial services without traditional banks.
    • NFTs (Non-Fungible Tokens): Unique digital ownership for art, music, etc.
    • Decentralized Social Media: User-controlled content and data platforms.
    • Play-to-Earn (P2E) Gaming: Earn real-world value through game assets and crypto.
    • Decentralized Autonomous Organizations (DAOs): Member-controlled organizations based on smart contract rules.

Bridging the Gap: How Web2 Giants are Adopting Web3

Beyond startups, major companies integrate Web3 for innovation:

    • Meta invested billions in the metaverse, with NFTs as a core component.
    • Alphabet (Google) positions Google Cloud as a foundational pillar for Web3 developers.
    • J.P. Morgan developed Kinexys (blockchain network) and JPM Coin for institutional payments.
    • Spotify pilots NFT collections on artist profiles.
    • BBVA, American Express, and Starbucks are also exploring Web3 products.

This enthusiastic adoption by major brands shows the immense potential of Web3. However, the very features that enable this innovation—specifically decentralization and censorship resistance—also open the door for malicious actors, creating a darker side to this new frontier.

For attackers, Web3 isn’t just a novelty; it’s an infrastructure advantage. Decentralized storage, blockchain-based naming, and gateway-driven delivery fundamentally break the assumptions that traditional phishing defenses rely on: stable hosting, attributable ownership, and blockable domains. As a result, Web3 phishing is not just harder to take down — it is harder to define, attribute, and contain.

How Attackers Use Web3 to Create Indestructible Phishing Sites

Web3 promises a future with a more open, transparent, and censorship-resistant internet. Its technologies, like decentralized storage and blockchain domains, are designed to be resilient and independent of any single entity. But what happens when these same features are exploited for malicious purposes?

Cybercriminals are beginning to see the benefits of Web3 not for building, but for breaking things. Specifically, they are using it to host phishing pages that are extremely difficult, if not impossible, to take down, and then using them to attack everyday Web2 users.

Why Would an Attacker Use Web3 for Phishing?

In Web2, if an attacker creates a site to impersonate a bank on a traditional hosting service (like GoDaddy or AWS), the bank's security team can contact the provider, which will typically remove the site within hours. In Web3, it’s not that simple.

The advantages for an attacker are clear:

    • Censorship and Takedown Resistance: There is no central company to send a takedown notice to. The content doesn't reside on a single server but is distributed across a global network of nodes. If a malicious link is blocked, the attacker can simply re-upload the content to generate a new link, making censorship nearly impossible.
    • Opaque ownership and accountability: Web3 phishing infrastructure has no registrar records, no hosting provider, and no abuse contact. Ownership is reduced to wallet addresses that can be disposable, anonymized, and reused across campaigns, eliminating traditional investigative paths such as WHOIS lookups or hosting-provider enforcement.
    • Immutability of content with mutable access paths: While the underlying content is immutable and identified by a cryptographic hash, the ways in which that content is accessed are highly mutable. Attackers can continuously rotate gateways, domains, and URLs while serving the exact same phishing payload. This one-to-many distribution model fundamentally undermines URL-based detection and reputation systems.
    • Anonymized payments and infrastructure: Attackers can pay for domains, storage, and naming services using cryptocurrencies and anonymous wallets, further complicating attribution and financial tracing.

This combination breaks a core assumption of traditional phishing defense: that malicious content is tightly coupled to a specific domain or hosting provider. In Web3, that coupling no longer exists.

The "How": The Protocols and Techniques of the Attack

An attack of this nature doesn't rely on a single protocol but on the combination of several Web3 technologies to create a robust, malicious link.

Step 1: Storing the Site on a Decentralized Network

First, the attacker creates the phishing site (the clone of a bank, social media platform, etc.) using HTML/CSS, just like in a traditional attack. The key difference is where it's hosted. Instead of an AWS server, they use a decentralized storage protocol.

    • IPFS (InterPlanetary File System): This is like a global, distributed hard drive. When an attacker uploads their site to IPFS, the content is not identified by a server location (like Web2), but by its unique digital fingerprint—a cryptographic hash called a Content Identifier (CID). This CID acts as the unique "license plate" for the content, ensuring it can be found anywhere on the network.
    • Arweave: This network offers permanent storage for a one-time fee. Content stored here is identified by a unique Transaction ID (TxID), which serves as its permanent reference on the blockchain.
    • Ethereum Swarm: As a native part of the Ethereum vision, this storage network uses its own incentive system to ensure content remains available. Here, content is identified by a unique Swarm Hash.

Step 2: Creating a User-Friendly and Deceptive Link

An IPFS link (e.g., ipfs://bafybeig...) is suspicious and hard to remember. For the attack to be effective, the attacker needs a domain name that looks legitimate.

Key Protocol: ENS (Ethereum Name Service): ENS allows users to register domain names ending in .eth (like secure-bank.eth). An attacker can register a deceptive name and link it directly to the decentralized content they uploaded. While ENS domains can also be used to redirect to traditional Web2 websites, for the purposes of this analysis, we will focus exclusively on domains pointing to Web3 content to accurately measure the scope of decentralized phishing sites.

Step 3: The Bridge to Web2 to Attack Victims

Most users cannot access a .eth domain directly in their browser. This is the final and most crucial step for attacking Web2 users: the use of gateways.

A gateway is a server that acts as a bridge between the traditional internet (Web2) and a decentralized network (Web3). It allows a normal browser to access content hosted on these networks by taking the unique identifiers we saw in Step 1 and translating them into a functional, clickable URL.

The typical URL formats created by these gateways are:

    • IPFS: https://<gateway-domain>/ipfs/<CID>
    • Arweave: https://arweave.net/<TxID>
    • Ethereum Swarm: https://<gateway-domain>/bzz/<SwarmHash>/

The attack flow would then be as follows:

    1. The attacker uploads their phishing site to a network like IPFS.
    2. They register a deceptive domain like secure-bank.eth on ENS and point it to the IPFS content's CID.
    3. They send a phishing email to the victim with a link that uses a public gateway, such as: https://secure-bank.eth.link or a direct gateway link like https://ipfs.io/ipfs/<The_Site_CID>.
    4. The victim clicks the link. The .eth.link URL is a normal Web2 domain that translates the .eth address, finds the associated CID, and serves the user the malicious content from the IPFS network.
    5. The page looks identical to the real bank's site. The victim enters their credentials, which are then sent to the attacker.

Uncovering the Reality: A Data-Driven Look at Web3 Phishing

To begin our statistical analysis, Figure 1 illustrates the distribution of decentralized storage protocols leveraged by the phishing campaigns we've detected in 2025. It clearly shows IPFS as the overwhelmingly dominant protocol.

Figure 1: Protocol Distribution

Our domain analysis uncovers that a significant portion of phishing attacks are being routed through a few well-known, legitimate public gateways. As the accompanying graph (Figure 2) illustrates, ipfs.io stands out as the most utilized gateway, followed by other major providers. It is important to note that this is an official public gateway operated by the IPFS Foundation itself, not a rogue server.

Figure 2: Domain Distribution

This finding presents a unique dilemma for cybersecurity defenders. We cannot simply block ipfs.io without disrupting legitimate access to vast amounts of content on the decentralized web. Attackers deliberately exploit this asymmetry by distributing phishing sites through reputable gateways that defenders are unwilling or unable to block.

Furthermore, the decentralized nature of these attacks requires this content-based focus for a second, even more critical reason: the phenomenon of a single malicious site being distributed across multiple domains.

As we've highlighted, the URL in Web3 doesn't depend on the resource's physical location but on its content hash. This means an attacker can host their phishing payload once and then serve it through numerous different domain gateways simultaneously, making it incredibly resilient against traditional domain-based takedown efforts. By inspecting the content itself, our solution remains immune to this multi-domain distribution strategy. The following graphic (Figure 3) visually represents this intricate relationship between a malicious site's unique identifier (hash) and the various domains used to distribute it:

Figure 3: Hashes and their associated domains
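The one-to-many relationship shown in Figure 3 is something a defender can operationalize directly: rather than keying blocklists and telemetry on the gateway domain, key them on the content identifier that the URL formats from Steps 1 to 3 carry. The following Python is an added example written for this post, not Zimperium's code or any project's API. It normalizes IPFS path-gateway, IPFS subdomain-gateway (the `<cid>.ipfs.<gateway>` form, assumed here with dweb.link as the gateway), `ipfs://` links, Arweave, Swarm and `.eth.link` gateway URLs to a `(protocol, identifier)` pair, then counts how many distinct hosts served each identifier. The identifier regexes are the author's assumptions about the common encodings (46-character base58btc CIDv0, 59-character base32 CIDv1, 43-character base64url Arweave TxIDs, 32-byte hex Swarm hashes); the `.eth.limo` suffix is treated like `.eth.link` as an assumption; the two CIDs come from this post, while the Arweave and Swarm values and the `swarm.example` host are constructed placeholders. ENS names are kept as names because resolving them to a content hash needs a chain RPC and cannot be done offline.

```python
"""Normalize Web3 gateway URLs to the content identifier they serve and
measure the fan-out of one identifier across many domains (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Identifier shapes (assumptions about the common encodings; deliberately strict)
CIDV0_RE = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")   # 46-char base58btc CID
CIDV1_RE = re.compile(r"^b[a-z2-7]{58}$")                # 59-char base32 CIDv1
ARWEAVE_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")          # 43-char base64url TxID
SWARM_RE = re.compile(r"^[0-9a-f]{64}$")                 # 32-byte hex Swarm hash


def is_cid(value):
    return bool(CIDV0_RE.match(value) or CIDV1_RE.match(value))


def content_identifier(url):
    """Return (protocol, identifier) for a gateway URL, or None if it is not one.

    The identifier, not the host, is the stable key: the same CID served via
    ipfs.io, a subdomain gateway or an ipfs:// link is a single payload.
    """
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    labels = host.split(".")
    segments = [s for s in parsed.path.split("/") if s]

    # ipfs://<cid>/... : the CID sits in the netloc; keep its case (CIDv0 is case-sensitive)
    if parsed.scheme == "ipfs" and is_cid(parsed.netloc):
        return ("ipfs", parsed.netloc)
    # Subdomain gateway: https://<cidv1>.ipfs.<gateway>/... (DNS labels are lowercase)
    if len(labels) >= 3 and labels[1] == "ipfs" and CIDV1_RE.match(labels[0]):
        return ("ipfs", labels[0])
    # Path gateway: https://<gateway>/ipfs/<cid>[/path]
    if len(segments) >= 2 and segments[0] == "ipfs" and is_cid(segments[1]):
        return ("ipfs", segments[1])
    # Swarm gateway: https://<gateway>/bzz/<hash>/
    if len(segments) >= 2 and segments[0] == "bzz" and SWARM_RE.match(segments[1]):
        return ("swarm", segments[1])
    # Arweave: https://arweave.net/<txid>
    if host == "arweave.net" and segments and ARWEAVE_RE.match(segments[0]):
        return ("arweave", segments[0])
    # ENS bridged through a DNS gateway: https://<name>.eth.link
    # (assumption: .eth.limo is handled the same way)
    for suffix in (".eth.link", ".eth.limo"):
        if host.endswith(suffix):
            return ("ens", host[: -len(suffix)] + ".eth")
    return None


def group_by_identifier(urls):
    """Map each (protocol, identifier) to the sorted list of origins that served it."""
    groups = defaultdict(set)
    for url in urls:
        key = content_identifier(url)
        if key is None:
            continue
        parsed = urlparse(url.strip())
        origin = parsed.hostname.lower() if parsed.scheme in ("http", "https") else parsed.scheme + "://"
        groups[key].add(origin)
    return {key: sorted(origins) for key, origins in groups.items()}


def fan_out(urls, top=10):
    """Rank identifiers by the number of distinct origins, like Figure 4."""
    groups = group_by_identifier(urls)
    ranked = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(proto, ident, len(origins)) for (proto, ident), origins in ranked[:top]]


PAGE_CID = "Qmbn4KgKj1h8EtzFxPV9NL6G5DXfStyBino1J2kaTs1sfF"                # from the post
MS_CID = "bafybeigiufgkus6rfxviolgoecxvc73yxqw2nqb34yvwk5m7opgpijlnr4"     # from the post

# Constructed sample telemetry: hosts are taken from the post's domain list,
# dweb.link is assumed as a subdomain gateway, the Arweave/Swarm values and
# swarm.example are placeholders with the right shape.
SAMPLE_URLS = [
    f"https://ipfs.io/ipfs/{PAGE_CID}",
    f"https://redirectingat.com/ipfs/{PAGE_CID}",
    f"https://tidbits.com/ipfs/{PAGE_CID}/index.html",
    f"https://cyclechat.net/ipfs/{PAGE_CID}",
    f"https://rockclimbing.com/ipfs/{PAGE_CID}?x=1",
    f"ipfs://{PAGE_CID}/index.html",
    f"https://ipfs.io/ipfs/{MS_CID}/updates3.html/",
    f"https://{MS_CID}.ipfs.dweb.link/updates3.html",
    "https://secure-bank.eth.link/login",
    "https://arweave.net/" + "a" * 43,
    "https://swarm.example/bzz/" + "0" * 64 + "/",
    "https://example.com/not-web3",
]

if __name__ == "__main__":
    for proto, ident, count in fan_out(SAMPLE_URLS):
        print(f"{count:3d} origins  {proto:8s} {ident}")
```

Blocking on the identifier returned by `content_identifier` survives gateway rotation, which is exactly what the domain-based view in Figure 3 does not; the `None` result for ordinary URLs keeps the rule from firing on non-Web3 traffic.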

 

While the network graph effectively illustrates the intricate connections, we have extracted the Top 10 site identifiers (hashes) to provide a clearer, quantitative view of this phenomenon.

The following bar chart (Figure 4) ranks the most prolific instances of multi-domain distribution, highlighting how a single malicious hash can be propagated through dozens of distinct entry points simultaneously.

Figure 4: Top 10 Hashes distribution by pattern and domain count

 

To illustrate this multi-domain distribution strategy with a concrete example, consider the malicious site identified by Qmbn4KgKj1h… This single phishing site was simultaneously served through a vast number of domains, showcasing the attacker's resilience and reach. The distribution network included (but was not limited to):

    • ipfs.io
    • redirectingat.com
    • tidbits.com
    • mlpforums.com
    • findglocal.com
    • feedzilla.com
    • pernod-ricard.io
    • atgshaving.com
    • amazingregistry.com
    • elitepve.com
    • couponalbum.net
    • urbangardensweb.com
    • reviewsignal.com
    • bonbonbunny.com
    • shopkick.com
    • cyclechat.net
    • localgymsandfitness.com
    • rockclimbing.com
    • ngemu.com
    • brickpicker.com

 

5Frontier

 

 

 

URL: https://ipfs.io/ipfs/Qmbn4KgKj1h8EtzFxPV9NL6G5DXfStyBino1J2kaTs1sfF

Other examples found include:

Brand: Microsoft

URL: https://ipfs.io/ipfs/bafybeigiufgkus6rfxviolgoecxvc73yxqw2nqb34yvwk5m7opgpijlnr4/updates3.html/

Conclusion

Web3 is no longer a futuristic concept; it's already here, coexisting with the web we use daily. With major companies investing in this technology, and its inherent benefits, we can only expect its use to increase.

However, we have seen that a single phishing site can be distributed across multiple domains and served through legitimate gateways, which makes traditional, infrastructure-based blocking methods entirely ineffective.

Effectively defending against this new class of threats requires shifting the focus away from where a site is hosted and toward what the site actually does. By analyzing the content and behavior of a page rather than relying solely on URLs or domains, Zimperium is able to detect phishing sites even when they are delivered through decentralized infrastructure and trusted gateways. Zimperium’s Mobile Threat Defense (MTD) delivers this protection across different delivery vectors, including SMS, QR codes, PDF files and general web traffic, ensuring users are protected regardless of how phishing or mishing attempts reach the device.