Covered Events

Fairside covers wallet draining. There are various forms of "delivery methods" that are used to steal user's funds, generally a form of Phishing or Social Engineering trick a user into giving up sensitive information or taking an action that results in a loss. The 3 most common forms of wallet draining are:

1. Malicious transactions and/or signatures

2. Address Poisoning

3. Private key or seed phrase compromise (malware)

Malware coverage only applies to memberships of 15 ETH and above

These scams may vary in how they appear to users — this section breaks down the methods associated with these types of theft to help our users determine if their loss will be covered.

These covered events focus primarily on scams that target the Ethereum and EVM based chains that Fairside covers, but can also take place on the other platforms we support.

Malicious Transactions and Signatures

Fairside will cover most instances where a user is tricked into signing malicious transactions or signatures that leads to theft. These scams can take several forms and typically leverage unique smart contracts that focus on specific types of assets.

Some of the various malicious transaction and signature requests include:

1. Malicious approvals, custom smart contract interactions, or DeFi interactions

2. Permit and gasless signatures related to marketplaces, DEXs, or token approvals

3. DeFi positions (e.g., AAVE, Uniswap liquidity, etc.)

4. Arbitrary ETH_SIGN hashes

Delivery Methods and Social Engineering Approaches

Malicious transactions and signatures manifest through websites that impersonate legitimate crypto protocols and projects or even websites that represent entirely fake crypto projects. Scammers typically deliver these websites to users in the following ways:

General Impersonation on Social Media

Scammers create accounts on social media platforms like X, Discord, Reddit, Instagram, and Facebook to impersonate legitimate high profile crypto companies and individuals. These accounts often reply directly to legitimate accounts to give the appearance of a social media “thread” where accounts post replies to themselves. The casual observer may not realize these are two separate accounts.

Fake Airdrop, Token Claim, and NFT Mint Announcements

Scammers frequently leverage fake airdrop announcements and token claims to drive users into interacting with malicious transaction requests. Fake announcements are typically posted on compromised social media accounts, impersonation social media accounts, or distributed via phishing emails and paid advertisements.

Phishing Emails

Data breach victims are particularly vulnerable to phishing email scams. Several major crypto platforms have experienced user data breaches, which scammers use to target crypto users with phishing emails and distribute links to malicious websites.

Compromised Social Media Accounts

Legitimate social media accounts can be abused to deliver malicious websites to crypto users. Particularly on X and Discord, where hackers break into social media accounts to post fake announcements, airdrop claims to drive users

Front End Compromises

Scammers target legitimate crypto websites to inject malicious content and send malicious transaction requests to users. Wallet Connection kits are a particular target and have been exploited on crypto websites over multiple instances

Paid Advertisements

Scammers use paid advertisements including ads on Google Search, X, Reddit, Telegram, and Discord bots to distribute malicious websites.

Direct Messages

Scammers use direct message (DM) features on social media platforms like X, Discord, Reddit, and Telegram to disseminate links to malicious websites. DMs are most commonly used to distribute malicious websites during over-the-counter (OTC) trading where two individuals negotiate a set price for a crypto asset, such as an NFT.

Address Poisoning

Fairside covers malicious transfer scams where users are tricked into sending crypto to a malicious address. This occurs primarily through a scam referred to as “Address Poisoning.”

Address Poisoning occurs when scammers spoof transactions that appear to come from your wallet. Their goal is to trick you into copying and pasting the wrong address from blockchain analysis tools like Etherscan and sending funds to that malicious address.

Private Key Compromise

Fairside covers some instances of private key or seed phrase compromise. Private key compromise typically occurs when users download malware or viruses that search computers for sensitive information, including the private keys associated with hot wallets or seed phrases for other wallets stored in the computer’s documents or photos.

This coverage is contingent on forensic analysis to verify that the user downloaded malware prior to the loss event. Members who believe they have experienced a malware related loss should move all valuable assets to fresh wallets on separate seed phrases and completely separate devices.

Scammers create phishing websites designed to steal seed phrases or private keys by asking the user to provide this information. Fairside does NOT cover instances where a user sends their seed phrase or private key to a scammer, or enters it on a website.

Legitimate wallets and protocols will NEVER ask users to provide their seed phrase on a website. Users only need to enter their seed phrase on a wallet when restoring that wallet, typically on a new device.

Malware Delivery Methods

Direct Messages

Scammers leverage DM features on social media platforms like X, Discord, Reddit, and Telegram to disseminate links to download malware, socially engineer victims and convince them to proceed with downloading the malware or virus. Best practice is to never download any file or document that someone sends you or directs you to in a DM.

Scammers frequently use the following social engineering tactics that start in DMs to convince victims to download malware:

• Contracts, Pitch Decks, Misc Files: Scammers will leverage a variety of other documents including contracts/NDAs, pitch decks, or other miscellaneous documents to convince you to download malware disguised as these files.

• Fake Journalist Outreach: Scammers will impersonate journalists and interview victims via direct message or video calls. The scammers then will share a document with a “draft” article based on your interview that is actually malware.

• Fake Meeting Software: Scammers impersonating hiring, collaboration, or business development managers use DMs to suggest individuals download malware disguised as virtual meeting software.

• Fake Job Offers: Scammers frequently use the excuse of hiring Discord or Game Moderators and Beta Testers to onboard Particularly Discord or Game Moderators.

Malicious Websites + Fake Blogs

Scammers create websites that impersonate genuine crypto projects and protocols to distribute malware in the form of applications. These can take the form of entire domains dedicated to impersonating a crypto brand, or could be blog posts that appear to provide helpful information on a protocol, but lead users to download a malware loaded file impersonating a desktop app.

Software Downloads (Apps, Games, Game Modifications, Android Package Kits)

Scammers disguise malware as a variety of other softwares including crypto apps, games, game “mods” and mobile software including Android Package Kits. It is critical to be cautious while downloading software and applications on devices that you also use for crypto.

---

Remember, we're constantly monitoring the crypto landscape to ensure our coverage remains up-to-date with the latest threats, so you can feel secure in your crypto journey.

Don't see a specific type of theft or scam that concerns you? We value your input! Join our community channels to share your thoughts. Your insights help us evolve and provide the most comprehensive protection possible for our community.