New Web3 attack exploits transaction simulations to steal crypto
Threat actors are employing a new tactic called "transaction simulation spoofing" to steal crypto, with one attack successfully stealing 143.45 Ethereum, worth approximately $460,000.
The attack, spotted by ScamSniffer, highlights a flaw in transaction simulation mechanisms used in modern Web3 wallets, meant to safeguard users from fraudulent and malicious transactions.
How the attack works
Transaction simulation is a feature that allows users to preview the expected outcome of a blockchain transaction before signing and executing it.
It is designed to enhance security and transparency by helping users verify what the transaction will do, like the amount of transferred cryptocurrency, gas fees and other transaction costs, and other on-chain data changes.
The attackers lure victims to a malicious website that mimics a legitimate platform, which initiates what is made to appear as a "Claim" function. The transaction simulation shows that the user will receive a small amount in ETH.
However, a time delay between the simulation and the execution allows the attackers to alter the on-chain contract state to change what the transaction will actually do if approved.
The victim, trusting the wallet's transaction simulation result, signs the transaction, allowing the site to drain their wallet of all crypto and send it to the attacker's wallet.

ScamSniffer highlights an actual case where the victim signed the deceptive transaction 30 seconds after the state change, losing all their assets (143.35 ETH) as a result.
"This new attack vector represents a significant evolution in phishing techniques." warns ScamSniffer
"Rather than relying on simple deception, attackers are now exploiting trusted wallet features that users rely on for security. This sophisticated approach makes detection particularly challenging."

The blockchain monitoring platform suggests that Web3 wallets reduce the simulation refresh rates to match blockchain block times, force refresh simulation results before critical operations, and add expiration warnings to warn users about the risk.
From the user's perspective, this new attack shows why wallet simulation shouldn't be trusted.
Cryptocurrency holders should treat "free claim" offers on obscure websites with caution and only trust verified dApps.
US charges operators of cryptomixers linked to ransomware gangs
Telefónica confirms internal ticketing system breach after data leak
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
Free online web security scanner