SEAL, the nonprofit security organization that has disrupted crypto drainer operations since late 2023, launched a real-time phishing defense network on Oct. 22 in partnership with MetaMask, WalletConnect, Backpack, and Phantom.
The coalition deploys Verifiable Phishing Reports technology, which enables users to submit cryptographically attested evidence of malicious sites, thereby bypassing the manual review bottleneck that allows drainers to rotate infrastructure faster than defenders can respond.
According to CertiK reports published throughout the year, roughly $538 million was stolen by phishing attacks as of Sept. 30. This estimate excludes the $1.4 billion exploit against Bybit in February.
The collaboration addresses an escalation cycle in which drainers adapted to each mitigation.
When SEAL accelerated updates to eth-phishing-detect, drainer operators rotated landing pages more frequently.
When infrastructure providers blocked abusive hosting, drainers migrated to offshore bulletproof services. When SEAL implemented automated scanning via its Phishing Bot, drainers deployed cloaking and anti-fingerprinting measures to evade detection.
The result was an arms race weighted toward attackers, who retained the initiative while defenders struggled to validate submissions at scale.
Verifiable Phishing Reporter changes the engagement model. Users submit reports containing the exact content served by a suspected phishing site, accompanied by a TLS attestation that proves the content was not forged.
SEAL processes these submissions in real time without manual triage, circumventing cloaking techniques that hide malicious payloads from automated scanners.
The coalition pipes validated reports into an end-to-end detection system that blocks phishing domains and risky contract interactions across participating wallets, turning localized intelligence into network-wide protection.
Ohm Shah, security researcher at MetaMask, stated:
“Drainers are a constant cat and mouse game like most of security, working alongside SEAL and their independent researchers it allows wallet teams like MetaMask to be more agile and apply SEAL’s research to practice effectively throwing a wrench at the drainer’s infra.”
Derek Rein, CTO of WalletConnect, added that the partnership expands protections for WalletConnect Certified wallets, which already warn users about known scam sites.
Armani Ferrante, CEO of Backpack, framed the integration as part of the wallet’s mission to make digital asset ownership more secure, while Kim Persson, senior engineer at Phantom, emphasized that domain security and user safety remain core priorities.
Measuring success
The network’s effectiveness might rest on three pillars: fewer users losing funds, faster threat neutralization, and high-quality detections measured against a pre-launch baseline and a matched control.
The primary metric is loss rate per active user, such as dollar-denominated losses to phishing per 1,000 monthly active wallets, which can be estimated from on-chain drainer clusters, victim self-reports, and wallet telemetry.
Speed defines the second measurement tier. Time-to-protect tracks the median and 95th-percentile duration from the first Verifiable Phishing Report to an in-wallet warning or block.
Time-to-neutralize separately measures web vectors, reports to blocklist propagation to site takedown, and on-chain vectors, where reports trigger interception of risky contracts or addresses.
Sustained reductions in these intervals should correlate with lower realized losses.
Coverage and quality form the third pillar. Recall captures the share of known phishing domains and addresses flagged before the first victimized transaction, validated against independent sources and post-incident investigations.
Precision is measured as one minus the false-positive rate, confirmed through subsequent clean TLS attestations and user appeals.
Additional quality checks include the fraction of network actions backed by valid TLS attestations, deduplication rates across reporters, and median domain lifetime after the first attestation.
Behavioral metrics would show whether protections alter user actions. The deflection rate divides the number of warnings that lead to the abandonment of risky actions by the total number of warnings shown, while the blocked-sign rate counts hard-stopped transactions.
The organization invites additional wallets to join the network and encourages security researchers and users to contribute via the Verifiable Phishing Reporter client available on its site.
