SEAL, the non-profit security organization that has been disrupting crypto drainer operations since late 2023, has launched a real-time phishing defense network on October 22 in collaboration with MetaMask, WalletConnect, Backpack and Phantom.
The coalition uses Verifiable Phishing Reports technology, which allows users to submit cryptographic evidence from malicious sites, bypassing the manual review bottleneck and allowing infrastructure to be rotated faster than defenders can respond.
According to CertiK reports published throughout the year, as of September 30, approximately $538 million was stolen through phishing attacks. This estimate excludes the $1.4 billion exploit against Bybit in February.
The collaboration focuses on an escalation cycle in which drainers adapted to each mitigation.
As SEAL accelerated updates to eth-phishing detection, operators switched landing pages more frequently.
As infrastructure providers blocked hosting abuses, drainers migrated to offshore bulletproof services. When SEAL implemented automated scanning through its Phishing Bot, drainers used cloaking and anti-fingerprinting measures to evade detection.
The result was an arms race focused on the attackers, who retained the initiative while the defenders struggled to validate their entries on a large scale.
Verifiable Phishing Reporter changes the engagement model. Users submit reports showing the exact content served by a suspected phishing site, accompanied by a TLS attestation proving the content is not spoofed.
SEAL processes these submissions in real time without manual triage, bypassing cloaking techniques that hide malicious payloads from automated scanners.
The coalition validated reports in an end-to-end detection system that blocks phishing domains and high-risk contract interactions between participating wallets, turning localized intelligence into network-wide protection.
Ohm Shah, security researcher at MetaMask, stated:
“Drainers are a constant game of cat and mouse, just like most security companies. Together with SEAL and their independent researchers, wallet teams like MetaMask can be more nimble and apply SEAL’s research to effectively practice throwing wrenches at drainer infrastructure.”
Derek Rein, CTO of WalletConnect, added that the partnership expands protection for WalletConnect Certified wallets, which already warn users about known scam sites.
Armani Ferrante, CEO of Backpack, described the integration as part of the wallet’s mission to make digital asset ownership more secure, while Kim Persson, senior engineer at Phantom, emphasized that domain security and user safety remain core priorities.
Measuring success
The network’s effectiveness could rest on three pillars: fewer users losing money, faster threat neutralization, and high-quality detections, measured against a pre-launch baseline and matching audit.
The primary metric is loss rate per active user, such as dollar-denominated phishing losses per 1,000 monthly active wallets, which can be estimated from on-chain drainer clusters, victim self-reports, and wallet telemetry.
Speed defines the second level of measurement. Time-to-protect tracks the median and duration of the 95th percentile from the first verifiable phishing report to a wallet warning or block.
Time-to-neutralize separately measures web vectors, reports on the spread of block lists to site deletions, and on-chain vectors, where reports lead to interception of high-risk contracts or addresses.
Sustained reductions within these intervals should correlate with lower realized losses.
Coverage and quality form the third pillar. Recall records the proportion of known phishing domains and addresses flagged before the first victimized transaction, validated against independent sources and post-incident investigations.
Accuracy is measured as one minus the false positive rate, confirmed by subsequent clean TLS attestations and user calls.
Additional quality controls include the proportion of network actions supported by valid TLS attestations, reporter deduplication rates, and average domain lifetime after initial attestation.
Behavioral metrics would show whether protections change users’ actions. The deflection rate divides the number of warnings that lead to the halt of risky actions by the total number of warnings shown, while the blocked signature percentage also counts the definitively stopped transactions.
The organization invites additional wallets to join the network and encourages security researchers and users to contribute via the Verifiable Phishing Reporter client available on its site.
