Written by: imToken

As the Lunar New Year approaches, it's a time to bid farewell to the old year and welcome the new, and also a time for reflection:

In the past year, have you fallen into the trap of Rug Pull projects that have run away with your money? Have you bought in and been stuck with losses because of the hype from KOLs? Or have you suffered losses due to the increasingly rampant phishing attacks caused by accidentally clicking on links or signing contracts?

Objectively speaking, the Spring Festival does not create risks, but it is likely to amplify them. When the frequency of capital flow increases, when attention is diverted by holiday arrangements, and when the pace of trading accelerates, any small mistake is more likely to be magnified into a loss.

Therefore, if you are planning to adjust your positions and organize your funds before the holiday, you might as well give your wallet a "pre-holiday security check". This article will also start from several real and high-frequency risk scenarios and systematically sort out the specific operations that ordinary users can do.

1. Beware of scams involving "AI face-swapping" and voice simulation.

The SeeDance 2.0 that has recently swept the internet has once again made everyone realize that in the era of accelerated AGI penetration, "seeing is believing" is no longer valid.

It can be said that since 2025, AI-based video and voice fraud technologies have become significantly more mature, including voice cloning, video face swapping, real-time facial expression imitation, and tone simulation, all of which have entered a "low-threshold, scalable replicable industrialization stage".

In fact, based on AI, it is now possible to accurately reproduce a person's voice, speech rate, pause habits, and even micro-expressions, which means that this risk is particularly easily amplified during the Spring Festival.

For example, while you are on your way home or during a gathering with relatives and friends, a message pops up on your phone. It is a voice or video message from a "friend" in your contacts via Telegram or WeChat. The message is urgent and says that the account is restricted, the red envelope needs to be transferred, and a small amount of tokens needs to be temporarily advanced. The message asks you to transfer money immediately.

The voice sounds perfectly natural, and there are even "real people appearing on screen" in the video. So how would you judge it if your attention was diverted by holiday plans?

In previous years, video verification was almost the most reliable way to verify identity, but today, even if the other party is talking to you with their camera on, it is no longer 100% trustworthy.

In this context, simply watching a video or listening to a voice message is no longer sufficient for verification. A more reliable approach is to establish a verification mechanism with your core circle (family, partners, long-term collaborators) that is independent of online communication. This could involve offline codes known only to each other, or detailed questions that cannot be inferred from publicly available information.

Furthermore, we must re-examine a common path risk: links forwarded by acquaintances. After all, as is customary, during the Spring Festival, "on-chain red envelopes" and "airdrop benefits" can easily become entry points for viral spread in the Web3 community. Many people are not deceived by strangers, but rather click on carefully disguised authorization pages because they trust acquaintances who forward them.

Therefore, everyone needs to keep in mind a simple yet extremely important principle: do not click on any links from unknown sources directly through social media platforms, and never authorize them, even if they come from "acquaintances".

Ideally, all on-chain operations should be performed through official channels, bookmarked URLs, or trusted portals, rather than in chat windows.

Second, give your wallet a "year-end cleaning".

If the first type of risk comes from trust being forged by technology, then the second type of risk comes from our own long-term accumulated hidden risk exposures.

As we all know, delegation is the most fundamental and easily overlooked mechanism in the DeFi world. When you operate in a DApp, you are essentially giving the contract the right to control a token. This may be a one-time grant, or it may be unlimited; it may be effective in the short term, or it may still be effective even after you have long forgotten about its existence.

Ultimately, it may not be an immediately effective risk, but it is a persistent exposure to risk. Many users mistakenly believe that as long as their assets are not stored in a contract, there are no security issues. However, during bull market cycles, people often frequently try various new protocols, participate in airdrops, staking, mining, and on-chain interactions, accumulating authorization records. When the hype dies down, many protocols are no longer used, but the permissions are still retained.

Over time, these excess historical licenses become like a pile of keys left unattended. If a contractual loophole appears in an agreement you've long forgotten, it can easily lead to losses.

The Spring Festival is a natural time for review and organization. It's well worth taking advantage of the relatively stable period before the holiday to systematically check your authorization records.

Specifically, authorizations that are no longer in use can be revoked, especially unlimited authorizations; limited authorizations can be used for large assets held daily, rather than allowing full balance access indefinitely; and long-term stored assets can be managed separately from daily operational assets, forming a layered structure of hot wallets and cold wallets.

In the past, many users needed to use external tools (such as websites like revoke.cash) to complete these kinds of checks. Now, mainstream Web3 wallets like imToken have built-in authorization detection and revocation capabilities, allowing users to view and manage historical authorizations directly within the wallet.

Ultimately, wallet security is not about never granting permissions, but about the principle of least privilege—granting only the necessary permissions at the moment and revoking them promptly when no longer needed.

Third, do not slack off in travel, social interactions, and daily operations.

If the first two types of risks come from technological upgrades and the accumulation of permissions, respectively, then the third type of risk comes from environmental changes.

Traveling during the Spring Festival (returning to one's hometown, traveling, visiting relatives and friends) often means frequent device switching, complex network environments, and dense social scenarios. In such an environment, the vulnerabilities of private key management and daily operations will be significantly amplified.

Mnemonic phrase management is a prime example. Saving screenshots of mnemonic phrases to phone albums, cloud storage, or forwarding them to oneself via instant messaging tools is often driven by convenience, but in mobile scenarios, this convenience itself becomes the biggest hidden danger.

Therefore, remember that mnemonic phrases must be physically isolated and stored online in any way. The bottom line for private key security is to be offline.

Social interactions also require awareness of boundaries. Displaying large asset pages or discussing specific portfolio sizes at holiday gatherings, often unintentionally, can sow the seeds of future risks. Even more alarming are actions that use the guise of "exchanging experiences" or "teaching guidance" to lead to the download of fake wallet apps or plugins.

All wallet downloads and updates should be completed through official channels, not by redirecting through social chat windows.

In addition, always verify three things before transferring money: the network, the address, and the amount. There have been too many cases of whales losing large sums of money due to phishing attacks using addresses with similar first and last digits, and such phishing attacks have become industrialized in the last six months.

Hackers often generate a large number of on-chain addresses with different first and last digits as a seed pool. Once a certain address makes a fund transfer with the outside world, they will immediately find addresses with the same first and last digits in the seed pool, and then call the contract to make a related transfer, casting a wide net and waiting for the harvest.

Because some users sometimes directly copy the target address from the transaction record and only check the first and last few digits, thus falling victim to the attack, according to Yu Xian, the founder of SlowMist, regarding phishing attacks targeting the first and last few digits, "hackers are playing a game of casting a wide net, hoping those who are willing will take the bait, it's a game of probability."

Because gas costs are extremely low, attackers can poison hundreds or even thousands of addresses in bulk, waiting for a few users to make mistakes while copying and pasting. A single successful attack yields benefits far exceeding the cost.

These problems don't stem from the complexity of the technology, but rather from people's daily operating habits:

Verify the entire address characters, not just the beginning and end;
Do not copy transfer addresses directly from your history without checking them;
When making your first transfer to a new address, test it with a small amount first;
Prioritize using the address whitelist function to manage frequently used addresses in a fixed manner;

In the current decentralized system dominated by EOA accounts, users are always the primary responsible party and the last line of defense for themselves (further reading: " The $3.35 billion 'account tax': When EOA becomes a systemic cost, what can AA bring to Web3? ").

In conclusion

Many people feel that the on-chain world is too dangerous and not user-friendly for ordinary users.

To be honest, Web3 can hardly provide a zero-risk world, but it can become a risk-manageable environment.

For example, the Spring Festival is a time of slow pace and the best window of opportunity to organize risk structures. Rather than rushing to do things during the holiday, it is better to complete security checks in advance; rather than trying to fix things afterward, it is better to optimize permissions and habits in advance.

Wishing everyone a safe and prosperous Chinese New Year, and may everyone's on-chain assets remain stable and worry-free in the new year.

SlowMist has warned of a critical vulnerability in HitBTC, but has not yet received a response.

Popular Articles