$264K Wrapped Bitcoin Theft Puts Phantom Chat Feature in Hot Seat

Security experts question Phantom Chat's safety following a phishing incident that resulted in $264,000 in Wrapped Bitcoin losses, sparking fresh debates about wallet design and address poisoning vulnerabilities.

Security researchers are raising red flags about a messaging capability integrated into the Phantom cryptocurrency wallet following an incident where an investor suffered losses totaling approximately $264,000 in Wrapped Bitcoin through what experts have identified as a phishing scheme facilitated by address poisoning tactics.

Blockchain security investigator ZachXBT published on-chain evidence indicating a victim suffered losses of 3.5 Wrapped Bitcoin (WBTC) through what appears to be a phishing operation connected to the Phantom Chat feature.

The published data reveals a transfer involving 3.5 WBTC moving from wallet address "0x85c" to wallet address "0x4b7" on Wednesday, with the destination identified as containing a "high balance" according to Nansen, a blockchain intelligence service. The movement pattern aligns with characteristics of address poisoning, a phishing methodology that manipulates users' transaction records instead of stealing private keys directly.

Fraudsters trick targets into sending cryptocurrency to malicious wallets by first sending them minimal transactions, anticipating that unsuspecting users will copy and paste the attacker's address from their transaction history.

ZachXBT appealed to Phantom to improve its user interface design, characterizing the messaging feature as a "new method for people to get drained," and cautioning that the application's interface failed to filter out spam transactions, a step that could prevent users from becoming victims of address poisoning schemes.

Figure: Transaction history for wallet "0x85c." Source: Nansen

An X user identified as Kill4h also disclosed becoming a victim of two separate address poisoning incidents via the messaging feature, providing screenshots of two blockchain transfers valued at $136 and $101 in USDC, respectively.

The incident is another illustration of how critical crypto wallet user experience design is for protecting investors' assets.

Prominent cryptocurrency industry leaders, including Binance co-founder Changpeng Zhao, have previously advocated for enhanced wallet security implementations to prevent phishing schemes, following an incident where an investor suffered $50 million in losses through an address poisoning scam during December 2025.

"All wallets should simply check if a receiving address is a 'poison address,' and block the user. This is a blockchain query," Zhao stated in a blog post published in December, adding:

"Lastly, wallets should not even display these spam transactions anywhere. If the value of the tx is small, just filter it out."

To avoid prevalent crypto scams, Phantom advises users to treat any unrequested tokens or NFTs delivered to their wallet as part of a scam and encourages them to refrain from clicking on links appearing in paid Google search results or social media platforms offering free airdrops.

Cointelegraph has contacted Phantom requesting commentary on the incident and information regarding future user interface enhancements.

Figure: Fraudsters are distributing copycat tokens to unwitting investors. Source: Phantom

Phantom announced the rollout of its live chat feature across its tokens, perpetual futures and predictions pages on Dec. 23.

Crypto investors need better onchain security practices: cybersecurity experts

Although spam filtering in crypto applications may reduce the threat of address poisoning, users must stop copying wallet addresses from their transaction history, emphasized the Extractor team from security firm Hacken.

"Web3 users have to maintain a single source of truth for recipient addresses (Address Book / List)."

Hacken additionally referenced a 12.3 million Ether (ETH) address poisoning incident affecting a wallet associated with Galaxy Digital on Jan. 30, demonstrating that even institutional market participants can become victims of these fraudulent schemes.

While better transaction habits can help users avoid these scams, the cryptocurrency industry requires preemptive security notifications to eliminate poisoning attacks entirely, Deddy Lavid, the CEO of blockchain cybersecurity company Cyvers, told Cointelegraph:

"Real protection requires pre-transaction risk checks, address similarity detection, and clear warnings before users sign."

Users may alternatively choose wallets that deliver real-time "firewall-style security simulation" that demonstrates how a transaction would execute before it is finalized, the CEO elaborated.

Wallets offering preemptive mechanisms to screen for malicious transactions prior to approval include the Rabby Wallet, Zengo Wallet and Phantom Wallet.
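
The three controls quoted above (an address book as the single source of truth, address similarity detection before signing, and keeping small spam transfers out of the history view) can be combined in one pre-send check. The following is an added example, not code from Phantom or any wallet named in this article; the addresses, amounts, the 4-character prefix/suffix match and the dust threshold are constructed assumptions.

```python
# Added example: pre-send recipient check and history filter.
# All addresses and amounts are constructed sample data.

ADDRESS_BOOK = {
    "exchange-deposit": "0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b9f3e",
}

# (direction, counterparty, amount) rows as a wallet history view might hold them.
HISTORY = [
    ("out", "0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b9f3e", 1.25),
    ("in", "0x1a2b77770000aaaa5555bbbb3333cccc11119f3e", 0.000001),  # look-alike dust
    ("in", "0x9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d", 0.4),
]


def normalize(addr):
    return addr.strip().lower()


def looks_like(a, b, prefix=4, suffix=4):
    """True when two different addresses share the characters a truncated
    UI typically shows: the first `prefix` and last `suffix` hex digits."""
    a, b = normalize(a)[2:], normalize(b)[2:]
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]


def check_recipient(recipient, address_book):
    """Return (verdict, label): 'trusted', 'lookalike' or 'unknown'."""
    r = normalize(recipient)
    for label, known in address_book.items():
        if r == normalize(known):
            return ("trusted", label)
    for label, known in address_book.items():
        if looks_like(r, known):
            return ("lookalike", label)  # warn or block before signing
    return ("unknown", None)


def visible_history(history, address_book, min_value=0.0001):
    """Drop inbound rows that are dust or come from a look-alike of a saved address."""
    known = list(address_book.values())
    shown = []
    for direction, addr, amount in history:
        if direction == "in" and (
            amount < min_value or any(looks_like(addr, k) for k in known)
        ):
            continue
        shown.append((direction, addr, amount))
    return shown
```

A `lookalike` verdict is the case to interrupt with a clear warning, since the pasted address differs from a saved one only in the characters a shortened display hides.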