
SEAL, a nonprofit security organization that has been disrupting crypto exfiltration efforts since late 2023, launched a real-time phishing prevention network in partnership with MetaMask, WalletConnect, Backpack, and Phantom on October 22.
The coalition is introducing Verifiable Phishing Reports technology. This allows users to submit cryptographically proven evidence of malicious sites, thereby avoiding manual review bottlenecks that allow drainers to rotate infrastructure faster than defenders can respond.
Approximately $538 million was stolen through phishing attacks as of September 30, according to CertiK reports published throughout the year. This estimate does not include the $1.4 billion exploit against Bybit in February.
This collaboration addresses an escalation cycle in which drainer operators adapt to each new mitigation measure.
When SEAL accelerated updates to eth-phishing-detect, drainer operators rotated their landing pages more frequently.
Once infrastructure providers blocked fraudulent hosting, drainers moved to offshore bulletproof services. As SEAL implemented automated scanning through phishing bots, drainers deployed cloaking and fingerprinting measures to avoid detection.
The result was an arms race in which attackers held the initiative while defenders struggled to verify attacks at scale.
Verifiable Phishing Reporter changes the engagement model. The user submits a report containing the exact content provided by the suspected phishing site, along with a TLS certificate proving that the content is not forged.
SEAL bypasses cloaking techniques that hide malicious payloads from automated scanners and processes these submissions in real-time without manual triage.
The federation pipes verified reports into an end-to-end detection system so that phishing domains and risky contracts are blocked across participating wallets, turning localized intelligence into network-wide protection.
Ohm Shah, security researcher at MetaMask, said:
“Like most security, Drainer is always a cat-and-mouse game. Working with SEALs and their independent researchers allows wallet teams like MetaMask to become more nimble and practice applying SEAL research to effectively throw a wrench into Drainer’s infrastructure.”
Derek Rein, CTO of WalletConnect, added that this partnership expands the protection of WalletConnect Certified wallets, which already warn users about known fraudulent sites.
Armani Ferrante, CEO of Backpack, positioned this integration as part of the wallet’s mission to make ownership of digital assets more secure, and Kim Persson, senior engineer at Phantom, emphasized that domain security and user safety remain core priorities.
Measuring success
Network effectiveness can be judged on three pillars: fewer users losing money, faster neutralization of threats, and high-quality detections measured against controls that match a pre-launch baseline.
The main metric is the loss rate per active user, for example the dollar loss rate due to phishing per 1,000 monthly active wallets. This can be estimated from on-chain drainer clusters, victim self-reports, and wallet telemetry.
Velocity defines the second measurement layer. Time to protection tracks the median and 95th percentile of time from first verifiable phishing report to in-wallet alert or block.
Time-to-neutralization is measured separately for web vectors, where it runs from report to site removal or blocklist propagation, and for on-chain vectors, where reports lead to the interception of compromised contracts or addresses.
A continued decrease in these intervals should correlate with a decrease in realized losses.
Coverage and quality form the third pillar. Recall captures the share of known phishing domains and addresses that were flagged before the first victim transaction, validated against independent sources and post-incident investigations.
Accuracy is measured as 1 minus the false positive rate and then confirmed by clean TLS certificates and user disputes.
Additional quality checks include the percentage of network actions backed by valid TLS authentication, deduplication rate across reporters, and median domain age after initial authentication.
Behavioral metrics indicate whether protection changes user behavior. The deviation rate is the number of warnings that lead to abandonment of risky behavior divided by the total number of warnings displayed, and the signature block rate counts transactions that are hard stopped.
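The time-to-protection and recall measurements described above can be computed from per-indicator timestamps. The following Python code is an added example, not code from SEAL or the participating wallets; the record fields, the sample data, and the nearest-rank percentile method are assumptions.

```python
from datetime import datetime, timedelta
from math import ceil
from statistics import median

T0 = datetime(2025, 1, 1)  # arbitrary constructed epoch

def at(minute):
    return T0 + timedelta(minutes=minute)

# Constructed records, one per known phishing indicator. Field names are
# assumptions; None means the event never happened.
INDICATORS = [
    {"id": "domain-a", "reported": at(0), "blocked": at(4), "first_victim": at(30)},
    {"id": "domain-b", "reported": at(10), "blocked": at(12), "first_victim": None},
    {"id": "domain-c", "reported": at(20), "blocked": at(80), "first_victim": at(50)},
    {"id": "address-d", "reported": at(5), "blocked": at(15), "first_victim": at(40)},
    {"id": "address-e", "reported": at(0), "blocked": None, "first_victim": at(25)},
]

def protection_delays(records):
    """Minutes from first verifiable report to in-wallet block (blocked items only)."""
    return sorted(
        (r["blocked"] - r["reported"]).total_seconds() / 60
        for r in records if r["blocked"] is not None
    )

def percentile(sorted_values, pct):
    """Nearest-rank percentile: always returns a delay that was actually observed."""
    if not sorted_values:
        raise ValueError("no blocked indicators to measure")
    rank = max(1, ceil(pct / 100 * len(sorted_values)))
    return sorted_values[rank - 1]

def time_to_protection(records):
    delays = protection_delays(records)
    return {"median": median(delays), "p95": percentile(delays, 95)}

def pre_victim_recall(records):
    """Share of known indicators blocked before any victim transaction.
    Never-blocked indicators count as misses, not as missing data."""
    if not records:
        return 0.0
    hits = sum(
        1 for r in records
        if r["blocked"] is not None
        and (r["first_victim"] is None or r["blocked"] < r["first_victim"])
    )
    return hits / len(records)

if __name__ == "__main__":
    print(time_to_protection(INDICATORS), pre_victim_recall(INDICATORS))
```

With few samples the 95th percentile is simply the slowest case, which is why it is tracked alongside the median: one 60-minute straggler is invisible in a 7-minute median.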
The organization invites additional wallets to join the network and encourages security researchers and users to contribute through the Verifiable Phishing Reporter client available on its site.
