What angler phishing actually is

Angler phishing is named after the deep-sea anglerfish that dangles a glowing lure to attract prey. Attackers monitor social media in real time for users complaining about a brand. The moment you post "hey @phantom my wallet is stuck" or "@coinbase support never replies," they DM you within minutes pretending to be official support and steer you to a "secure" link that captures your seed phrase, drains a wallet approval, or harvests a login. The attack works because the victim raised their hand first. You started the conversation.

The 5-step playbook

Different brands, same five steps.

  1. Monitor brand mentions. TweetDeck columns, Hootsuite streams, or X API scrapers watch mentions of @MetaMask, @Coinbase, @phantom, @binance, @Chase, @AmericanAir, @AmazonHelp, and others. Every complaint with "help," "stuck," or "support" is a fresh lead.
  2. Reply or DM within minutes. The earlier the response, the more it feels like real support. Operators run 24/7 because a panicked user at 3am is the most cooperative.
  3. Use a near-identical handle. @Coinbase_Support (real is @CoinbaseSupport). @MetaMask_Help (real is @MetaMaskSupport). @phantom_wallets with an added "s". The eye skims and misses the extra character.
  4. Send a "secure link" to resolve. The DM links to a "support portal" or "wallet validator." Domains are lookalikes (coinbase-support.help, metamask-validate.io) or free hosting subdomains (something.netlify.app, something.web.app).
  5. Drain credentials or wallet. The page asks for your seed phrase as "wallet verification," prompts a Web3 signature that is an unlimited token approval, or captures login plus the one-time code. Wallet empty in minutes.
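The "unlimited token approval" in step 5 is visible in the transaction data a wallet asks you to sign. The following Python sketch is an added example, not code from this article or from any wallet: it decodes the standard ERC-20 approve and NFT setApprovalForAll calls and reports whether the request grants unlimited access. The sample inputs are constructed and the spender address is a placeholder.

```python
# Well-known 4-byte function selectors.
APPROVE = bytes.fromhex("095ea7b3")               # ERC-20 approve(address,uint256)
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # NFT setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1


def describe_calldata(data_hex):
    """Decode transaction calldata and say what approval, if any, it grants."""
    raw = data_hex[2:] if data_hex.startswith("0x") else data_hex
    data = bytes.fromhex(raw)
    if len(data) != 68 or data[:4] not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return {"kind": "other"}
    # Each argument is a 32-byte word; an address sits in the low 20 bytes.
    operator = "0x" + data[16:36].hex()
    value = int.from_bytes(data[36:68], "big")
    if data[:4] == APPROVE:
        return {"kind": "approve", "spender": operator, "amount": value,
                "unlimited": value == MAX_UINT256, "revokes": value == 0}
    return {"kind": "setApprovalForAll", "operator": operator,
            "unlimited": value != 0, "revokes": value == 0}


# Constructed samples: the spender address is a placeholder, not a real contract.
SPENDER_WORD = "00" * 12 + "11" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + SPENDER_WORD + "ff" * 32
REVOKE_APPROVE = "0x095ea7b3" + SPENDER_WORD + "00" * 32
```

An approve call with amount 0 is what a revocation looks like on chain, which is why the same decoder reports "revokes" for it.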

Where it hits hardest

Angler phishing works against any brand with social support, but four categories produce the highest yield.

Crypto support accounts

Top targets: Coinbase, MetaMask, Binance, Phantom, Trust Wallet, Ledger. High value, irreversible transactions, slow tickets that push users to complain publicly. Phantom's security team has published direct warnings about X and Telegram DM impersonators, and @phantom pins a notice that real support never DMs first and never asks for a seed phrase.

Banks on X

Chase, Wells Fargo, Bank of America, Capital One, and Citi all run support handles. A tweet about a frozen card pulls fake @ChaseSupport_ and @WellsFargo_Help replies within minutes. Victims hand over credentials and one-time codes; attackers drain via wire or Zelle before fraud teams catch up.

Airlines after flight cancellations

A canceled flight at 11pm with stranded passengers tweeting @AmericanAir, @Delta, @united, or @SouthwestAir is an angler phisher's harvest. Fake "rebooking link" replies capture frequent-flyer credentials and card numbers. The FTC flagged airline impersonation in its 2024 reports.

Ecommerce support

Amazon (@AmazonHelp), Etsy, eBay, and Shopify storefronts all attract impersonators. A buyer complaining about a missing package gets a DM offering a "refund verification" page that wants the card plus CVV.

Real verifiable examples

This is not theoretical. ZachXBT has documented Phantom and Solana DM phishing campaigns across 2023 and 2024 in public X threads, including drained wallet addresses and typosquat handles used. Phantom's official security blog has published guidance specifically about Telegram and X DM impersonators. Chainalysis's 2024 Crypto Crime Report attributes roughly $1 billion in annual crypto theft to social-media-driven phishing, with DM lures the dominant delivery method. The FTC Consumer Sentinel Network 2024 release showed social media scam reports up about 80% year over year, with crypto investment fraud via social media exceeding $2.5 billion cumulatively since 2021. X's own Trust and Safety reports list account impersonation as a top-volume policy violation.

Why this works on you specifically

The victim is never randomly targeted. You self-selected by tweeting about a problem. You are in panic mode. Your wallet is stuck, your card is frozen, your flight is canceled. Anyone replying "hi, we can help, please DM us" is the friendly face in a stressful moment. The attacker knows your exact problem because you posted it. A cold phishing email has to invent a fake problem. Angler phishing skips that step. The problem is real. Only the help is fake.

The 10-second sanity check

Four checks before you click anything from "support."

  1. Real support almost never DMs first. Coinbase, MetaMask, Phantom, Binance, Chase, and major airlines publish notices saying their support handles do not DM users out of the blue. An unsolicited DM from "support" is the single strongest scam signal.
  2. Verified badges can be bought. X Premium ($8/month) gives any account a blue check with no identity verification. The gold organization badge has been gamed. Tap the badge. "Subscribed to Premium" is not the same as "verified as the brand."
  3. Check the username letter by letter. Real @CoinbaseSupport vs fake @Coinbase_Support. Real @MetaMaskSupport vs fake @MetaMask_Helpdesk. Real @phantom vs fake @phantom_wallets. Underscores, extra letters, swapped i and l, capital I vs lowercase l are common tricks.
  4. Real support points to the brand's own help center. Coinbase: help.coinbase.com. MetaMask: support.metamask.io. Phantom: help.phantom.com. If the DM link goes to a Google Form, a non-brand Zendesk subdomain, a Netlify/Vercel preview URL, or a .help / .live / .app domain you do not recognize, it is not real support.
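Checks 3 and 4 can be automated. The Python sketch below is an added example, not SafeBrowz code: it compares a handle and a DM link against the official handles and help-center hosts quoted in this article, folding the look-alike characters listed in check 3. The function names and the folding table are assumptions, and a matching handle still does not make an unsolicited DM legitimate (check 1).

```python
from urllib.parse import urlsplit

# Official values quoted in the article; confirm them on each brand's own website.
OFFICIAL_HANDLES = {"coinbasesupport": "coinbase",
                    "metamasksupport": "metamask",
                    "phantom": "phantom"}
OFFICIAL_HELP_HOSTS = {"help.coinbase.com", "support.metamask.io", "help.phantom.com"}

# Fold characters the eye skims over: i/I/l/1 look alike, 0 looks like o,
# and separators (underscore, hyphen, dot) are dropped.
FOLD = str.maketrans({"i": "l", "1": "l", "0": "o", "_": "", "-": "", ".": ""})


def skeleton(text):
    return text.lower().lstrip("@").translate(FOLD)


def brand_in(text):
    """Return the brand whose name appears in text after folding, else None."""
    skel = skeleton(text)
    for brand in OFFICIAL_HANDLES.values():
        if skeleton(brand) in skel:
            return brand
    return None


def check_handle(handle):
    if handle.lstrip("@").lower() in OFFICIAL_HANDLES:  # X handles ignore case
        return "official"
    brand = brand_in(handle)
    return f"lookalike of {brand}" if brand else "unrelated"


def check_link(url):
    # Accept "host/path" as well as full URLs, then compare the exact hostname.
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    host = host.lower().rstrip(".")
    if host in OFFICIAL_HELP_HOSTS:
        return "official"
    brand = brand_in(host)
    return f"lookalike of {brand}" if brand else "not a brand help center"


def triage_dm(handle, url):
    """Trust a support DM only if both the handle and the link are official."""
    h, link = check_handle(handle), check_link(url)
    return {"handle": h, "link": link, "trust": h == "official" and link == "official"}
```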

What to do instead of replying

Close the DM. Do not reply, do not click, do not hover. Then:

  1. Type the brand's URL yourself. coinbase.com, metamask.io, phantom.com, chase.com - typed into the address bar, not from any link.
  2. File a ticket through the real channel. Most exchanges and wallets handle support inside the app, not on social media.
  3. Report the impersonator. On X: three dots, "Report," "Impersonation." Tag the real brand handle in a separate tweet (do not reply to the impersonator; that boosts their visibility).

If you already DMed or clicked their link

Move fast.

  1. Within 10 minutes. If you signed any wallet transaction, revoke every active approval at revoke.cash (or Etherscan / Solscan / BaseScan). Move remaining funds to a fresh wallet on a clean device. Treat the original wallet as burned.
  2. Within 30 minutes. Change any password you entered, everywhere you reused it. Turn on hardware-key or app-based 2FA on every account, especially email. If you entered an exchange login, contact the exchange through their app to freeze withdrawals.
  3. Within 2 hours. File a fraud alert at reportfraud.ftc.gov and FBI IC3 at ic3.gov (UK: Action Fraud). Include the transaction hash for blockchain tracing.
  4. Within 24 hours. Report the impersonator and the phishing domain to X, the brand's official security email, and Chainabuse.com if crypto-related.

Where browser security fits in

Angler phishing defense is mostly behavior. When you do click a DM link, browser-layer detection is the last guard. SafeBrowz is a free Chrome, Firefox, and Edge extension that recognizes the destination phishing page after a user clicks the DM link, even when the social platform never flagged the impersonator. Coinbase, MetaMask, Phantom, and Binance lookalike domains are matched against our brand database of 539+ brands, and seed-phrase capture and wallet-drainer patterns are caught at the page level.

Frequently asked questions

How do attackers find me so fast after I tweet?

Automated monitors on the X API or tools like TweetDeck and Hootsuite filter brand mentions plus keywords like "help" or "stuck." A reply DM can be sent within seconds. Speed makes the response feel like the brand was watching for you.

The account had a blue checkmark. Doesn't that mean it is verified?

Not anymore. X Premium subscribers get a blue check for $8 per month with no identity verification. The gold organization badge has also been gamed. Tap the badge to see why the account has it. "Subscribed to Premium" is not the same as "verified as the brand."

The DM looked exactly like @Coinbase. How can I be sure it was fake?

Compare the handle letter by letter to the official one on the brand's website. Real @CoinbaseSupport has no underscore. Fake variants add an underscore, an extra letter, or a swapped character. Coinbase, MetaMask, Phantom, and Binance support do not DM first - unsolicited DMs are almost always fake.

I gave them my seed phrase. Can the funds be recovered?

Crypto transactions on Ethereum, Solana, Base, and most chains are irreversible. Recovery is rare. Move remaining funds to a fresh wallet on a clean device, revoke all token approvals, and treat the original wallet as burned. Report the theft with the transaction hash to FBI IC3 and Chainabuse.com so it feeds tracing databases.

Should I reply to the impersonator to warn other people?

No. Replying boosts the impersonator in the X algorithm. Report the account through X's "Impersonation" flow, tag the real brand handle in a fresh tweet, and warn others with a screenshot in a separate post that does not link back.

Does this only happen on X, or also on Discord and Telegram?

Every social platform with DMs. Discord crypto servers see constant fake MetaMask and OpenSea support DMs from bots that join and message new members. Telegram has the same problem at higher volume. Same five-step playbook, same defense: real support does not DM first.

Bottom line: Angler phishing works because you raise your hand first. The fake support reply is fast, friendly, and built around the exact problem you just posted. Real Coinbase, MetaMask, Phantom, Binance, Chase, and airline support do not DM you out of the blue, and a blue check no longer proves identity. Check the handle letter by letter, type brand URLs by hand, and treat any "secure link" in a DM as hostile. Once you know the playbook, the lure stops glowing.