One week after Pudgy World, a free-to-play browser game tied to the Pudgy Penguins NFT brand, launched on March 10, cybercriminals had already created a sophisticated phishing operation targeting players. The fake site demonstrates a level of technical sophistication that raises troubling questions about security preparedness in emerging Web3 platforms.
The NFT brand has made its way onto Walmart shelves and launched a game this month, which has already been hit by a pretty nasty phishing scam. The phishing site abuses the fact that the web browser game Pudgy World connects to users' crypto wallets to verify digital items. The fake site presents highly convincing forgeries of 11 different cryptocurrency wallet interfaces to steal user credentials, including MetaMask, Trust Wallet, Coinbase Wallet, and others.
What makes this attack particularly troubling is its technical evasion capability. The attackers employ advanced evasion techniques to avoid detection by security researchers and sandbox environments, using methods such as sandbox detection and anti-research techniques. The campaign's evasion techniques complicate detection and response efforts, potentially allowing attackers to harvest large volumes of credentials before mitigation.
The phishing site is highly detailed, accurately replicating the site's design with a pop-up window designed to resemble Reown WalletConnect, the wallet connection library that Pudgy World uses. The fake pop-up renders an overlay designed to look like the legitimate unlock screen, tricking users into believing their own applications are being used. For every browser extension wallet on the list, the phishing site renders an unlock screen built to match the real extension's own visual identity, with the correct logo, colour scheme, button layout, and wording.
This incident underscores a broader problem in cryptocurrency security. The campaign exploits users' excitement about the game launch and their unfamiliarity with Web3 wallet onboarding. According to the FBI's Internet Crime Complaint Center, phishing and spoofing scams accounted for 193,407 complaints in 2024, with reported losses exceeding $70 million. The speed with which scammers mobilised against a newly launched game suggests a well-organised operation with commercial tools.
The technical sophistication suggests the use of a commercial phishing kit tailored for crypto-related attacks. This indicates the problem extends beyond opportunistic criminals; it reflects an industrialised infrastructure supporting credential theft at scale.
For users, the defence remains relatively straightforward but requires discipline. Bookmark the official Pudgy Penguins site and the official game URL, and navigate to it directly from that bookmark, never from a link in Discord, Twitter, or a direct message. Install a browser extension that flags known phishing domains before you interact with them. Malwarebytes Browser Guard will block this domain.
The incident reveals a tension at the heart of mainstream Web3 adoption. As projects like Pudgy World work to simplify crypto interaction for ordinary users, that very accessibility creates a target-rich environment for attacks. The scammers' ability to create convincing replicas of multiple wallet interfaces and deploy detection-evasion code suggests they are well-funded and technically competent. That combination poses a real risk to the credibility of Web3 platforms as they attempt to reach mass audiences.