Web3 IPFS Only Used for Phishing – So Far<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/l\/web3-ipfs-only-used-for-phishing---so-far.html\"><br \/>\n<meta property=\"og:title\" content=\"Web3 IPFS Only Used for Phishing - So Far\"><br \/>\n<meta property=\"og:description\" content=\"We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/IPFS_641.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Web3 IPFS Only Used for Phishing - So Far\"><br \/>\n<meta name=\"twitter:description\" content=\"We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/IPFS_641.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.236897274633\">  <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a>  <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1154983159\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"7.6855895196507\">\n<div class=\"article-details\" role=\"heading\" readability=\"34.585152838428\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cloud<\/p>\n<p class=\"article-details__description\">We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks.<\/p>\n<p class=\"article-details__author-by\">By: Matsukawa Bakuei, Morton Swimmer <time class=\"article-details__date\">December 20, 2022<\/time> <span>Read time: <\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"47.739016736402\">\n<div readability=\"41.3410041841\">\n<p><a href=\"https:\/\/hbr.org\/2022\/05\/what-is-web3\">Web3<\/a> has been garnering attention recently, but it has yet to be used for anything practical and widespread except for one thing: phishing. The concept of Web 3 encompasses a variety of technologies. In this article, we will ignore the blockchain aspects of Web3 and focus instead on its storage side: specifically, the <a href=\"https:\/\/ipfs.tech\/\">InterPlanetary File System<\/a> (IPFS), a peer-to-peer (P2P) object storage system that relies on content addressing instead of location addressing.<\/p>\n<p>Simply put, each file is addressed by a cryptographic hash and a distributed hash table scheme is used to locate a copy of the file. The hash is encapsulated in a so-called content identifier (CID) and immutably identifies that file. We have been observing a rise in the misuse of this technology and will dive into it in greater detail in a future report. In the meantime, let us focus on a specific type of phishing on IPFS.<\/p>\n<p>Normally, IPFS is only available through the P2P network, although to ease the transition for ordinary web users, there are a number of public IPFS gateways that accept a URL with a CID in it and deliver the content of that IPFS file. These gateways usually take the form <i>http[s]:\/\/<gateway domain>\/ipfs\/<CID>.<\/i><\/p>\n<p><b><i>Research on gateways used for phishing attacks<\/i><\/b><\/p>\n<p>Using Trend Micro’s Web Reputation telemetry data from January 2022 to Nov. 15, 2022, we looked for instances of phishing that used IPFS gateways. Specifically, we looked for IPFS gateway URLs that contained email addresses in the form <i>hxxps[:]\/\/ipfs[.]io\/ipfs\/<CID>#<EmailAddress><\/i>, which is typical of a particular kind of phishing page. For instance, the following phishing page generates a login screen hosted by an IPFS gateway and uses a CID (the string starting with \u201c<i>baf…<\/i>\u201d). Since it uses the same favicon as that used in the domain of the target\u2019s email address, the phishing page thus appears like the official page of the target organization..<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/ipfs-phishing\/IPFS_Figure01.png\" alt=\"A demonstration of an IPFS phishing page\"><figcaption>Figure 1. A demonstration of an IPFS phishing page<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>Searching in VirusTotal, we found examples of emails that use IPFS gateways for phishing attacks. For instance, the following email looks like a DocuSign request, but the button displayed points to a gateway hosted by Fleek, a platform that makes creating IPFS websites easy. When the link is accessed, a sign-in page that looks like it comes from Microsoft appears.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/ipfs-phishing\/IPFS_Figure02_A_BLURRED.png\" alt=\"An email that points to a site hosted on IPFS and generated by Fleek, an IPFS web framework\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/ipfs-phishing\/IPFS_Figure02_B_BLURRED.png\" alt=\"An email that points to a site hosted on IPFS and generated by Fleek, an IPFS web framework\"><figcaption>Figure 2. An email that points to a site hosted on IPFS and generated by Fleek, an IPFS web framework<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38\">\n<div readability=\"21\">\n<p>Notably, even if Fleek decided to block such content, it would still be available through any other IPFS gateway.<\/p>\n<p><b><i>How big is this problem?<\/i><\/b><\/p>\n<p>We first observed one IPFS phishing URL being accessed on Jan. 18, 2022. Since then, the attacks have been constantly rising, as the following graph demonstrates. Recently, there was a spike on November 7, when we observed more that more than 70,000 phishing URL were accessed \u2014 double the maximum we observed up to that point. This shows us that criminal usage is increasing rapidly.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"ecdd33\" data-modal-title=\"Figure 4. The number of new CIDs per week found for the URLs that contain email addresses\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/ipfs-phishing\/IPFS_Figure03.jpeg\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/ipfs-phishing\/IPFS_Figure03.jpeg\" alt=\"Number of times that IPFS phishing URLs containing email addresses were accessed\"> <\/a><figcaption>Figure 3. Number of times that IPFS phishing URLs containing email addresses were accessed<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>However, not all CIDs found in this sample set were unique. We wanted to know how the growth of unique phishing content was developing, so we removed the duplicate CIDs and found that we could still see a steady rise over the last year. This is perhaps a better estimate of how campaigns using IPFS are developing. So far, we have observed 3,966 unique CIDs and an average of 148 new CIDs per week since August. Since then, we have often observed numbers greater than the average as seen in Figure 4.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"253f0d\" data-modal-title=\"Figure 4. The number of new CIDs per week found for the URLs that contain email addresses\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/ipfs-phishing\/IPFS_Figure04.jpeg\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/ipfs-phishing\/IPFS_Figure04.jpeg\" alt=\"The number of new CIDs per week found for the URLs that contain email addresses\"> <\/a><figcaption>Figure 4. The number of new CIDs per week found for the URLs that contain email addresses<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Approximately 28% of the CIDs have been seen only once, and about 72% have been used for less than 10 days. Only 5% have been used for more than a month. This means that while most phishing campaigns move on to new CIDs relatively frequently, there are CIDs that have been in use for longer periods.<b><\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/ipfs-phishing\/IPFS_Figure05_pie_chart.jpeg\" alt=\"Proportion of CIDs used for different durations from this sample set\"><figcaption>Figure 5. Proportion of CIDs used for different durations from this sample set<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>The targeted email addresses are much more diverse, with 455,071 email addresses from 47,734 domains. A closer look at top-level domains shows that \u201c.com\u201d is by far the most popular domain, followed by \u201c.au,\u201d \u201c.de,\u201d \u201c.uk\u201d, and \u201c.jp\u201d.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/ipfs-phishing\/IPFS_Figure06_pie_chart.jpeg\" alt=\"Proportion of top-level domain names targeted by IPFS phishing from this sample set\"><figcaption>Figure 6. Proportion of top-level domain names targeted by IPFS phishing from this sample set<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The most common gateways are, unsurprisingly, the official ipfs.io and Fleek’s gateway. Dweb.link is also a prominent gateway provider, probably because it is also mentioned in the official documentation. Since anyone can host a gateway, the long tail of gateways is not insignificant.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/ipfs-phishing\/IPFS_Figure07_pie_chart.jpeg\" alt=\"Proportions of gateway providers used in IPFS phishing from this sample set\"><figcaption>Figure 7. Proportions of gateway providers used in IPFS phishing from this sample set<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div class=\"responsive-table-wrap\" readability=\"15\">\n<p>The subject lines for phishing are surprisingly diverse. The following table shows the top 10 subject lines according to our telemetry data:<\/p>\n<table align=\"center\" cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\">\n<tbody readability=\"7.5\">\n<tr>\n<td valign=\"top\"><b>Rank<\/b><\/td>\n<td valign=\"top\"><b>Subject (Normalized)<\/b><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>Host-server notification<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>2<\/td>\n<td>[WARNING]: The \u201a\u00c4\u00fa<EmailAddress>\u201a\u00c4\u00f9 email account is nearly full<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>3<\/td>\n<td>Mail delivery failed: returning message to sender<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>4<\/td>\n<td>You have recieved a file via WeTransfer<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>Password Expiry notice!<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>6<\/td>\n<td>(7) Pending incoming messages, Clear Cache for <EmailAddress> to fix Errors.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>7<\/td>\n<td>Password for <EmailAddress> expires soon from Today <Date> <Time><\/td>\n<\/tr>\n<tr>\n<td>8<\/td>\n<td>Mail Account Update<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>9<\/td>\n<td>IT support <EmailAddress><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>10<\/td>\n<td>Authentication error in <EmailAddress> on <Date> <Time><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 1. Top 10 subject lines for phishing emails from telemetry data<\/p>\n<p>The proportion of IPFS-related phishing among all phishing instances detected by the Trend Micro Web Reputation System (WRS) is very small, but it has been gradually increasing and is expected to continue doing so.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/l\/ipfs-phishing\/IPFS_Figure08.jpeg\" alt=\"Distribution of IPFS to non-IPFS phishing over the year\"><figcaption>Figure 8. Distribution of IPFS to non-IPFS phishing over the year<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.843109869646\">\n<div readability=\"27.556797020484\">\n<p><b><i>Conclusion<\/i><\/b><\/p>\n<p>The rise of IPFS-related phishing is concerning because this kind of content <a href=\"https:\/\/www.techrepublic.com\/article\/ipfs-phishing-on-the-rise-makes-campaign-takedown-more-complicated\/\">cannot be deleted<\/a> as it is not stored centrally. Since August, we have been seeing a marked rise in phishing URLs that contain email addresses and use IPFS this year. This is likely because this kind of phishing gives attackers an advantage, not to mention that other alternatives have been discontinued. We expect that the exploitation of IPFS will increase further in the future, emphasizing the need for vigilance.<\/p>\n<p>In the meantime, blocking all gateways individually might not be feasible, as NFTs also often use IPFS. Blocking CIDs by URL patterns is more realistic, but this has its own limitations. However, the entire ecosystem of IPFS is already much bigger than just IPFS and is constantly evolving; this calls for a complete report that we will publish soon. At present, however, phishing unfortunately seems to be the main use-case for IPFS.<\/p>\n<p><b><i>Indicators of Compromise (IOCs)<\/i><\/b><\/p>\n<p>The email sample is from VirusTotal:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">570ab44831e863671b06f3ec8e489715ca5a346daae09c3c00ec4b4db34292fb<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p>   <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p>   <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/l\/web3-ipfs-only-used-for-phishing---so-far.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks. Read More HERE…<\/p>\n","protected":false},"author":2,"featured_media":49822,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9511,9509],"class_list":["post-49821","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-research"],"yoast_head":"\n<title>Web3 IPFS Only Used for Phishing - So Far 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Web3 IPFS Only Used for Phishing - So Far 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-12-20T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/IPFS_641.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/web3-ipfs-only-used-for-phishing-so-far\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/web3-ipfs-only-used-for-phishing-so-far\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Web3 IPFS Only Used for Phishing – So Far\",\"datePublished\":\"2022-12-20T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/web3-ipfs-only-used-for-phishing-so-far\\\/\"},\"wordCount\":1181,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/web3-ipfs-only-used-for-phishing-so-far\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/web3-ipfs-only-used-for-phishing-so-far.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/web3-ipfs-only-used-for-phishing-so-far\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/web3-ipfs-only-used-for-phishing-so-far\\\/\",\"name\":\"Web3 IPFS Only Used for Phishing - So Far 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/web3-ipfs-only-used-for-phishing-so-far\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/web3-ipfs-only-used-for-phishing-so-far\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/web3-ipfs-only-used-for-phishing-so-far.png\",\"datePublished\":\"2022-12-20T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/web3-ipfs-only-used-for-phishing-so-far\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/web3-ipfs-only-used-for-phishing-so-far\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/web3-ipfs-only-used-for-phishing-so-far\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/web3-ipfs-only-used-for-phishing-so-far.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/web3-ipfs-only-used-for-phishing-so-far.png\",\"width\":621,\"height\":331},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/web3-ipfs-only-used-for-phishing-so-far\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Web3 IPFS Only Used for Phishing – So Far\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n","yoast_head_json":{"title":"Web3 IPFS Only Used for Phishing - So Far 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/","og_locale":"en_US","og_type":"article","og_title":"Web3 IPFS Only Used for Phishing - So Far 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-12-20T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/IPFS_641.png","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Web3 IPFS Only Used for Phishing – So Far","datePublished":"2022-12-20T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/"},"wordCount":1181,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/12\/web3-ipfs-only-used-for-phishing-so-far.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Cyber Threats","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/","url":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/","name":"Web3 IPFS Only Used for Phishing - So Far 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/12\/web3-ipfs-only-used-for-phishing-so-far.png","datePublished":"2022-12-20T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/12\/web3-ipfs-only-used-for-phishing-so-far.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/12\/web3-ipfs-only-used-for-phishing-so-far.png","width":621,"height":331},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Web3 IPFS Only Used for Phishing – So Far"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49821","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=49821"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49821\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/49822"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=49821"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=49821"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=49821"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":49821,"date":"2022-12-20T00:00:00","date_gmt":"2022-12-20T00:00:00","guid":{"rendered":"urn:uuid:01fcfd8f-0151-1d7f-c97a-029167791ff7"},"modified":"2022-12-20T00:00:00","modified_gmt":"2022-12-20T00:00:00","slug":"web3-ipfs-only-used-for-phishing-so-far","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/web3-ipfs-only-used-for-phishing-so-far\/","title":{"rendered":"Web3 IPFS Only Used for Phishing – So Far"},"content":{"rendered":"