I just signed a strange message on an unknown website — what should I do immediately?

First action: go to revoke.cash, connect that wallet, find any suspicious approvals and revoke them immediately. If you signed a Permit2 message, you cannot directly revoke an off-chain signature, but you can move your tokens to a new wallet — tokens that haven't been drained will be safe. Move all USDC, USDT, WETH, WBTC, and NFTs to a new wallet (preferably a hardware wallet). You'll pay gas but you'll be safe. After that, never use the old wallet again.

Is a hardware wallet like Ledger 100% safe from signing scams?

Ledger is 95-98% safe but NOT 100%. You still must READ the message displayed on the Ledger screen before confirming. Some scams use "blind signing" — asking you to sign a hex string that Ledger cannot parse clearly. Rule: if Ledger shows "Blind signing required" or "Cannot parse", REJECT unless you understand 100% of the content. Enable the "Disable blind signing" setting in Ledger for maximum safety.

Pocket Universe vs Wallet Guard — which should I use?

Both are free and good. Pocket Universe has better support for Solana and a more beginner-friendly UI. Wallet Guard has more integrations with DeFi dApps and more detailed alerts about Permit2. You can install both — they don't conflict. I personally use Pocket Universe + regular Etherscan Token Approval checks.

I don't have a Ledger, I use MetaMask on my phone — am I safe?

MetaMask mobile is technically safe (private keys are stored in the iPhone's Secure Enclave or Android Keystore), but you are STILL vulnerable to signing scams. You still need to carefully read the message before signing. The biggest warning for mobile wallets is WalletConnect connection — many scams use WalletConnect QR codes to force you to sign messages from fraudulent websites. Always check the website URL you are connecting to before scanning the QR code.

Are Vietnamese pilot exchanges (CAEX, TCEX) safer than DeFi?

Regarding signing scams — yes, they are safer because pilot exchanges are CEXs; you don't need to sign off-chain messages. You only log in with a password + 2FA, and all on-platform transactions require no Web3 signing. However, CEXs have other risks (custody risk, exchange hacks, withdrawal freezes). I recommend a hybrid approach: long-term holdings on a Ledger hardware wallet, trading on a CEX (Vietnamese pilot exchange or Binance, OKX), and avoiding heavy DeFi usage until you are familiar with Web3 security.

Can the MaHoa community support me if I get scammed?

The MaHoa AI Team does not have funds to compensate scammed users — we are an educational community, not an exchange or insurance fund. However, you can join the MaHoa Telegram group or seek support via the website daututaisanmahoa.com to ask questions and get guidance. Most importantly: prevention is better than cure — learning security thoroughly from the start will avoid most risks. This article is step 1.

Quay lại danh sách

Bảo mật & How-toTrung cấp#Web3 security#Signing scam#Phishing crypto

Signing Message Scam Web3 2026: 5 Common Scam Types and How to Avoid Them for Vietnamese Users

Cập nhật: 12 tháng 5, 2026

In the Q1/2026 Web3 loss cases reviewed within the MaHoa community, nearly 60% were not caused by private key hacks but by "signing message scams" — victims themselves signing what seemed like harmless messages in MetaMask or Phantom, only to have all their assets drained within seconds. This is currently the most sophisticated form of fraud because the victim does NOT lose their private key, and the wallet remains technically secure, yet all assets are transferred to the hacker's wallet. This article analyzes the 5 most common types of signing scams, explaining the technical mechanism in easy-to-understand language, along with 7 protection rules distilled from community support experience and 4 free tools we recommend installing this week.

Tâm — CMO MaHoa AI Team2026-05-12T01:37:51.511Z11 phút đọc695 lượt xem