What are zero-click attacks?

Zero-click attacks allow bad actors to access your cryptocurrencies without any input from you.

Imagine opening your crypto wallet one day and discovering that it’s all gone. You didn’t download any viruses or click on suspicious links. The funds just aren’t there. It’s possible you have fallen victim to a zero-click attack.

A zero-click attack is a digital threat that allows hackers to access your wallet without any interaction from you.

While having your wallet hacked without clicking anything sounds impossible, these threats are the latest to watch out for if you want to protect your crypto wallet.

How zero-click attacks work

Zero-click attacks are the latest in an endless variety of crypto wallet hacks.

Typically, hackers gain access to your wallet when you accidentally download malicious software or click on a suspicious link, also known as crypto phishing attacks. 

Access control vulnerabilities in crypto in 2024

However, a zero-click crypto attack executes code without any action required by you. This lack of interaction is what makes them so threatening. 

Instead of relying on user error, zero-click attacks access your wallet through flaws in your device’s software, be it a PC or mobile phone. 

how hackers steal crypto login credentials

Picture a burglar breaking your door not because you forgot to lock it but because they took advantage of a flaw in your door’s manufacturing. Zero-click attacks work similarly but in a virtual environment, often targeting mobile devices.

Did you know? Zero-click attacks aren’t exclusive to crypto. These software-threatening assaults have been around since the early 2000s, initially targeting messaging apps and email clients. Now, they’re how wallets get hacked.

How hackers target wallets with a zero-click attack

Zero-click malware targets you through programming weaknesses.

Here are some common ways zero-click attacks can target you.

Software weaknesses

If your Android phone receives an update with a specific security flaw, a bad actor can exploit that vulnerability by simply texting you a particular set of words. Once you receive the text, it may activate that flaw and give the hacker complete control. From there, they’ll commit a wallet security breach.

Similarly, hackers can target iOS devices through everyday apps like iMessage or Airdrop. In April 2024, Trust Wallet shared “credible intel” of a zero-click attack on iOS devices. The group recommended users with a crypto wallet installed disable iMessage to protect themselves until Apple produces an update. 

Zero-day vulnerability disclosure by Trust Wallet

While Trust Wallet classified this issue as a zero-day exploit, the company acknowledged that the attack could take over devices without user input, making it a clear example of a zero-click attack.

Network weaknesses

Targeted attacks can breach your wallet software through proximity if you’re connected to a public wi-fi network, like at a coffee shop. The same applies to open Bluetooth connections.

Here’s how it works: open networks transmit your unencrypted data between devices. Hackers can intercept those packets and send malware through them, targeting any devices with a specific software vulnerability.

Any connection to your device — be it wi-fi, Bluetooth, or some other one — is a potential opportunity for a zero-click attack. That’s what makes these attacks so alarming. They can come out of nowhere. One day, a bad actor finds a way to take advantage of your device and exploits it. 

Decentralized application (DApp) weaknesses

Most crypto wallets interact with Web3 apps, also known as DApps. Notably, the barrier to entry for creating a DApp is relatively low, but security measures can vary greatly. 

Even if you’re using a trusted Web3 service, its code can be vulnerable to zero-click attacks anytime. Bad actors can use that weakness, such as an error in the DApp’s smart contract programming, to access your wallet. 

While it can be fun to interact with new DApps, consider using a wallet holding minimal funds. That way, you can test the application while mitigating the damage from a potential zero-click wallet hack.

While attacks caused by such vulnerabilities may seem completely unfair, there are steps you can take to protect yourself.

What if you’ve fallen victim to a zero-click attack?

Suspect you’ve fallen victim to a zero-click attack? Immediately transfer your assets.

If you suspect you’ve fallen victim to a zero-click attack, follow these steps to protect your crypto assets:

  • Disconnect your device: Disconnect the device from the internet immediately.
  • Transfer assets: Secure your Web3 wallet. Transfer your assets to another device using your wallet’s recovery phrase.
  • Run an anti-virus check: Once your assets are safely stored on an uncompromised device, install anti-virus software to scan for any threats.

Did you know? Zero-click attacks are different from zero-day attacks. Zero-click attacks can happen without interaction, while zero-day attacks require clicking on something or opening a file.

Security best practices to protect against a zero-click attack

Zero-click attacks may be scary, but wallet exploit prevention steps exist to protect yourself.

To protect yourself from zero-click attacks, consider adopting these crypto-security best practices:

  • Turn off auto-receive: Turn off auto-receive for texts and multimedia in any messaging apps you use.
  • Minimize Bluetooth usage: Keep Bluetooth off when you’re not using it. This step limits access points for some zero-click attacks.
  • Monitor your wallet connection history: Regularly check your wallet connection history. Consider moving your assets to another wallet if you notice transactions with an unknown source.
  • Utilize a hardware wallet: Hardware wallets are USB-like devices that store your cryptocurrencies offline. Since hardware wallets are disconnected, they’re safer from cyber threats like zero-click attacks. This is always one of our top wallet security tips.
  • Use a multisignature wallet: Multisignature crypto wallets require multiple approvals before executing a transaction. This added layer of protection can significantly reduce the risk of unauthorized transactions.
  • Update apps and software: Keep your apps and device software up to date. Updates often introduce new protections and bug fixes that can prevent zero-click attacks.
  • Install anti-virus software: Anti-virus software regularly scans your device for abnormalities, warning you of anything suspicious.

Security

  • Back up your data: Most devices automatically back up your data regularly. Enable auto-backups to roll back to a previous version if your device is compromised.
  • Tighten up app permissions: Adjust your app permissions to require manual input for activities like wallet transactions. That way, nothing can happen without your input.
  • Two-factor authentication (2FA): Add 2FA to your important log-ins. That way, you’ll be notified if a threat attempts to access your wallet.
  • Use a VPN: VPNs encrypt your internet traffic, making it harder for hackers to intercept your data.
  • Pay attention: Perhaps the most important protection is to pay attention. Browse social media like Reddit for emerging threats, follow credible cybersecurity sources, and take the proper precautions. You can never be too safe.

How to check for a zero-click attack

Zero-click attacks may appear out of nowhere, but there are signs of invasion.

If you’re suspicious of a zero-click attack but aren’t sure, watch out for these signs:

  • Faster battery drain: If the attack installs malware, your device battery may drain faster. You can check your battery health in your device settings.
  • Slower device performance: Alongside faster battery drain, you may notice your device running slower than usual.
  • Random app installs: Occasionally, zero-click attacks may install apps without your approval. If you notice an app you never installed, be wary.
  • Unknown background processes: If your phone suddenly has new background processes going on, delve a bit deeper. These processes may be the result of a zero-click attack.
  • Increased data usage: You can also check your device’s data usage. If you notice a spike in data consumption, it may be time to run a virus scan.
  • Unusual text messages: If you receive unrecognized text messages or emails, block the sender immediately. 

These attacks may not happen right away but can lie awaiting a specific trigger.

The future of zero-click attacks

Zero-click attacks are hardly a new threat. They’ll continue to evolve just as security processes will.

As crypto technology continues to evolve, so will crypto cybersecurity threats. Crypto wallets operate without a central authority, meaning crypto wallet security falls entirely on you. This autonomy makes crypto wallets a target for hackers, meaning delving into the space comes with risk.

Additionally, as artificial intelligence (AI) becomes more advanced, bad actors may leverage it to develop even more complex zero-click spyware. Future threats could include code that auto-updates after infecting your device, protecting itself from whatever you throw at it. 

Protecting yourself from these threats is more important than ever. You can do so by following cybersecurity experts and blogs and abiding by strong security best practices. The best protection against zero-click or any form of attack is to evolve with them.