PhishingHook: Catching Phishing Ethereum Smart Contracts leveraging EVM Opcodes

TL;DR

PhishingHook is a machine learning framework that detects phishing smart contracts on Ethereum by analyzing bytecode and opcodes, achieving around 90% accuracy without transaction replay.

Contribution

This work introduces PhishingHook, a novel approach that uses static bytecode analysis and machine learning to identify malicious smart contracts before deployment.

Findings

Achieves about 90% average accuracy in phishing detection

Evaluates 16 different machine learning techniques

Demonstrates effectiveness of static code analysis for security

Abstract

The Ethereum Virtual Machine (EVM) is a decentralized computing engine. It enables the Ethereum blockchain to execute smart contracts and decentralized applications (dApps). The increasing adoption of Ethereum sparked the rise of phishing activities. Phishing attacks often target users through deceptive means, e.g., fake websites, wallet scams, or malicious smart contracts, aiming to steal sensitive information or funds. A timely detection of phishing activities in the EVM is therefore crucial to preserve the user trust and network integrity. Some state-of-the art approaches to phishing detection in smart contracts rely on the online analysis of transactions and their traces. However, replaying transactions often exposes sensitive user data and interactions, with several security concerns. In this work, we present PhishingHook, a framework that applies machine learning techniques to detect phishing activities in smart contracts by directly analyzing the contract's bytecode and its constituent opcodes. We evaluate the efficacy of such techniques in identifying malicious patterns, suspicious function calls, or anomalous behaviors within the contract's code itself before it is deployed or interacted with. We experimentally compare 16 techniques, belonging to four main categories (Histogram Similarity Classifiers, Vision Models, Language Models and Vulnerability Detection Models), using 7,000 real-world malware smart contracts. Our results demonstrate the efficiency of PhishingHook in performing phishing classification systems, with about 90% average accuracy among all the models. We support experimental reproducibility, and we release our code and datasets to the research community.