Education, 8 June 2026

Man-in-the-Middle Attacks in Crypto: How Attackers Intercept Your Transactions

Executive Summary: While the blockchain security industry remains fixated on smart contract code, a different class of threat quietly accounts for a significant share of crypto losses: the man-in-the-middle (MITM) attack. These attacks do not require an attacker to break cryptography or exploit a contract bug. They exploit the network layer, the operational layer, and the human layer: the very areas most Web3 teams leave entirely unguarded. This guide explains exactly what a MITM attack is, how it operates in the crypto and blockchain context, and what a properly constructed operational security programme does to counter it.

What Is a Man-in-the-Middle Attack?

A man-in-the-middle attack (also referred to as an on-path attack) is a form of cyberattack in which a malicious actor secretly intercepts and potentially alters communications between two parties who each believe they are communicating directly and securely with one another. The attacker positions themselves between the sender and the recipient, effectively becoming an invisible relay: reading, recording, or modifying data in transit without either party detecting the intrusion.

The attack lifecycle typically proceeds in two stages. First, interception: the attacker inserts themselves into the communication channel using one of several techniques (detailed below). Second, decryption: if the intercepted traffic is encrypted, the attacker attempts to defeat that encryption, for instance by downgrading a TLS connection or presenting a forged certificate to one or both parties.

In traditional IT security, MITM attacks are a well-documented threat addressed by certificate authorities, TLS enforcement, and mutual authentication. In the crypto world, however, the attack surface is dramatically expanded. Blockchain applications communicate with nodes via JSON-RPC, interact with browser extensions, depend on DNS resolution to reach infrastructure, and route through internet exchange points, each of which represents a potential interception vector that the average Web3 team has never assessed.

How MITM Attacks Work in Blockchain and Crypto

RPC Endpoint Poisoning

Every Web3 wallet and dApp communicates with a blockchain node via a JSON-RPC endpoint. MetaMask, for example, defaults to Infura's public endpoint for Ethereum. An attacker who can intercept or redirect these requests (through DNS hijacking, a compromised WiFi router, or BGP manipulation) can substitute a malicious RPC node in place of the legitimate one.

Once a poisoned RPC endpoint is in place, the attacker can return manipulated data: fabricated balances, altered contract addresses, fake transaction confirmations, or redirected calls to malicious contracts. The user sees a normal interface and signs what they believe are legitimate transactions, sending funds directly to the attacker.

DNS Hijacking

DNS hijacking redirects a domain's DNS records to point to a server under attacker control. A user navigating to a legitimate exchange, DeFi protocol, or wallet interface is instead served a pixel-perfect clone that harvests their credentials or seed phrase, or silently substitutes wallet addresses in any transaction they attempt to execute.

DNS hijacking does not require compromising the target organisation directly. Attackers may compromise the domain registrar, the DNS provider, or an upstream resolver, all of which are infrastructure layers most Web3 projects do not monitor.

BGP Hijacking Targeting Crypto Infrastructure

Border Gateway Protocol (BGP) hijacking is a more sophisticated and nation-state-grade attack in which an attacker announces false routing information on the internet's core routing protocol, redirecting traffic at the autonomous system level. This has been documented in the context of cryptocurrency exchanges and mining pools. In 2018, traffic to Amazon's Route 53 DNS service was hijacked via BGP manipulation to redirect users of MyEtherWallet to a phishing server, resulting in approximately $150,000 in ETH losses. The users' browsers showed SSL warnings, but a sufficient number proceeded anyway.

Evil Twin WiFi and Public Network Attacks

A rogue access point (also called an evil twin) mimics a legitimate WiFi network name (SSID). When a developer or finance team member connects to what appears to be the office WiFi or a hotel network, all unencrypted traffic, and any TLS traffic for which certificate warnings are dismissed, passes through the attacker's hardware. This is a recurring attack vector against crypto professionals who travel to conferences, work in co-working spaces, or operate from unsecured home networks without a VPN.

Types of MITM Attacks Relevant to Crypto

ARP Spoofing

Address Resolution Protocol (ARP) spoofing is a local network attack in which the attacker broadcasts forged ARP responses, associating their MAC address with the IP address of a legitimate device (typically the default gateway). All traffic from the victim's device is then routed through the attacker before being forwarded to its destination, enabling passive interception or active modification.

In a crypto team's office environment, an attacker with physical or remote access to the LAN (including a compromised employee device) can execute ARP spoofing to intercept internal communications, RPC calls, and admin panel access without any user interaction.

SSL Stripping

SSL stripping downgrades an HTTPS connection to plain HTTP by intercepting the initial HTTP request before it can be redirected to HTTPS. The victim's browser communicates over HTTP with the attacker, who maintains the HTTPS session with the legitimate server. The attacker sees all data in plaintext: including wallet credentials, API keys, and signed transaction payloads.

DNS Poisoning (Cache Poisoning)

DNS cache poisoning corrupts the records stored in a recursive DNS resolver, causing it to return fraudulent IP addresses for legitimate domain queries. Unlike DNS hijacking, which typically targets the authoritative record at the registrar, cache poisoning targets resolvers in the query chain, potentially affecting thousands of users through a single compromised resolver.

Man-in-the-Browser via Malicious Extensions

Browser extensions operate with elevated permissions and can intercept, modify, and inject content into any page the browser loads. Malicious browser extensions posing as wallet helpers, gas optimisers, or DeFi aggregators have been repeatedly documented performing real-time clipboard hijacking and transaction manipulation: replacing destination addresses with attacker-controlled wallets at the point of signing, after the user has verified the address on screen.

This is categorically a MITM attack: the extension sits between the user and the dApp interface, intercepting and modifying communications at the application layer.

Clipboard Hijacking

Clipboard hijacking malware monitors the system clipboard for content that matches a cryptocurrency address pattern (typically a regex matching the address format of Bitcoin, Ethereum, or other chains) and silently replaces the copied address with an attacker-controlled address. The victim copies an address, pastes it into a transaction form, and sends funds to the attacker, having visually confirmed a different address before copying. This attack has resulted in documented losses in the tens of millions of dollars across the industry.
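As an added illustration of the defender's side of this pattern (not code from the original post), the Python below classifies clipboard content with the same kind of address regexes a hijacker uses, flags a silent address-for-address replacement shortly after a copy, and performs the final copied-versus-pasted check before a transaction is submitted. The clipboard timeline, the addresses and the `user_copy` signal are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Address-format patterns of the kind a clipboard hijacker keys on.
# Assumption: only common Bitcoin (legacy, bech32) and Ethereum encodings are covered.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify_address(text):
    """Return the address family a clipboard string looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None

@dataclass
class ClipboardEvent:
    t: float         # seconds since monitoring started
    content: str     # clipboard text observed at that moment
    user_copy: bool  # hypothetical OS signal: this change came from a user copy action

def detect_clipboard_swaps(events, window=2.0):
    """Flag changes where one valid address became a different address of the same
    family within `window` seconds and without a user copy: a hijacker's signature."""
    alerts = []
    prev = None
    for ev in events:
        if prev is not None and not ev.user_copy:
            before, after = classify_address(prev.content), classify_address(ev.content)
            swapped = before and before == after and prev.content.strip() != ev.content.strip()
            if swapped and ev.t - prev.t <= window:
                alerts.append({"t": ev.t, "family": after,
                               "expected": prev.content, "observed": ev.content})
        prev = ev
    return alerts

def verify_before_send(copied, pasted):
    """Final check at submission: the form address must equal what was copied.
    Ethereum hex is compared case-insensitively; base58/bech32 are case-sensitive."""
    copied, pasted = copied.strip(), pasted.strip()
    if classify_address(copied) == "eth":
        return copied.lower() == pasted.lower()
    return copied == pasted

# Constructed timeline: the user copies a payee address and 300 ms later the
# clipboard silently changes to a different address with no copy action.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes", True),
    ClipboardEvent(5.0, "0x1111111111111111111111111111111111111111", True),
    ClipboardEvent(5.3, "0x2222222222222222222222222222222222222222", False),
    ClipboardEvent(40.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", True),
]
```

Running `detect_clipboard_swaps(SAMPLE_EVENTS)` yields one alert for the Ethereum address replaced at t=5.3; the bech32 copy at t=40 is a normal user action and is not flagged.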

Real-World Examples

MyEtherWallet BGP Hijack (2018)

In April 2018, attackers hijacked BGP routes for Amazon's Route 53 DNS service, redirecting users of MyEtherWallet to a server in Russia. The attack lasted approximately two hours. Users who dismissed the SSL certificate warning were served a fake interface that harvested their private keys. The estimated loss was $150,000, a figure that would be substantially higher in today's market context. The attack required no exploitation of MyEtherWallet's own infrastructure: the entire chain of compromise was at the network routing and DNS resolution layer.

Clipboard Hijacker Malware Campaigns

Numerous malware families (including CryptoShuffler, ComboJack, and ClipBanker) have specifically targeted cryptocurrency clipboard data. Security researchers have documented individual wallets that received tens of thousands of fraudulent transactions from victims who unknowingly pasted hijacked addresses. These malware strains are distributed via trojanised software downloads, pirated content, and malicious npm packages targeting developer environments, the latter being particularly relevant to the crypto development community.

Ethereum RPC Injection via Malicious Extensions

Multiple browser extensions available on the Chrome Web Store have been identified injecting malicious JavaScript into Ethereum dApp pages, hooking the window.ethereum object to intercept and modify transaction parameters before they reach the user's hardware wallet or MetaMask confirmation dialogue. Users reviewing the transaction on the dApp interface see the legitimate parameters; the injected code substitutes the recipient address in the background.

Key Indicators You Are Under a MITM Attack

  • Unexpected SSL/TLS certificate errors, or a certificate issued by an unfamiliar or recently issued certificate authority for a site you visit regularly.
  • Certificate transparency log anomalies: unexpected certificates for your domain visible in public CT logs.
  • Wallet addresses that differ at confirmation from what was copied. This is a near-certain indicator of clipboard hijacking or browser extension manipulation.
  • Unexpected DNS resolution: the IP address returned for a domain differs from the expected value (verify with multiple resolvers and compare).
  • Anomalous network latency on requests that should be low-latency. Traffic being routed through an additional hop introduces measurable delay.
  • Unexpected login prompts for services you are already authenticated to, particularly if the login page URL differs subtly from the canonical domain.
  • RPC endpoint returning unexpected data: balances, block numbers, or contract states inconsistent with what is visible on a block explorer via direct query.

"The most dangerous MITM attack is the one that never triggers a single alert, because nobody was monitoring the network layer in the first place. Most Web3 teams have extensive smart contract monitoring and zero network-level visibility."

How to Protect Against MITM Attacks

Certificate Pinning and HSTS Enforcement

Certificate pinning hardcodes the expected TLS certificate or public key for a specific domain within an application, so that any connection using a different certificate (even one validly signed by a trusted CA) is rejected. For Web3 applications serving institutional clients or managing significant value, certificate pinning at the application layer is a critical control. Combined with HTTP Strict Transport Security (HSTS) with long max-age values and inclusion in browser preload lists, it eliminates the SSL stripping attack vector entirely for enrolled clients.

Always-On VPN for Development and Operations Teams

A corporate always-on VPN routes all traffic from developer and operations workstations through a trusted tunnel, defeating local network MITM attacks including ARP spoofing and evil twin access points. Where split tunnelling is permitted at all, the VPN policy must ensure that all crypto-related traffic (RPC calls, exchange API connections, admin panel access) still routes through the tunnel, even when staff are working remotely or at conferences.

Hardware Wallets with Independent Display Verification

A hardware wallet (cold wallet device) performs transaction signing in an isolated environment and displays the full transaction details (including recipient address and value) on a tamper-evident physical screen that cannot be manipulated by a compromised host OS or browser. Regardless of what any browser extension or malicious RPC endpoint has substituted in the transaction payload, the hardware wallet displays the actual parameters being signed. Users must be trained to verify the hardware wallet display rather than the browser interface: the device display is the ground truth.

Verified and Pinned RPC Endpoints

Teams should operate their own full nodes where operationally feasible, and where public RPC endpoints are used, these should be accessed over HTTPS with certificate validation enabled and the endpoint URL hardcoded rather than dynamically resolved. Regularly cross-referencing RPC-returned data against multiple independent providers and block explorers provides anomaly detection capability.
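As an added example of the cross-referencing this section recommends (not tooling from the original post or from Security4Web3), the Python below fetches one account's state from several hardcoded JSON-RPC endpoints over HTTPS and flags any provider whose block height or returned balance/code disagrees with the others, which is the symptom a poisoned endpoint produces. The provider names, the responses in `SAMPLE_RESULTS` and the tolerance of three blocks are constructed assumptions.

```python
import json
import urllib.request

# Constructed responses from four hypothetical providers for the same account at a pinned
# block tag; "poisoned" stands in for a substituted endpoint returning manipulated data.
SAMPLE_RESULTS = {
    "provider_a": {"eth_blockNumber": "0x12d687", "eth_getBalance": "0xde0b6b3a7640000", "eth_getCode": "0x"},
    "provider_b": {"eth_blockNumber": "0x12d685", "eth_getBalance": "0xde0b6b3a7640000", "eth_getCode": "0x"},
    "provider_c": {"eth_blockNumber": "0x12d688", "eth_getBalance": "0xde0b6b3a7640000", "eth_getCode": "0x"},
    "poisoned":   {"eth_blockNumber": "0x12d600", "eth_getBalance": "0x8ac7230489e80000", "eth_getCode": "0x"},
}

def rpc_call(url, method, params, req_id=1):
    """One JSON-RPC 2.0 request over HTTPS; urllib verifies the server certificate by default.
    Use only with a hardcoded endpoint URL, as recommended above."""
    body = json.dumps({"jsonrpc": "2.0", "id": req_id, "method": method, "params": params}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())["result"]

def fetch_state(endpoints, address, block_tag):
    """Query every endpoint (name -> URL) for the same account at the same pinned block."""
    return {name: {"eth_blockNumber": rpc_call(url, "eth_blockNumber", []),
                   "eth_getBalance": rpc_call(url, "eth_getBalance", [address, block_tag]),
                   "eth_getCode": rpc_call(url, "eth_getCode", [address, block_tag])}
            for name, url in endpoints.items()}

def parse_quantity(value):
    """JSON-RPC quantities are 0x-prefixed hex strings; anything else is malformed."""
    if not isinstance(value, str) or not value.startswith("0x"):
        raise ValueError(f"malformed quantity: {value!r}")
    return int(value, 16)

def cross_check(results, max_block_lag=3):
    """Block heights may legitimately differ by a few blocks (providers sync at different
    speeds), so they are compared to the median with a tolerance. Balance and code were
    fetched at a pinned block, so every provider must match the majority answer."""
    anomalies = []
    heights = {p: parse_quantity(r["eth_blockNumber"]) for p, r in results.items()}
    median = sorted(heights.values())[len(heights) // 2]
    for p, h in heights.items():
        if abs(h - median) > max_block_lag:
            anomalies.append(f"{p}: block height {h} is {abs(h - median)} blocks from median {median}")
    for field in ("eth_getBalance", "eth_getCode"):
        values = {p: r[field] for p, r in results.items()}
        counts = {}
        for v in values.values():
            counts[v] = counts.get(v, 0) + 1
        majority = max(counts, key=counts.get)
        for p, v in values.items():
            if v != majority:
                anomalies.append(f"{p}: {field} {v} disagrees with majority {majority}")
    return anomalies
```

On the constructed sample, `cross_check(SAMPLE_RESULTS)` reports two anomalies, both against the "poisoned" provider (a height 135 blocks behind and a balance ten times the majority value), and reports nothing once that provider is removed.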

DNS Security (DNSSEC and DNS-over-HTTPS)

DNSSEC cryptographically signs DNS records, enabling resolvers to verify that responses have not been tampered with in transit. DNS-over-HTTPS (DoH) encrypts DNS queries between the client and the resolver, preventing ISP-level DNS tampering and eavesdropping. Both should be enabled at the organisation's DNS infrastructure and enforced at the workstation level via MDM policy.

Multi-Signature Confirmation Protocols

For high-value transactions, multi-signature (multisig) approval processes require independent confirmation from multiple key holders, each of whom must independently verify the transaction parameters on their own hardware wallet before signing. A MITM attack that successfully manipulates the transaction parameters on one signer's interface cannot simultaneously manipulate the independent verification of all required signers, providing a robust defence at the process layer.

Browser Extension Hygiene

Establish and enforce a whitelist of approved browser extensions for all staff who interact with crypto interfaces. Conduct periodic audits of installed extensions. Prohibit extension installation outside of the approved list via browser management policies. Consider using isolated browser profiles or virtual machines for sensitive crypto operations, preventing any extension installed for personal use from accessing the operational environment.

The Operational Security Layer: What Most Teams Miss

The blockchain security industry has made significant progress on smart contract auditing methodology. Automated scanners, formal verification tools, and competitive audit firms have raised the bar for code-level security. But this progress has created a dangerous blind spot: teams that pass a clean audit report conclude they are secure, without ever having examined the network infrastructure, the development environment, or the operational practices of the people who deploy and manage the contracts.

MITM attacks are a perfect illustration of this gap. No smart contract audit will identify a poisoned RPC endpoint in the deployment pipeline. No code review will detect a clipboard hijacking malware infection on a developer's workstation. No formal verification will prevent an attacker from intercepting the private key transmission during a multisig ceremony conducted over an unsecured conference WiFi network.

The People, Process, Technology framework (borrowed from the defence and enterprise security industries) addresses this gap systematically:

  • People: Security awareness training covering MITM vectors, phishing, and social engineering. Protocols for identifying and reporting anomalous network behaviour. Clear escalation paths when indicators of compromise are observed.
  • Process: Mandatory VPN use for all operational activities. Independent transaction verification protocols using hardware wallet displays. Checklist-based procedures for deployment and key management operations that include network security validation steps.
  • Technology: Always-on VPN, DNSSEC/DoH enforcement, certificate transparency monitoring, hardware wallets for all signing operations, browser extension management via MDM, RPC endpoint validation tooling, and network anomaly detection.

At Security4Web3, our security reviews cover all three layers: not just the contract code. Our team's background in defence-sector security means we approach the operational threat model with the same rigour applied to the highest-value targets: because for a sufficiently motivated attacker, your protocol's operational layer will always be the path of least resistance.

Frequently Asked Questions

Can a man-in-the-middle attack steal crypto?

Yes. MITM attacks can steal crypto by intercepting and replacing wallet addresses during transactions, poisoning RPC endpoints to redirect signed transactions to attacker-controlled contracts, or capturing private keys and login credentials transmitted over compromised connections.

What is the difference between a MITM attack and phishing?

Phishing tricks a user into voluntarily submitting credentials or signing malicious transactions by impersonating a trusted entity. A MITM attack silently intercepts legitimate communications between two parties without either party necessarily being deceived: the interception happens at the network or application layer, not through social manipulation alone. In practice, many sophisticated attacks combine both: phishing to gain initial access, followed by MITM techniques to maintain persistent interception.

Does a VPN protect against MITM attacks in crypto?

A VPN reduces exposure to local network MITM attacks such as ARP spoofing on public WiFi, but it does not protect against all vectors. DNS poisoning, BGP hijacking, malicious browser extensions, and RPC endpoint compromise operate at layers a VPN does not address. Defence in depth, combining VPN, certificate pinning, hardware wallets, and verified RPC endpoints, is required for robust protection.

What is RPC endpoint poisoning in crypto?

RPC endpoint poisoning occurs when an attacker substitutes or compromises the JSON-RPC node a wallet or dApp uses to communicate with a blockchain. The poisoned endpoint can return manipulated data (altered balances, fake transaction statuses, or redirected contract addresses), causing users to unknowingly interact with attacker-controlled infrastructure.

How do I know if I am under a MITM attack?

Warning signs include unexpected SSL certificate errors or certificate authority changes, unexpected redirects to login pages you did not initiate, wallet addresses that appear different at confirmation versus what you copied, DNS resolution returning unexpected IP addresses, and anomalous network latency. Routine certificate transparency monitoring and endpoint verification are the most reliable detection methods.
