Kastantin, Anas and Balduf, Leonhard and Ascigil, Onur and Sokoto, Saidu and Scheuermann, Bjorn and Duda, Andrzej and Król, Michał and Korczynski, Maciej (2026) Netting Phish in the IPFS Ocean : Real-Time Monitoring and Characterization of Decentralized Phishing Campaigns. In: WWW'26 : Proceedings of the ACM Web Conference 2026. UNSPECIFIED. (In Press)
![[thumbnail of Phish_hunters-3]](https://eprints.lancs.ac.uk/style/images/fileicons/text.png)
Phish_hunters-3.pdf - Accepted Version
Available under License Creative Commons Attribution.
Download (2MB)
Abstract
The InterPlanetary File System (IPFS) is the largest decentralized content-centric storage network. While its architecture enables resilient, distributed content delivery, it can be abused to host and disseminate malicious content. Public IPFS HTTP gateways further expand this threat surface, enabling attackers to deploy phishing websites and leverage gateway reputation to evade detection. This model can keep content available even after attackers go offline and challenges traditional phishing detection systems. We present a framework for monitoring and characterizing phish- ing on IPFS, leveraging a measurement platform that integrates multi-source data, including IPFS traffic and passive DNS. Over 11 months, we detect 10,489 phishing CIDs, grouped into 448 phishing clusters. 80% of detected CIDs originate from only 69 clustered campaigns indicating that targeting a small number of dominant clusters could yield high mitigation leverage. We also identify 588 gateways involved in dissemination, including 573 outside public gateway lists, and show that attackers can exploit caching across reputable gateways to amplify attacks and extend content availabil- ity. Finally, we find that traditional Web phishing countermeasures and IPFS blocklists provide insufficient protection. Our findings support practical mitigation and offer broader in- sights for trust and safety in decentralized web infrastructures.