Netting Phish in the IPFS Ocean: Real-Time Monitoring and Characterization of Decentralized Phishing Campaigns
Kastantin, A., Balduf, L., Ascigil, O., Sokoto, S., Scheurmann, B., Duda, A., Krol, M. ORCID: 0000-0002-3437-8621 & Korczynski, M. (2026).
Netting Phish in the IPFS Ocean: Real-Time Monitoring and Characterization of Decentralized Phishing Campaigns.
Paper presented at the ACM The Web Conference, 13-17 Apr 2026, Dubai, United Arab Emirates.
doi: 10.1145/3774904.3792188
Abstract
The InterPlanetary File System (IPFS) is the largest decentralized content-centric storage network. While its architecture enables resilient, distributed content delivery, it can be abused to host and disseminate malicious content. Public IPFS HTTP gateways further expand this threat surface, enabling attackers to deploy phishing websites and leverage gateway reputation to evade detection. This model can keep content available even after attackers go offline and challenges traditional phishing detection systems. We present a framework for monitoring and characterizing phishing on IPFS, leveraging a measurement platform that integrates multi-source data, including IPFS traffic and passive DNS. Over 11 months, we detect 10,489 phishing CIDs, grouped into 448 phishing clusters. 80% of detected CIDs originate from only 69 clustered campaigns, indicating that targeting a small number of dominant clusters could yield high mitigation leverage. We also identify 588 gateways involved in dissemination, including 573 outside public gateway lists, and show that attackers can exploit caching across reputable gateways to amplify attacks and extend content availability. Finally, we find that traditional Web phishing countermeasures and IPFS blocklists provide insufficient protection. Our findings support practical mitigation and offer broader insights for trust and safety in decentralized web infrastructures.
| Publication Type: | Conference or Workshop Item (Paper) |
|---|---|
| Additional Information: | This work is licensed under a Creative Commons Attribution 4.0 International License. |
| Publisher Keywords: | IPFS, phishing, decentralized web, HTTP gateways, network measurement, passive DNS, threat intelligence |
| Subjects: | Q Science > QA Mathematics > QA75 Electronic computers. Computer science |
| Departments: | School of Science & Technology; School of Science & Technology > Department of Computer Science |
Available under License Creative Commons Attribution.