WWW2026
Netting Phish in the IPFS Ocean: Real-Time Monitoring and Characterization of Decentralized Phishing Campaigns
Anas Kastantin, Leonhard Balduf, Onur Ascigil, Saidu Sokoto, Björn Scheuermann, Andrzej Duda, Michal Król, Maciej Korczynski
Abstract
The InterPlanetary File System (IPFS) is the largest decentralized content-centric storage network. While its architecture enables resilient, distributed content delivery, it can be abused to host and disseminate malicious content. Public IPFS HTTP gateways further expand this threat surface, enabling attackers to deploy phishing websites and leverage gateway reputation to evade detection. This model can keep content available even after attackers go offline and challenges traditional phishing detection systems. We present a framework for monitoring and characterizing phishing on IPFS, leveraging a measurement platform that integrates multi-source data, including IPFS traffic and passive DNS. Over 11 months, we detect 10,489 phishing CIDs, grouped into 448 phishing clusters. 80% of detected CIDs originate from only 69 clustered campaigns, indicating that targeting a small number of dominant clusters could yield high mitigation leverage. We also identify 588 gateways involved in dissemination, including 573 outside public gateway lists, and show that attackers can exploit caching across reputable gateways to amplify attacks and extend content availability. Finally, we find that traditional Web phishing countermeasures and IPFS blocklists provide insufficient protection. Our findings support practical mitigation and offer broader insights for trust and safety in decentralized web infrastructures.
CCS Concepts
• Security and privacy → Phishing; Web protocol security; Distributed systems security
• Networks → Network measurement; Peer-to-peer protocols; Peer-to-peer networks