Hackers can now bypass 2FA — here’s what crypto users need to know

At GITEX Global’s Tech Talks stage, ethical hacker Daniel Kalinowski staged a live, eye-opening demonstration: an attacker using a reverse-proxy phishing setup can completely bypass SMS and TOTP two-factor authentication (2FA), steal session cookies, and seize authenticated sessions — in seconds. For crypto traders, custodial platforms, and self-custody wallet users, the implications are immediate and severe.

If you thought 2FA was bulletproof, this demo proved otherwise: 2FA still raises the bar for attackers, but modern phishing techniques clear it by acting as an invisible man-in-the-middle that relays credentials and tokens as the victim types them.

Audience poll during the live hacking demo revealed gaps in phishing awareness at GITEX Global 2025.

During the live session, the audience took part in an instant poll revealing how seriously organizations take phishing prevention. Nearly half (48%) said they train employees quarterly or more often to recognize sophisticated phishing attacks — but a worrying 21% admitted they never conduct such training. The result underscored the point of the live demo: Even the best authentication tools fail when users aren’t consistently educated about evolving threats.

What is reverse-proxy phishing — in plain terms?

A reverse-proxy phishing attack sits between the victim and the legitimate service. The victim thinks they’re visiting the real site (the UI looks right), but their browser is connected to an attacker-controlled proxy that forwards requests to the real site. When the victim types their username, password, and one-time code, the proxy relays those to the real service and instantly captures the returned session cookie or token. The attacker then uses that cookie/token to log in from their side — often without the victim ever realizing they’ve been hijacked.

Key outcomes of the attack demo:

  • SMS, TOTP apps, and even push-based 2FA can be relayed and abused in real time.
  • Session cookies and OAuth tokens can be stolen and replayed, bypassing the need for credentials thereafter.
  • Corporate accounts (Office 365, cloud consoles) and crypto exchange accounts are both viable targets.

Why crypto users should be alarmed — and not just exchange users

Crypto platforms combine three high-risk elements: high value, irreversible transfers, and often single-factor recovery (seed phrases).

Reverse-proxy phishing affects crypto in several ways:

  • Exchange account takeover: An attacker who captures session cookies or 2FA tokens can withdraw funds or change withdrawal whitelists before the user notices.
  • Self-custody wallet sign requests: If a web wallet or a browser extension (or a compromised machine) is used, phishing can push malicious signing requests to the wallet UI. Users who habitually approve pop-ups are at risk.
  • Seed-phrase harvesting: Sophisticated phishing pages can mimic wallet recovery flows and trick users into entering seed phrases; these are irreversible losses.
  • Social engineering escalation: Once an attacker controls one account (email or exchange), they can escalate to other services via account-recovery flows.

What actually works — prioritized mitigations

At GITEX, cybersecurity firms warned that even the strongest 2FA isn’t bulletproof — especially against reverse-proxy phishing that steals session tokens in real time. Instead, they called for a new security mindset: one built around phishing-resistant authentication, hardware-based protection, and strict environment isolation.

1. Use phishing-resistant authentication (top priority)
Switch from SMS/TOTP to hardware security keys (FIDO2 / WebAuthn / U2F). These protocols verify the site origin and won’t authenticate through a proxy that changes the origin — they’re effectively immune to reverse-proxy phishing.
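
The origin binding described above, sketched from the relying party's side as an added example (not code from the talk or from any vendor). The domains `exchange.example` and `exchange-login.example`, the helper names and the simulated browser output are assumptions; signature verification is left out and noted in a comment.

```python
import base64, hashlib, hmac, json, secrets

RP_ID = "exchange.example"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://exchange.example"  # constructed legitimate origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def simulated_assertion(page_origin: str, challenge: bytes) -> dict:
    """Constructed stand-in for what a browser and authenticator return.
    The browser, not the page, records the origin the user is really on."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    host = page_origin.split("://", 1)[1]
    # authenticatorData: rpIdHash (32 bytes) | flags (0x01 = user present) | signCount
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def failed_checks(assertion: dict, expected_challenge: bytes) -> list:
    """Relying-party side: return the names of the binding checks that fail."""
    failures = []
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    if not hmac.compare_digest(str(cd.get("challenge")), b64url(expected_challenge)):
        failures.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    auth_data = assertion["authenticatorData"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rpIdHash")
    if not auth_data[32] & 0x01:
        failures.append("userPresent")
    # A real relying party also verifies the signature over
    # authenticatorData || SHA-256(clientDataJSON) with the registered public key,
    # so a relay cannot rewrite the origin or rpIdHash without invalidating it.
    return failures

def demo():
    challenge = secrets.token_bytes(32)
    direct = simulated_assertion("https://exchange.example", challenge)
    proxied = simulated_assertion("https://exchange-login.example", challenge)
    return failed_checks(direct, challenge), failed_checks(proxied, challenge)

if __name__ == "__main__":
    print(demo())
```

The proxied case fails on both `origin` and `rpIdHash` even though the challenge was relayed correctly, which is the property SMS and TOTP codes lack.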

2. Adopt hardware wallets + multisig for crypto
Keep large balances in hardware wallets (Ledger, Trezor, or alternatives that you trust), never on a browser extension used for daily browsing.

3. Isolate signing environments
Use a dedicated, hardened device for wallet operations (a clean laptop or smartphone that only runs wallet apps).

4. Protect session tokens and email
Enable conditional access and device-based policies for SSO and major services (block new sessions from unknown IPs). Harden email with phishing-resistant login keys and treat it as the master recovery account; protect it strongly.
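
One way a service can act on stolen-cookie replay, as an added example rather than anything shown at GITEX: bind each session to the IP and user agent seen at login and flag later use from a different context. The log format, the five-minute window and the verdict labels are assumptions, and the log lines are constructed.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed log lines: timestamp, event, session id, source IP, user agent
SAMPLE_LOG = """\
2025-10-14T09:00:02Z,login,s-1001,203.0.113.10,Firefox/131 Windows
2025-10-14T09:00:05Z,request,s-1001,203.0.113.10,Firefox/131 Windows
2025-10-14T09:00:09Z,request,s-1001,198.51.100.77,Chrome/129 Linux
2025-10-14T09:00:40Z,withdrawal_whitelist_change,s-1001,198.51.100.77,Chrome/129 Linux
2025-10-14T09:01:30Z,login,s-1002,192.0.2.44,Safari/18 macOS
2025-10-14T11:30:00Z,request,s-1002,192.0.2.45,Safari/18 macOS
"""

SENSITIVE = {"withdrawal", "withdrawal_whitelist_change"}
RELAY_WINDOW = timedelta(minutes=5)  # assumed policy window after login

def find_session_anomalies(log_text: str) -> list:
    """Return (session id, event, verdict) for requests outside the login context."""
    bound = {}    # session id -> (login time, IP, user agent) seen at login
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        ts, event, sid, ip, ua = row
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if event == "login":
            bound[sid] = (when, ip, ua)
            continue
        if sid not in bound:
            alerts.append((sid, event, "block"))   # cookie with no login on record
            continue
        t0, ip0, ua0 = bound[sid]
        if (ip, ua) == (ip0, ua0):
            continue
        # Both IP and user agent changed: the cookie is likely in another browser.
        if ip != ip0 and ua != ua0 and (when - t0 <= RELAY_WINDOW or event in SENSITIVE):
            alerts.append((sid, event, "block"))
        else:
            alerts.append((sid, event, "reauth"))  # partial shift, e.g. network change
    return alerts

if __name__ == "__main__":
    for alert in find_session_anomalies(SAMPLE_LOG):
        print(alert)
```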

Don’t let hackers control you

The live demo at GITEX wasn’t alarmism — it was a warning shot. Two-factor authentication raises the cost of an attack, but it’s not a panacea. Reverse-proxy phishing demonstrates that authentication must be phishing-resistant; for crypto users, this means using hardware keys, hardware wallets, transaction signing, and separation of duties (such as multisig and isolated signing devices).

If you care about funds or sensitive data, treat SMS/TOTP as only one layer — not the last line of defense. In this new threat environment, trust anchors that validate origin (FIDO2, hardware wallets) and architecture choices (multisig, isolation) are the difference between a scary demo and a catastrophic breach.
