Security Alliance (SEAL) released verifiable phishing reports to help teams prove what a phishing site served. The rollout comes after reports of over $400 million lost to crypto phishing in the first half of the year. In this context, the tool focuses on evidence rather than claims.
SEAL said the system is for experienced users.
“It’s intended to be a tool to help experienced ‘good guys’ work better together, rather than the average user,”
SEAL told. The group framed the work as a way to confirm phishing evidence fast.
Attackers use cloaking to show safe pages to scanners and malicious pages to victims. As a result, many reports lack reproducible phishing evidence. SEAL verifiable phishing reports aim to remove that gap with cryptographic proof.
TLS Attestations create cryptographic proof of crypto phishing
The core is TLS Attestations. TLS stands for Transport Layer Security. It encrypts web traffic and preserves integrity. SEAL adds an attestation server into that flow as a trusted cryptographic oracle.
The attestation server performs the encryption and decryption operations. It confirms what passed over the wire. Meanwhile, the user still owns the network connection. This split preserves control while enabling cryptographic proof.
With TLS Attestations, the output is a signed object. It binds the served payload to that session. Teams can treat the file as verifiable phishing evidence. Therefore, disputes over “what was served” drop.
HTTP proxy capture enables verifiable phishing reports
First, users run a local HTTP proxy. The proxy intercepts the connection, captures details, and forwards cryptographic steps to the attestation server. Meanwhile, the suspicious site never sees the attestation server.
Next, the attestation server anchors the session data. Then it packages the content and the cryptographic proof. As a result, the package becomes a verifiable phishing report. It shows exactly what the user saw.
SEAL can verify the verifiable phishing report without visiting the phishing host. This reduces exposure to malicious pages. It also speeds action by incident teams and platforms.
Cloaking no longer hides malicious content from researchers
Meanwhile, Cloaking has blocked reproducible crypto phishing evidence for years. Scanners and crawlers often get clean pages. Victims get wallet-drain prompts or seed requests. The mismatch stalls takedowns and timelines.
SEAL addressed that mismatch directly.
“What we needed was a way to see what the user was seeing. After all, if someone claims that a URL was serving malicious content, we can’t just take their word for it,”
SEAL said. The quotes describe the verification gap, not user error.
By converting the session into cryptographic proof, SEAL verifiable phishing reports let teams compare payloads. They can check hashes, headers, and content, not screenshots. Moreover, the evidence can move across ticketing systems intact.