ImToken has launched Sigil, a new security product designed to put a verifiable human approval layer between AI Agents and digital wallets, as autonomous software begins handling increasingly sensitive tasks such as blockchain transactions, contract signing, file changes, data access, and service purchases.
The product is built around a “what you see is what you sign” model, a security principle that requires users to view the exact transaction details before authorizing an action. Instead of approving an AI Agent’s request through vague prompts such as “yes,” “approve,” or “confirm,” Sigil presents structured transaction information, including the recipient, amount, protocol, and signing request, before approval is granted through Passkey and biometric verification.
The launch comes as wallet providers, blockchain infrastructure companies, and AI developers move toward agent-based systems that can perform tasks on behalf of users. That shift has created a new security challenge: if AI Agents can act independently, they also need boundaries that prevent unauthorized spending, forged approvals, hidden contract interactions, or identity misuse.
ImToken said Sigil is intended to solve that problem by separating the AI Agent from the final approval process. Users can define what an Agent is allowed to do on its own and which actions require direct human consent. When a high-risk operation is triggered, such as moving funds or signing an on-chain contract, the transaction is paused and sent to the user for secure confirmation.
The company framed Sigil as part of its broader “Sign” initiative, but its ambitions go beyond cryptocurrency. ImToken plans to apply the same approval model to actions performed by autonomous Agents across personal devices and cloud environments, including editing files, publishing content, purchasing services, and granting access to sensitive data.
The product reflects a wider shift in digital asset security, where the industry is moving away from blind signing and toward clearer, human-readable transaction prompts. Blind signing, where users approve blockchain transactions without seeing the full meaning or details of what they are authorizing, has been blamed for billions of dollars in losses across hacks, wallet drains, malicious contracts, and phishing attacks.
A response to autonomous AI risk
The rise of AI Agents has introduced a new layer of complexity to an already difficult security environment. In traditional wallet use, a person usually reviews a transaction and clicks to approve it. With autonomous Agents, software may initiate actions based on goals, prompts, permissions, or integrations with other services. That creates a gap between intention and execution.
For example, a user may ask an Agent to manage a portfolio, claim rewards, interact with a decentralized application, or pay for a service. The Agent may then decide what steps are needed to complete the task. If those steps include signing a smart contract or sending assets, a weak confirmation system could expose the user to serious risk.
ImToken said traditional confirmation methods are not sufficient for this environment because many rely on minimal text input. A prompt that asks a user to type “yes” or press “confirm” may not show what is really happening underneath. In blockchain systems, where signed messages can authorize transfers, contract permissions, or identity actions, the gap between the displayed prompt and the actual transaction can be dangerous.
Sigil is designed to reduce that gap. When an AI Agent attempts a sensitive action, the approval flow moves outside the Agent’s control. The user receives a confirmation card through Telegram showing the actual parameters of the operation. The user then approves or rejects it using Passkey authentication, which can rely on device-based biometrics such as a fingerprint or facial recognition.
The core idea is that the Agent may propose an action, but it cannot quietly change what the user sees or signs. The final approval must come from the verified account holder, and it must match the displayed transaction data.
How the security model works
ImToken described Sigil’s security model as operating through three layers.
The first layer is visual clarity. Users must see precise transaction details before signing. That includes essential information such as the destination address, amount, protocol, and the type of operation being requested. The purpose is to replace opaque approvals with transaction data that a human can review.
The second layer is verified identity. Approval must be completed by the account holder through Passkey credentials. Passkeys are generally considered more resistant to phishing than passwords because the credential is bound to the identifier of the service that registered it and to the user's device: a lookalike site on a different domain cannot invoke it, and there is no shared secret for an attacker to capture and replay. Built-in biometrics gate use of the credential locally, but the phishing resistance comes from that origin binding, not from the biometric itself.
The third layer is isolation. The approval interface is generated by a separate module in a sandbox environment, rather than by the AI Agent itself. That separation is important because it prevents the Agent from modifying, hiding, or forging the confirmation display. In other words, the same system proposing the transaction does not control the final screen that the user relies on to approve it.
This structure is meant to prevent one of the most persistent risks in automated transaction systems: a mismatch between what a user believes they approved and what the system actually executes.
ImToken said Sigil ensures that only operations matching the parameters shown to the user can be carried out. If the request submitted for execution differs from what was displayed, the system blocks it automatically. Each request is also hashed, and the approval signature covers that hash together with a single-use, time-limited token, so the parameters cannot be altered, and the approval cannot be reused, once it has been granted.
That matters because post-approval modification is a major concern in automated environments. If an attacker or compromised Agent can change a recipient, amount, or contract call after the user approves a request, then the approval itself becomes unreliable. Sigil’s model attempts to close that window by cryptographically binding the user’s approval to the exact request they reviewed.
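As an added illustration, not ImToken's code and not a description of Sigil's internals, the following Python sketch shows the binding described above: the confirmation card is rendered from the same canonical request that is hashed, the user's approval signs that hash together with a single-use nonce and an expiry, and the executor refuses anything that does not match, has expired, or has already been used. The field names, the 120-second lifetime and the HMAC standing in for a Passkey assertion are assumptions; a real deployment would verify a WebAuthn assertion with the user's public key.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for the user's Passkey private key (assumption: a real system
# verifies a WebAuthn assertion with the registered public key; an HMAC keyed
# with a demo secret plays that role here so the example runs offline).
USER_SECRET = b"demo-user-secret-not-for-production"


def canonical_hash(request: dict) -> str:
    """Digest of the exact parameters shown to the user.

    Canonical JSON (sorted keys, no whitespace) means key order or formatting
    cannot make two identical requests hash differently, while any changed
    field (recipient, amount, chain) produces a different digest.
    """
    encoded = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def render_card(request: dict) -> str:
    """Human-readable confirmation card built from the same dict that is hashed,
    so what is displayed and what is bound are one object, not two copies."""
    lines = [f"{key}: {request[key]}" for key in sorted(request)]
    lines.append(f"request hash: {canonical_hash(request)[:16]}")
    return "\n".join(lines)


def approve(request: dict, now: int, ttl_seconds: int = 120) -> dict:
    """The user's approval, produced only after the card was reviewed:
    a single-use nonce, an expiry, and a signature over (hash, nonce, expiry)."""
    request_hash = canonical_hash(request)
    nonce = secrets.token_hex(16)
    expires_at = now + ttl_seconds
    message = f"{request_hash}|{nonce}|{expires_at}".encode()
    signature = hmac.new(USER_SECRET, message, hashlib.sha256).hexdigest()
    return {"request_hash": request_hash, "nonce": nonce,
            "expires_at": expires_at, "signature": signature}


class Executor:
    """Executes a request only if a valid approval binds to exactly that request."""

    def __init__(self) -> None:
        self.spent_nonces: set[str] = set()

    def execute(self, request: dict, approval: dict, now: int) -> tuple[bool, str]:
        # 1. Authenticity: was this approval produced by the account holder?
        message = (f"{approval['request_hash']}|{approval['nonce']}|"
                   f"{approval['expires_at']}").encode()
        expected = hmac.new(USER_SECRET, message, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, approval["signature"]):
            return False, "invalid signature"
        # 2. Freshness: approvals are time-limited.
        if now > approval["expires_at"]:
            return False, "approval expired"
        # 3. Single use: one approval authorizes one execution.
        if approval["nonce"] in self.spent_nonces:
            return False, "approval already used"
        # 4. Binding: the request about to execute must hash to what was shown.
        if canonical_hash(request) != approval["request_hash"]:
            return False, "request does not match approved parameters"
        self.spent_nonces.add(approval["nonce"])
        return True, "executed"


if __name__ == "__main__":
    # Constructed sample request; addresses are placeholders.
    shown = {"action": "transfer", "asset": "ETH", "amount": "0.5",
             "to": "0x1111111111111111111111111111111111111111", "chain_id": 1}
    print(render_card(shown))
    ticket = approve(shown, now=1_000)
    ex = Executor()
    swapped = dict(shown, to="0x2222222222222222222222222222222222222222")
    print(ex.execute(swapped, ticket, now=1_010))  # recipient changed after approval
    print(ex.execute(shown, ticket, now=1_010))    # matches what the user saw
    print(ex.execute(shown, ticket, now=1_010))    # replay of a spent approval
```

The order of the checks matters: the nonce is marked spent only after the binding check passes, so a rejected, tampered request does not burn the approval the user actually gave, and a forged or expired ticket is refused before any state changes.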
Custom controls for different users
Sigil also gives users control over how strict the approval process should be. ImToken said users can choose from Relaxed, Balanced, or Strict security levels, or create custom rules depending on their risk tolerance and use case.
A user who wants more automation may allow an AI Agent to complete low-risk actions independently. A user who is more cautious may require manual approval for a wider range of activity. Businesses, active traders, and people managing larger balances may choose stricter settings.
Even under more permissive modes, ImToken said actions involving direct fund movement or blockchain signatures still require explicit consent. That is a key part of the design. The system is not only about convenience or automation; it is about defining a boundary around operations that carry financial or identity-related consequences.
This approach recognizes that not all Agent actions carry the same risk. Reading public data, summarizing market activity, or preparing a report may not need the same level of control as signing a transaction. But once an Agent can move assets, approve token spending, interact with a protocol, or sign messages linked to identity, the security requirements change.
The challenge for wallet providers is to preserve the usefulness of AI automation without allowing it to become a hidden signing machine. Sigil’s rule-based model is meant to make that distinction clearer.
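To make the rule-based distinction concrete, here is an added Python sketch of a policy gate of the kind the Relaxed, Balanced and Strict tiers imply. It is not ImToken's code, and the contents of each tier and the action-type names are assumptions; what it preserves from the description above is that fund movement and signatures always require human consent, that a custom profile cannot put them on autopilot, that unrecognized action types fail closed, and that a multi-step Agent plan pauses at the first step needing consent.

```python
from dataclasses import dataclass

# Consequential action types that require explicit human consent under every
# profile (the article: fund movement and on-chain signatures are never automated).
ALWAYS_HUMAN = frozenset({"transfer", "token_approval", "sign_message", "sign_contract"})

# Action types a user may choose to automate. Anything not listed here and not
# in ALWAYS_HUMAN is unknown and is therefore routed to a human (fail closed).
KNOWN_LOW_RISK = frozenset({"read_balance", "read_market", "quote", "draft_report", "claim_rewards"})


@dataclass(frozen=True)
class Profile:
    name: str
    auto_types: frozenset  # action types the Agent may perform without asking


# Hypothetical contents for the three tiers named in the article.
PROFILES = {
    "relaxed": Profile("relaxed", frozenset({"read_balance", "read_market", "quote",
                                             "draft_report", "claim_rewards"})),
    "balanced": Profile("balanced", frozenset({"read_balance", "read_market", "quote", "draft_report"})),
    "strict": Profile("strict", frozenset({"read_balance", "read_market"})),
}


def custom_profile(name: str, auto_types) -> Profile:
    """User-defined profile that refuses to automate always-human or unknown actions."""
    requested = frozenset(auto_types)
    illegal = requested & ALWAYS_HUMAN
    if illegal:
        raise ValueError(f"{sorted(illegal)} always require human consent")
    unknown = requested - KNOWN_LOW_RISK
    if unknown:
        raise ValueError(f"unknown action types cannot be automated: {sorted(unknown)}")
    return Profile(name, requested)


def decide(action_type: str, profile: Profile) -> str:
    """Return 'auto' or 'human' for one proposed Agent action.
    The ALWAYS_HUMAN check runs first so no profile can override it."""
    if action_type in ALWAYS_HUMAN:
        return "human"
    if action_type in profile.auto_types:
        return "auto"
    return "human"


def run_plan(steps, profile: Profile) -> dict:
    """Walk an Agent's plan in order. Auto steps proceed; the first step that
    needs consent pauses the plan and is handed off for out-of-band approval."""
    completed = []
    for index, step in enumerate(steps):
        if decide(step, profile) == "human":
            return {"completed": completed, "paused_at": index, "awaiting_consent": step}
        completed.append(step)
    return {"completed": completed, "paused_at": None, "awaiting_consent": None}


if __name__ == "__main__":
    # Constructed sample plan: the Agent reads state, prices a swap, then tries to move funds.
    plan = ["read_balance", "quote", "transfer", "read_market"]
    for tier in ("relaxed", "balanced", "strict"):
        print(tier, run_plan(plan, PROFILES[tier]))
```

Note that the relaxed tier still pauses at "transfer": permissiveness only widens the set of low-risk actions, it never reaches the always-human set.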
Why blind signing remains a major threat
The introduction of Sigil comes at a time when the cryptocurrency industry is still struggling with blind signing. In many wallet interactions, users are shown technical data, incomplete information, or generic approval screens that do not clearly explain what a transaction will do. Some users approve transactions without knowing they are granting spending permissions, transferring ownership, or interacting with a malicious contract.
This has made blind signing one of the most exploited weaknesses in digital asset security. Attackers have repeatedly used phishing websites, fake airdrops, compromised front ends, malicious approvals, and social engineering campaigns to trick users into signing transactions that drain wallets.
The problem is not always that users are careless. In many cases, the tools do not show enough information for a normal person to make an informed decision. Smart contract interactions can be complex, and raw transaction data may be unreadable to anyone without technical experience. That creates an environment where users are asked to approve actions they cannot fully inspect.
The “what you see is what you sign” principle aims to change that. Instead of expecting users to decode raw transaction data, wallets and approval systems present understandable information in a structured format. The user should be able to answer basic questions before signing: where are the assets going? How much is being transferred? Which protocol is involved? What permission is being granted? Is this a one-time action or an open-ended approval?
The Ethereum Foundation has supported a similar push through an initiative known as “Clear Signing,” which promotes transparent prompts as a default standard across the ecosystem. The broader goal is to make transaction approval more understandable and reduce the risk of signing something harmful by mistake.
Sigil fits into that trend, but it applies the principle to AI Agent workflows. That is important because AI systems may add another layer between the user and the transaction. If a trader is not directly initiating every step, the need for clear confirmation becomes even more urgent.
AI scams are raising the stakes
The security concerns surrounding Sigil are not theoretical. Criminals are increasingly using artificial intelligence to scale fraud, create more convincing social engineering campaigns, and automate attacks.
Losses to cryptocurrency scams were projected to exceed $17 billion in 2025, according to industry estimates. The FBI's 2025 Internet Crime Report also found that cryptocurrency-related complaints produced the highest losses of any category, more than $11 billion across more than 181,000 incidents.
AI has made the threat landscape more difficult. Fraud campaigns now use generated text, cloned voices, synthetic video, automated messaging, and deepfake impersonation to appear credible. Reports from early 2026 highlighted a sharp increase in impersonation scams, some built on AI-generated deepfakes, with growth of more than 1,400% over the previous year.
AI-enabled scams have also been described as significantly more profitable per operation than scams that do not use such tools. The reason is simple: automation helps attackers reach more victims, personalize messages, imitate trusted contacts, and adapt faster when a campaign is detected.
For digital asset users, that means the approval moment is becoming one of the most important points of defense. If attackers can trick someone into granting permission, signing a message, or approving a transaction, assets can move instantly and often irreversibly. Traditional recovery tools are limited in decentralized systems, and tracing funds after theft does not guarantee their return.
That reality has pushed wallet companies to rethink transaction approval. Better key storage is not enough if users can still be manipulated into authorizing malicious actions. Security now depends not only on protecting the private key, but also on making sure the person understands exactly what the key is being used to approve.
Telegram and Passkeys in the approval flow
One notable part of Sigil’s rollout is its use of Telegram for the user-facing confirmation card. When a high-risk action is initiated, the structured approval request is sent to the user’s Telegram account, where the user can review the details and authenticate with a Passkey.
This creates an out-of-band approval flow. Instead of approving the action inside the same environment where the AI Agent is operating, the user reviews it through a separate channel. That design helps reduce the risk that a compromised Agent or malicious interface can manipulate the approval screen.
However, the use of messaging platforms in security workflows also requires careful implementation. The card is displayed inside Telegram, outside the sandboxed module that generated it, so the strength of the system depends on whether the card's contents are tamper-resistant, whether the user can tell the genuine bot from a lookalike, and whether the Passkey ceremony is bound to the hash of the displayed request rather than to a generic login challenge. If that binding is missing, an attacker who can put a convincing card in front of the user obtains a valid approval for parameters the user never saw.
Passkeys strengthen this model by removing passwords and one-time codes, which can be phished or intercepted. Because a Passkey is bound to the service that registered it and the private key never leaves the user's device, a credential prompted on a lookalike site cannot be captured and replayed elsewhere.
The combination of Passkeys, biometrics, hashed transaction requests, and sandboxed approval screens is intended to create a higher-friction barrier for high-risk actions. While more friction can sometimes reduce convenience, it may be necessary for operations involving digital assets, identity credentials, and autonomous software permissions.
Part of a wider wallet industry shift
ImToken’s move also reflects a broader competitive shift among major wallet providers. As AI Agents become more common, wallets are no longer only tools for storing and sending tokens. They are becoming permission hubs for automated services, decentralized applications, identity systems, and financial execution.
That changes the role of a wallet. In the past, the main question was whether the wallet could secure private keys. Now, the question is whether the wallet can govern what connected software is allowed to do.
Agent-based products are already appearing across the market, and wallet providers are experimenting with tools that allow automation while maintaining user control. The challenge is to avoid turning convenience into a security liability. If Agents can execute without enough oversight, they may become attractive targets for attackers. If approval processes are too complex, users may ignore them or approve without reading.
Sigil attempts to position ImToken around a middle path: allow Agents to act within limits, but require clear human confirmation when the action becomes risky.
That model may become more common as traders use AI tools for market monitoring, decentralized finance interactions, payment automation, and portfolio management. Even users outside cryptocurrency may face similar risks as AI Agents gain permission to book services, edit documents, publish content, access private data, and make purchases.
Human consent as a security standard
The broader message behind Sigil is that human consent must remain verifiable even as automation expands. AI Agents may be able to plan, recommend, and execute, but ImToken’s design assumes that certain decisions should still require direct user approval.
This is especially important in blockchain systems because transactions are generally final once confirmed. A bank payment may sometimes be reversed, flagged, or frozen. A blockchain transfer, once settled, usually cannot be undone without the recipient’s cooperation. That makes the margin for error smaller.
Clear transaction displays help, but they are only useful if the approval screen can be trusted. That is why the sandboxed architecture matters. By separating the AI Agent from the final approval display, Sigil tries to ensure that the user is not approving a forged or manipulated request.
For traders managing digital assets, the practical implication is straightforward: simplistic confirmations are no longer adequate. Any system that allows automated software to move funds or sign contracts should show explicit transaction parameters and require strong authentication. Destination addresses, transfer amounts, protocol names, approval scopes, and contract actions should be visible before signing.
Users should also review permissions granted to automated services. If an Agent has broad access, those permissions should be narrowed where possible. Actions involving fund movement or on-chain signatures should require manual consent through a trusted approval channel. Security profiles should be set according to the value at risk, not merely the desire for convenience.
What comes next
ImToken’s Sigil arrives at a point where two powerful trends are converging: the growing autonomy of AI systems and the continued financial relevance of digital wallets. As those systems overlap, the industry is being forced to design approval processes that are both readable and enforceable.
The product is not just a new wallet feature. It is part of a larger debate about how much authority users should delegate to software, and how that authority should be controlled. In a world where an Agent can make decisions, interact with protocols, and initiate transactions, the approval layer becomes a critical security boundary.
If Sigil’s model gains traction, it could help push the market toward more transparent signing standards. That would align with the broader movement around clear signing and safer wallet prompts. It could also influence how non-crypto AI Agent systems handle permissions for data access, digital identity, and online payments.
For now, the central claim is simple: users should not have to trust an AI Agent blindly when assets or identity are at stake. They should see what is being done, verify the details, and approve through a secure channel that the Agent cannot manipulate.
As AI tools become more capable, that principle may become one of the most important safeguards in digital finance. Sigil is ImToken’s attempt to make that safeguard practical before autonomous systems become deeply embedded in everyday transactions.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.

