Author: ChandlerZ, Foresight News
Security is like a chain, depending on the weakest link. And people are the Achilles' heel in the password system. While the market is still obsessed with building more complex cryptographic protection mechanisms, attackers have already found a shortcut: they don't need to crack the password, they just need to manipulate the people who use the password.
People are the weakest link, and also the most overlooked. They are the vulnerability attackers can most easily exploit, and at the same time the area in which companies invest the least in security and improve the slowest.
According to the latest report by blockchain analysis firm Chainalysis, North Korean hackers launched 47 sophisticated attack campaigns in 2024, stealing $1.3 billion worth of assets from cryptocurrency platforms worldwide, an increase of 21% year-on-year. Even more striking, on February 21, 2025, the Bybit exchange was hacked and about $1.5 billion worth of cryptocurrency assets were stolen, a new record for the largest single theft in cryptocurrency history.
Many of the major attacks of the past were not carried out through traditional technical vulnerabilities. Although exchanges and project teams invest billions of dollars each year in technical protection, in this world seemingly built of mathematics and code, many participants still underestimate the threat posed by social engineering.
The Essence and Evolution of Social Engineering
In the field of information security, social engineering has always been a unique and dangerous attack method. Unlike infiltrating systems through technical vulnerabilities or cryptographic algorithm defects, social engineering mainly exploits human psychological weaknesses and behavioral habits to deceive and manipulate victims. It does not require a high technical threshold, but can often cause extremely serious losses.
The digital age has given social engineering new tools and new stages, and in the crypto space this evolution is especially evident. The early cryptocurrency community consisted mainly of technology enthusiasts and cypherpunks, who generally had a high level of vigilance and technical literacy. As cryptocurrencies have spread, more and more new users without that technical background have entered the market, creating fertile ground for social engineering attacks.
On the other hand, the highly anonymous and irreversible transaction characteristics make cryptocurrencies an ideal target for attackers to reap profits. Once the funds are transferred to wallets under their control, they are almost impossible to recover.
Social engineering succeeds so easily in the cryptocurrency field largely because of the cognitive biases in human decision-making. Confirmation bias makes investors focus only on information that matches their expectations, herd mentality easily inflates market bubbles, and FOMO (Fear of Missing Out) often drives people to irrational choices when they are facing losses. Attackers skilfully "weaponize" these psychological weaknesses.
Compared with trying to break complex encryption algorithms, a social engineering attack costs less and succeeds more often. A carefully forged phishing email, or a seemingly legitimate job invitation laced with a trap, is often more effective than taking on the technical defences head-on.
Common Social Engineering Techniques
Although social engineering attack methods are diverse, their core logic always revolves around winning the target's trust and extracting information from them. Here are brief descriptions of some common methods:
Phishing
Email/SMS Phishing: Using links disguised as exchanges, wallet service providers or other trusted institutions to induce users to enter sensitive information such as seed phrases, private keys, account passwords, etc.
Impersonating social media accounts: Posing as "official customer service", "famous KOLs" or "project teams" on platforms like Twitter, Telegram, and Discord, publishing posts with fake links or fake event information to lure users into clicking, entering keys or sending cryptocurrency.
Browser extensions or fake websites: Building counterfeit websites that are extremely similar to real exchange or wallet websites, or inducing the installation of malicious browser extensions. Once users input or authorize on these pages, their keys will be leaked.
Fake customer service/impersonating technical support
Common in Telegram or Discord groups, someone impersonating a "moderator" or "technical customer service" claims to help solve problems such as failed deposits, failed withdrawals, or wallet sync errors, and guides users to hand over their private keys or transfer coins to a specified address.
They may also recruit victims through private messages or small group chats, claiming they can "help recover lost coins", which is actually a ploy to lure more funds or obtain keys.
SIM Swap
Attackers bribe or deceive telecom operator customer service into transferring the victim's phone number to a SIM the attacker controls. Once the phone number is hijacked, the attacker receives the victim's SMS verification codes and SMS-based two-factor authentication (2FA) codes, uses them to reset the passwords of exchange, wallet or social media accounts, and steals the cryptocurrency assets.
SIM Swap occurs more frequently in the US and other countries.
Social engineering combined with malicious recruitment/headhunting
Attackers pose as recruiters and send "job invitations" containing malicious files or links to the target's email or social media accounts, luring the target to download and execute malware.
If the attack target is an internal employee or core developer of a cryptocurrency company, or an individual holding a large amount of coins as a "heavy user", it may lead to serious consequences such as the company's infrastructure being invaded and keys being stolen.
In the 2022 Axie Infinity Ronin bridge security incident, according to The Block, the attack was linked to a fake recruitment advertisement. Insiders revealed that hackers contacted an employee of Sky Mavis, the developer of Axie Infinity, through LinkedIn and, after several rounds of interviews, told him he had been hired at a high salary. The employee then downloaded a forged job offer presented as a PDF document, which allowed the hackers' software to penetrate the Ronin system. The hackers took control of four of the nine Ronin network validators, one short of full control, and then used the unrevoked Axie DAO permissions to complete the intrusion.
Fake airdrops/fake giveaway activities
Fake "official" activities appearing on platforms like Twitter and Telegram, such as "just transfer x coins to a certain address and you'll get double the return", are actually scams.
Attackers also often use the names of "whitelist airdrops" or "testnet airdrops" to lure users to click on unknown links or connect their wallets to phishing websites, deceiving them into revealing their keys or authorizing theft.
In 2020, the social media accounts of multiple American political and business figures, including Obama, Biden, Buffett, and Bill Gates, as well as many well-known companies, were hacked on Twitter, and the hackers stole passwords, took over the accounts, and posted messages offering "double the return" as bait to get users to send cryptocurrency funds to specified account addresses. In recent years, there are still a large number of "double the return" scams impersonating Musk on YouTube.
Internal employee infiltration/ex-employee crimes
Some former employees of cryptocurrency companies or project teams, or current employees bribed by attackers, use their familiarity with the company's internal systems and operations to steal user databases, private keys, or execute unauthorized transactions.
In such scenarios, the combination of technical vulnerabilities and social engineering is more closely integrated, often resulting in larger-scale losses.
Implanted "backdoors" or pre-tampered fake hardware wallets
Attackers may sell hardware wallets on eBay, Xianyu, Telegram groups or other e-commerce/second-hand trading platforms at below market prices or with authenticity guarantees, but the devices have actually had their chips or firmware replaced inside. Users may also unknowingly purchase refurbished or second-hand devices where the seller has pre-loaded the private keys, and once the buyer deposits funds, the attacker can immediately withdraw them.
Furthermore, after data breach incidents, some users have received fake replacement devices or "security upgrade" versions disguised as coming from the manufacturer (such as Ledger), with new seed phrase cards and operating instructions included in the packaging. Once the user adopts these pre-set seed phrases or migrates their original seed phrase to the fake device, the attacker gains full access to the wallet's assets.
The above examples are just the tip of the iceberg. The diversity and flexibility of social engineering make it particularly destructive in the field of cryptocurrency. For the vast majority of ordinary users, these attacks are often difficult to defend against.
Greed and Fear
Greed is always the most easily manipulated weakness. When the market is extremely active, some people follow the crowd and rush into suddenly popular projects out of herd mentality. Fear and uncertainty are equally common entry points for social engineering. When the cryptocurrency market swings violently or a project runs into trouble, scammers release "urgent notices" claiming the project is in extreme danger and urging users to quickly transfer their funds to a so-called "safe address". Many beginners, fearing losses, find it hard to think clearly and are swept up in the panic.
Additionally, the FOMO (Fear of Missing Out) mentality is ubiquitous in the cryptocurrency ecosystem. The fear of missing the next bull market or the next Bitcoin leads people to rush to invest funds and participate in projects, but they lack the basic ability to identify risks and authenticity. Social engineering attackers only need to create an atmosphere where opportunities are fleeting and there is no chance of doubling returns if missed, and a portion of investors will fall into their trap.
Risk Identification and Prevention
The reason why social engineering is difficult to defend against is that it targets people's cognitive blind spots and psychological weaknesses. As investors, we should pay attention to the following key points:
Improve Security Awareness
Do not casually disclose private keys and seed phrases. Under no circumstances should you trust others and reveal your private key, seed phrase, or sensitive personal information. Genuine official teams rarely ask for this type of information through private chats.
Be wary of "unreasonable profit promises". Any activity that claims "zero risk, high returns" or "multiple times the principal" is highly likely to be a scam.
Verify Links and Sources
Use browser extensions or official channels to check website addresses. For cryptocurrency exchanges, wallets, or decentralized applications (DApps), confirm carefully every time that the domain name is exactly correct.
Do not click on links from unknown sources. If the other party claims it is an "airdrop benefit" or "official compensation", you should immediately verify it on official social media or official channels.
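The domain check described above can be partly automated. The following is an added example, not code from the article or from any exchange or wallet: it folds look-alike characters (digits, accents, a handful of Cyrillic homoglyphs, punycode) and flags hostnames that match a trusted domain only after folding, embed a trusted name inside another domain, or sit within two edits of a trusted label. The allowlist and the homoglyph table are constructed placeholders.

```python
import unicodedata

# Constructed allowlist of the domains a user really relies on (placeholder names).
TRUSTED = {"example-exchange.com", "example-wallet.io"}

# Constructed map of characters attackers swap for Latin letters: digits and a
# few Cyrillic homoglyphs. Not exhaustive; extend it for your own threat model.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})

def normalize(host: str) -> str:
    """Lower-case, decode punycode, strip accents and fold homoglyphs."""
    host = host.strip().lower().rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")   # xn--... -> Unicode
        except UnicodeError:
            pass
    host = unicodedata.normalize("NFKD", host)
    host = "".join(c for c in host if not unicodedata.combining(c))
    return host.translate(HOMOGLYPHS)

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname taken from a link."""
    raw = host.strip().lower().rstrip(".")
    norm = normalize(host)
    for t in TRUSTED:
        if raw == t or raw.endswith("." + t):
            return "trusted"        # the real domain or a genuine subdomain of it
    for t in TRUSTED:
        if norm == t or norm.endswith("." + t):
            return "lookalike"      # matches only after folding homoglyphs
        if t in raw:
            return "lookalike"      # trusted name buried inside another domain
        if levenshtein(norm.rsplit(".", 1)[0], t.rsplit(".", 1)[0]) <= 2:
            return "lookalike"      # typosquat or TLD swap within two edits
    return "unknown"
```

The two-edit threshold is a heuristic: it catches TLD swaps and single-character typos but will also flag short trusted names against unrelated short names, so treat "lookalike" as a prompt to verify through official channels rather than a verdict.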
Focus on Community and Social Media Discernment
Check the verification badge, follower count, and interaction history of official accounts. Avoid blindly adding unknown private chat groups and clicking on unknown links in the groups.
Maintain a skeptical attitude towards "free lunch" information, look into it more, and seek verification from experienced investors or official channels.
Establish a Healthy Investment Mindset
Rationally view market fluctuations and avoid being swept up by short-term volatility.
Always be prepared for the worst-case scenario and do not ignore potential risks due to "fear of missing out".
The Eternal Importance of the Human Factor
Human nature is the foundation for social engineering to repeatedly succeed. Attackers will design various scams by targeting herd mentality, greed, fear, insecurity, and FOMO (Fear of Missing Out).
As blockchain and cryptocurrency technology evolve and business models keep expanding, social engineering methods will evolve with them. Mature deepfake technology may pose an even greater threat in the near future, with attackers impersonating project leaders through synthetic video and audio in real-time interactions with victims. Multi-dimensional social engineering may also escalate: attackers may lurk across several social platforms for an extended period, gather information, and then strike their targets through carefully designed emotional manipulation.
The continued existence of social engineering reminds us that, no matter how advanced the technology, the human factor is still the core component of the system. Completely eliminating the impact of social engineering may be unrealistic, and we can only build more resilient systems by focusing on both code and people.