Web3 Security

How Social Engineering Drained over $340M in 6 Months?

Discover how social engineering tactics led to over $340M in crypto losses in just 6 months and the key lessons for Web3 security.

Author
QuillAudits Team
July 24, 2025

We recently published a massive report on the key trends of H1 2025. In H1, the total loss of funds exceeded $2.3 billion, with the top 3 attack vectors being Access Control, Social Engineering Attacks, and Integer Overflow, together responsible for 95% of the funds lost.

One attack vector holding a major chunk of the amount lost is Social Engineering Attacks, which were responsible for over $340 million lost, representing 15% of the total loss of funds. This number comes from only three major attacks across Bitcoin, Ethereum, and Solana. There are likely many more victims, which would push the amount even higher; some of these cases never surface because they involve an individual user.


What are Social Engineering Attacks?

These attacks target individual users rather than code. Instead of exploiting technical vulnerabilities, attackers deceive users, often developers, signers, or governance participants, into approving malicious actions.

This may involve phishing, fake frontends, or malware that alters transaction UIs. Even the most secure smart contracts can’t defend against compromised human judgment, making operational security, education, and hardware wallet usage essential.

Social engineering attacks span multiple platforms, including Zoom, GitHub, LinkedIn, Telegram, and others. Developers are mostly attacked through malicious GitHub repositories containing executable files that can drain hot wallets. Zoom scams, meanwhile, involve downloading a malicious Zoom app SDK file, which then executes multiple scripts, keyloggers, and clipboard hijackers.

The funds lost to Social Engineering Attacks in H1 were $339 million, and the victims were on different chains, including Solana, Ethereum, and Bitcoin. This number could be much higher, as many Coinbase users also lost funds.


Types of Social Engineering Attacks

There are many types of social engineering attacks. All of them aim to deceive users into believing they are executing a normal transaction or downloading a legitimate file, only for the victim to realize in hindsight that they were trapped by the attackers. This list is not exhaustive, but it covers most of the social engineering attacks occurring in the space at the moment.
 

Phishing Attacks

Phishing remains one of the most common and effective social engineering techniques in Web3. Attackers create fake versions of popular dApps or wallet interfaces, like MetaMask, Uniswap, or staking platforms, and lure users to them via email, social media, Discord, or even paid ads. Once on the fake site, users are tricked into entering seed phrases or signing malicious transactions that grant attackers access to their assets. Because these sites closely mimic legitimate platforms, they often bypass a user’s normal caution.
 

Malicious GitHub Repositories

Developers are often targeted through GitHub, where attackers publish or contribute to repositories containing harmful code. These repositories may appear to offer useful tools or scripts for Web3 development, but include hidden malware, such as keyloggers or clipboard hijackers, that silently compromise hot wallets or extract private keys once executed. This form of attack takes advantage of the open-source culture and the trust developers place in community-contributed code.
 

Zoom-Based Scams

A more targeted approach involves fake Zoom meetings, often under the guise of investment calls, partnerships, or interviews. During the call, the attacker shares a malicious Zoom SDK or installer that, once downloaded, deploys a series of background scripts. These can include keyloggers, clipboard monitors, and even remote access trojans, which give attackers full visibility into wallet activity and transaction signing behavior.
 

Malicious Transaction UIs

In this attack, malware or browser extensions interfere with the way transactions are displayed in wallet interfaces. The attacker may alter the UI to make a dangerous action look harmless, for example, disguising a token approval as a simple swap. Users, trusting the interface, approve the transaction without realizing they are granting the attacker access to their tokens. This method is especially dangerous because it manipulates what users see, not what they’re doing.
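The defence against a manipulated wallet UI is to verify the raw calldata rather than the label the interface shows. The following Python is an added example (not code from the QuillAudits post) that decodes the calldata a wallet is about to sign and reports what the call really does, so an `approve` cannot hide behind a button that says "swap"; it assumes a plain ABI-encoded call to one of the standard ERC-20/ERC-721 functions listed in `SELECTORS`, and the sample calldata is constructed.

```python
# Added example, not from the original post: decode ABI calldata independently of the UI.
# Assumes a plain call to one of the standard ERC-20 / ERC-721 functions below.

# 4-byte selectors (first four bytes of keccak256 of the signature) of functions
# that grant or move tokens.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
UINT256_MAX = 2**256 - 1


def _addr(word: bytes) -> str:
    """ABI left-pads a 20-byte address to a 32-byte word."""
    return "0x" + word[12:].hex()


def decode_call(calldata_hex: str) -> dict:
    """Return the function name, its decoded arguments and a risk label."""
    data = bytes.fromhex(calldata_hex.lower().removeprefix("0x"))
    sig = SELECTORS.get(data[:4].hex()) if len(data) >= 4 else None
    if sig is None:
        return {"function": "unknown", "risk": "unrecognised function, do not sign blind"}
    name, types = sig.split("(")[0], sig.rstrip(")").split("(")[1].split(",")
    if len(data) < 4 + 32 * len(types):
        return {"function": name, "risk": "truncated calldata"}
    words = [data[4 + 32 * i: 36 + 32 * i] for i in range(len(types))]
    values = [_addr(w) if t == "address" else int.from_bytes(w, "big") for w, t in zip(words, types)]
    info = {"function": name, "args": values, "risk": "none"}
    if name in ("approve", "increaseAllowance"):
        info["risk"] = ("unlimited allowance" if values[1] == UINT256_MAX
                        else "allowance grant" if values[1] > 0 else "none")
    elif name == "setApprovalForAll" and values[1] == 1:
        info["risk"] = "operator may move every token in the collection"
    elif name in ("transfer", "transferFrom"):
        info["risk"] = "moves tokens"
    return info


# Constructed sample: approve(0xabab...abab, 2**256 - 1), i.e. what a "swap"
# button may actually ask the user to sign.
SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32
# Constructed sample: transfer(0xcdcd...cdcd, 1000).
SAMPLE_TRANSFER = "0xa9059cbb" + "00" * 12 + "cd" * 20 + (1000).to_bytes(32, "big").hex()

if __name__ == "__main__":
    for sample in (SAMPLE_APPROVE, SAMPLE_TRANSFER):
        print(decode_call(sample))
```

Anything the decoder reports as unrecognised or truncated should be treated as a reason to stop and inspect the transaction on a block explorer before signing.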
 

Impersonation Attacks

Impersonation is a widespread tactic across LinkedIn, Telegram, Discord, and GitHub. Attackers pretend to be trusted figures in a project, such as founders, developers, or moderators, and initiate conversations to gain trust. Once rapport is built, they may ask the victim to open a file, click a link, or sign a transaction. These scams often feel personal and credible, making them highly effective, especially within DAO and startup communities.
 

Address Poisoning

Address poisoning exploits the way users copy-paste wallet addresses. An attacker sends a zero-value transaction from a wallet that closely resembles one the user has recently interacted with, typically matching the first and last few characters. Later, if the user copies the wrong address from their transaction history or clipboard, they may unintentionally send funds to the attacker. This attack doesn’t require malware or credentials, just a lapse in attention.
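Because a poisoned address is built to match exactly the characters a wallet displays, a pre-send check can catch it by comparing the full address against an address book and by flagging zero-value inbound transfers from look-alikes. The Python below is an added example (not code from the QuillAudits post); it assumes the wallet shows the first and last 4 hex characters, which are parameters, and the address book and transaction history are constructed.

```python
# Added example, not from the original post: flag look-alike ("poisoned") addresses.
# Assumes the wallet shows the first and last 4 hex characters, which is what a
# poisoning address is crafted to match; both lengths are parameters.

# Constructed address book: label -> address the user actually trusts.
TRUSTED = {"exchange deposit": "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"}

# Constructed history: a real deposit followed by a zero-value "poisoning" transfer
# from an address that matches the trusted one at both ends.
POISONED = "0x1a2bdeadbeefdeadbeefdeadbeefdeadbeef9a0b"
SAMPLE_HISTORY = [
    {"direction": "out", "to": TRUSTED["exchange deposit"], "from": "0x" + "11" * 20, "value": 5 * 10**17},
    {"direction": "in", "to": "0x" + "11" * 20, "from": POISONED, "value": 0},
]


def _norm(addr: str) -> str:
    """Lower-case and strip the 0x prefix so comparisons ignore checksum casing."""
    return addr.lower().removeprefix("0x")


def looks_alike(a: str, b: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when a and b share the visible prefix and suffix but are different addresses."""
    a, b = _norm(a), _norm(b)
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]


def check_destination(dest: str, trusted: dict) -> dict:
    """Classify a pasted destination before signing: trusted, lookalike or unknown."""
    for label, good in trusted.items():
        if _norm(dest) == _norm(good):
            return {"status": "trusted", "label": label}
        if looks_alike(dest, good):
            return {"status": "lookalike", "mimics": label, "expected": good}
    return {"status": "unknown"}


def poisoning_candidates(history: list, trusted: dict) -> list:
    """Senders of zero-value incoming transfers that mimic a trusted address."""
    return [tx["from"] for tx in history
            if tx["direction"] == "in" and tx["value"] == 0
            and any(looks_alike(tx["from"], good) for good in trusted.values())]


if __name__ == "__main__":
    print(check_destination(POISONED, TRUSTED))
    print(poisoning_candidates(SAMPLE_HISTORY, TRUSTED))
```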
 

Governance Manipulation

In decentralized governance systems, attackers may submit proposals that appear legitimate but contain malicious changes hidden in the code. These changes might redirect funds or grant privileged access to attacker-controlled contracts. By relying on rushed voting, low participation, or the community’s trust in known contributors, these proposals can pass unnoticed. This form of social engineering targets not individuals, but collective decision-making.
 

Malware Shared in Communities

Telegram, Discord, and other Web3 community channels are often used to distribute malware disguised as helpful tools, such as airdrop claimers, staking utilities, or gas optimizers. Once downloaded, these scripts may execute keylogging functions, alter clipboard data, or open backdoors to the attacker. These attacks are especially dangerous in developer-focused spaces, where sharing and testing code is common practice.
 

Pig Butchering Scams

Pig butchering scams are long-term social engineering schemes where scammers build trust with victims over time, often posing as romantic partners, business contacts, or mentors on platforms like Telegram, WhatsApp, or dating apps. Once a relationship is established, the scammer introduces the victim to a fake crypto investment platform, staking protocol, or trading dApp that appears legitimate, complete with fabricated dashboards and transaction history. Victims are lured into depositing increasing amounts of crypto, sometimes even allowed small withdrawals to reinforce trust, until the scammer eventually disappears with all funds. These scams are particularly damaging because they combine emotional manipulation with technical deception, making them one of the most insidious forms of fraud in the Web3 space.


Recent Incidents

Individual Bitcoin User

An individual Bitcoin user fell victim to a social engineering attack that led to the loss of 3520 BTC (~$300m). Of these assets, $7m+ have been frozen with the help of multiple entities, including Binance.

Two suspects named in ZachXBT's investigation are Nina/Mo, who operates a scam call center in Camden, UK, and W0rk, who assisted with the site and the calls.


Fake Zoom Calls

Scams through Zoom calls are on the rise, and so is their sophistication. The usual flow is that the scammers create a fake Telegram account, or reach out through email or a compromised X account, posing as a legitimate entity.

Once the victim joins the Zoom call, everything feels legitimate; in some cases the scammers even use a deepfake of the speaker the victim expected to talk to. A few months back, Kenny Li, co-founder of Manta, was targeted through a similar attack, and more recently the scammers used a deepfake of Sandeep Nailwal, CEO of Polygon Labs, to trick people.

The biggest red flag is being repeatedly prompted to install something on your system. Also, disable remote access control in Zoom: if scammers get remote access to the system, they can easily target your funds or install malware.

The image below is a perfect example of such a scenario: the attacker changes their display name to “Zoom” and requests remote control of the victim's system.

Prompt from “Zoom” (the attacker) to delegate remote control of the system. Source: Trail of Bits
 

Coinbase Data Breach

Coinbase's data breach occurred in May this year, and the attackers demanded $20 million in ransom. Data such as physical addresses, names, and transaction details was captured.

The data was leaked because overseas customer support agents went rogue, colluded with the attackers, and handed this data over to them. Coinbase took full responsibility and committed to reimbursing any user who was socially engineered into sending funds to these attackers, who may impersonate Coinbase support. The attackers gained access to information including names, addresses, phone numbers, emails, masked social security numbers, and other PII (Personally Identifiable Information).

Moreover, Coinbase turned the tables on the ransom demand by offering a $20M bounty to anyone who helps identify these attackers.

Read more about the incident here: https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists
 

Fake Ledger Scams

Scammers are mailing hardware wallets that appear legitimate to crypto holders; they may have obtained the recipients' details from the 2020 Ledger breach. The accompanying letter claims the new wallet is a replacement because the user’s old wallet was compromised, which by itself should sound like a scam.

Anything like this would be communicated officially, but users may fall for it because the letter and the wallet arrive at their physical address. Once the user transfers funds from the old wallet (supposedly vulnerable, according to the letter) to the new, fake wallet, the funds are drained.


Comparison between Fake and Real Ledger Wallet
 

Conclusion

In the first half of 2025, social engineering attacks have proven to be a major threat, draining over $340 million from users across multiple blockchains. As these attacks grow more sophisticated, leveraging phishing, impersonation, malware, and even deepfakes, it's clear that technical security alone is not enough. Staying vigilant, prioritizing operational security, and maintaining a healthy skepticism are essential for anyone managing digital assets in the evolving Web3 landscape.

This rise in social engineering is just one facet of the broader security crisis. Our H1 2025 Crypto Hacks Report reveals that over $2.24 billion was stolen across 120+ incidents, many exploiting similar patterns. The crypto space must adopt proactive, automated defense systems before external regulations force less agile solutions upon it.
