Social engineering attacks have become a new threat in the crypto asset space, with annual losses reaching 300 million dollars.

Social engineering attacks have become a major threat in the crypto asset space

In recent years, social engineering attacks have become a significant threat to the safety of user funds in the crypto asset space. Since 2025, social engineering fraud targeting users of a well-known trading platform has occurred frequently and drawn widespread attention from the community. Judging from community discussions, these incidents are not isolated cases but a persistent, organized type of scam.

On May 15, the trading platform confirmed the long-running speculation that there were "insiders" within the platform. The U.S. Department of Justice (DOJ) is reported to have opened an investigation into the data leak.

This article compiles information provided by multiple security researchers and victims to lay out the scammers' main methods, and discusses how both platforms and users can respond to such scams effectively.

"Customer Service" in the Dark Forest: When Social Engineering Scams Target Coinbase Users

Historical Analysis

On May 7, blockchain investigator Zach wrote in a social media post: "In just the past week, over $45 million has been stolen from users of a certain trading platform due to social engineering scams."

Over the past year, Zach has repeatedly disclosed thefts from users of a certain trading platform on social media, with individual victims losing up to tens of millions of dollars. In February 2025 he published a detailed investigation stating that between December 2024 and January 2025 alone, funds stolen through similar scams exceeded $65 million, and revealed that the platform faces a severe "social engineering scam" crisis in which such attacks keep eroding user asset security at an annual scale of $300 million. He also pointed out:

  • The groups behind this type of scam fall into two main categories: low-level attackers from specific circles (script kiddies, "skids"), and cybercrime organizations located in India;
  • The scam gangs primarily target American users, with standardized methods and mature scripts;
  • The actual losses are probably much higher than the visible on-chain statistics, since these exclude undisclosed sources such as customer service tickets and police reports that cannot be obtained.

Scam Techniques

In this incident, the platform's technical systems were not breached; the fraudsters used the access of internal employees to obtain some users' sensitive information, including names, addresses, contact details, account data and ID photos. Their end goal is to use social engineering to talk users into transferring the funds themselves.

This type of attack replaces the traditional "cast a wide net" phishing approach with "precision strikes": social engineering scams tailor-made for each victim. A typical sequence is as follows:

1. Contacting users as "official customer service"

Using a spoofed phone system (PBX), fraudsters impersonate platform customer service and call users claiming that "an unauthorized login was detected on your account" or "withdrawal anomalies were detected", creating a sense of urgency. They then send convincing phishing emails or text messages containing fake ticket numbers or "recovery process" links that guide the user to act. The links may lead to cloned platform interfaces; some emails appear to come from official domains, and some use redirection techniques to bypass security filters.

2. Guiding users to install a new wallet

Under the pretext of "protecting your assets", scammers steer users to move funds to a "safe wallet": they walk the user through installing a new wallet and instruct them to transfer the assets originally held on the platform into the newly created wallet.

3. Inducing users to use a mnemonic phrase supplied by the scammers

Unlike traditional "mnemonic phishing", where the victim's own seed phrase is stolen, the scammers directly hand over a seed phrase they generated themselves and lure the user into adopting it as the "official new wallet".

4. Scammers steal the funds

Victims are easily trapped when they are tense, anxious, and trusting of "customer service": to them, a "new wallet provided by the official team" naturally looks safer than an "old wallet suspected of being hacked". Once funds land in that new wallet, the scammers, who hold its mnemonic, can take them immediately. "Not your keys, not your coins" is once again brutally confirmed by social engineering attacks.

Some phishing emails also claim that "due to a class action lawsuit ruling, the platform will fully migrate to self-custodial wallets" and require users to complete the asset migration by April 1. Under time pressure and the psychological framing of an "official directive", users are more likely to comply.

Security researchers note that these attacks are organized in both planning and execution:

  • Mature scam toolchain: scammers use PBX systems (such as FreePBX, Bitrix24) to spoof caller numbers and mimic official customer service calls. For phishing emails, they use specific tools to impersonate official email addresses and attach an "account recovery guide" that prompts the transfer.
  • Precise targeting: fraudsters rely on stolen user data bought through specific channels and on the dark web, and focus on users in specific regions. They may even use AI tools to process the stolen data, splitting and reorganizing phone numbers and generating TXT files in bulk, then sending scam SMS en masse with mass-texting software.
  • Seamless deception chain: from phone call to text message to email, the scam path is usually continuous. Common phishing phrases include "Account withdrawal request received", "Password has been reset" and "Abnormal login detected on the account", continuously pushing the victim through "security verification" steps until the wallet transfer is complete.

On-Chain Analysis

Analysis of several scammer addresses with an on-chain anti-money-laundering and tracing system shows that these scammers are highly capable on-chain operators. The key findings are as follows:

The attackers target the various assets held by platform users, and the activity of these addresses is concentrated between December 2024 and May 2025. The main target assets are BTC and ETH, with BTC currently the primary target: multiple addresses took in hundreds of BTC at a time, with single transactions worth millions of dollars.

After obtaining funds, the scammers quickly run them through a laundering process of swaps and transfers. The main patterns are as follows:

  • ETH is typically swapped quickly for DAI or USDT through a DEX, then split and transferred to multiple new addresses, with part of the funds entering centralized trading platforms;

  • BTC is mainly bridged to Ethereum through cross-chain bridges and then swapped for DAI or USDT to reduce the risk of being traced.

Multiple scam addresses remain "static" after receiving DAI or USDT and have not moved the funds out.

To avoid having one's own address interact with suspicious addresses, and thereby risk having assets frozen, users are advised to run a risk check on the counterparty address with an on-chain anti-money-laundering and tracing system before transacting, so that potential threats are avoided in advance.
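The tracing heuristics described in this section, worked through as an added example that is not part of the original article and not code from any vendor's tracing system: a toy transfer graph in Python with constructed addresses, amounts and a single labelled scam address, over which the code (1) propagates taint forward in time from labelled addresses, stopping at liquidity pools and exchange hot wallets so a shared pool does not smear the label over every later user, (2) flags the swap-then-disperse pattern (one asset sent to several never-seen addresses within a few blocks), and (3) lists tainted addresses that received DAI/USDT and never moved it, the "static" addresses noted above. `screen_address` is the pre-trade counterparty check the previous paragraph recommends. Every `0x...` name is a placeholder, not a real address, and the hop radius and fan-out thresholds are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    asset: str
    amount: float
    block: int


# Constructed sample data (not real chain data): one labelled scam address swaps
# ETH for DAI on a DEX, splits the DAI across fresh addresses, and one of those
# later deposits to an exchange hot wallet.
SCAM_LABELS: Set[str] = {"0xscam01"}
# Pooled services: taint is recorded when it reaches them but not propagated
# through them, otherwise every later user of the pool would inherit the label.
SERVICE_ADDRESSES: Set[str] = {"0xdexpool", "0xcexhot"}
TRANSFERS: List[Transfer] = [
    Transfer("0xvictim", "0xscam01", "ETH", 120.0, 100),
    Transfer("0xscam01", "0xdexpool", "ETH", 120.0, 101),      # swap: ETH in
    Transfer("0xdexpool", "0xscam01", "DAI", 240_000.0, 101),  # swap: DAI out
    Transfer("0xscam01", "0xfresh1", "DAI", 80_000.0, 102),
    Transfer("0xscam01", "0xfresh2", "DAI", 80_000.0, 102),
    Transfer("0xscam01", "0xfresh3", "DAI", 80_000.0, 102),
    Transfer("0xfresh1", "0xcexhot", "DAI", 80_000.0, 110),
    Transfer("0xclean", "0xmerchant", "DAI", 50.0, 105),
]


def tainted_hops(transfers, labels, service, max_hops=3) -> Dict[str, int]:
    """Breadth-first taint propagation: hop distance from a labelled address,
    following only transfers that happen after the sender became tainted."""
    outgoing = defaultdict(list)
    for t in transfers:
        outgoing[t.src].append(t)
    hops = {a: 0 for a in labels}
    since = {a: 0 for a in labels}  # block from which an address counts as tainted
    queue = deque(labels)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops or (addr in service and addr not in labels):
            continue
        for t in outgoing[addr]:
            if t.block >= since[addr] and t.dst not in hops:
                hops[t.dst] = hops[addr] + 1
                since[t.dst] = t.block
                queue.append(t.dst)
    return hops


def screen_address(addr: str, hops: Dict[str, int]) -> str:
    """Pre-trade counterparty check: block labelled addresses, review anything
    inside the taint radius, otherwise clear."""
    d = hops.get(addr)
    if d is None:
        return "clear"
    return "block" if d == 0 else "review"


def dispersal_events(transfers, min_fanout=3, window=5) -> List[Tuple[str, str, int, int]]:
    """Flag a sender that pays one asset to >= min_fanout never-before-seen
    destinations within `window` blocks (the split-to-new-addresses step)."""
    seen: Set[str] = set()
    fresh_sends = defaultdict(list)  # (src, asset) -> [(block, dst)]
    events = []
    for t in sorted(transfers, key=lambda x: x.block):
        is_fresh = t.dst not in seen
        seen.update((t.src, t.dst))
        if not is_fresh:
            continue
        key = (t.src, t.asset)
        fresh_sends[key].append((t.block, t.dst))
        recent = {d for b, d in fresh_sends[key] if t.block - b <= window}
        if len(recent) == min_fanout:  # emit once per burst
            events.append((t.src, t.asset, t.block, len(recent)))
    return events


def dormant_tainted(transfers, hops, service, assets=("DAI", "USDT")) -> Set[str]:
    """Tainted, non-service addresses that received stablecoins and never sent any."""
    inflow, outflow = defaultdict(float), defaultdict(float)
    for t in transfers:
        if t.asset in assets:
            inflow[t.dst] += t.amount
            outflow[t.src] += t.amount
    return {a for a in hops if a not in service and inflow[a] > 0 and outflow[a] == 0}


if __name__ == "__main__":
    hops = tainted_hops(TRANSFERS, SCAM_LABELS, SERVICE_ADDRESSES)
    for a in ("0xscam01", "0xfresh2", "0xcexhot", "0xclean"):
        print(f"{a}: hops={hops.get(a)} decision={screen_address(a, hops)}")
    print("dispersal:", dispersal_events(TRANSFERS))
    print("dormant:", sorted(dormant_tainted(TRANSFERS, hops, SERVICE_ADDRESSES)))
```

The time check in `tainted_hops` matters more than it looks: without it, a transfer an address made before it ever touched scam funds would drag its earlier counterparties into the taint set, which is exactly the false positive that gets innocent users' deposits frozen.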

Countermeasures

Platform

Mainstream security measures today are mostly "technical-level" protections, whereas social engineering scams bypass these mechanisms and go straight for users' psychological and behavioral weak points. Platforms should therefore combine user education, security training and usability design to build a "human-centered" security defense.

  • Push anti-fraud education regularly: strengthen users' ability to spot phishing through app pop-ups, transaction confirmation screens, emails and other channels;
  • Add "interactive anomaly recognition" to the risk-control model: most social engineering scams get the user to complete a series of operations (transfers, whitelist changes, device bindings, etc.) within a short period. The platform should use a behavior-chain model to recognize suspicious combinations of interactions (such as "frequent interactions + new address + large withdrawal") and trigger a cooling-off period or manual review;
  • Standardize customer service channels and verification: scammers routinely impersonate customer service. The platform should unify its phone, SMS and email templates and provide a "customer service verification entry" that makes the single official communication channel unambiguous.
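The "behavior chain" idea in the second bullet above, worked through as an added example that is not the platform's own risk model: a Python scorer over a constructed event stream that derives, for each withdrawal request, the signals the article names (a new device binding, a whitelist change, a destination the account has never used, a large amount, and a burst of sensitive actions inside a six-hour window) and turns the combination into allow, cooling-off or manual review. The account names, timestamps, thresholds and equal signal weights are assumptions made here for illustration.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Event:
    account: str
    ts: int              # unix seconds
    kind: str            # "login", "device_bind", "whitelist_add", "withdraw"
    address: str = ""    # destination for whitelist_add / withdraw
    amount_usd: float = 0.0


# Assumed thresholds for this illustration, not the platform's real rules.
WINDOW_SECONDS = 6 * 3600      # behavior-chain window
LARGE_USD = 50_000.0
SENSITIVE_KINDS = {"device_bind", "whitelist_add", "withdraw"}
BURST_COUNT = 3                # sensitive actions (incl. this withdrawal) in the window
COOLING_SCORE = 2              # delay and notify through the official channel
REVIEW_SCORE = 4               # hold for manual review


def established_addresses(history: List[Event], account: str, now: int) -> Set[str]:
    """Destinations this account withdrew to before the current window began."""
    return {e.address for e in history
            if e.account == account and e.kind == "withdraw"
            and now - e.ts > WINDOW_SECONDS}


def assess_withdrawal(history: List[Event], withdraw: Event) -> Tuple[str, List[str]]:
    """Score the interaction chain behind a withdrawal request and return
    (decision, signals); decision is "allow", "cooling_off" or "manual_review"."""
    recent = [e for e in history
              if e.account == withdraw.account
              and 0 <= withdraw.ts - e.ts <= WINDOW_SECONDS]
    known = established_addresses(history, withdraw.account, withdraw.ts)
    signals = []
    if any(e.kind == "device_bind" for e in recent):
        signals.append("new_device")
    if any(e.kind == "whitelist_add" for e in recent):
        signals.append("whitelist_change")
    if withdraw.address not in known:
        signals.append("new_address")
    if withdraw.amount_usd >= LARGE_USD:
        signals.append("large_amount")
    sensitive = sum(1 for e in recent if e.kind in SENSITIVE_KINDS) + 1  # +1: this request
    if sensitive >= BURST_COUNT:
        signals.append("burst")
    score = len(signals)  # equal weights here; a production model would tune them
    if score >= REVIEW_SCORE:
        return "manual_review", signals
    if score >= COOLING_SCORE:
        return "cooling_off", signals
    return "allow", signals


# Constructed event stream (not real platform data).
T = 1_700_000_000
HISTORY: List[Event] = [
    Event("alice", T - 30 * 86400, "withdraw", "0xalice-cold", 2_000.0),  # established habit
    Event("alice", T, "login"),
    Event("alice", T + 300, "device_bind"),                      # new phone "for the safe wallet"
    Event("alice", T + 600, "whitelist_add", "0xnew-safe-wallet"),
    Event("bob", T - 10 * 86400, "withdraw", "0xbob-ledger", 900.0),
    Event("carol", T - 40 * 86400, "withdraw", "0xcarol-old", 700.0),
]

# Three withdrawal requests: the scripted scam chain, a routine withdrawal,
# and a first-time large send to an address the account has never used.
SCAM_CHAIN = Event("alice", T + 1200, "withdraw", "0xnew-safe-wallet", 250_000.0)
ROUTINE = Event("bob", T + 100, "withdraw", "0xbob-ledger", 800.0)
NEW_LARGE = Event("carol", T + 100, "withdraw", "0xcarol-new", 60_000.0)

if __name__ == "__main__":
    for req in (SCAM_CHAIN, ROUTINE, NEW_LARGE):
        decision, signals = assess_withdrawal(HISTORY, req)
        print(f"{req.account}: {decision} {signals}")
```

Scoring the chain rather than any single action is the point: a whitelist change or a large withdrawal on its own is routine, whereas the scripted sequence of device bind, whitelist add and a large send to a never-used address, all inside an hour, is what the scam calls produce, and a cooling-off period gives the platform's single official channel time to reach the user before the transfer settles.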

Users

  • Keep identities separate: avoid using the same email address or phone number across multiple platforms to limit correlation risk, and use breach lookup tools to check regularly whether your email has appeared in a leak.

  • Enable withdrawal whitelists and withdrawal cooldowns: pre-set trusted addresses so that funds cannot be rushed to an arbitrary new address in an "emergency".

  • Stay current on security information: keep up with the latest attack methods through security companies, media, trading platforms and other channels. Several security organizations are about to launch a Web3 phishing drill platform that simulates typical phishing techniques, including social engineering, signature phishing and malicious contract interactions, and keeps its scenarios updated with historical cases, so users can build recognition and response skills in a risk-free environment.

  • Be aware of offline risks and protect your privacy: leaked personal information can also endanger personal safety.

This is not undue worry: since the beginning of this year, crypto practitioners and users have faced multiple incidents threatening personal safety. Given that the leaked data includes names, addresses, contact details, account data, ID photos and other content, affected users should remain vigilant offline as well.

In short: stay skeptical and keep verifying. For any "urgent" operation, require the other party to prove their identity and verify independently through official channels, so that no irreversible decision is made under pressure.
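The whitelist and cooldown control recommended in the list above, as an added example that is not code from the article or from any platform: a small Python policy object in which a newly whitelisted address cannot receive withdrawals until a 24-hour cooldown has elapsed, and in which switching the whitelist off is itself delayed by the same cooldown, so that a "customer service" caller cannot have the victim add a "safe wallet" and drain the account within the same call. The addresses, timestamps and the 24-hour period are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed for this illustration: a new whitelist entry, and a request to turn
# the whitelist off, both take 24 hours to become effective.
COOLDOWN_SECONDS = 24 * 3600


@dataclass
class WithdrawalPolicy:
    whitelist: Dict[str, int] = field(default_factory=dict)  # address -> ts added
    disable_effective_at: Optional[int] = None               # pending whitelist-off

    def add_address(self, address: str, now: int) -> int:
        """Whitelist an address and return the time it becomes usable.
        Re-adding an existing entry never shortens its remaining cooldown."""
        self.whitelist.setdefault(address, now)
        return self.whitelist[address] + COOLDOWN_SECONDS

    def request_disable(self, now: int) -> int:
        """Turning the whitelist off is itself delayed, so a caller on the phone
        cannot talk the user into an immediate unrestricted withdrawal."""
        if self.disable_effective_at is None:
            self.disable_effective_at = now + COOLDOWN_SECONDS
        return self.disable_effective_at

    def cancel_disable(self) -> None:
        """The user (not the caller) can revoke the pending switch-off at any time."""
        self.disable_effective_at = None

    def whitelist_enforced(self, now: int) -> bool:
        return self.disable_effective_at is None or now < self.disable_effective_at

    def check(self, address: str, now: int) -> Tuple[str, int]:
        """Return (decision, seconds_until_allowed); decision is allow/hold/reject."""
        if not self.whitelist_enforced(now):
            return "allow", 0
        if address not in self.whitelist:
            return "reject", 0
        ready_at = self.whitelist[address] + COOLDOWN_SECONDS
        if now < ready_at:
            return "hold", ready_at - now
        return "allow", 0


def scripted_scam_timeline() -> Dict[str, Tuple[str, int]]:
    """Constructed timeline: the caller has the user add a 'safe wallet' and
    withdraw ten minutes later, then asks to switch the whitelist off."""
    t0 = 1_700_000_000
    policy = WithdrawalPolicy()
    policy.add_address("0xuser-hardware-wallet", t0 - 90 * 86400)  # long-established entry
    policy.add_address("0xcaller-safe-wallet", t0)                 # added during the call
    policy.request_disable(t0 + 60)                                # "just turn it off then"
    return {
        "established": policy.check("0xuser-hardware-wallet", t0 + 600),
        "new_entry_10min": policy.check("0xcaller-safe-wallet", t0 + 600),
        "unlisted_10min": policy.check("0xanything", t0 + 600),
        "new_entry_next_day": policy.check("0xcaller-safe-wallet", t0 + COOLDOWN_SECONDS),
    }


if __name__ == "__main__":
    for name, (decision, wait) in scripted_scam_timeline().items():
        print(f"{name}: {decision} (wait {wait}s)")
```

The value of the control is entirely in the delay: the whitelist keeps the user's established destinations working immediately, while the caller's "safe wallet" is held for a day, which is long enough for the urgency to wear off and for a notification through the platform's single official channel to reach the user.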

Summary

This incident once again exposes the industry's obvious shortcomings in protecting customer data and assets against increasingly sophisticated social engineering. Notably, even when the positions involved have no access to funds, a lack of security awareness and capability can still cause serious harm through unintentional leaks or coercion. As platforms grow, personnel security management becomes more complex and is now one of the industry's hardest risks to manage. Therefore, alongside stronger on-chain security mechanisms, platforms must systematically build a "social engineering defense system" that covers internal staff and outsourced services, treating human risk as part of the overall security strategy.

Furthermore, once an attack turns out not to be an isolated incident but an organized, large-scale and ongoing threat, the platform should respond immediately: proactively identify potential weaknesses, warn users to take precautions, and contain the damage. Only a combined response at the technical and organizational levels can truly safeguard trust and bottom lines in an increasingly complex security environment.

Comments

MemeEchoervip · 07-22 17:43: The insider is really appealing, this wave is Rekt!

MoneyBurnervip · 07-22 10:46: Suckers are played for suckers twice, and they still don't wake up.

UnluckyValidatorvip · 07-20 05:10: The insider is doing alright! I've lost a small amount three times already.

LightningPacketLossvip · 07-20 05:06: It is right for Satoshi Nakamoto to hide.

MentalWealthHarvestervip · 07-20 05:02: One day without playing people for suckers is hard to bear.