Social engineering attacks have become a significant threat to encryption asset security.

In recent years, social engineering attacks targeting encryption asset users have become increasingly rampant, becoming one of the main means of threatening users' asset security. Since 2025, social engineering fraud incidents targeting users of a well-known trading platform have occurred frequently, attracting widespread attention in the industry. From community discussions, it appears that such incidents are not isolated cases, but rather a new type of scam characterized by persistence and organization.

On May 15, the trading platform issued an announcement confirming previous speculation about the existence of an "insider" within the platform. It is reported that the U.S. Department of Justice has launched an investigation into the data breach incident.

This article will reveal the main methods used by scammers by organizing information provided by multiple security researchers and victims, and will explore countermeasures from both the platform and user perspectives.

Historical Analysis

"In just the past week, over $45 million has been stolen from users of a certain platform due to social engineering fraud," on-chain detective Zach wrote in a social media update on May 7.

Over the past year, Zach has repeatedly disclosed incidents of theft faced by users of the platform, with individual victims losing as much as tens of millions of dollars. His detailed investigation published in February 2025 shows that from December 2024 to January 2025 alone, the monetary losses caused by such scams have exceeded 65 million dollars. The platform is facing a serious "social engineering scam" crisis, with attacks continuing to infringe upon asset security at an annual scale of 300 million dollars. Zach also pointed out:

• The groups that lead this type of scam are mainly divided into two categories: one is low-level attackers from specific circles, and the other is cybercrime organizations located in India;
• Fraud gangs target American users as their main attack objective, with standardized methods and mature scripts.
• The actual loss amount may be much higher than the on-chain visible statistics, as it does not include unreported information such as customer service tickets and police reports that cannot be obtained.

Fraud Techniques

In this incident, the platform's technical system was not breached; instead, the fraudsters exploited the privileges of internal employees to obtain some sensitive information of users. This information includes: names, addresses, contact information, account data, ID card photos, etc. The ultimate goal of the fraudsters was to use social engineering techniques to guide users to transfer funds.

This type of attack changes the traditional "scattergun" phishing methods to a "precision strike," which can be described as a "tailor-made" social engineering scam. A typical modus operandi is as follows:

1. Contact users as "official customer service"

Scammers use a forged phone system (PBX) to impersonate platform customer service, calling users to say their "account has encountered illegal login" or "withdrawal anomalies detected," creating a sense of urgency. They then send realistic phishing emails or text messages containing fake ticket numbers or "recovery process" links to guide users into action. These links may lead to cloned platform interfaces and can even send emails that appear to come from official domains, with some emails using redirection technology to bypass security protections.

2. Guide users to download a self-custody wallet

Fraudsters use "asset security" as a reason to guide users to transfer funds to a "secure wallet", assist users in installing a self-custody wallet, and instruct them to transfer the assets originally held on the platform to the newly created wallet.

3. Induce users to use the mnemonic phrases provided by the scammers.

Unlike traditional "phishing for mnemonic phrases", scammers directly provide a set of mnemonics they generated themselves, luring users to use them as the "official new wallet".

4. The scammer carried out fund theft.

Under the state of tension, anxiety, and trust in the "customer service", victims are easily trapped. In their view, the "new wallet provided by the official" is naturally safer than the "old wallet suspected of being hacked". The result is that once the funds are transferred to this new wallet, the scammers can immediately withdraw them. This once again brutally validates the concept of "Not your keys, not your coins".

In addition, some phishing emails claim that "due to the ruling of a class action lawsuit, the platform will fully migrate to self-custody wallets," and require users to complete asset migration within a short period. Under the pressure of time and the psychological suggestion of an "official directive," users are more likely to comply with the operation.

According to security researchers, these attacks are often organized and systematically planned and implemented:

• Fraud toolchain improvement: Scammers use PBX systems to spoof caller ID and simulate official customer service calls. When sending phishing emails, they use bots on social media to impersonate official email accounts, attaching "Account Recovery Guide" to prompt transfers.
• Targeted Precision: Scammers rely on stolen user data purchased from social media channels and the dark web to lock in specific regional users as primary targets. They may even use AI to process the stolen data, segmenting and reorganizing phone numbers, generating TXT files in bulk, and then sending SMS scams through brute force software.
• The deception process is coherent: from phone calls, text messages to emails, the fraud path is usually seamless. Common phishing phrases include "Withdrawal request received for the account", "Password has been reset", "Abnormal login detected for the account", etc., continuously inducing victims to perform "security verification" until the wallet transfer is completed.

On-chain fund flow analysis

Through the on-chain anti-money laundering and tracking system, analysis of certain scammer addresses revealed that these scammers possess strong on-chain operational capabilities. Here are some key pieces of information:

The attackers' targets include various assets held by platform users, with the active time of these addresses concentrated between December 2024 and May 2025. The main target assets are BTC and ETH. BTC is currently the primary target for scams, with multiple addresses profiting hundreds of BTC at once, with a single transaction valued at several million dollars.

After obtaining the funds, the scammers quickly use a set of laundering processes to exchange and transfer the assets, with the main patterns as follows:

• ETH-based assets are often quickly exchanged for DAI or USDT through a certain DEX, then dispersed and transferred to multiple new addresses, with some assets entering centralized trading platforms;

• BTC mainly crosses to Ethereum through cross-chain bridges, and then is exchanged for DAI or USDT to avoid tracking risks.

Multiple scam addresses remain in a "dormant" state after receiving DAI or USDT, and have not been transferred out.

To avoid interactions between your address and suspicious addresses, which may lead to the risk of asset freezing, it is recommended that users conduct risk assessments on target addresses using on-chain anti-money laundering and tracking systems before trading, to effectively mitigate potential threats.

Countermeasures

platform

Current mainstream security measures are more about "technical layer" protection, while social engineering scams often bypass these mechanisms and directly target users' psychological and behavioral vulnerabilities. Therefore, it is recommended that platforms integrate user education, security training, and usability design to establish a "human-centered" security defense.

• Regularly push anti-fraud education content: Enhance users' phishing prevention capabilities through app pop-ups, transaction confirmation interfaces, emails, and other means;
• Optimize risk control models by introducing "interactive anomaly behavior recognition": Most social engineering scams will induce users to complete a series of operations (such as transfers, whitelist changes, device binding, etc.) in a short period of time. The platform should identify suspicious interaction combinations (such as "frequent interactions + new address + large withdrawal") based on behavior chain models, triggering a cooling-off period or manual review mechanism.
• Standardize customer service channels and verification mechanisms: Scammers often impersonate customer service representatives to confuse users. The platform should unify phone, SMS, and email templates, and provide a "customer service verification entrance" to clarify the only official communication channel and avoid confusion.

user

• Implement identity isolation policies: Avoid sharing the same email address and phone number across multiple platforms to reduce associated risks. You can use leak query tools to regularly check if your email has been compromised.

• Enable transfer whitelist and withdrawal cooling mechanism: preset trusted addresses to reduce the risk of fund loss in emergencies.

• Stay informed about security news: Keep abreast of the latest attack methods through channels such as security companies, media, and trading platforms, and remain vigilant. Currently, several security companies are developing a Web3 phishing simulation platform that will simulate various typical phishing techniques, including social engineering poisoning, signature phishing, and malicious contract interactions, and continuously update scenario content in conjunction with real cases. This enables users to enhance their recognition and response capabilities in a risk-free environment.

• Pay attention to offline risks and privacy protection: Personal information leakage may also lead to personal safety issues.

This is not an unnecessary worry; since the beginning of this year, encryption practitioners/users have encountered multiple incidents threatening personal safety. Given that the leaked data includes names, addresses, contact information, account data, and ID photos, relevant users should also be vigilant offline and pay attention to safety.

In summary, maintain skepticism and continue to verify. For any urgent operations, be sure to ask the other party to prove their identity, and independently verify through official channels to avoid making irreversible decisions under pressure.

Summary

This incident once again exposes the obvious shortcomings in customer data and asset protection in the industry when faced with increasingly sophisticated social engineering attack methods. It is worth noting that even if the relevant positions on the platform do not have financial authority, a lack of sufficient security awareness and capability could lead to serious consequences due to unintentional leaks or being subverted. As the scale of the platform continues to expand, the complexity of personnel security management has also increased, becoming one of the hardest risks to tackle in the industry. Therefore, while strengthening on-chain security mechanisms, the platform must also systematically build a "social engineering defense system" covering internal personnel and outsourced services, incorporating human risks into the overall security strategy.

In addition, once it is discovered that the attack is not an isolated incident, but rather an organized and large-scale persistent threat, the platform should respond immediately, actively check for potential vulnerabilities, alert users to take precautions, and control the extent of the damage. Only by addressing both the technical and organizational levels can trust and bottom lines be truly maintained in an increasingly complex security environment.