Illusions and Traps: Social Engineering and Human Nature Games in the Crypto World

Foresight News
2025-03-14 12:39:16
Humans are the weakest link in the security system.

Author: ChandlerZ, Foresight News

Security is like a chain: it is only as strong as its weakest link, and in any cryptographic system that link is the people. While the market is still obsessed with building ever more complex cryptographic protection mechanisms, attackers have long since found a shortcut: instead of breaking the cryptography, they manipulate the people who hold the keys.

People are the weakest link and also the least valued one. In other words, people are the easiest vulnerability for attackers to exploit, while also being the area where companies invest the least and improve the slowest.

According to the latest report from blockchain analysis firm Chainalysis, North Korean hackers carried out 47 incidents in 2024 and stole about $1.34 billion from crypto asset platforms; across all hacks, roughly $2.2 billion was stolen that year, a year-on-year increase of about 21%. Even more striking, on February 21, 2025, the Bybit exchange was hacked for approximately $1.5 billion in crypto assets, the largest single theft in crypto history.

Many of the largest past incidents were not achieved through traditional technical vulnerabilities at all. Although exchanges and project teams invest heavily in technical defenses every year, many participants still underestimate the threat posed by social engineering in this seemingly math- and code-driven world.

The Nature and Evolution of Social Engineering

In the field of information security, social engineering has always been a unique and dangerous attack method. Unlike intrusions through technical vulnerabilities or flaws in cryptographic algorithms, social engineering primarily exploits human psychological weaknesses and behavioral habits to deceive and manipulate victims. It does not require a high technical threshold but can often cause extremely severe losses.

The advent of the digital age has provided new tools and stages for social engineering. This evolution is particularly evident in the crypto space. The early crypto asset community was mainly composed of tech enthusiasts and cypherpunks, who generally possessed vigilance and a certain level of technical literacy. However, as crypto assets became more widespread, an increasing number of new users who are not well-versed in the relevant technologies entered the market, creating fertile ground for social engineering attacks.

At the same time, the pseudonymous and irreversible nature of transactions makes crypto assets an ideal target for attackers to cash out. Once funds have been transferred to a wallet they control, recovery is nearly impossible.

The ease with which social engineering succeeds in the crypto space largely stems from the cognitive biases in human decision-making. Confirmation bias leads investors to focus only on information that matches their expectations, herd mentality can easily inflate market bubbles, loss aversion pushes people into irrational choices when facing losses, and FOMO (fear of missing out) pushes them into opportunities they have not examined. Attackers skillfully weaponize these weaknesses.

Compared with attempting to break a cryptographic algorithm, a social engineering attack is cheaper to launch and more likely to succeed. A carefully forged phishing email, or a seemingly legitimate job offer with a trap inside, is often more effective than confronting the technical defenses head-on.

Common Social Engineering Techniques

Although there are many types of social engineering attack methods, the core logic still revolves around "gaining the target's trust and information." Here are a few common techniques briefly explained:

Phishing

Email/SMS Phishing: Using links disguised as exchanges, wallet service providers, or other trusted institutions to lure users into entering sensitive information such as seed phrases, private keys, or account passwords.

Impersonating Social Media Accounts: For example, impersonating "official customer service," "well-known KOLs," or "project teams" on platforms like Twitter, Telegram, or Discord, posting messages with fake links or false activity information to trick users into clicking and entering keys or sending cryptocurrency.

Browser Extensions or Fake Websites: Creating counterfeit websites that closely resemble real exchange or wallet sites, or inducing users to install malicious browser extensions. Once a user types a seed phrase into such a page, or signs a wallet "authorization" (token approval) it requests, the keys or the tokens they control are lost.

Fake Customer Service / Impersonating Technical Support

Common in Telegram or Discord groups, where someone impersonates an "administrator" or "technical support" to help resolve issues like failed deposits, withdrawal failures, or wallet synchronization errors, guiding users to hand over their private keys or transfer coins to specified addresses.

They may also approach victims through private messages or small groups, claiming they can "help recover lost coins," which in practice means extracting further payments or obtaining the victim's keys.

SIM Card Swap

Attackers bribe or deceive a telecom operator's customer service into porting the victim's phone number to a SIM they control. Once the number is hijacked, any account protected by SMS verification codes or SMS-based two-factor authentication (2FA) can be reset or logged into, including exchange, wallet, and social accounts, and the crypto assets drained. The practical caveat is that SMS is the weakest 2FA factor: an authenticator app or a hardware security key is not affected by a SIM swap, and a carrier-side port-out PIN raises the cost of the swap itself.

SIM swap incidents are most common in the U.S. but have occurred in many countries.

Social Engineering Combined with Malicious Recruitment / Head Hunting

Attackers pose as recruiters, sending "job invitations" with malicious files or links to the target's email or social media accounts, tricking the target into downloading and executing malware.

If the target is an internal employee or core developer of a crypto company, or a "heavy user" holding a large amount of coins, it could lead to severe consequences like infrastructure breaches or key theft.

The 2022 Axie Infinity Ronin Bridge incident, as reported by The Block, was tied to a fake job offer. Insiders said the attackers contacted an employee of Axie Infinity developer Sky Mavis via LinkedIn and, after several rounds of interviews, told them they had been hired at a high salary. The employee then opened a forged offer letter delivered as a PDF, which planted the attackers' malware inside Sky Mavis's systems. From there the attackers took control of four of the nine Ronin validators, one short of the five signatures needed to approve a withdrawal, and obtained the fifth from the Axie DAO validator through an allowlist permission that had been granted to Sky Mavis in late 2021 and never revoked.

Fake Airdrops / Fake Giveaway Activities

Fake "official" activities appearing on platforms like Twitter and Telegram, such as "just transfer x coins to a certain address, and you will get double back," are actually scams.

Attackers often use "whitelist airdrops" or "testnet airdrops" to lure users into clicking unknown links or connecting to phishing wallet sites, tricking them into revealing keys or authorizing theft.

In 2020, the Twitter accounts of several prominent American political and business figures, including Obama, Biden, Buffett, and Bill Gates, were hijacked. The attackers did not break the accounts' passwords; they phoned Twitter employees, posed as internal IT staff, and obtained access to the company's internal account-management tools. They then posted "send crypto and get double back" messages from the hijacked accounts, directing users to pay into addresses they controlled. "Double your coins" scams impersonating Musk have continued to appear on YouTube in recent years.
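The "authorization" that fake-airdrop and phishing wallet sites ask for is almost always an ERC-20 `approve` with an unlimited amount, or an ERC-721/1155 `setApprovalForAll`, signed to a contract the attacker controls. The following is an added example, not code from the article or from any wallet vendor, that decodes the calldata a wallet shows in its confirmation prompt and rates the request. The function selectors are the standard ones for those two ABI signatures; the "trusted spender" allowlist, the sample addresses, and the threshold used to call an allowance "unlimited" are constructed assumptions for the demo.

```python
# Added example: decode ERC-20 approve / ERC-721 setApprovalForAll calldata
# and flag the approvals that drainer sites typically request.

SELECTORS = {
    "095ea7b3": "approve(address,uint256)",        # keccak256 selector, standard ERC-20
    "a22cb465": "setApprovalForAll(address,bool)",  # standard ERC-721 / ERC-1155
}
# Assumed allowlist of contracts the user has knowingly approved (hypothetical address).
TRUSTED_SPENDERS = {"0x1111111111111111111111111111111111111111"}
# Heuristic: any allowance this large is effectively infinite (2**256-1 is the usual value).
UNLIMITED_THRESHOLD = 1 << 128


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * index
    return data[start:start + 32]


def decode_approval(calldata_hex: str, trusted=TRUSTED_SPENDERS) -> dict:
    """Classify a transaction's calldata; returns a dict with a 'risk' of low/medium/high."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    if len(data) < 4:
        return {"kind": "unknown", "risk": "low", "reason": "calldata too short"}
    selector = data[:4].hex()
    name = SELECTORS.get(selector)
    if name is None:
        return {"kind": "other", "selector": "0x" + selector, "risk": "low",
                "reason": "not an approval call"}
    if len(data) != 4 + 64:  # both signatures take exactly two 32-byte words
        return {"kind": name, "risk": "high", "reason": "malformed arguments"}
    spender = "0x" + _word(data, 0)[12:].hex()  # address is the low 20 bytes of the word
    known = spender in {t.lower() for t in trusted}

    if name.startswith("approve("):
        amount = int.from_bytes(_word(data, 1), "big")
        unlimited = amount >= UNLIMITED_THRESHOLD
        if unlimited and not known:
            risk, reason = "high", "unlimited ERC-20 allowance to an unknown spender"
        elif unlimited:
            risk, reason = "medium", "unlimited allowance, even though the spender is trusted"
        elif not known:
            risk, reason = "medium", "bounded allowance to an unknown spender"
        else:
            risk, reason = "low", "bounded allowance to a trusted spender"
        return {"kind": name, "spender": spender, "amount": amount,
                "unlimited": unlimited, "risk": risk, "reason": reason}

    approved = int.from_bytes(_word(data, 1), "big") == 1
    if approved and not known:
        risk, reason = "high", "hands every NFT in the collection to an unknown operator"
    elif approved:
        risk, reason = "medium", "hands every NFT in the collection to a trusted operator"
    else:
        risk, reason = "low", "revokes operator approval"
    return {"kind": name, "operator": spender, "approved": approved,
            "risk": risk, "reason": reason}


# Helpers to build sample calldata the way a dApp front end would (constructed inputs).
def encode_approve(spender: str, amount: int) -> str:
    return "0x095ea7b3" + spender[2:].lower().rjust(64, "0") + format(amount, "064x")


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    return "0xa22cb465" + operator[2:].lower().rjust(64, "0") + format(int(approved), "064x")


if __name__ == "__main__":
    drainer = "0x" + "de" * 20          # hypothetical attacker contract
    for tx in (encode_approve(drainer, (1 << 256) - 1),
               encode_approve("0x" + "11" * 20, 10 ** 18),
               encode_set_approval_for_all(drainer, True)):
        print(decode_approval(tx))
```

Before approving anything a "claim airdrop" page asks for, compare the decoded spender with the contract you actually intend to use; a wallet that only shows "Approve USDT" hides exactly the two fields this decoder exposes.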

Insider Penetration / Ex-Employee Cases

Some former employees of cryptocurrency companies or project teams, or current employees bribed by attackers, use their familiarity with internal systems and operational processes to steal user databases, private keys, or execute unauthorized transactions.

In such scenarios, technical vulnerabilities and social engineering are more closely intertwined, often resulting in significant losses.

Implanted "Backdoors" or Already Tampered Fake Hardware Wallets

Attackers sell hardware wallets on eBay, Xianyu, Telegram groups, and other e-commerce or second-hand platforms at below-market prices or with "authenticity guarantees," when in fact the device's chip or firmware has been replaced. Other buyers unknowingly receive refurbished or second-hand devices whose seed phrase was generated, and kept, by the seller; once the buyer deposits funds, the attacker can sweep them at any time with that same seed. The practical check is to buy only from the manufacturer or an authorized reseller, let the device generate a fresh seed during setup, and never accept a device that arrives with its seed already "initialized" or printed on a card.

Additionally, after customer-data breaches some users have received unsolicited "free replacement" or "security upgrade" devices in packaging that imitates the manufacturer (Ledger customers were targeted this way), complete with pre-filled recovery-phrase cards and instructions. Anyone who uses the pre-set phrase, or migrates their original phrase onto the fake device, hands the attacker full control of the wallet.

The above examples are just the tip of the iceberg; the diversity and flexibility of social engineering make its destructive power particularly significant in the cryptocurrency field. For the vast majority of ordinary users, these attacks are often difficult to defend against.

Greed and Fear

Greed is always the easiest weakness to manipulate. During periods of market frenzy, people pile into suddenly popular projects out of herd instinct. Fear and uncertainty are equally common entry points. During sharp price swings or a project crisis, scammers send "urgent notices" claiming the project is in extreme danger and urging users to move their funds immediately to a so-called safe address. Newcomers afraid of losses struggle to think clearly and are easily swept up in the panic.

Moreover, FOMO is pervasive in the crypto ecosystem. The fear of missing the next bull market or the next Bitcoin drives people to rush into investments and projects without the basic ability to judge risk or authenticity. A social engineer only has to create the sense that the opportunity is fleeting and will never come again to hook a share of investors.

Risk Identification and Prevention

The difficulty in preventing social engineering lies in its targeting of human cognitive blind spots and psychological weaknesses. As investors, one should pay attention to the following key points:

Enhance Security Awareness

Never disclose private keys or seed phrases. Under no circumstances should you trust anyone enough to reveal your private keys, seed phrase, or sensitive identity information. Genuine project teams and hardware wallet vendors never ask for this in a private chat, and a legitimate support process never needs it.

Be wary of "unreasonable profit promises." Any activity claiming "zero risk high returns" or "multiple returns of principal" is likely a scam.

Verify Links and Sources

Verify URLs through bookmarks, browser plugins, or official channels. For exchanges, wallets, and decentralized applications (DApps), confirm every time that the registrable domain is exactly the one you expect, not a lookalike, a subdomain of something else, or a punycode (xn--) homograph.

Do not click unknown links. If someone offers "airdrop rewards" or "official compensation," verify it first through the project's official social media or website rather than through the link you were sent.
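The domain check described above can be made mechanical. The following is an added example, not from the article, of a small URL verifier that a user or a support desk could run over a suspicious link: it extracts the real host, reduces it to its registrable domain, and flags the common phishing tricks (a trusted brand name buried in a longer hostname, a `user@` prefix that hides the real host, punycode or non-ASCII labels, and near-miss spellings). The allowlist of known-good domains is a constructed assumption; the "last two labels" rule for the registrable domain is a deliberate simplification that ignores the public suffix list, so multi-part suffixes such as `.co.uk` would need the real list.

```python
# Added example: flag lookalike, subdomain and homograph phishing URLs
# against a small allowlist. Standard library only.
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed allowlist: the services this user actually uses.
KNOWN_GOOD = {"binance.com", "coinbase.com", "metamask.io", "ledger.com"}
LOOKALIKE_RATIO = 0.8  # similarity above which a domain counts as a near-miss spelling


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels. Demo simplification, no public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_url(url: str, known_good=KNOWN_GOOD) -> dict:
    """Return the real host, its registrable domain, a verdict and the findings behind it."""
    if "://" not in url:
        url = "https://" + url  # bare "binance.com/login" pasted from a chat
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lowercased
    findings = []

    if parts.scheme != "https":
        findings.append("scheme is not https")
    if parts.username is not None:
        # "https://binance.com@evil.example/" -> the browser connects to evil.example
        findings.append(f"'{parts.username}@' is userinfo; the real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host (possible IDN homograph)")
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII characters in host (possible homograph)")

    base = registrable(host)
    if base not in known_good:
        for good in sorted(known_good):
            if good in host:
                findings.append(f"host contains '{good}' but the registrable domain is '{base}'")
            elif SequenceMatcher(None, base, good).ratio() >= LOOKALIKE_RATIO:
                findings.append(f"'{base}' is a near-miss spelling of '{good}'")

    if base in known_good:
        verdict = "ok" if not findings else "warn"
    elif findings:
        verdict = "reject"
    else:
        verdict = "unknown"  # not a known brand and nothing suspicious: verify out of band
    return {"host": host, "registrable": base, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links of the kinds seen in airdrop and "support" messages.
    for link in ("https://www.binance.com/en/login",
                 "https://binance.com.login-verify.xyz/claim",
                 "https://binance.com@evil.example/",
                 "https://blnance.com/",
                 "https://xn--80ak6aa92e.com/",
                 "https://example.org/"):
        print(check_url(link))
```

The most useful single line is the registrable domain: a message that reads "binance.com" anywhere in the link but resolves to `login-verify.xyz` is rejected regardless of how convincing the page looks.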

Focus on Community and Social Media Verification

Check official accounts' verification marks, follower counts, and interaction history, bearing in mind that a verification badge can be bought and that follower counts can be faked, so neither is proof on its own. Avoid joining unknown private chat groups or clicking unknown links posted inside groups.

Maintain a skeptical attitude towards "free lunch" information. Look, ask, and verify with experienced investors or official channels.

Establish a Healthy Investment Mindset

Rationally view market fluctuations and avoid being swept up by the emotions of short-term volatility.

Always be prepared for the worst-case scenario, and do not overlook potential risks due to "fear of missing out."

The Eternal Importance of Human Factors

Human nature is the foundation upon which social engineering repeatedly succeeds. Attackers design various scams targeting traits such as herd mentality, greed, fear, insecurity, and FOMO (fear of missing out).

As blockchain and crypto technology iterates and business models expand, social engineering techniques will evolve with them. Maturing deepfake technology may pose a greater threat in the near future: attackers could convincingly impersonate project leaders with synthesized video and audio and interact with victims in real time. Multi-channel social engineering will also escalate, with attackers lurking across several social platforms for extended periods, gathering information, and then striking through carefully designed emotional manipulation.

The persistent existence of social engineering reminds us that no matter how advanced technology becomes, human factors remain a core component of the system. Completely eliminating the influence of social engineering may be unrealistic; only by focusing on both code and people can we help build more resilient systems.
