Social engineering attacks are the dominant threat vector against crypto firms. Not smart contract bugs. Not network intrusions. People. The largest single theft in crypto history, the February 2025 Bybit heist, was not the product of a blockchain vulnerability or a protocol flaw. It succeeded because human operators were deceived into approving transactions they believed were legitimate. The $1.5 billion that left Bybit's cold wallet was authorised by its own staff.
This is the defining security problem of the Web3 industry and, as an industry, it is largely unaddressed. Firms invest heavily in smart contract audits and almost nothing in the people and processes that sit above the code. This guide sets out the full picture: why crypto firms are the highest-value social engineering targets on earth, how nation-state actors operate, what the attack types look like in practice, and how to build a genuinely resilient human-layer defence.
1. Why Crypto Firms Are Prime Social Engineering Targets
Crypto firms sit at the intersection of several properties that make social engineering attacks uniquely rewarding for adversaries.
Transactions are irreversible. A successful manipulation of a single approver in a multisignature workflow can move hundreds of millions of dollars to an address with no recourse. There is no fraud department, no chargeback mechanism, no central authority that can freeze or reverse the transfer. The attacker needs to succeed only once.
High value is concentrated in small teams. Unlike a bank, where thousands of staff collectively manage client funds, a crypto exchange may have three to five individuals with the keys or signing authority to move its entire treasury. The attack surface is narrow and the reward per successful compromise is enormous. A single deceived operator can expose the full balance of a cold wallet.
Pseudonymity removes verification anchors. In traditional finance, a counterparty calling to request a fund transfer can be checked against a registered legal entity, a regulatory register, or a verified institutional contact. In Web3, communications routinely happen via Telegram, Discord, or anonymous wallet addresses. There is no reliable out-of-band way to confirm that the person you are corresponding with is who they claim to be.
Speed culture creates pressure to bypass verification. The crypto industry moves fast. Founders pride themselves on execution velocity. This creates an environment where pausing a transaction to verify a counterparty feels like a competitive disadvantage. Attackers exploit this culture deliberately, adding time pressure to their manipulations: "The arbitrage window closes in 90 seconds", "The investor call is about to start, please sign now."
Remote-first operations expand the attack surface. Most crypto firms operate distributed, remote teams spread across multiple jurisdictions. Employees routinely communicate entirely via digital channels, never meeting colleagues or counterparties in person. This means there is no physical baseline to compare against, and AI-generated voice or video impersonation is more likely to succeed.
2. The Lazarus Group Social Engineering Playbook
The most sophisticated and consistently damaging social engineering programme targeting the crypto industry is operated by Lazarus Group, specifically the TraderTraitor subgroup, assessed by the FBI and multiple allied intelligence agencies to be a North Korean state-sponsored unit. Understanding their methodology is not an academic exercise. It is a threat-modelling requirement for any firm holding significant digital assets.
TraderTraitor has been linked to some of the largest crypto thefts ever recorded: the $308 million DMM Bitcoin exchange heist in May 2024, attributed jointly by the FBI and Japan's National Police Agency, and the $1.5 billion Bybit theft in February 2025. In the latter, North Korean TraderTraitor actors used social engineering to compromise a developer at Safe{Wallet}, the third-party wallet interface used by Bybit, and inject malicious JavaScript into its frontend to redirect transaction signing requests.
"As recently as September 2024, the United States government observed aggressive targeting of the cryptocurrency industry by the DPRK with well-disguised social engineering attacks that ultimately deploy malware." U.S. Department of State joint statement, January 2025
The TraderTraitor methodology, referred to by researchers as Operation Dream Job, follows a consistent pattern.
Phase 1: Target identification and persona construction. The group identifies developers, security researchers, finance staff, and exchange personnel with access to wallet infrastructure. Targets are typically found via LinkedIn, GitHub contribution histories, and conference speaker lists. A convincing recruiter persona is constructed, often using AI-augmented stock photography and fabricated employment histories at credible firms.
Phase 2: Trust building. The initial contact is low-pressure and professionally framed. A message offering a well-paid role at a named crypto firm, a consulting opportunity, or an investment discussion. No malware, no link, no urgency. The attacker invests days or weeks building rapport, exchanging messages, scheduling calls, and establishing credibility.
Phase 3: Malware delivery. Once trust is established, the target is invited to complete a coding challenge, review a PDF document, or download a repository from GitHub. These files contain backdoors that, once executed, give the attacker persistent access to the developer's workstation. From there, Lazarus pivots to internal systems, identifies wallet infrastructure, and eventually manipulates transaction flows.
Phase 4: Execution and obfuscation. In the Bybit case, the compromise of a Safe{Wallet} developer's macOS workstation via a malicious Python application delivered through Telegram allowed the attackers to modify statically hosted frontend JavaScript. This payload detected Bybit transactions in real time and redirected funds to the attacker's wallet while displaying a legitimate-looking interface to the signers. The technical sophistication of the final step relied entirely on the initial social engineering success.
Read our detailed breakdown of the Lazarus Group's tradecraft and how it applies to Web3 operational security in Lazarus Group Crypto OpSec: How Nation-State Attackers Target Web3 Teams, and the specific mechanics of the Bybit attack in Inside the Bybit Hack: Lazarus Group's Largest Crypto Heist.
3. Attack Types: Spear Phishing, Vishing, SIM Swapping and Fake Job Applicants
Beyond nation-state actors, the crypto industry faces a broad spectrum of social engineering attack types. Each exploits a different communication channel or organisational process.
Spear Phishing
Spear phishing is targeted email-based deception, distinguished from mass phishing by the level of personalisation. An attacker researching a target's LinkedIn profile, public GitHub commits, and conference talks can construct a message that references their real employer, colleagues, recent projects, and professional interests. The message may impersonate a known auditor, a legal counterparty, an institutional investor, or an industry contact the target has met.
In the Web3 context, spear phishing often manifests as fake MetaMask security alerts, spoofed Gnosis Safe interface notifications, fabricated airdrop claim pages, and imitation communications from regulated custodians or compliance partners. The payload is typically either credential theft, via a convincing login page, or malware delivery through a document or link.
Vishing: Voice and Video Impersonation
Vishing, or voice phishing, has evolved significantly with the availability of AI voice cloning and deepfake video. Organised criminal networks now operate purpose-built vishing programmes targeting crypto executives, with experienced callers reportedly earning up to $20,000 per month, according to a 2025 GK8 analysis reviewed by Decrypt. These operations use detailed datasets about their targets, professional VoIP infrastructure, and curated pretexts designed to create urgency around transaction approval or credential disclosure.
The threat extends beyond external callers. Deepfake video is increasingly used to impersonate counterparties or executives on calls, bypassing the additional verification that video was once assumed to provide. Binance's chief security officer noted in 2025 that attackers were using deepfake video during job interview calls in attempts to infiltrate the firm.
SIM Swapping
SIM swapping targets the mobile carrier authentication process. An attacker, often using data obtained from prior breaches or purchased on dark web markets, contacts the target's mobile carrier posing as the account holder. If the carrier's authentication process is weak, typically requiring only date of birth, address, or a partial account number, the attacker persuades the carrier to transfer the phone number to an attacker-controlled SIM card.
Once the number is transferred, the victim's phone loses signal while the attacker receives all SMS messages, including two-factor authentication codes. This enables account takeover across email, exchange platforms, and any service relying on phone-based verification. The FBI investigated 1,075 SIM swap attacks in 2023 with losses approaching $50 million, and IDCARE reported a 240% surge in cases in 2024. For individuals with custody over crypto accounts, SIM swapping is a prerequisite attack that unlocks further access.
Discord and Telegram Impersonation
Crypto teams conduct significant operational communication through Discord and Telegram, creating rich impersonation opportunities. Attackers compromise or clone moderator accounts in project communities, then post urgent messages directing users to migrate tokens, claim airdrops, or sign into a new platform. Because the message appears to come from a trusted community figure, the social proof is strong and the time-pressure framing bypasses rational scrutiny.
The "try-my-game" attack vector, identified in 2024 and active through 2025, uses fake AI, gaming, or Web3 startup personas with professional websites, Notion whitepapers, and GitHub repositories to approach developers and community members. Targets are invited to test software in exchange for payment. The downloaded application deploys information-stealing malware targeting browser sessions, seed phrases, and crypto wallet files.
Fake Investor Outreach
Founders and business development staff face social engineering through fake investor approaches. Attackers impersonate venture capital firms, family offices, or institutional investors seeking to deploy capital. The pretext provides a plausible reason to request sensitive documents, share screen during a call where malware can be installed, or access a private demo environment. The reputational credibility of the impersonated firm makes the approach difficult to dismiss without a dedicated verification process.
For more context on how interception and manipulation attacks operate at the communication layer, see our guide on Man-in-the-Middle Attacks in Crypto: How They Work and How to Stop Them.
4. The HR Security Gap: From Hiring to Offboarding
The hiring process is an attack surface that most crypto firms have not adequately secured. North Korean operatives are systematically applying for roles at crypto exchanges and Web3 infrastructure firms. This is not a fringe concern. Amazon's Chief Security Officer disclosed in 2025 that the company had prevented more than 1,800 suspected North Korean operatives from being hired using fake or stolen identities, representing a 27% quarter-over-quarter increase.
KnowBe4's July 2024 case is the most documented public example. A software engineer candidate passed four video conference interviews, background checks, and reference verification before being hired. The individual was using a stolen US identity enhanced with AI-generated photographs. The deception was only uncovered when the company's security operations centre detected malware being loaded onto the shipped Mac workstation within 25 minutes of delivery. A Raspberry Pi was used to route the connection, and the operative was working overnight North Korean hours while appearing to work US business hours via VPN.
"This is a well-organised, state-sponsored, large criminal ring with extensive resources. The case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams." KnowBe4 CEO Stu Sjouwerman, July 2024
The threat extends across the employment lifecycle, not just hiring.
During employment: Contractors and remote staff with access to internal systems represent an ongoing exposure. Privileged access granted during onboarding is frequently not reviewed or revoked as roles change. Attackers who gain employment maintain long-dwell persistence, exfiltrating credentials and mapping infrastructure over months before acting. See our guide to Privileged Access Management for Crypto for the access control framework that limits this exposure.
At offboarding: Departing employees with unrevoked access to wallet infrastructure, key management systems, or internal communication channels represent an ongoing risk. Organisations that do not have a structured, verified offboarding checklist, confirmed by IT and security, are routinely exposed through stale credentials. This is a process failure, not a technical one.
Contractor and third-party risk: The Bybit hack was ultimately executed through a compromised third-party developer, not a Bybit employee. Supply chain social engineering, which targets the contractors, auditors, custody partners, and software vendors a firm relies on, entirely bypasses the security controls organisations apply to their own staff.
Key HR security controls for crypto firms:
- Require live, unobscured video in interviews and ask location-specific or context-specific questions that AI personas cannot plausibly answer
- Ship hardware only to the verified address on identity documents; delay system access until hardware delivery is confirmed and background checks are complete
- Cross-check candidate photographs against social media profiles, conference recordings, and professional networks independently
- Flag VoIP-only contact numbers, discrepancies between stated location and working hours, and inconsistencies across submitted documents
- Implement least-privilege access from day one and review access quarterly against current role scope
- Maintain a verified, sequenced offboarding checklist that revokes all access before or concurrent with termination
5. Security Awareness Training for Web3 Teams
Generic security awareness training, designed for corporate IT environments, does not address the specific attack patterns that crypto teams face. A training programme for a Web3 firm must cover the concrete threat scenarios staff will encounter.
What phishing looks like in Web3. Staff should be able to identify fake MetaMask prompts, wallet connect permission dialogs requesting excessive token approvals, spoofed Gnosis Safe interfaces, and fraudulent airdrop claim pages. The visual and interactive similarity between legitimate and malicious interfaces in Web3 is high. Training must include side-by-side comparisons and the specific indicators of compromise: URL discrepancies, unexpected permission scopes, unsolicited pop-ups during existing sessions.
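Two of the indicators named above, unexpected permission scopes and URL discrepancies, can be shown concretely rather than described. The following is an added example, not code from the original article: it decodes the calldata behind an ERC-20 approval prompt, compares the spender and allowance with what the dApp claims to need, and applies an exact-host origin check to the page requesting the signature. The two 4-byte selectors are the standard ones for approve(address,uint256) and transfer(address,uint256); every address, hostname and calldata value is constructed.

```python
"""Decode wallet approval prompts and flag the indicators staff are trained to spot.

Added example (not from the original article). The selectors are the standard
ERC-20 ones; all addresses, hostnames and calldata below are constructed.
"""
from urllib.parse import urlparse

MAX_UINT256 = 2**256 - 1
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
}


def decode_call(calldata_hex):
    """Split calldata into a selector and two 32-byte ABI words (address, uint256)."""
    data = calldata_hex.lower().removeprefix("0x")
    selector, args = data[:8], data[8:]
    fn = SELECTORS.get(selector)
    if fn is None or len(args) != 128:
        return {"function": None, "selector": selector}
    address = "0x" + args[:64][-40:]      # addresses are right-aligned in their word
    amount = int(args[64:128], 16)
    return {"function": fn, "address": address, "amount": amount}


def assess_approval(calldata_hex, expected_spender, expected_amount):
    """Compare what the wallet is about to sign with what the dApp says it needs."""
    call = decode_call(calldata_hex)
    if call["function"] != "approve(address,uint256)":
        return {"call": call, "findings": ["not an approve call"], "ok": False}
    findings = []
    if call["address"] != expected_spender.lower():
        findings.append("spender differs from the contract shown in the UI")
    if call["amount"] == MAX_UINT256:
        findings.append("unlimited allowance requested")
    elif call["amount"] > expected_amount:
        findings.append("allowance exceeds the amount the dApp needs")
    return {"call": call, "findings": findings, "ok": not findings}


def origin_check(url, allowed_hosts):
    """Exact-host match over HTTPS; lookalike and punycode hosts are reported."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        return False, "not https"
    if host in allowed_hosts:
        return True, "ok"
    if host.startswith("xn--") or ".xn--" in host:
        return False, f"punycode host {host}"
    for good in allowed_hosts:
        if good in host:
            return False, f"lookalike host {host} embeds {good}"
    return False, f"unknown host {host}"


# Constructed sample data.
SPENDER = "0x1111111111111111111111111111111111111111"
LEGIT_APPROVE = "0x095ea7b3" + "0" * 24 + "11" * 20 + "0" * 56 + "3b9aca00"   # 1e9 units
UNLIMITED_APPROVE = "0x095ea7b3" + "0" * 24 + "22" * 20 + "f" * 64            # 2**256-1
ALLOWED_HOSTS = {"wallet.example-exchange.com"}

if __name__ == "__main__":
    print(assess_approval(LEGIT_APPROVE, SPENDER, 1_000_000_000))
    print(assess_approval(UNLIMITED_APPROVE, SPENDER, 1_000_000_000))
    print(origin_check("https://wallet.example-exchange.com.verify-session.net/connect", ALLOWED_HOSTS))
```

The point for training material is the side-by-side: the two approval prompts render almost identically in a wallet, yet one grants a different contract an unlimited allowance. Showing the decoded fields next to the prompt is what turns "check the permission scope" from advice into a habit.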
Transaction verification discipline. Every member of a team with any role in transaction workflows should understand the principle that legitimate processes do not create urgency to bypass verification steps. This applies to multisig approvals, large transfers, smart contract interactions, and any instruction arriving through a single, unverified channel. The "never rush a transaction" principle must be institutionalised, not just communicated.
Social media and operational security. Publishing holdings, roles, or involvement in high-value protocols on social media creates targeting data for attackers. Staff should understand the risk of over-sharing and have clear guidance on what organisational information is not appropriate to make public.
Verification protocols for inbound outreach. Anyone receiving a job offer, investment approach, technical collaboration request, or urgent communication from an unknown party should have a defined procedure: no file execution without approval, no credential sharing, independent verification of the requesting organisation through channels not provided by the requester.
Simulation exercises. Awareness training without simulation is insufficient. Regular spear phishing simulations, tailored to the firm's actual threat profile, test whether training has changed behaviour. The most effective programmes run exercises that mirror the specific social engineering tactics the firm is likely to face, including fake recruiter approaches via LinkedIn and fabricated investor outreach.
A well-structured incident response capability is the necessary complement to awareness training. When a staff member does click a link or execute a suspicious file, the quality of the detection and response determines the outcome. See our guide on building an Incident Response Plan for Crypto.
6. Technical Controls That Support the Human Layer
Technical controls do not replace human judgement, but they significantly raise the cost of successful social engineering. The most effective controls in this context are those that prevent a single deceived individual from being sufficient to cause a catastrophic loss.
Hardware security keys for all privileged access. FIDO2 hardware keys, such as YubiKeys, render credential phishing ineffective for privileged accounts. Even if a staff member enters credentials into a convincing phishing page, the hardware key binds authentication to the legitimate origin domain, so the attacker cannot complete the login from a different site. Without the physical key, the phished credential is worthless. This is the single highest-impact control for eliminating password and OTP phishing.
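The origin binding that makes this control work is easier to trust once the checks are visible. The following is an added example, not code from the original article or from any FIDO2 library: it simulates the parts of the WebAuthn assertion ceremony that matter for phishing. The browser only lets a page request the RP ID its own origin is under, the authenticator only holds credentials for the RP ID it registered with, and the relying party checks the ceremony type, a fresh challenge, the origin and the RP ID hash before verifying the signature. The hostnames are constructed, and an HMAC stands in for the authenticator's asymmetric signature so the example runs on the standard library alone.

```python
"""Why an origin-bound hardware key defeats a cloned login page.

Added example (not from the original article). A simulation of the
FIDO2/WebAuthn assertion ceremony; hostnames are constructed and an HMAC
stands in for the authenticator's key pair.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "exchange-example.net"                            # constructed relying-party ID
ALLOWED_ORIGINS = {"https://login.exchange-example.net"}  # constructed login origin


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """A hardware key: one credential per RP ID, never reused across RP IDs."""

    def __init__(self):
        self.credentials = {}

    def register(self, rp_id):
        key = secrets.token_bytes(32)   # stand-in for generating a fresh key pair
        self.credentials[rp_id] = key
        return key                      # stand-in for the public key the RP stores

    def get_assertion(self, page_origin, requested_rp_id, challenge):
        host = urlparse(page_origin).hostname or ""
        # Browser rule: the RP ID must equal the page's host or be a suffix of it,
        # so a lookalike domain cannot ask the key for the real site's credential.
        if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
            return None
        key = self.credentials.get(requested_rp_id)
        if key is None:
            return None                 # no credential scoped to this RP ID
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
            sort_keys=True).encode()
        auth_data = rp_id_hash(requested_rp_id) + b"\x01"   # flags byte: user present
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return {"client_data": client_data, "auth_data": auth_data,
                "signature": hmac.new(key, to_sign, hashlib.sha256).digest()}


def rp_verify(assertion, expected_challenge, stored_key):
    """Relying-party checks, in the order the ceremony specifies them."""
    if assertion is None:
        return False, "no assertion produced"
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')} not allowed"
    if assertion["auth_data"][:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(stored_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login(authenticator, stored_key, page_origin):
    """One login attempt from a page at page_origin; the page asks for the real RP ID."""
    challenge = secrets.token_hex(16)
    assertion = authenticator.get_assertion(page_origin, RP_ID, challenge)
    return rp_verify(assertion, challenge, stored_key)


if __name__ == "__main__":
    key_fob = Authenticator()
    public = key_fob.register(RP_ID)
    print(login(key_fob, public, "https://login.exchange-example.net"))
    print(login(key_fob, public, "https://login.exchange-example.net.verify-session.example"))
    print(login(key_fob, public, "https://evil.exchange-example.net"))
```

Three outcomes are worth contrasting: the lookalike domain never gets an assertion at all, a rogue subdomain does get one but the relying party rejects the origin, and a captured assertion fails on the challenge check if replayed. None of these depend on the user noticing anything, which is the property a password or OTP cannot offer.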
Out-of-band verification for high-value transactions. Any transaction above a defined threshold should require verification through a channel entirely separate from the one in which the instruction was received. If an instruction arrives via Telegram, confirmation must occur via a separate, pre-registered voice call or an independent secure communication channel. This breaks the attack chain used in UI-manipulation and impersonation attacks.
Multi-signature approval with independent signing devices. Multi-signature wallet architectures require that multiple parties independently approve a transaction before it executes. The operative lesson from Bybit is that this control is only effective if each signer uses a genuinely independent device and connection, and independently verifies the transaction details rather than relying on a shared interface that may have been compromised.
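The two controls just described, out-of-band confirmation above a threshold and signers who verify the transaction independently of the shared interface, fit together in one approval rule. The following is an added example, not code from the original article or from Safe{Wallet}: each signer's device recomputes the transaction summary from the raw payload it fetched itself and compares it with what the shared signing UI displays, and transfers at or above a threshold additionally require a confirmation over a pre-registered channel different from the one the request arrived on. Addresses, values, channel names, the quorum and the threshold are constructed.

```python
"""Independent signer verification plus an out-of-band gate for large transfers.

Added example (not from the original article). All payloads, channel names
and thresholds below are constructed for illustration.
"""
import hashlib
import json

OOB_THRESHOLD = 1_000_000                                          # constructed
PRE_REGISTERED_CHANNELS = {"voice_callback", "signal_ops_group"}   # constructed
QUORUM = 2                                                         # constructed


def canonical_digest(payload):
    """Canonical JSON so every device derives the same digest from the same raw fields."""
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def ui_summary(payload):
    """What an honest signing interface would display for a payload."""
    return {"to": payload["to"], "value": payload["value"],
            "operation": payload["operation"], "digest": canonical_digest(payload)}


def signer_check(raw_payload, displayed):
    """A signer compares the independently fetched raw payload with the shared UI."""
    problems = []
    if raw_payload["to"].lower() != displayed["to"].lower():
        problems.append("destination differs from UI")
    if raw_payload["value"] != displayed["value"]:
        problems.append("value differs from UI")
    if raw_payload["operation"] != displayed["operation"]:
        problems.append(f"operation is {raw_payload['operation']}, UI shows {displayed['operation']}")
    if canonical_digest(raw_payload) != displayed["digest"]:
        problems.append("digest differs from UI")
    return problems


def decide(raw_payload, displayed, approving_signers, request_channel, oob):
    """Approve only if the UI matches the raw payload, quorum is met and, at or
    above the threshold, a valid out-of-band confirmation exists."""
    problems = signer_check(raw_payload, displayed)
    if problems:
        return {"decision": "reject", "reasons": problems}
    reasons = []
    approvals = len(set(approving_signers))
    if approvals < QUORUM:
        reasons.append(f"{approvals} approvals, quorum is {QUORUM}")
    if raw_payload["value"] >= OOB_THRESHOLD:
        if oob is None:
            reasons.append("out-of-band confirmation required above threshold")
        elif oob["channel"] == request_channel:
            reasons.append("confirmation arrived on the same channel as the request")
        elif oob["channel"] not in PRE_REGISTERED_CHANNELS:
            reasons.append("confirmation channel is not pre-registered")
        elif oob["digest"] != canonical_digest(raw_payload):
            reasons.append("confirmation refers to a different transaction")
    return {"decision": "reject" if reasons else "approve", "reasons": reasons}


# Constructed sample payloads. The tampered one keeps the value the UI shows but
# changes destination and operation, the shape of a UI-manipulation attack.
LEGIT_RAW = {"to": "0x" + "aa" * 20, "value": 5_000_000, "operation": "call", "nonce": 41}
TAMPERED_RAW = {"to": "0x" + "bb" * 20, "value": 5_000_000, "operation": "delegatecall", "nonce": 41}
GOOD_OOB = {"channel": "voice_callback", "digest": canonical_digest(LEGIT_RAW)}

if __name__ == "__main__":
    honest_ui = ui_summary(LEGIT_RAW)
    print(decide(LEGIT_RAW, honest_ui, ["alice", "bob"], "telegram", GOOD_OOB))
    # A compromised interface keeps showing the legitimate summary while the
    # payload actually being signed has changed.
    print(decide(TAMPERED_RAW, honest_ui, ["alice", "bob"], "telegram", GOOD_OOB))
```

The design choice that matters is where `raw_payload` comes from: if every signer reads it from the same frontend that produced `displayed`, the comparison is vacuous and the quorum approves whatever that frontend shows. Each signer's device must obtain the raw transaction from a source the shared interface cannot rewrite, which is the Bybit lesson restated as a data-flow requirement.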
Privileged Access Management. PAM solutions enforce least-privilege access, provide session recording for privileged operations, and require just-in-time approval workflows for high-risk actions. They also produce an audit trail that is essential for post-incident forensics. Implemented correctly, PAM means that a compromised operator's access is bounded, time-limited, and monitored.
Endpoint protection on all devices accessing critical systems. Developer workstations and operator machines are a primary attack surface. Endpoint detection and response (EDR) tools that monitor for anomalous process execution, suspicious outbound connections, and malware indicators provide a last line of defence when social engineering has succeeded in delivering a payload. The KnowBe4 incident was detected by precisely this mechanism: the SOC identified anomalous activity on the shipped workstation within minutes.
For the governance framework that brings these controls together within a regulatory compliance structure, see our analysis of DORA Compliance and what it requires of crypto and digital asset firms operating in or adjacent to European regulated markets.
7. Building a Security-Aware Culture
Controls and training are necessary but not sufficient. The most resilient firms against social engineering attacks are those where security-conscious behaviour is a cultural norm rather than a compliance obligation. This requires deliberate design.
Clear escalation paths without penalty. Staff who encounter a suspicious interaction, whether a message that feels off or a request that does not match the normal workflow, must have a clear, frictionless way to escalate without fear of appearing overcautious or of obstructing a business process. If the culture treats security escalations as interruptions, staff will resolve the doubt themselves, and the wrong way. The correct response to uncertainty is always escalation.
Named security ownership. Someone in the organisation must own security responsibility and be accessible to all staff. In firms without a CISO, this is typically a founder or technical director. The name and contact of the person to call when something looks wrong should be universally known.
"Never rush a transaction" as an organisational principle. This phrase should appear in onboarding documentation, transaction approval procedures, and security briefings. It should be reinforced by the example of leadership: when a founder or CFO models the behaviour of pausing to verify even a routine-seeming transfer, the principle becomes cultural rather than procedural.
Regular tabletop exercises. Scenario-based exercises, where leadership teams walk through a simulated social engineering incident, build the muscle memory for decision-making under pressure. Scenarios might include: a convincing fake investor calling to request an urgent token transfer before a window closes; a Telegram message from what appears to be a team member requesting seed phrase recovery; a fake legal notice demanding access to wallet infrastructure. The goal is not to embarrass participants but to surface the points at which normal verification procedures break down.
Security briefings tied to current threat intelligence. When Lazarus Group launches a new campaign, when a competitor is compromised via a novel vector, when a new fake recruiter persona is identified in the industry, the people in your organisation who are most likely to be targeted should know about it before it reaches them. Proactive threat briefings convert general awareness into specific, actionable recognition.
The firms that consistently avoid catastrophic social engineering losses are not those with the most complex technology stacks. They are those that treat operational security with the same rigour they apply to smart contract audits: systematic, documented, regularly tested, and treated as a first-order business risk rather than an IT concern.
Frequently Asked Questions
What makes crypto firms uniquely vulnerable to social engineering attacks?
Crypto firms combine irreversible transactions, pseudonymous communications, small key-holding teams, and a culture of moving fast with limited verification. Attackers can impersonate counterparties with no reliable way for staff to confirm identities out of band. A single approved transaction cannot be reversed, making every successful manipulation immediately profitable for the attacker.
How does the Lazarus Group use fake job offers to compromise crypto firms?
The TraderTraitor campaign uses fake recruiter personas on LinkedIn, Telegram, and Discord to approach developers and finance staff at crypto exchanges. Targets receive coding challenges or PDF attachments hosted on GitHub repositories. Opening these installs backdoors, giving Lazarus persistent access to internal systems from which they pivot toward wallet infrastructure and transaction signing flows.
What is SIM swapping and how does it affect crypto security?
SIM swapping involves persuading a mobile carrier to transfer a target's phone number to an attacker-controlled SIM card. Once successful, the attacker intercepts SMS-based two-factor authentication codes, enabling password resets and account takeovers for email, exchange, and wallet accounts. The FBI investigated 1,075 SIM swap attacks in 2023 with losses approaching $50 million.
How should crypto firms screen for fake job applicants?
Require live unobscured video interviews and ask location-specific questions that AI-generated personas cannot answer. Ship hardware only to the verified address on identity documents. Cross-check photos against social media profiles and verify prior employment independently. Flag VoIP-only contact numbers and inconsistencies in dates of birth or marital status across documents. Delay system access until all background checks are complete.
What technical controls most effectively reduce social engineering risk in Web3 firms?
Hardware security keys for all privileged access eliminate credential phishing. Out-of-band verification channels for high-value transaction approval prevent UI-manipulation attacks. Privileged access management limits the blast radius of any single compromised operator. Gnosis Safe-style multi-signature workflows with independent signing devices mean no single person can approve a large transfer. Combining these controls with regular simulation exercises is the most effective layered defence.
What is vishing and why is it a growing threat to crypto executives?
Vishing is voice phishing, where attackers use phone calls, often with AI voice-cloning or deepfake video, to impersonate trusted parties such as regulators, auditors, or institutional counterparties. Organised criminal networks now recruit operatives specifically to target crypto executives, with compensation reportedly reaching $20,000 per month for experienced callers. Targets are typically individuals with custody authority over private keys or approval authority for large transfers.