Phishing and social engineering: the real front line of crypto theft

Most “hacks” are consent under deception—users sign malicious permits or paste seeds. After an incident, combine this article with tracing and preservation steps.

Modern drainer workflows

Attackers clone legitimate project sites or sponsor search results linking to wallet-connect prompts that request broad token approvals or setOperator powers. Victims believe they are minting an NFT or claiming an airdrop; instead they grant programmatic spend rights. Because the victim signs voluntarily, exchanges may treat downstream theft as self-custody loss unless a CEX endpoint appears in the trace.

Fake support and “security desk” impersonation

Scammers monitor public posts about lost funds and reply as “MetaMask support” or “Binance help.” They route victims to phishing forms or AnyDesk sessions. Real support almost never initiates via DM. Collect screenshots of fraudulent accounts for investigation packages, but do not engage financially.

Clipboard malware and address substitution

Windows malware watches the clipboard for strings that match wallet-address patterns and swaps in an attacker-controlled address in flight. Mitigation: verify several prefix and suffix characters out of band, use address books, and send a tiny test transaction when feasible.

Immediate containment checklist

  1. Revoke suspicious token approvals where chain tooling allows.
  2. Move remaining assets to a freshly generated wallet on a clean device if you suspect key compromise.
  3. Rotate email and 2FA on exchanges; assume session cookies may be stolen.
  4. Preserve malware samples only if counsel advises; it is sometimes better to image the disk forensically.
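Step 1 depends on knowing which grants a drainer actually obtained (the broad ERC-20 allowances and operator rights described under "Modern drainer workflows"). The following is an added example, not code from this article: it replays a wallet's Approval / ApprovalForAll event logs in the shape returned by eth_getLogs and lists the grants still active, so a later revocation cancels an earlier grant. All addresses and log entries are constructed placeholders, and the "trusted" set and the unlimited_floor threshold are assumptions of the example.

```python
"""Replay a wallet's approval events and list grants still worth revoking
(containment step 1). Log shape mirrors eth_getLogs entries; the sample logs
are CONSTRUCTED with placeholder addresses, not real chain data."""

# keccak256 of the standard Solidity event signatures.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # Approval(address,address,uint256)
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"  # ApprovalForAll(address,address,bool)
UINT256_MAX = 2**256 - 1

def pad_topic(addr):
    """Indexed address arguments are left-padded to 32 bytes inside topics."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def decode_approval(log):
    """Normalise an ERC-20 Approval or ERC-721 ApprovalForAll log; None for anything else."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0] not in (APPROVAL_TOPIC, APPROVAL_FOR_ALL_TOPIC):
        return None  # ERC-721 Approval(owner, approved, tokenId) shares the hash but has 4 topics
    owner, grantee = ("0x" + t[-40:].lower() for t in topics[1:])
    value = int(log["data"], 16)
    if topics[0] == APPROVAL_TOPIC:
        return {"kind": "erc20", "token": log["address"].lower(), "owner": owner,
                "grantee": grantee, "amount": value, "active": value > 0}
    return {"kind": "erc721", "token": log["address"].lower(), "owner": owner,
            "grantee": grantee, "amount": None, "active": value == 1}

def revoke_list(logs, owner, trusted=frozenset(), unlimited_floor=2**255):
    """Latest grant per (token, grantee) wins, so a later revocation cancels an
    earlier grant. Returns active operator rights and ERC-20 allowances at or
    above unlimited_floor, excluding grantees the owner explicitly trusts."""
    state = {}
    for log in logs:
        ev = decode_approval(log)
        if ev and ev["owner"] == owner.lower():
            state[(ev["token"], ev["grantee"])] = ev
    trusted = {t.lower() for t in trusted}
    return [ev for ev in state.values() if ev["active"] and ev["grantee"] not in trusted
            and (ev["kind"] == "erc721" or ev["amount"] >= unlimited_floor)]

# Constructed sample: placeholder addresses, not real accounts or contracts.
VICTIM, ATTACKER, ROUTER = "0x" + "11" * 20, "0x" + "bad0" * 10, "0x" + "22" * 20
OLD_OP, TOKEN, NFT = "0x" + "33" * 20, "0x" + "44" * 20, "0x" + "55" * 20
TRUE, FALSE = "0x" + "0" * 63 + "1", "0x" + "0" * 64
SAMPLE_LOGS = [  # drainer obtains unlimited ERC-20 + operator rights; an old operator is later revoked
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_topic(VICTIM), pad_topic(ATTACKER)], "data": hex(UINT256_MAX)},
    {"address": NFT, "topics": [APPROVAL_FOR_ALL_TOPIC, pad_topic(VICTIM), pad_topic(OLD_OP)], "data": TRUE},
    {"address": NFT, "topics": [APPROVAL_FOR_ALL_TOPIC, pad_topic(VICTIM), pad_topic(ATTACKER)], "data": TRUE},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_topic(VICTIM), pad_topic(ROUTER)], "data": hex(UINT256_MAX)},
    {"address": NFT, "topics": [APPROVAL_FOR_ALL_TOPIC, pad_topic(VICTIM), pad_topic(OLD_OP)], "data": FALSE},
]
```

Running `revoke_list(SAMPLE_LOGS, VICTIM, trusted={ROUTER})` returns the two grants to the attacker address; the revoked operator and the trusted router are filtered out.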
