Illusions and Mysteries: Social Engineering and the Game of Human Nature in the Crypto World

Reprinted from ChainCatcher
03/15/2025 · Author: ChandlerZ, Foresight News
Security is a chain: it is only as strong as its weakest link, and people are the Achilles' heel of any cryptographic system. While the market is still busy building ever more complex cryptographic protection mechanisms, attackers have already found a shortcut: there is no need to crack the password, just manipulate the person who uses it.
People are the weakest link, and also the least valued one. In other words, people are the vulnerability that hackers most readily break through and exploit, and they are also the area where enterprises invest the least in security and improve the slowest.
According to a recent report by the blockchain analytics firm Chainalysis, North Korean hackers launched 47 sophisticated attacks in 2024, stealing $1.3 billion worth of assets from crypto asset platforms worldwide, a year-on-year increase of 21%. Even more striking, on February 21, 2025, the Bybit exchange was hacked and approximately US$1.5 billion in crypto assets were stolen, a new record for a single theft in crypto history.
Many of the major attacks of the past were not carried out through traditional technical vulnerabilities. Although exchanges and project teams spend billions of dollars a year on technical protection, in a world that appears to be built from mathematics and code, many participants still underestimate the threat posed by social engineering.
The Essence and Evolution of Social Engineering
In the field of information security, social engineering has always been a distinctive and dangerous means of attack. Unlike intrusions through technical vulnerabilities or flaws in cryptographic algorithms, social engineering exploits human psychological weaknesses and behavioral habits to deceive and manipulate victims. It requires no high technical threshold, yet it can often cause extremely serious losses.
The digital age has given social engineering new tools and new stages, and this evolution is especially visible in the crypto field. The early crypto asset community consisted mainly of technology enthusiasts and cypherpunks, who were generally vigilant and had a certain level of technical literacy. As crypto assets gradually went mainstream, more and more new users unfamiliar with the underlying technology entered the market, creating fertile ground for social engineering attacks.
At the same time, the highly anonymous and irreversible nature of transactions makes crypto assets an ideal target for attackers looking to harvest profits. Once funds have been transferred to a wallet under the attacker's control, they are almost impossible to recover.
Social engineering succeeds so easily in the crypto field largely because of the cognitive biases in human decision-making. Confirmation bias makes investors focus only on information that matches their expectations, herd mentality readily inflates market bubbles, and FOMO sentiment often leads people to make irrational choices when facing losses. Attackers skillfully exploit these psychological weaknesses, effectively "weaponizing" them.
Compared with trying to break complex encryption algorithms, a social engineering attack costs less and has a higher success rate. A carefully forged phishing email, or a seemingly formal but booby-trapped job invitation, is often more effective than confronting technical obstacles head-on.
Common social engineering techniques
Although there are many kinds of social engineering attacks, the core logic always revolves around "deceiving the target out of their trust and their information." Here is a brief description of several common methods:
Phishing
Email/SMS phishing: links disguised as coming from exchanges, wallet providers or other trusted institutions induce users to enter sensitive information such as seed phrases, private keys and account passwords.
Forged social platform accounts: fake "official customer service", "well-known KOL" or "project team" accounts on Twitter, Telegram, Discord and other platforms post fake links or fake event announcements, tricking users into clicking through and entering keys or sending cryptocurrency.
Browser extensions or fake websites: a copycat site nearly identical to a real exchange or wallet website, or a malicious browser extension that the user is induced to install; once the user enters a key or grants an authorization on such a page, the key is leaked.
Fake customer service / impersonated technical support
Commonly seen in Telegram or Discord groups: someone posing as an "administrator" or "technical customer service" offers to help with problems such as a deposit that has not arrived, a failed withdrawal or a wallet sync error, and guides the user into handing over private keys or transferring coins to a specified address.
Victims may also be approached through private messages or small groups with the claim that the "helper" can "recover lost coins", which is in fact a lure to extract more funds or obtain keys.
SIM swap
By bribing or deceiving a telecom operator's customer service, the attacker has the victim's mobile phone number transferred to a SIM under the attacker's control. Once the number is hijacked, the attacker can reset passwords on exchange, wallet or social accounts through SMS verification codes and SMS-based two-factor authentication (2FA), and then steal the crypto assets.
SIM swap attacks have been especially common in the United States, and cases have also occurred in many other countries.
Social engineering combined with malicious recruitment / headhunting
Under the guise of recruitment, the attacker sends a "job invitation" containing malicious files or links to the target's email or social media account, tricking the target into downloading and running a Trojan.
If the target is an internal employee or core developer of a crypto company, or a "heavy user" who personally holds a large amount of coins, the consequences can be severe: intrusion into the company's infrastructure and theft of keys.
The 2022 Ronin Bridge security incident at Axie Infinity is one such case. According to The Block, the attack was linked to a fake job offer. The hacker contacted an employee of Sky Mavis, the developer of Axie Infinity, through LinkedIn and, after several rounds of interviews, told him he had been hired at a high salary. The employee then downloaded a fake offer letter in PDF form, which gave the hackers a way into Ronin's systems. They took over four of the nine validators on the Ronin network, one short of the number needed for full control, and then used the Axie DAO validator, whose access authorization had never been revoked, to complete the intrusion.
Fake airdrops / fake coin giveaways
Fake "official" events on platforms such as Twitter and Telegram, along the lines of "transfer x coins to this address and receive double in return", are simply fraud.
Attackers also frequently use the names "whitelist airdrop" and "testnet airdrop", getting users to click unknown links or connect their wallets to phishing sites, and then steal coins using the keys or authorizations obtained that way.
In 2020, the Twitter accounts of many American political and business celebrities, including Obama, Biden, Buffett and Bill Gates, as well as those of many well-known companies, were hijacked. The hackers stole the account credentials, took over the accounts and posted messages promising to double any cryptocurrency sent to a specified address. In recent years, "double your money" scams impersonating Musk have remained widespread.
Insider infiltration / departing employees
Employees of some cryptocurrency companies or project teams, or insiders bribed by attackers, use their familiarity with internal systems and operational processes to steal user databases or private keys, or to carry out unauthorized transactions.
In this scenario, technical loopholes and social engineering are tightly interwoven, and the losses are often large-scale.
Fake hardware wallets with an implanted "backdoor" or tampered internals
Attackers sell hardware wallets on eBay, Xianyu, Telegram groups and other e-commerce or second-hand platforms, using gimmicks such as below-market prices or "authenticity guaranteed". In reality, the chip or firmware inside the device has been replaced. Some users unknowingly buy a refurbished or second-hand device into which the seller has already loaded a private key; once the buyer deposits funds, the attacker can withdraw them at any time with that same key.
In addition, after a data breach, some users received what appeared to be free replacement or security-upgraded devices "sent by the manufacturer" (Ledger, for example), complete with new mnemonic cards and operating instructions in the packaging. Once a user adopts the preset mnemonic or migrates their original mnemonic onto such a fake device, the attacker gains access to all of the wallet's assets.
The examples above are just the tip of the iceberg. The diversity and flexibility of social engineering make it especially destructive in the cryptocurrency field, and for most ordinary users these attacks are hard to anticipate.
Greed and fear
Greed is always the most easily manipulated weakness. When the market is extremely active, some people rush into projects that have suddenly become popular, driven by the herd effect. Fear and uncertainty are also common entry points for social engineering. When the crypto market swings violently or a project runs into trouble, scammers issue an "emergency notice" claiming the project is in grave danger and urge users to transfer their funds quickly to a so-called secure address. Many novices, afraid of losses and unable to keep a clear head, are easily caught in this panic.
The FOMO mentality is also everywhere in the crypto ecosystem. Fear of missing the next bull market or the next Bitcoin drives people to pour in money and join projects while lacking even the basic ability to judge risk and authenticity. A social engineering attacker only needs to create the impression that the opportunity is fleeting and will never come back, and some investors will walk straight into the trap.
Risk identification and prevention
Social engineering is hard to defend against precisely because it targets people's cognitive blind spots and psychological weaknesses. As an investor, you should pay attention to the following key points:
Improve security awareness
Never disclose private keys or mnemonic phrases casually. Under no circumstances should you trust others with your private key, mnemonic or sensitive identity information. A genuine official team will almost never ask for such information in a private chat.
Be wary of "unreasonable promises of profit". Any activity advertised as "zero risk, high return" or "several times your principal back" is very likely a scam.
Verify links and sources
Use browser plug-ins or official channels to check the URL. For the websites of cryptocurrency exchanges, wallets and decentralized applications (DApps), confirm again and again that the domain name is correct.
Do not click links of unknown origin. If the other party claims to offer "airdrop benefits" or "official compensation", verify it first through the project's formal social media or official channels.
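As an added example (not code from the original article), the following Python script implements the kind of URL check recommended above and also covers the phishing links described earlier: it treats a link as safe only if its host is on an allowlist of domains you have verified through official channels, and otherwise reports why it was rejected. The allowlist entries (example-exchange.com, example-wallet.io) and the sample URLs are constructed placeholders; replace the allowlist with the domains you have verified yourself.

```python
"""Allowlist-based URL check for exchange, wallet and DApp links.

Added example; the allowlist below is a constructed placeholder.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts into which a seed phrase, private
# key or password should ever be typed.  Maintain it from official channels.
OFFICIAL_DOMAINS = frozenset({"example-exchange.com", "example-wallet.io"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquats such as 'exampl3-exchange.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_host(host: str) -> str:
    """Lower-case the host and convert Unicode labels to punycode (xn--),
    so that homoglyph domains become visible as such."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def is_official(host: str) -> bool:
    """True only for an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def check_url(url: str) -> dict:
    """Return {'host': ..., 'trusted': bool, 'reasons': [...]}.

    'trusted' is True only when the host is allowlisted, the scheme is https
    and no phishing indicator was found.  'reasons' is meant to be shown to
    the user so they understand why a link was rejected.
    """
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = normalize_host(parts.hostname or "")
    reasons = []

    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if parts.username is not None:
        # 'https://example-exchange.com@evil.net/' really goes to evil.net
        reasons.append("credentials before '@' hide the real host")
    if not host:
        reasons.append("no host in URL")
    elif host.replace(".", "").isdigit():
        reasons.append("host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) host, possible homoglyph")

    official = is_official(host)
    if host and not official:
        for d in OFFICIAL_DOMAINS:
            if d in url.lower():
                # Official name used as bait in a subdomain, path or userinfo
                reasons.append(f"'{d}' appears in the URL but the real host is '{host}'")
                break
            if levenshtein(host, d) <= 2:
                reasons.append(f"'{host}' is a look-alike of official '{d}'")
                break
        else:
            reasons.append(f"'{host}' is not on the allowlist")

    return {"host": host, "trusted": official and not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links: one genuine, the rest common phishing patterns
    for link in [
        "https://app.example-exchange.com/login",
        "https://example-exchange.com.secure-login.net/",
        "https://example-exchange.com@evil.example.net/",
        "https://exampl3-exchange.com/airdrop",
    ]:
        verdict = check_url(link)
        print(link, "->", "TRUSTED" if verdict["trusted"] else verdict["reasons"])
```

The design choice worth noting is that the check is an allowlist, not a blocklist: a link is distrusted by default and only the exact domains you have verified (and their subdomains) pass. That is what makes the "official name in a subdomain", "user@host" and punycode tricks fail, because none of them change the real host into an allowlisted one.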
Scrutinize community and social media accounts
Check the verification badge, follower count and interaction history of any "official" account. Avoid blindly joining unfamiliar private chat groups and clicking unknown links posted in them.
Stay skeptical of any "free lunch": read more, ask more questions, and verify with experienced investors or official channels.
Establish a healthy investment mindset
Look at market volatility rationally and avoid being swept along by the emotions of short-term surges and crashes.
Always plan for the worst, and do not ignore potential risks out of "fear of missing out".
The eternal importance of human factors
Human nature is the foundation on which social engineering succeeds again and again. Attackers design scams around herd mentality, greed, fear, insecurity and FOMO (fear of missing out).
Technology and business models in the blockchain and crypto fields keep expanding, and social engineering methods will evolve with them. The maturing of deepfake technology may pose an even greater threat in the near future: attackers could convincingly impersonate a project leader with synthesized video and audio while talking to victims in real time. Multi-channel social engineering will also escalate, with attackers lurking across several social platforms to collect information over a long period before striking through carefully designed emotional manipulation.
The persistence of social engineering reminds us that however advanced the technology, the human factor remains a core component of the system. Eliminating the impact of social engineering entirely may be unrealistic; only by attending to both code and people can we build more resilient systems.