Social engineering attacks threaten asset security with weekly losses exceeding 45 million dollars.

Social engineering attacks have become a major security threat in the crypto asset field.

In recent years, social engineering attacks targeting users of cryptocurrency trading platforms have become frequent, attracting widespread attention in the industry. These types of attacks are not isolated incidents but exhibit characteristics of persistence and organization.

On May 15, a well-known trading platform released an announcement confirming that there was indeed a data leakage issue within the platform. The U.S. Department of Justice has launched an investigation into the matter.

"Customer Service" in the Dark Forest: When Social Engineering Scams Target Coinbase Users

Historical Review

According to statistics from on-chain analysis experts, over $45 million was stolen from users due to social engineering scams in just the past week. Over the past year, multiple incidents of user theft have been reported, with some individual cases resulting in losses of up to tens of millions of dollars. Research reports indicate that the financial losses from such scams during the period from December 2024 to January 2025 have exceeded $65 million. Experts estimate that the annual losses from such attacks could reach as high as $300 million.

The groups that dominate this type of scam can be mainly divided into two categories: one category consists of low-level attackers from specific circles, while the other category comprises cybercrime organizations located in South Asia. They primarily target users in the United States, employing standardized methods and mature rhetoric. The actual amount of losses may be much higher than the visible statistics, as there are many undisclosed cases.

Scam Techniques

In this incident, the platform's technical system was not compromised; the scammers exploited the permissions of internal employees to obtain some users' sensitive information, including names, addresses, contact information, account data, and ID photos. The ultimate goal of the scammers was to use social engineering techniques to guide users into transferring funds.

This type of attack has changed the traditional "net-style" phishing methods, shifting to "precision strikes," which can be described as "tailor-made" social engineering scams. A typical modus operandi is as follows:

  1. Contact users as "official customer service"
  2. Guide users to download a specific wallet
  3. Induce users to use the mnemonic phrases provided by the scammers
  4. Steal the funds

In addition, some phishing emails claim that "due to a class action ruling, the platform will fully migrate to self-custody wallets," and require users to complete asset migration within a short period. Under the pressure of time and the psychological suggestion of "official instructions," users are more likely to comply with the operation.

According to industry insiders, these attacks are often organized in their planning and execution:

  • Fraud toolchain improvement: Scammers use PBX systems to spoof caller numbers, simulating official customer service calls. When sending phishing emails, they utilize third-party tools to impersonate official email addresses, accompanied by an "Account Recovery Guide" to guide transfers.
  • Targeting Precision: Scammers rely on stolen user data purchased from illegal channels to lock in specific regional users as their main targets. They may even use AI tools to process the stolen data, splitting and reorganizing phone numbers, generating files in bulk, and then sending scam messages through software.
  • Coherent deception process: From phone calls and text messages to emails, the scam path is usually seamless, continuously inducing victims to perform "security verification" until the wallet transfer is completed.

On-chain Analysis

Through the on-chain analysis system, we tracked some publicly known scammer addresses and found that these scammers possess strong on-chain operational capabilities. Below are some key pieces of information:

The attack targets of the scammers cover various assets held by users, with the active time of these addresses concentrated between December 2024 and May 2025. The target assets are mainly BTC and ETH. BTC is currently the primary target of scams, with multiple addresses profiting hundreds of BTC at once, with single transactions valued at millions of dollars.

After obtaining the funds, the fraudsters quickly use a set of laundering processes to exchange and transfer the assets. The main patterns are as follows:

  • ETH-based assets are often quickly exchanged for stablecoins through decentralized exchanges, then dispersed and transferred to multiple new addresses, with some assets entering centralized trading platforms.
  • BTC is mainly cross-chain bridged to Ethereum and then exchanged for stablecoins to avoid tracking risks.

Multiple scam addresses remain in a "static" state after receiving stablecoins and have not yet been transferred out.

To avoid interactions between your address and suspicious addresses, which may lead to the risk of asset freezing, it is recommended that users utilize the on-chain tracking system to conduct risk assessments on target addresses before trading, in order to effectively mitigate potential threats.

Measures

Platform

The current mainstream security measures are more focused on "technical level" protections, while social engineering scams often circumvent these mechanisms, directly targeting user psychological and behavioral vulnerabilities. Therefore, it is recommended that platforms integrate user education, security training, and usability design to establish a "human-centric" security defense.

  • Regularly push anti-fraud education content: enhance users' phishing prevention ability through app pop-ups, transaction confirmation interfaces, emails, and other means;
  • Optimize risk control models and introduce "interactive anomaly behavior recognition": Most social engineering scams will induce users to complete a series of operations in a short period of time (such as transferring funds, changing whitelists, binding devices, etc.). The platform should identify suspicious interactive combinations based on behavior chain models (such as "frequent interactions + new addresses + large withdrawals"), triggering a cooling-off period or manual review mechanism.
  • Standardize customer service channels and verification mechanisms: Scammers often impersonate customer service to confuse users. The platform should unify phone, SMS, and email templates, and provide a "customer service verification entry" to clarify the unique official communication channel and avoid confusion.
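
A minimal sketch of the behavior-chain rule described in the list above, added here as an illustration (it is not code from the article or from any platform). The event names, thresholds, and the mapping of two signals to a cooling-off period and three signals to manual review are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds and event names (not from the article); tune on real traffic.
WINDOW = timedelta(hours=1)              # how far back "a short period" reaches
ADDRESS_MIN_AGE = timedelta(hours=24)    # younger destinations count as "new"
LARGE_USD = 10_000
SENSITIVE = {"whitelist_change", "device_bind", "password_reset"}

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str
    address: str = ""
    amount_usd: float = 0.0

def review_withdrawal(history, wd):
    """Score withdrawal `wd` against the same user's earlier events."""
    mine = [e for e in history if e.user == wd.user and e.ts < wd.ts]
    reasons = []
    # Signal 1: several different sensitive operations squeezed into the window.
    burst = sorted({e.kind for e in mine if e.kind in SENSITIVE and wd.ts - e.ts <= WINDOW})
    if len(burst) >= 2:
        reasons.append("burst of sensitive operations: " + ", ".join(burst))
    # Signal 2: destination never seen before, or first seen very recently.
    first_seen = min((e.ts for e in mine if e.address == wd.address), default=None)
    if first_seen is None or wd.ts - first_seen < ADDRESS_MIN_AGE:
        reasons.append("new destination address")
    if wd.amount_usd >= LARGE_USD:       # Signal 3: large amount.
        reasons.append("large withdrawal")
    # Assumed policy: full chain -> manual review, two signals -> cooling-off.
    decision = {3: "manual_review", 2: "cooling_off"}.get(len(reasons), "allow")
    return decision, reasons

# Constructed sample events (not real data).
T0 = datetime(2025, 5, 1, 12, 0)
HISTORY = [
    Event(T0 + timedelta(minutes=5), "alice", "device_bind"),
    Event(T0 + timedelta(minutes=12), "alice", "whitelist_change", "addr-new-1"),
    Event(T0 - timedelta(days=30), "bob", "whitelist_change", "addr-old-1"),
    Event(T0 + timedelta(minutes=3), "carol", "whitelist_change", "addr-new-2"),
]
ALICE_WD = Event(T0 + timedelta(minutes=20), "alice", "withdrawal", "addr-new-1", 250_000)
BOB_WD = Event(T0 + timedelta(minutes=20), "bob", "withdrawal", "addr-old-1", 50_000)
CAROL_WD = Event(T0 + timedelta(minutes=20), "carol", "withdrawal", "addr-new-2", 20_000)
if __name__ == "__main__":
    for wd in (ALICE_WD, BOB_WD, CAROL_WD):
        print(wd.user, *review_withdrawal(HISTORY, wd))
```

The rule keys on the combination rather than on any single signal, so a long-standing whitelisted address receiving a large withdrawal passes while the same amount sent minutes after a device bind and whitelist change is held.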

User

  • Implement identity isolation strategies: Avoid using the same email address or phone number across multiple platforms to reduce associated risks. Regularly check if your email has been leaked using leak query tools.
  • Enable transfer whitelist and withdrawal cooling mechanism: preset trusted addresses to reduce the risk of fund loss in emergencies.
  • Stay updated on security information: Keep informed about the latest attack methods through channels such as security companies, media, and trading platforms, and remain vigilant.
  • Pay attention to offline risks and privacy protection: Personal information leakage may also lead to personal safety issues.

In summary, maintain skepticism and continue to verify. For any urgent operations, be sure to require the other party to prove their identity and independently verify through official channels, avoiding making irreversible decisions under pressure.

Summary

This incident once again exposes the obvious shortcomings in the industry regarding customer data and asset protection in the face of increasingly sophisticated social engineering attack methods. It is worth noting that even if the relevant positions on the platform do not have fund permissions, a lack of sufficient security awareness and capability may still lead to serious consequences due to unintentional leaks or being coerced. As the platform continues to grow, the complexity of personnel security management has increased, becoming one of the most challenging risks in the industry. Therefore, while strengthening on-chain security mechanisms, the platform must also systematically build a "social engineering defense system" that covers internal personnel and outsourced services, integrating human risk into the overall security strategy.

In addition, once it is discovered that an attack is not an isolated incident but rather an organized and large-scale ongoing threat, the platform should respond immediately, actively investigate potential vulnerabilities, alert users to take precautions, and control the scope of damage. Only by addressing both the technical and organizational levels can we truly maintain trust and uphold the bottom line in an increasingly complex security environment.

MoonlightGamervip
· 08-03 20:39
Why are the suckers in the crypto world so appealing?
SerumSquirtervip
· 08-03 04:31
It's done by an insider in the industry again.
BlockchainWorkervip
· 08-02 07:09
No way, it's already 45 million.
OnlyOnMainnetvip
· 08-02 07:04
Be Played for Suckers tactics have been upgraded again?
FreeRidervip
· 08-02 07:01
This wave of money won't come back, right?
FUDwatchervip
· 08-02 06:56
Another 45 million Rug Pull, this is no longer big news in the encryption circle.