Illusions and Traps: Social Engineering and Human Nature Games in the Crypto World


Humans are the weakest link in the security system.

Written by: ChandlerZ, Foresight News

Security is like a chain: it is only as strong as its weakest link, and humans are the Achilles' heel of any cryptographic system. While the market is still obsessed with building ever more complex cryptographic protection mechanisms, attackers have already found a shortcut: instead of cracking passwords, they simply manipulate the people who use them.

People are the weakest link and also the least valued one. In other words, people are the vulnerability that attackers can most easily exploit, and at the same time the area in which companies invest the least and improve the slowest.

According to the latest report from blockchain analysis company Chainalysis, in 2024, North Korean hackers launched 47 complex attacks, stealing assets worth $1.3 billion from global cryptocurrency platforms, a year-on-year increase of 21%. Even more astonishing, on February 21, 2025, the Bybit exchange was hacked, resulting in the theft of approximately $1.5 billion in cryptocurrency, setting a new record for the largest single theft in crypto history.

Many of the major attacks of the past were not carried out through traditional technical vulnerabilities. Although exchanges and project teams invest billions of dollars annually in technical defenses, many participants still underestimate the threat posed by social engineering in this seemingly math- and code-driven world.

The Nature and Evolution of Social Engineering

In the field of information security, social engineering has always been a unique and dangerous attack method. Unlike intrusions through technical vulnerabilities or flaws in cryptographic algorithms, social engineering primarily exploits human psychological weaknesses and behavioral habits to deceive and manipulate victims. It does not require a high technical threshold but can often cause extremely serious losses.

The advent of the digital age has provided new tools and new stages for social engineering, and this evolution is particularly evident in the cryptocurrency field. The early cryptocurrency community was composed mainly of tech enthusiasts and cypherpunks, who generally possessed vigilance and a certain level of technical literacy. As cryptocurrencies became popular, however, more new users who were not well-versed in the underlying technology entered the market, creating fertile ground for social engineering attacks.

On the other hand, the highly anonymous and irreversible nature of cryptocurrency transactions makes them an ideal target for attackers to reap profits. Once funds are transferred to wallets they control, it is nearly impossible to recover.

The ease with which social engineering can succeed in the cryptocurrency field largely stems from various cognitive biases in human decision-making processes. Confirmation bias leads investors to focus only on information that aligns with their expectations, herd mentality can easily trigger market bubbles, and FOMO (fear of missing out) often causes people to make irrational choices when facing losses. Attackers skillfully weaponize these psychological weaknesses.

Compared to attempting to crack complex cryptographic algorithms, the cost of launching social engineering attacks is lower, and the success rate is higher. A carefully forged phishing email or a seemingly legitimate job invitation that hides traps is often more effective than confronting technical challenges directly.

Common Social Engineering Techniques

Although there are many types of social engineering attack methods, the core logic still revolves around "gaining the target's trust and information." Here are a few common techniques briefly explained:

Phishing

Email/SMS Phishing: Using links disguised as exchanges, wallet service providers, or other trusted institutions to lure users into entering sensitive information such as seed phrases, private keys, or account passwords.

Impersonating Social Media Accounts: For example, impersonating "official customer service," "well-known KOLs," or "project teams" on platforms like Twitter, Telegram, or Discord, posting messages with fake links or false event information to trick users into clicking and entering keys or sending cryptocurrency.

Browser Extensions or Fake Websites: Creating counterfeit websites that closely resemble real exchanges or wallet sites, or inducing users to install malicious browser extensions. Once users input or authorize on these pages, their keys will be leaked.

Fake Customer Service / Impersonating Technical Support

In Telegram or Discord groups it is common for someone to impersonate an "administrator" or "technical support" offering to resolve issues such as failed deposits, failed withdrawals, or wallet synchronization errors, and in the process to guide users into handing over their private keys or transferring coins to specified addresses.

They may also lure victims through private messages or small groups, falsely claiming they can "help recover lost coins," ultimately tricking them into providing more funds or obtaining keys.

SIM Card Swap

Attackers bribe or deceive a telecom operator's customer service into transferring the victim's phone number to a SIM they control. Once the phone number is hijacked, the attacker can reset passwords for exchanges, wallets, or social accounts through SMS verification codes, SMS-based two-factor authentication (2FA), and similar flows, and then steal the cryptocurrency assets.

SIM swapping occurs frequently in the U.S. and has also been reported in multiple countries.

Social Engineering Combined with Malicious Recruitment / Headhunting

Attackers pose as recruiters, sending "job invitations" with malicious files or links to the target's email or social media accounts, tricking the target into downloading and executing malware.

If the target is an internal employee or core developer of a cryptocurrency company, or a "heavy user" holding a large amount of coins, it could lead to severe consequences such as infrastructure breaches or key theft.

The 2022 Axie Infinity Ronin Bridge incident, as reported by The Block, was linked to a fake job advertisement. According to insiders, the attackers contacted an employee of Sky Mavis, the developer of Axie Infinity, via LinkedIn and, after several rounds of interviews, told them they had been hired at a high salary. The employee then downloaded a forged offer letter presented as a PDF document, which allowed the attackers' software to infiltrate the Ronin system. The attackers went on to take control of four of the nine validators on the Ronin network, one validator short of full control, and then used the Axie DAO validator, whose signing permissions had not been revoked, to complete the breach.

Fake Airdrops / Fake Token Giveaway Activities

Fake "official" activities appearing on platforms like Twitter and Telegram, such as "transfer x coins to a certain address to double your return," are actually scams.

Attackers often use terms like "whitelist airdrop" or "testnet airdrop" to lure users into clicking unknown links or connecting to phishing wallet sites, tricking them into revealing keys or authorizing theft.

In 2020, several prominent American political and business figures, including Obama, Biden, Buffett, and Bill Gates, had their Twitter accounts hacked. After stealing passwords and taking over the accounts, the hackers posted messages using a "double your money" promise as bait, prompting users to send cryptocurrency to specified addresses. In recent years there have still been numerous "double return" scams impersonating Musk on YouTube.

Insider Penetration / Employee Misconduct

Some former employees of cryptocurrency companies or project teams, or current employees bribed by attackers, use their familiarity with internal systems and processes to steal user databases, private keys, or execute unauthorized transactions.

In these scenarios, technical vulnerabilities and social engineering are more closely intertwined, often resulting in significant losses.

Implanted "Backdoors" or Tampered Fake Hardware Wallets

Attackers sell hardware wallets on eBay, Xianyu, Telegram groups, or other e-commerce/second-hand trading platforms at prices below market value or with authenticity guarantees, but the devices have had their chips or firmware replaced. Some users may inadvertently purchase refurbished or second-hand devices that have had private keys preloaded by the seller; once the buyer deposits funds, the attacker can withdraw them at any time using the same private key.

Additionally, after data breaches some users have received free "replacement" or "upgraded security" devices purporting to come from the manufacturer (such as Ledger), complete with new mnemonic cards and operating instructions. If users adopt these pre-set mnemonics or migrate their original mnemonics to the fake device, attackers gain full access to the wallet's assets.

The above examples are just the tip of the iceberg; the diversity and flexibility of social engineering make its destructive power particularly significant in the cryptocurrency field. For the vast majority of ordinary users, these attacks are often difficult to defend against.

Greed and Fear

Greed is always the easiest weakness to manipulate. During periods of extreme market activity, some people may rush into suddenly popular projects due to herd mentality. Fear and uncertainty are also common entry points for social engineering. During severe market fluctuations or project issues, scammers may issue "urgent notices," claiming that a project is in extreme danger, inducing users to quickly transfer funds to so-called safe addresses. Many newcomers, fearing losses, find it hard to think clearly and are often swept up in this panic.

Moreover, the FOMO mentality is ubiquitous in the cryptocurrency ecosystem. The fear of missing out on the next bull market or the next Bitcoin leads people to hastily invest and participate in projects, lacking the basic ability to discern risks and authenticity. Social engineering attackers only need to create an atmosphere of fleeting opportunities, where missing out means no chance of doubling returns, to ensnare some investors.

Risk Identification and Prevention

The difficulty in preventing social engineering lies in its targeting of human cognitive blind spots and psychological weaknesses. As investors, one should pay attention to the following key points:

Enhance Security Awareness

Do not casually disclose private keys and mnemonic phrases. Under no circumstances should you trust others enough to reveal your private keys, mnemonic phrases, or sensitive identity information. Genuine official teams will almost never ask for such information through private messages.

Be wary of "unreasonable profit promises." Any activity claiming "zero risk high returns" or "multiple returns of principal" is likely a scam.

Verify Links and Sources

Use browser plugins or official channels to verify URLs. For cryptocurrency exchanges, wallets, or decentralized applications (DApps), repeatedly confirm that the domain name is correct.

Do not click on unknown links casually. If someone claims to offer "airdrop benefits" or "official compensation," verify it immediately through legitimate social media or official channels.
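As an added illustration of the domain check recommended above (this helper is not part of the original article), the Python function below parses a URL pasted from a chat or email and accepts it only when its registrable domain is on an allowlist; the allowlist entries are constructed placeholders, not real exchange domains.

```python
"""Defender-side URL sanity check for links received via chat, email or DMs.
Added example; the trusted domains below are constructed, not real services."""
from urllib.parse import urlsplit

# Constructed allowlist: the exact registrable domains the user actually uses.
TRUSTED_DOMAINS = {"example-exchange.com", "example-wallet.io"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for .com/.io style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url: str) -> tuple[bool, str]:
    """Return (is_trusted, reason). Anything that cannot be parsed is untrusted."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if not host:
        return False, "no hostname (malformed or schemeless URL)"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, expected https"
    if parts.username is not None:
        # "https://trusted.com@evil.net" puts the brand in the userinfo part.
        return False, "credentials embedded before '@': hostname is hidden"
    # Internationalized lookalikes arrive either as raw non-ASCII or as punycode.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label: possible homograph domain"
    if any(ord(c) > 127 for c in host):
        return False, "non-ASCII hostname: possible homograph domain"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return True, f"registrable domain {domain} is on the allowlist"
    # Brand name used as a subdomain or inside a different registrable domain,
    # e.g. example-exchange.com.login-verify.net or example-exchange.co
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:
            return False, f"contains {brand!r} but registrable domain is {domain}"
    return False, f"registrable domain {domain} is not on the allowlist"
```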

Focus on Community and Social Media Verification

Check the verification marks, follower counts, and interaction records of official accounts. Avoid blindly adding unknown private chat groups or clicking unknown links within groups.

Maintain a skeptical attitude towards "free lunch" information; ask questions and seek verification from experienced investors or official channels.

Establish a Healthy Investment Mindset

Rationally view market fluctuations and avoid being swept up by the emotions of short-term volatility.

Always be prepared for the worst-case scenario, and do not overlook potential risks out of "fear of missing out."

The Eternal Importance of Human Factors

Human nature is the foundation upon which social engineering repeatedly succeeds. Attackers design various scams targeting traits such as herd mentality, greed, fear, insecurity, and FOMO (fear of missing out).

As the technology iterations and business models in the blockchain and cryptocurrency fields continue to expand, social engineering techniques will also evolve. The maturity of deepfake technology may present even greater threats in the near future, as attackers could realistically impersonate project leaders through synthesized video and audio, connecting with victims in real-time. Multi-dimensional social engineering will also upgrade, with attackers potentially lurking across multiple social platforms for extended periods to gather information, then launching attacks through carefully designed emotional manipulation.

The persistent existence of social engineering reminds us that no matter how advanced technology becomes, human factors remain a core component of the system. Completely eliminating the influence of social engineering may be unrealistic; only by focusing on both code and people can we help build more resilient systems.

Disclaimer: This article represents only the personal views of the author and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page involves infringement, please send proof of rights and proof of identity by email to support@aicoin.com, and the platform's staff will investigate.
