How to Protect Against Crypto Hacks and Social Engineering
Social engineering is a hazard in crypto, enabling hackers to manipulate users and steal funds. Learn how to protect against crypto hacks and scams.
Key Takeaways
- Social engineering is one of the biggest threats in crypto, as hackers exploit human behaviour and psychology to bypass even the most secure systems.
- Common social engineering tactics include phishing, impersonation, baiting, and pretexting, where attackers use these methods to steal login credentials, private keys, and crypto funds.
- The 2025 Bybit hack is a high-profile example: North Korea’s Lazarus Group used social engineering to infiltrate a trusted third-party developer and steal US$1.5 billion in crypto.
- Staying vigilant means verifying identities, enabling strong security measures, protecting personal information, performing thorough research, and keeping up with emerging scams.
Introduction
Cryptocurrency offers financial freedom, but it also attracts cybercriminals looking for new ways to exploit users. Unlike traditional banking, crypto transactions are irreversible, making security a top priority. One of the most dangerous threats in the space is social engineering, a technique where attackers manipulate people rather than hacking systems.
From phishing scams to impersonation attacks, social engineering has been responsible for some of the largest crypto heists, including the Bybit hack in early 2025, which resulted in a US$1.5 billion loss.
Understanding how these scams work and learning how to stay protected is crucial for anyone involved in the crypto world.
In this article, we break down how social engineering leads to crypto hacks, highlight real-world examples, and provide actionable tips to safeguard funds.
What Is Social Engineering?
Social engineering is a manipulation technique used to exploit human psychology to gain access to sensitive information, systems, or physical locations. Rather than attacking technical vulnerabilities, social engineers target human vulnerabilities like trust, helpfulness, fear, and curiosity.
Common social engineering tactics include:
- Phishing: Fake emails or messages designed to steal credentials.
- Pretexting: Creating a fabricated scenario to extract information.
- Baiting: Offering something enticing, like free tokens or software, to lure victims.
- Tailgating: Following authorised personnel into restricted areas.
- Quid pro quo: Offering a service in exchange for information.
- Impersonation: Posing as a trusted person (like support staff or team leads) to extract info.
These attacks are particularly dangerous because they bypass technical security measures by exploiting human psychology.
Effective defences include security awareness training, verification procedures, and creating a culture where questioning unusual requests is encouraged.
How Does Social Engineering Lead to Crypto Hacks?
Social engineering plays a critical role in cryptocurrency hacks by targeting human vulnerabilities rather than technical flaws in blockchain systems.
Impersonation is common; attackers pose as exchange staff or team leads on platforms like Discord, X, and Telegram, convincing users to share sensitive data or click malicious links.
They create convincing phishing websites mimicking legitimate exchanges to steal private keys and seed phrases, or employ SIM-swapping techniques to bypass MFA by taking control of victims’ phone numbers. Many scammers also promote fraudulent investment opportunities, including fake initial coin offerings (ICOs) or exclusive pre-sales that simply disappear with investors’ funds.
More technically sophisticated attackers trick users into connecting their wallets to malicious decentralised applications (dapps) or approving dangerous smart contract interactions that drain their accounts. Some go deeper, targeting developers and treasury managers with social engineering, putting entire decentralised autonomous organisations (DAOs) or exchanges’ hot wallets at risk.
In crypto, there are no chargebacks. Once assets are transferred, they’re gone. That’s what makes social engineering so effective, and so dangerous.
A High-Profile Crypto Hacking Case: The Lazarus Group Social Engineering Hack
In February 2025, Bybit, a prominent cryptocurrency exchange, suffered a significant security breach, resulting in the theft of approximately $1.5 billion worth of Ethereum.
Investigations revealed that the North Korean state-sponsored hacking group, known as the Lazarus Group or TraderTraitor, orchestrated this attack. The breach was executed through a sophisticated supply chain attack that incorporated social engineering tactics, including:
- Targeting a Developer: The attack began when a Safe{Wallet} developer was socially engineered by someone posing as a trusted open-source contributor. They convinced the developer to run a malicious Docker Python project on their Mac.
- AWS Session Hijack: Once the developer’s workstation was compromised, the hackers extracted temporary session tokens for Amazon Web Services (AWS), the cloud infrastructure platform used by Safe{Wallet}. These tokens allowed them to bypass multi-factor authentication (MFA) and quietly maintain access to critical systems for nearly 20 days.
- Manipulating Transaction Processes: The attackers injected malicious JavaScript into Safe{Wallet}’s UI — the tool Bybit used to approve cold wallet transactions — causing signers to unknowingly send funds to the attackers.
By exploiting human trust and targeting the software supply chain, the hackers effectively bypassed traditional security measures, leading to one of the largest cryptocurrency heists to date.
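The Bybit case above and the earlier point about approving dangerous smart contract interactions share one lesson: a signer should check the transaction the signing device actually displays against what they intended, rather than trusting the web UI. The check below is an added example written for this article, not Safe{Wallet} or Bybit code; it uses the Safe transaction field names (to, value, data, operation, where operation 0 is CALL and 1 is DELEGATECALL), the standard ERC-20 transfer/approve selectors, and constructed addresses and amounts.

```python
"""Pre-signing check: compare the fields shown on the signing device with the
operator's intent and refuse to sign on any mismatch.
Added example for this article (not Safe{Wallet} or Bybit code); the
addresses, amounts and allowlist used with it are constructed."""

TRANSFER = "a9059cbb"   # ERC-20 transfer(address,uint256) selector
APPROVE = "095ea7b3"    # ERC-20 approve(address,uint256) selector


def decode_erc20(data: str):
    """Return (function, address, amount) for transfer/approve calldata, else None."""
    h = data.lower().removeprefix("0x")
    if len(h) != 8 + 64 * 2 or h[:8] not in (TRANSFER, APPROVE):
        return None
    addr = "0x" + h[8 + 24:8 + 64]          # address is right-aligned in its 32-byte word
    amount = int(h[8 + 64:8 + 128], 16)
    return ("transfer" if h[:8] == TRANSFER else "approve", addr, amount)


def verify_before_signing(shown: dict, intent: dict, allowlist: set) -> list:
    """Return reasons NOT to sign; an empty list means the device display matches intent."""
    problems = []
    if shown["operation"] != 0:
        problems.append("operation is DELEGATECALL, not a plain CALL")
    if shown["to"].lower() not in {a.lower() for a in allowlist}:
        problems.append(f"destination {shown['to']} is not allowlisted")
    if shown["to"].lower() != intent["to"].lower():
        problems.append("destination differs from intent")
    if shown["value"] != intent["value"]:
        problems.append("ETH value differs from intent")
    decoded = decode_erc20(shown["data"])
    if intent.get("data"):
        if decoded is None:
            problems.append("calldata is not a recognised ERC-20 transfer/approve")
        else:
            fn, addr, amount = decoded
            if decoded != decode_erc20(intent["data"]):
                problems.append(f"calldata decodes to {fn}({addr}, {amount}), not the intended call")
            if fn == "approve" and amount >= 2**255:
                problems.append("approval amount is effectively unlimited")
    elif shown["data"] not in ("", "0x"):
        problems.append("unexpected calldata on a plain ETH transfer")
    return problems
```

The intent must come from a channel the attacker cannot influence (for example the operator's own ticket or runbook), otherwise a tampered UI would feed both sides of the comparison.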
How to Spot (and Stop) Social Engineering Scams in Crypto
1. Verify Identity
Always verify who you are dealing with, especially if they ask for sensitive information. Use official contact points, not links or emails they provide.
- Enable MFA using an authenticator app, not SMS.
- Consider using passkeys for added protection where supported.
Here are more details on how to enable 2FA for Crypto.com accounts.
2. Be Mindful About Personal Information
Scammers mine social media for clues to craft convincing attacks. Never share seed phrases, passwords, or private keys — not even with someone claiming to be from customer support.
Use unique, strong passwords for each account, and consider a password manager.
3. Be Sceptical of Unexpected Messages
Exercise extra caution with links or attachments in DMs or emails, especially if they are unsolicited. When in doubt, navigate manually to trusted URLs. Watch for subtle signs of phishing like slight misspellings in domain names or email addresses.
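The "slight misspellings in domain names" warning above can be turned into a simple check. The script below is an added example written for this article, not Crypto.com code: it reduces a URL to its registrable domain, then compares it against a constructed allowlist using a small homoglyph substitution table and an edit-distance threshold.

```python
"""Flag lookalike domains in a URL against a list of trusted domains.
Added example for this article, not Crypto.com code; the allowlist and the
homoglyph table are constructed and deliberately small."""
from urllib.parse import urlparse

TRUSTED = {"crypto.com", "safe.global"}  # constructed allowlist

# Character sequences that are easy to mistake for one another (illustrative, not exhaustive)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def registrable(host: str) -> str:
    """Keep the last two labels of a hostname (simple heuristic, no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Map known look-alike sequences to the characters they imitate."""
    for src, dst in HOMOGLYPHS.items():
        domain = domain.replace(src, dst)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's registrable domain."""
    dom = registrable(urlparse(url).hostname or "")
    if dom in TRUSTED:
        return "trusted"
    for t in TRUSTED:
        if normalise(dom) == normalise(t) or levenshtein(dom, t) <= 2:
            return "lookalike"
    return "unknown"
```

A domain that merely embeds a trusted name (for example a hyphenated prefix on an unrelated registrable domain) is reported as unknown rather than lookalike, so the check is an aid to the manual habit described above, not a replacement for it.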
4. Maintain Security Hygiene
Keep everything updated, from wallet apps to browser extensions; patches fix known vulnerabilities. For maximum protection, use a hardware wallet, and think twice before approving smart contract interactions.
5. Stay Informed
Stay informed about current scam techniques, as social engineering tactics constantly evolve. If something feels suspicious or too good to be true, it probably is.
Conclusion
Social engineering remains one of the most effective ways for cybercriminals to bypass security measures and steal cryptocurrency. As seen in the Bybit hack, even large institutions with advanced security can fall victim when human trust is exploited.
By staying vigilant, verifying identities, protecting personal information, and maintaining strong security hygiene, users can significantly reduce their risk of being targeted. Education is the best defence — keep learning about emerging scams and always question unexpected requests, no matter how convincing they seem.
In the crypto world, security is non-negotiable, so take every precaution to safeguard all assets. Stay informed, stay sceptical, and stay safe.
Due Diligence and Do Your Own Research
All examples listed in this article are for informational purposes only. You should not construe any such information or other material as legal, tax, investment, financial, cybersecurity, or other advice. Nothing contained herein shall constitute a solicitation, recommendation, endorsement, or offer by Crypto.com to invest, buy, or sell any coins, tokens, or other crypto assets. Returns on the buying and selling of crypto assets may be subject to tax, including capital gains tax, in your jurisdiction. Any descriptions of Crypto.com products or features are merely for illustrative purposes and do not constitute an endorsement, invitation, or solicitation.
Past performance is not a guarantee or predictor of future performance. The value of crypto assets can increase or decrease, and you could lose all or a substantial amount of your purchase price. When assessing a crypto asset, it’s essential for you to do your research and due diligence to make the best possible judgement, as any purchases shall be your sole responsibility.