How $330M was stolen without hacking: The dark power of social engineering

The $330 million attack: A stark reminder of social engineering’s power

A major crypto theft has sent shockwaves through the industry, with $330 million worth of Bitcoin (BTC) stolen. Experts say this was a social engineering attack and not a technical hack. 

Investigations led by blockchain analyst ZachXBT suggest the victim was an elderly US citizen who was manipulated into granting access to their crypto wallet. On April 28, 2025, ZachXBT detected a suspicious transfer of 3,520 BTC, worth $330.7 million. 

The stolen BTC was quickly laundered through more than six instant exchanges and converted into the privacy-oriented cryptocurrency Monero (XMR). Onchain analysis shows the victim had held over 3,000 BTC since 2017, with no previous record of substantial transactions.

Unlike typical cyberattacks that exploit software vulnerabilities, this incident relied on psychological manipulation. Scammers posed as trusted entities, slowly building credibility before persuading the victim over the phone to share sensitive credentials. This is the hallmark of social engineering — exploiting human trust rather than system weaknesses.

Decoding the laundering tactics after the attack

After the Bitcoin theft, the attacker swiftly began laundering the funds using a peel chain method, splitting the stolen amount into smaller, harder-to-trace portions. The funds were routed through hundreds of wallets and scores of exchanges or payment services, including Binance. 

A significant amount was laundered via instant exchanges and mixers, further obscuring its trail. A large portion of BTC was quickly converted into XMR, a privacy coin with untraceable architecture, causing its price to briefly surge 50% to $339.

The attackers used pre-registered accounts across exchanges and OTC desks, which suggests careful planning. Some BTC was even bridged to Ethereum and deposited into various DeFi platforms, making forensic tracing more difficult. Investigators have since notified exchanges in hopes of freezing any accessible funds. 

While attribution remains unclear, analysts like ZachXBT ruled out North Korean Lazarus Group involvement, pointing instead to skilled independent hackers. Hacken traced $284 million of BTC, now diluted to $60 million after extensive peeling and redistribution through obscure platforms.

Binance and ZachXBT were able to freeze about $7 million of the stolen funds. However, the bulk of the stolen Bitcoin remains missing. The suspects include an individual using the alias “X,” allegedly operating from the UK and believed to be of Somali origin, and another accomplice known as “W0rk.” Both have reportedly scrubbed their digital footprints since the theft.

This case underscores that crypto security isn’t just about strong passwords and hardware wallets but also about recognizing psychological threats. As the investigation continues, the community is reminded that even the most secure technologies are vulnerable to human fallibility.

What is social engineering in crypto crimes, and what psychological tactics are involved?

Social engineering is a manipulative technique used by cybercriminals to exploit human psychology. They trick you into revealing confidential information to access your wallets and perform actions that compromise security. 

Unlike traditional hacking, which targets system vulnerabilities, social engineering thrives on human weaknesses such as trust, fear, urgency and curiosity. It leverages psychological tactics to manipulate victims. 

Here are common tactics used by criminals to convince their victims and execute their plans:

• Using fake authority: A common tactic criminals use is authority, where attackers impersonate figures of trust, such as law enforcement or tech support, to pressure victims into revealing the information they want. 
• Create urgency: Urgency is another tactic, often used in phishing emails or scam calls that demand immediate action to prevent “loss” or claim a reward. 
• Preying on the instinct of reciprocity: Reciprocity involves playing on the instinct to return favors, luring victims with gifts like fake airdrops or rewards. 
• Triggering impulsive actions: Scarcity drives decisions by presenting fake limited-time offers, prompting impulsive behavior. 
• Riding herd mentality: Social proof, or the herd mentality, is also common with fraudsters often claiming others have already benefited, encouraging the victim to follow suit.

These psychological strategies are a major threat to users in the crypto space, where irreversible transactions and often decentralized platforms make it very difficult for the victims to regain the lost funds. 

Did you know? Crypto drainers-as-a-service (DaaS) offers complete social engineering toolkits, including fake DEX websites, wallet prompts and Telegram support bots for anyone to run phishing campaigns, no coding required.

Why crypto users are vulnerable to social engineering attacks

Crypto users are particularly susceptible to social engineering attacks due to a combination of technological and behavioral issues. These include irreversibility of transactions, lack of recourse, high-value targets and overreliance on trust.

• Irreversibility of transactions: Once a crypto transaction is confirmed, it is final. There is no central authority or support team to reverse a mistaken transfer or a fraudulent withdrawal. Social engineers exploit this by tricking victims into sending funds or approving malicious wallet permissions, well aware that recovery is virtually impossible.
• Anonymity and lack of recourse: DeFi thrives on anonymity, which also empowers scammers. Attackers can hide behind pseudonyms and fake profiles, often impersonating support staff, influencers or developers. Victims have little to no legal or institutional support after an incident, especially across borders.
• High-value targets: Whales, NFT collectors and DeFi project founders are frequent targets of fraudulent activities due to the large sums they control. Social engineers often tailor sophisticated scams, such as fake job offers, investment pitches or urgent support calls to manipulate these high-end users.
• Overreliance on trust in online communities: Crypto culture emphasizes decentralization and peer collaboration, but these can foster a false sense of confidence. Scammers exploit this openness in Discord, Telegram and decentralized autonomous organizations (DAOs) to gain credibility before striking.

Together, these factors make crypto users highly susceptible to human-centric attacks, more than users of traditional finance.

Did you know? Unlike traditional hacks, social engineering doesn’t target code; it targets people. It is low-tech but high-reward, exploiting trust, emotion and routine to steal assets in seconds.

Common crypto-specific social engineering tactics

Fraudsters use customized social engineering strategies to trick and exploit unsuspecting crypto users. To protect yourself from these scamsters, you must be well aware of their various tactics. From phishing scams and impersonation attacks to malicious downloads, you must have a broad idea of how these methods work.

Here are some prevalent tactics that fraudsters use:

• Phishing scams: Attackers craft deceptive emails or messages resembling those from established crypto platforms, subtly pushing users to click on malicious links. These links take users to counterfeit websites that mimic legitimate crypto exchanges or wallets, prompting users to input sensitive information like private keys or login credentials. 
• Impersonation attacks: Scammers pose as trusted figures or support staff on platforms like Discord and Telegram. By mimicking official channels or personnel, they convince users to divulge confidential information or perform actions that compromise their wallets.
• Fake airdrops: Tactics involve enticing users to connect their wallets to claim non-existent rewards. Users who fall prey to these tactics often end up losing their assets.
• Malicious downloads: Users are lured with promises of free tools or software stealthily loaded with malicious code. Once downloaded, the malware shares confidential information with its handlers.
• Honeytraps and fake job offers: Fraudsters create alluring profiles or job postings targeting developers and project founders. Once trust is established, they manipulate victims into sharing sensitive data or granting access to secure systems.
• Pretexting and quid pro quo: Attackers may fabricate scenarios, such as offering exclusive investment opportunities or lucrative rewards, to extract information or access from victims. 

Understanding these tactics is crucial for crypto users to safeguard their assets. Vigilance, verification of sources and skepticism toward unsolicited offers can mitigate the risks posed by social engineering attacks.

Case studies of crypto social engineering attacks

There have been several scams in the crypto domain exploiting human weaknesses. Fraudsters used clever tactics like phishing and impersonation to steal digital assets. 

These case studies provide key insights to boost awareness and prevent losses.

Ronin Network attack

In March 2022, the Ronin Network, which powers Axie Infinity, suffered a $600 million exploit. Investigations revealed the hack stemmed from a social engineering attack. 

Lazarus Group posed as a fake company and sent a job offer PDF to a senior engineer with Ronin Network. When the file was opened, it installed spyware that compromised validator nodes. This breach allowed attackers to authorize massive withdrawals that went undetected for days. 

Lazarus Group’s fake job offer

The Lazarus Group, a North Korea-linked cybercrime unit, has been using fake job offers to target crypto employees. In one such case, they created fake recruiter profiles on LinkedIn and sent tailored job offers to engineers at blockchain companies. 

Engineers clicking on the job documents suffered malware infections. Fraudsters getting access to the wallets culminated in them stealing digital assets worth millions.

Discord phishing scams

Discord has become a hotspot for NFT scams through social engineering. Scamsters impersonate project admins or moderators and post fake minting links in announcements. 

In 2022, the popular NFT project Bored Ape Yacht Club was targeted this way. Scammers posted a fake airdrop link in the official Discord, tricking users into connecting their wallets. Once authorized, the attackers drained the NFTs and tokens, resulting in hundreds of thousands in losses.

Did you know? Many social engineering attacks happen during project launches or major announcements. Hackers time their scams for peak traffic, using fake links that mimic official posts to steal funds from unsuspecting users.

How to protect yourself from social engineering attacks in crypto

Crypto users face an increasing wave of social engineering attacks, from fake job offers to Discord phishing links. To stay secure, you and the crypto community need to take proactive steps to build awareness and deter attacks:

• Verifying identities and URLs: Always double-check usernames, domain spellings and URLs before clicking. Use official channels to verify announcements or job offers.
• Multifactor authentication (MFA): Enable MFA or 2-factor authentication (2FA) on all accounts to make it harder for fraudsters.
• Use hardware wallets: To store funds securely for the long term, use hardware wallets as they reduce the risk of remote access.
• Community education: Circulation of scam alerts and regular security training sessions for crypto users can help raise awareness about the prowling crypto scamsters.
• Role of social platforms and devs in prevention: Platforms like Discord and Telegram should implement a reporting mechanism with quick responses. They can integrate transaction warnings and wallet-connection alerts to deter social engineering attacks at the source.

Help available to elderly victims in the event of crypto attacks

Several types of aid are available to elderly victims of cryptocurrency hacks to help them recover their possessions. Here is an insight into various options at hand.

Victims can file a formal complaint with law enforcement agencies, such as cybercrime units and local police, who can carry out investigations. Many countries have financial fraud helplines that provide victims with counsel. They may discuss the fraudulent act with their lawyer, who would help them understand their rights and legal support available. 

Nonprofits and advocacy groups in the US, such as the American Association of Retired Persons (AARP), provide support to senior victims of scams. Crypto exchanges may assist victims by freezing suspicious transactions if alerted early. They may also contact blockchain analytics firms or crypto recovery services to assist in tracing stolen assets, though positive outcomes aren’t assured. 

Legal aid organizations can help victims navigate the complex processes. It is helpful for older people to involve family members and caregivers to assist them in the aftermath of an attack.