Social Engineering in Crypto: Why People Are Now the Main Target

Asset Alert | April 26, 2026 | 4 min read | security

Why this matters

Social engineering overtook technical exploits as the leading cause of crypto losses in 2025, accounting for more than 60% of incidents. Attacks target individual holders and protocol teams alike, often through months-long trust-building before any theft occurs. Knowing how these operations work helps holders identify gaps in their own setup before becoming a target.

Social engineering attacks now account for more than 60% of crypto security incidents, surpassing smart contract exploits as the primary source of losses (AMLBot, 2026). Rather than hunting for code vulnerabilities, attackers increasingly target the people who hold keys, approve transactions, or manage protocols. Understanding how these attacks work is a practical step in assessing whether your own setup is exposed.

How attackers build trust before they take action

Social engineering in crypto takes several distinct forms, each relying on the same core mechanic: establishing enough apparent credibility that the target acts without proper verification.

Unlike crypto phishing scams, which typically rely on fake websites and bulk email, impersonation scams target individuals directly through DMs, phone calls, or live support channels. In 2025, they grew 1,400% year-over-year, with the average payment per incident rising from $782 to $2,764 (Chainalysis, 2026). Attackers pose as exchange support agents, project founders, or regulatory bodies, then create urgency around account freezes, compliance issues, or security alerts requiring immediate action. The goal is to extract seed phrases, approve unexpected transactions, or transfer assets before the target verifies the request independently.

Fake professional relationships are a slower and more targeted variant. Attackers construct convincing personas on LinkedIn or Telegram, approach team members at conferences, and build months of correspondence before acting. The objective is not a single credential, but access to admin keys or a trusted team member willing to sign a transaction.

Insider infiltration is a third category, closely associated with North Korean state-sponsored groups. These operations involve placing individuals inside crypto firms as contractors or employees, establishing persistent internal access rather than relying on a single point of entry.

In the first half of 2025 alone, social engineering accounted for 55.3% of exploit-related losses, totaling $1.39 billion (Chainalysis mid-year update, 2025). The pattern reflects a straightforward calculation: human targets are harder to patch than code, and they scale with volume.

Months of preparation, minutes to execute: the Drift Protocol case

The April 2026 attack on Drift Protocol, a Solana-based decentralized exchange, shows how far these operations have evolved. The campaign, attributed with medium confidence to North Korean state-sponsored group UNC4736, began at a major crypto conference in fall 2025 (Chainalysis, 2026). The same group is tied to a broader pattern of North Korean crypto theft that totaled $2.02 billion in 2025.

Attackers presented themselves as representatives of a quantitative trading firm. Over the following months, they maintained a dedicated Telegram group with Drift staff, discussing trading strategies and potential vault integrations. The interaction was indistinguishable from a legitimate business relationship at each stage.

When the time came, attackers exploited Solana's "durable nonces" feature to obtain pre-signed transactions from Drift Security Council members, who believed they were approving routine operations. With admin access secured, the group whitelisted a worthless fake token as collateral, deposited 500 million units, then withdrew $285 million in real assets including USDC, SOL, and ETH. Execution took 12 minutes. Preparation took six months.
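As an added example (not code from Drift or the Solana libraries), here is a pre-signing policy check a multisig or security-council signer could run over a transaction before approving it. It flags the mechanism described above: a transaction whose first instruction is the System program's AdvanceNonceAccount (the marker of a durable-nonce transaction, which stays valid until the nonce is advanced rather than expiring with a recent blockhash) and any instruction aimed at a program outside the set the signer expects. The System program id and instruction index are real; the other program ids are constructed placeholders, and the instruction representation is an assumption about the signer's tooling.

```typescript
// Pre-signing review for a Solana transaction handed to a council signer.
// Added example; assumes the signing tool exposes each instruction's program
// id (base58 string) and raw instruction data bytes.

const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const ADVANCE_NONCE_ACCOUNT = 4; // System program instruction index, u32 little-endian

interface Instruction {
  programId: string;
  data: Uint8Array;
}

interface Finding {
  severity: "block" | "review";
  reason: string;
}

// A durable-nonce transaction must have AdvanceNonceAccount as instruction 0.
function isAdvanceNonce(ix: Instruction): boolean {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length < 4) return false;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, 4);
  return view.getUint32(0, true) === ADVANCE_NONCE_ACCOUNT;
}

// Returns findings; an empty list means the transaction matches routine policy.
function reviewTransaction(ixs: Instruction[], allowedPrograms: Set<string>): Finding[] {
  const findings: Finding[] = [];
  if (ixs.length > 0 && isAdvanceNonce(ixs[0])) {
    findings.push({
      severity: "review",
      reason: "durable nonce: signed transaction stays valid until the nonce advances; confirm intent out of band",
    });
  }
  ixs.forEach((ix, i) => {
    if (!isAdvanceNonce(ix) && !allowedPrograms.has(ix.programId)) {
      findings.push({ severity: "block", reason: `instruction ${i} targets unexpected program ${ix.programId}` });
    }
  });
  return findings;
}

// Constructed sample data (placeholder program ids, not real deployments).
const EXPECTED_PROGRAM = "ExpectedProtocolProgramPLACEHOLDER";
const UNKNOWN_PROGRAM = "UnknownProgramPLACEHOLDER";
const ALLOWED = new Set([EXPECTED_PROGRAM]);
const routineTx: Instruction[] = [{ programId: EXPECTED_PROGRAM, data: new Uint8Array([1, 2, 3]) }];
const suspiciousTx: Instruction[] = [
  { programId: SYSTEM_PROGRAM_ID, data: new Uint8Array([4, 0, 0, 0]) }, // AdvanceNonceAccount
  { programId: UNKNOWN_PROGRAM, data: new Uint8Array([9, 9]) },
];
```

A "review" finding is the cue to confirm the request through an independent channel before signing; a "block" finding should stop the signing flow outright.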

What to check in your own setup

Individual holders face different social engineering risks than protocol teams, but the defensive logic is consistent: slow down, verify through independent channels, and limit how much any single interaction can authorize.

Specific checks:

  • Verify before acting on unexpected contact. If someone claims to be from an exchange or protocol, find official contact details through a separate, trusted route rather than using information they provided.
  • Use hardware wallets for significant holdings. Hardware wallets require physical confirmation on the device itself, which adds friction that social engineering cannot easily bypass remotely.
  • Review token approvals regularly. Unrevoked approvals give past interactions ongoing access to your assets. The guide on DeFi token approvals covers how to check and revoke them.
  • Treat urgency as a red flag. Legitimate platforms do not require immediate action under threat of loss. Tight deadlines are one of the clearest signals of manipulation.

For a broader view of how your current setup holds up against these and other threat patterns, check your setup in the app.
