CryptoKeySafe
Module 4

The Real Threat Picture

The word "hack" covers everything from a script kiddie running a phishing page to a nation-state supply chain operation. Treating all threats the same leads to spending on the wrong defenses. This module breaks down what actually happened in each major category, with real numbers and specific cases.

Video Narration: Q3 2026

Video narration arrives Q3 2026. Full written lesson available below.

The Taxonomy: Theft, Exploits, and Breaches

Three categories, meaningfully different defenses for each.


Theft

Private key compromise through human failure

Examples: Phishing, SIM swaps, social engineering, seed phrase exposure
Defense: Operational security, hardware wallets, hardware 2FA, never entering seed phrases online
$14B estimated stolen via scams in 2025; $300M+ from phishing in January 2026 alone

Exploits

Code or protocol vulnerabilities

Examples: Reentrancy, flash loan attacks, oracle manipulation, approval exploits
Defense: Smart contract audits, approval management, using audited protocols
$905.4M in smart contract losses in 2025

Breaches

Infrastructure and operational failures

Examples: Exchange hot wallet compromises, supply chain attacks, multisig manipulation
Defense: Self-custody for long-term holdings, diversification, hardware signing
Bybit $1.5B (Feb 2025), Phemex $85M (Jan 2025), Nobitex $90M (2025)

Phishing and Signature Attacks

January 2026: $300 million stolen in phishing losses in a single month. Signature phishing (also called permit phishing or approval phishing) was up 207% compared to January 2025. In that one month, 4,700 wallets lost $6.27 million to signature-based attacks alone - an average of $1,334 per victim.

Classic phishing: a fake website that looks like a legitimate exchange or wallet, designed to harvest your email, password, or seed phrase. MetaMask phishing sites often include a fake emergency popup claiming your wallet needs immediate attention and asking you to "verify" by entering your seed phrase.

Signature phishing is more sophisticated and more dangerous for DeFi users. The attacker's site asks you to sign an off-chain message (no gas cost, appears harmless). The message is actually an EIP-2612 permit: a typed (EIP-712) authorization that lets anyone holding your signature call permit() on the token contract and set an allowance for the attacker's spender address. The attacker submits that call, then calls transferFrom, and your tokens move without any further interaction on your part. The signature costs you nothing and touches no chain; the damage lands when the attacker pays the gas. Because the request is a signature rather than a transaction, the wallet shows the raw fields: check the spender, the value, and the deadline before you approve.
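The following is an added example, not code from the CryptoKeySafe lesson: it inspects the EIP-712 typed-data object a dapp hands to the wallet (the payload behind eth_signTypedData_v4) and flags the hallmarks of a permit-phishing request before any signature is produced. The trusted-spender list, the timestamp, and both sample requests are constructed for illustration; the Permit field layout follows EIP-2612.

```javascript
// Added example, not code from the CryptoKeySafe page: inspect an EIP-712
// typed-data request and flag the signs of permit phishing before signing.
// TRUSTED_SPENDERS, NOW and the two sample permits are constructed.

const MAX_UINT256 = (1n << 256n) - 1n;
const ONE_HOUR = 3600n;

// Hypothetical allow-list: contracts you have deliberately decided may spend
// your tokens (a router you actually use). Lower-cased for comparison.
const TRUSTED_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// Returns { isPermit, spender, value, deadline, findings, risky }.
// nowSeconds is passed in so the deadline check is deterministic.
function inspectTypedData(typedData, nowSeconds, trustedSpenders = TRUSTED_SPENDERS) {
  const findings = [];
  if (typedData.primaryType !== "Permit" || !typedData.message) {
    return { isPermit: false, findings, risky: false };
  }
  const msg = typedData.message;
  const spender = String(msg.spender).toLowerCase();
  const value = BigInt(msg.value);        // decimal or 0x-prefixed hex string
  const deadline = BigInt(msg.deadline);
  const now = BigInt(nowSeconds);

  if (!trustedSpenders.has(spender)) {
    findings.push(`spender ${spender} is not in your trusted list`);
  }
  if (value === MAX_UINT256) {
    findings.push("value is the maximum uint256: an unlimited allowance");
  }
  // A permit meant for one swap is used within minutes; a far-future deadline
  // lets the attacker drain the wallet whenever it is worth the gas.
  if (deadline > now + ONE_HOUR) {
    findings.push(`deadline is ${deadline - now} seconds away`);
  }
  return { isPermit: true, spender, value, deadline, findings, risky: findings.length > 0 };
}

const PERMIT_TYPES = {
  EIP712Domain: [
    { name: "name", type: "string" },
    { name: "version", type: "string" },
    { name: "chainId", type: "uint256" },
    { name: "verifyingContract", type: "address" },
  ],
  Permit: [
    { name: "owner", type: "address" },
    { name: "spender", type: "address" },
    { name: "value", type: "uint256" },
    { name: "nonce", type: "uint256" },
    { name: "deadline", type: "uint256" },
  ],
};

const NOW = 1767225600; // constructed: 2026-01-01T00:00:00Z

// Constructed sample: what a "verify your wallet" page really asks you to sign.
const PHISHING_PERMIT = {
  types: PERMIT_TYPES,
  primaryType: "Permit",
  domain: { name: "Example Token", version: "1", chainId: 1,
            verifyingContract: "0x3333333333333333333333333333333333333333" },
  message: {
    owner: "0x4444444444444444444444444444444444444444",
    spender: "0x2222222222222222222222222222222222222222",
    value: MAX_UINT256.toString(),
    nonce: "0",
    deadline: "1900000000",
  },
};

// Constructed sample of a permit you would expect from a swap you initiated.
const BENIGN_PERMIT = {
  types: PERMIT_TYPES,
  primaryType: "Permit",
  domain: PHISHING_PERMIT.domain,
  message: {
    owner: PHISHING_PERMIT.message.owner,
    spender: "0x1111111111111111111111111111111111111111",
    value: "1000000000",
    nonce: "0",
    deadline: String(NOW + 600),
  },
};

console.log(inspectTypedData(PHISHING_PERMIT, NOW).findings);
console.log(inspectTypedData(BENIGN_PERMIT, NOW).risky);
```

The three fields the check reads (spender, value, deadline) are exactly the ones a wallet displays for a permit; the dapp's page text ("verify", "claim") is not part of what gets signed, so it is not part of what gets checked.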

AI-powered scams reported 4.5x more profitable per attempt than traditional methods in 2025. The voice cloning and deepfake technology that makes fake video calls appear legitimate costs less than $100 to deploy. Support scams, investment scams, and romance scams have all adopted AI-generated content to increase persuasiveness.

SIM Swaps

A SIM swap is a social engineering attack on your mobile carrier, not on your crypto. The attacker calls your carrier's customer service line, claims to be you, and requests that your phone number be transferred to a SIM card they control. Once they have your number, every SMS 2FA code for every account tied to that number is theirs.

US SIM swap losses: $28.4 million in 2025. In March 2025, T-Mobile was ordered to pay $33 million after a single SIM swap drained a customer's crypto holdings. The court found T-Mobile's verification procedures were inadequate to prevent the attack.

The attack is not sophisticated. It's a customer service representative being deceived. The growing trend of carrier employees being directly bribed for SIM swap services (investigated by the FBI in multiple cases) means even carriers with strong verification procedures are vulnerable.

Global SIM swap trends (2025)

United States: $28.4M in losses
United Kingdom: 1,055% surge in reported cases
Australia: 240% increase year-over-year

The defense is removing your phone number as a 2FA method for any account that holds significant value. Module 5 covers the specific steps for each carrier and exchange. The short version: set a carrier PIN, remove SMS 2FA from all crypto accounts, and use an authenticator app or hardware key instead.

Address Poisoning

Address poisoning has generated $83.8 million in losses and involved 270 million on-chain attacks targeting 17 million victims. The attack is low-tech, scalable, and highly effective against users who copy addresses from their transaction history.

The mechanism: the attacker generates a wallet address that shares the first 4-6 and last 4-6 characters with an address you've previously transacted with. They send a tiny amount (dust) from this look-alike address to your wallet. The transaction appears in your history. When you later want to send to the same recipient, you copy the address from your history instead of from the original source. You copy the attacker's address. You send to the attacker.

Case study: $50 million USDT (December 2025)

  1. Victim was about to send $50M USDT to a regular counterparty
  2. Sent a $50 test transaction first to verify the address was working
  3. Attacker's monitoring system detected the test transaction immediately
  4. Attacker sent dust from a look-alike address to the victim within minutes
  5. 26 minutes after the test transaction, victim sent $50M USDT
  6. The address was copied from the recent transaction history - it was the attacker's
  7. Funds were gone. Transaction was final. No recovery.

The Ethereum Fusaka upgrade in December 2025 reduced transaction costs enough that address poisoning campaigns became dramatically cheaper to run at scale. Attack attempts jumped from 628,000 in November 2025 to 3.4 million in January 2026 - a 441% increase in two months. The defense is simple and absolute: never copy a recipient address from your transaction history. Always copy from the original verified source. Verify every character, not just the first and last few.

Clipboard Hijacking

Clipboard hijackers are malware that monitor your clipboard and replace any crypto address you copy with the attacker's address. You copy what you believe is a recipient address. You paste something different. If you don't verify what you pasted, you send to the attacker.

ClipXDaemon (February 2026) is a Linux implementation that runs as a background daemon polling the clipboard every 200 milliseconds. It targets Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON addresses. It installs quietly, runs silently, and is difficult to detect without specifically auditing running processes.

GitVenom (2024-2025) was a campaign distributing clipboard hijackers through fake GitHub repositories. Attackers created repositories that appeared to be legitimate open-source crypto tools. The code included hidden scripts that installed clipboard monitoring software. Approximately $485,000 (5 BTC) was confirmed stolen through the campaign.

The defense: always verify the pasted address matches what you copied before confirming any transaction. Hardware wallets display the destination address on the device screen - if it doesn't match what you intended, the device has caught an address replacement before it cost you anything. This is one of the practical security advantages of hardware wallets over software-only signing.
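The following is an added example, not code from the CryptoKeySafe lesson, covering both the address poisoning section and the clipboard hijacking section above. findPoisonedEntries() scans a transaction history for counterparties that mimic an address-book contact, the way poisoning dust does; verifyRecipient() is the paste-time check, comparing the address you are about to send to against the verified copy character by character, which catches a clipboard swap and a history look-alike alike. All addresses, the history, and the 6-in/6-out visibility window are constructed assumptions.

```javascript
// Added example, not code from the CryptoKeySafe page: detect look-alike
// recipients in a history and verify a pasted address against a verified one.
// PREFIX/SUFFIX, the addresses and HISTORY are constructed samples.

const PREFIX = 8;  // "0x" plus the first 6 hex digits a user tends to eyeball
const SUFFIX = 6;  // the last 6 hex digits

// Case-folding tolerates EIP-55 mixed-case display; it also discards the
// checksum, so this is a visual-match check, not address validation.
function normalize(addr) {
  return String(addr).trim().toLowerCase();
}

// True when two different addresses agree on the parts people actually look at.
function isLookAlike(a, b) {
  a = normalize(a); b = normalize(b);
  if (a === b || a.length !== b.length) return false;
  return a.slice(0, PREFIX) === b.slice(0, PREFIX) && a.slice(-SUFFIX) === b.slice(-SUFFIX);
}

// history: [{ txid, direction: "in"|"out", counterparty, amount }]
// addressBook: addresses you obtained from the recipient directly, not from history.
function findPoisonedEntries(history, addressBook) {
  const contacts = addressBook.map(normalize);
  const flagged = [];
  for (const tx of history) {
    const cp = normalize(tx.counterparty);
    for (const contact of contacts) {
      if (isLookAlike(cp, contact)) {
        flagged.push({ txid: tx.txid, lookAlike: cp, mimics: contact,
                       direction: tx.direction, amount: tx.amount });
      }
    }
  }
  return flagged;
}

// Paste-time check: the only acceptable outcome is an exact match.
function verifyRecipient(pasted, verified) {
  const p = normalize(pasted), v = normalize(verified);
  if (p === v) return { ok: true, reason: "exact match", firstDifference: -1 };
  let i = 0;
  while (i < p.length && i < v.length && p[i] === v[i]) i++;
  const reason = isLookAlike(p, v)
    ? `look-alike: first difference at character ${i}`
    : `does not match verified address (differs from character ${i})`;
  return { ok: false, reason, firstDifference: i };
}

// Constructed sample data. POISON shares the first 6 and last 6 hex digits
// with CONTACT, so a prefix/suffix glance cannot tell them apart.
const CONTACT   = "0xAbCdEf1234567890AbCdEf1234567890AbCdEf12";
const POISON    = "0xabcdef" + "0".repeat(26) + "abcdef12";
const UNRELATED = "0x9999999999999999999999999999999999999999";
const HISTORY = [
  { txid: "tx-1", direction: "out", counterparty: CONTACT,   amount: "50" },     // your test send
  { txid: "tx-2", direction: "in",  counterparty: POISON,    amount: "0.0001" }, // attacker's dust
  { txid: "tx-3", direction: "in",  counterparty: UNRELATED, amount: "1200" },
];

console.log(findPoisonedEntries(HISTORY, [CONTACT]));   // flags tx-2
console.log(verifyRecipient(POISON, CONTACT));           // ok: false, look-alike
console.log(verifyRecipient(" " + CONTACT + " ", CONTACT)); // ok: true
```

The history scan is useful for flagging dust after the fact; the paste-time comparison is the control that actually blocks the loss, and a hardware wallet's on-device address display is the same comparison done on a screen the malware cannot reach.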

Ice Phishing

Ice phishing doesn't steal your keys. It tricks you into granting authorization. Over $1 billion has been stolen since 2021 through variations of this attack.

The attack flow: you visit a malicious site (or a compromised legitimate site). The site presents a transaction for you to sign. The UI shows something appealing - "Claim your airdrop", "Mint exclusive NFT", "Verify your wallet". The actual transaction being signed is an ERC-20 approval granting the attacker's address unlimited permission to move a specific token from your wallet.

The signed approval is valid and on-chain. The attacker calls the transferFrom function at their leisure - immediately or months later. Even if you revoke the approval afterward, any transfers that already occurred are irreversible. Phishing losses in 2025 totaled $84 million (down 83% from 2024 due to awareness and tool improvements), but the average loss per victim increased. January 2026 erased much of that progress with $300 million lost in a single month.
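The following is an added example, not code from the CryptoKeySafe lesson: it decodes the calldata of a transaction a site asks the wallet to send and flags an ERC-20 approve()/increaseAllowance() or an ERC-721/1155 setApprovalForAll() that hands control of your tokens to an address you never chose, which is the ice phishing pattern described above. The four-byte selectors are the standard ones; the sample transaction and the trusted list are constructed.

```javascript
// Added example, not code from the CryptoKeySafe page: decode approval calldata
// and compare it with what the site claimed. ATTACKER, CLAIM_AIRDROP_TX and
// TRUSTED are constructed samples.

const MAX_UINT256 = (1n << 256n) - 1n;

// First four bytes of keccak256(signature) for the standard approval functions.
const SELECTORS = {
  "0x095ea7b3": "approve",            // approve(address,uint256)
  "0x39509351": "increaseAllowance",  // increaseAllowance(address,uint256)
  "0xa22cb465": "setApprovalForAll",  // setApprovalForAll(address,bool)
};

// i-th 32-byte ABI word after the selector, as 64 hex characters.
function word(data, i) {
  return data.slice(10 + i * 64, 10 + (i + 1) * 64);
}

function decodeApproval(data) {
  data = String(data).toLowerCase();
  const kind = SELECTORS[data.slice(0, 10)];
  if (!kind || data.length < 10 + 2 * 64) {
    return { kind: "other", selector: data.slice(0, 10) };
  }
  const spender = "0x" + word(data, 0).slice(24); // address is right-aligned in its word
  const arg = BigInt("0x" + word(data, 1));
  if (kind === "setApprovalForAll") {
    return { kind, spender, approved: arg !== 0n };
  }
  return { kind, spender, amount: arg, unlimited: arg === MAX_UINT256 };
}

// Compare the decoded call against whom you actually trust to spend.
function assessTransaction(tx, trustedSpenders) {
  const d = decodeApproval(tx.data);
  const findings = [];
  if (d.kind === "other") return { decoded: d, findings, risky: false };
  if (!trustedSpenders.has(d.spender)) {
    findings.push(`${d.kind} grants ${d.spender}, which you have not trusted`);
  }
  if (d.unlimited) findings.push("allowance is the maximum uint256: unlimited");
  if (d.kind === "setApprovalForAll" && d.approved) {
    findings.push("operator approval covers every token in the collection");
  }
  return { decoded: d, findings, risky: findings.length > 0 };
}

// Constructed sample: the "Claim your airdrop" button really sends this:
// approve(ATTACKER, 2**256 - 1) on the token contract.
const ATTACKER = "0x2222222222222222222222222222222222222222";
const CLAIM_AIRDROP_TX = {
  to: "0x3333333333333333333333333333333333333333", // the token contract
  value: "0x0",
  data: "0x095ea7b3" + "0".repeat(24) + ATTACKER.slice(2) + "f".repeat(64),
};
const TRUSTED = new Set(["0x1111111111111111111111111111111111111111"]);

console.log(assessTransaction(CLAIM_AIRDROP_TX, TRUSTED));
```

Nothing in the calldata says "airdrop"; the selector says approve and the second word says unlimited. Revoking the allowance later (an approve with amount 0 to the same spender) stops future transferFrom calls but cannot undo ones already mined.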

North Korean State Actors

Lazarus Group is North Korea's primary cyber operations unit. In 2025, they stole $2.02 billion in crypto - a 51% increase year over year. This is a state-funded operation with professional teams, operational security, months-long preparation cycles, and a nation-state's backing.

Their primary method is social engineering targeting crypto company employees, not individuals. They spend weeks or months building rapport with development team members through LinkedIn, Telegram, and Discord before deploying malware via fake job opportunities, infected documents, or compromised development tools.

For individual holders, Lazarus Group is largely not your threat. They target company treasury wallets, exchange infrastructure, and protocol deployment keys - not retail accounts. The relevant lesson is systemic: if you hold assets with any company in the crypto space, that company is a target of well-resourced, patient adversaries. The Bybit attack is the evidence. Counterparty risk at the institutional level is real, which is the argument for self-custody at scale.

Knowledge Check

Module 4 - 7 questions

1. Address poisoning attacks work by which mechanism?

2. In 2025, US losses attributed to SIM swap attacks totaled approximately how much?

3. ClipXDaemon, discovered in February 2026, is a piece of malware that targets which operating system and uses what method?

4. A flash loan attack allows an attacker to borrow millions of dollars in a single transaction. What collateral is required?

5. North Korean Lazarus Group stole approximately how much in 2025, and what was their primary method?

6. Ice phishing attacks differ from traditional phishing by not stealing your private key. Instead, what do they achieve?

7. The OWASP Smart Contract Top 10 lists which vulnerability as a common attack pattern involving borrowed external function calls?