The Real Threat Picture
The word "hack" covers everything from a script kiddie running a phishing page to a nation-state supply chain operation. Treating all threats the same leads to spending on the wrong defenses. This module breaks down what actually happened in each major category, with real numbers and specific cases.
Video Narration: Q3 2026
Video narration arrives Q3 2026. Full written lesson available below.
The Taxonomy: Theft, Exploits, and Breaches
Three categories, meaningfully different defenses for each.
- Theft: private key compromise through human failure
- Exploits: code or protocol vulnerabilities
- Breaches: infrastructure and operational failures
Phishing and Signature Attacks
January 2026: $300 million stolen in phishing losses in a single month. Signature phishing (also called permit phishing or approval phishing) was up 207% compared to January 2025. In that one month, 4,700 wallets lost $6.27 million to signature-based attacks alone - an average of $1,334 per victim.
Classic phishing: a fake website that looks like a legitimate exchange or wallet, designed to harvest your email, password, or seed phrase. MetaMask phishing sites often include a fake emergency popup claiming your wallet needs immediate attention and asking you to "verify" by entering your seed phrase.
Signature phishing is more sophisticated and more dangerous for DeFi users. The attacker's site asks you to sign an off-chain message (no gas cost, appears harmless). The message is actually an EIP-2612 permit, an ERC-20 authorization allowing the attacker's address to transfer your tokens. You sign it, the attacker submits it on-chain, and your tokens move without any further interaction on your part.
AI-powered scams were reported to be 4.5x more profitable per attempt than traditional methods in 2025. The voice cloning and deepfake technology that makes fake video calls appear legitimate costs less than $100 to deploy. Support scams, investment scams, and romance scams have all adopted AI-generated content to increase persuasiveness.
SIM Swaps
A SIM swap is a social engineering attack on your mobile carrier, not on your crypto. The attacker calls your carrier's customer service line, claims to be you, and requests that your phone number be transferred to a SIM card they control. Once they have your number, every SMS 2FA code for every account tied to that number is theirs.
US SIM swap losses: $28.4 million in 2025. In March 2025, T-Mobile was ordered to pay $33 million after a single SIM swap drained a customer's crypto holdings. The court found T-Mobile's verification procedures were inadequate to prevent the attack.
The attack is not sophisticated. It's a customer service representative being deceived. The growing trend of carrier employees being directly bribed for SIM swap services (investigated by the FBI in multiple cases) means even carriers with strong verification procedures are vulnerable.
Global SIM swap trends (2025)
- United States: $28.4M in losses
- United Kingdom: 1,055% surge in reported cases
- Australia: 240% increase year-over-year
The defense is removing your phone number as a 2FA method for any account that holds significant value. Module 5 covers the specific steps for each carrier and exchange. The short version: set a carrier PIN, remove SMS 2FA from all crypto accounts, and use an authenticator app or hardware key instead.
Address Poisoning
Address poisoning has generated $83.8 million in losses and involved 270 million on-chain attacks targeting 17 million victims. The attack is low-tech, scalable, and highly effective against users who copy addresses from their transaction history.
The mechanism: the attacker generates a wallet address that shares the first 4-6 and last 4-6 characters with an address you've previously transacted with. They send a tiny amount (dust) from this look-alike address to your wallet. The transaction appears in your history. When you later want to send to the same recipient, you copy the address from your history instead of from the original source. You copy the attacker's address. You send to the attacker.
Case study: $50 million USDT (December 2025)
1. The victim was about to send $50M USDT to a regular counterparty.
2. They sent a $50 test transaction first to verify the address was working.
3. The attacker's monitoring system detected the test transaction immediately.
4. The attacker sent dust from a look-alike address to the victim within minutes.
5. 26 minutes after the test transaction, the victim sent $50M USDT.
6. The address was copied from the recent transaction history - it was the attacker's.
7. Funds were gone. The transaction was final. No recovery.
The Ethereum Fusaka upgrade in December 2025 reduced transaction costs enough that address poisoning campaigns became dramatically cheaper to run at scale. Attack attempts jumped from 628,000 in November 2025 to 3.4 million in January 2026 - a 441% increase in two months. The defense is simple and absolute: never copy a recipient address from your transaction history. Always copy from the original verified source. Verify every character, not just the first and last few.
Clipboard Hijacking
Clipboard hijackers are malware that monitor your clipboard and replace any crypto address you copy with the attacker's address. You copy what you believe is a recipient address. You paste something different. If you don't verify what you pasted, you send to the attacker.
ClipXDaemon (February 2026) is a Linux implementation that runs as a background daemon polling the clipboard every 200 milliseconds. It targets Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON addresses. It installs quietly, runs silently, and is difficult to detect without specifically auditing running processes.
GitVenom (2024-2025) was a campaign distributing clipboard hijackers through fake GitHub repositories. Attackers created repositories that appeared to be legitimate open-source crypto tools. The code included hidden scripts that installed clipboard monitoring software. Approximately $485,000 (5 BTC) was confirmed stolen through the campaign.
The defense: always verify the pasted address matches what you copied before confirming any transaction. Hardware wallets display the destination address on the device screen - if it doesn't match what you intended, the device has caught an address replacement before it cost you anything. This is one of the practical security advantages of hardware wallets over software-only signing.
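The two checks below are an added example, not code from the course, covering the address-poisoning and clipboard-hijacking failure modes described above. classifyAddress tells a send form whether the pasted address is exactly the verified one, a look-alike (poisoning), or something else entirely (clipboard replacement); findPoisonedEntries scans a transaction history for dust from look-alike senders so those entries are never offered as a copy source. The prefix/suffix widths and all addresses are constructed for illustration.

```javascript
// Added example (not from the course): pre-send address checks for a wallet UI.
// All addresses here are constructed placeholders, not real on-chain addresses.

const PREFIX = 6; // hex chars compared after "0x" (poisoners match the first 4-6)
const SUFFIX = 6; // hex chars compared at the end  (and the last 4-6)

// Normalize checksummed / mixed-case input and reject anything that is not a
// 20-byte hex address (a hijacker could also paste a different format entirely).
function normalize(addr) {
  const a = addr.trim().toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(a)) throw new Error("not a 20-byte hex address: " + addr);
  return a;
}

// True when two *different* addresses share the visible head and tail that
// most people check by eye: the address-poisoning pattern.
function looksAlike(a, b) {
  return a !== b &&
    a.slice(2, 2 + PREFIX) === b.slice(2, 2 + PREFIX) &&
    a.slice(-SUFFIX) === b.slice(-SUFFIX);
}

// intended: address from the verified original source.
// candidate: what actually sits in the recipient field after pasting.
// Only "exact" should be allowed through to signing.
function classifyAddress(intended, candidate) {
  const i = normalize(intended);
  const c = normalize(candidate);
  if (i === c) return "exact";
  if (looksAlike(i, c)) return "lookalike"; // address poisoning
  return "mismatch";                        // e.g. clipboard hijacker swap
}

// addressBook: verified addresses. history: [{from, value}] incoming entries.
// Returns entries whose sender mimics a verified address (dust from a look-alike).
function findPoisonedEntries(addressBook, history) {
  const known = addressBook.map(normalize);
  return history.filter(tx => {
    const from = normalize(tx.from);
    return known.some(k => looksAlike(k, from));
  });
}

// Constructed demo data: same first 6 and last 6 hex chars, different middle.
const COUNTERPARTY = "0xabcdef" + "1".repeat(28) + "123456";
const POISONER     = "0xabcdef" + "2".repeat(28) + "123456";
const DEMO_HISTORY = [
  { from: POISONER, value: "0.000001" },      // dust, arrives right after a test tx
  { from: COUNTERPARTY, value: "50" },        // the genuine counterparty
];
```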
Ice Phishing
Ice phishing doesn't steal your keys. It tricks you into granting authorization. Over $1 billion has been stolen since 2021 through variations of this attack.
The attack flow: you visit a malicious site (or a compromised legitimate site). The site presents a transaction for you to sign. The UI shows something appealing - "Claim your airdrop", "Mint exclusive NFT", "Verify your wallet". The actual transaction being signed is an ERC-20 approval granting the attacker's address unlimited permission to move a specific token from your wallet.
The signed approval is valid and on-chain. The attacker calls the transferFrom function at their leisure - immediately or months later. Even if you revoke the approval afterward, any transfers that already occurred are irreversible. Phishing losses in 2025 totaled $84 million (down 83% from 2024 due to awareness and tool improvements), but the average loss per victim increased. January 2026 erased much of that progress with $300 million lost in a single month.
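The following guard is an added example, not code from the course, and serves both the EIP-2612 permit phishing described earlier and the ERC-20 approval flow described here. It inspects the two request shapes a wallet sees before anything is signed: EIP-712 typed data whose primary type is Permit, and raw calldata for approve(address,uint256). The spender allow-list, the one-year deadline threshold and the sample requests are constructed assumptions; the approve selector 0x095ea7b3 is the real one.

```javascript
// Added example (not from the course): a pre-signing guard for authorizations.
// Flags the signs of signature phishing and ice phishing described in the text:
// an unknown spender, an unlimited amount, and (for permits) a far-future deadline.

const UINT256_MAX = (1n << 256n) - 1n;
const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const ONE_YEAR = 365n * 86400n;

// Spenders the user has knowingly approved before (constructed placeholder).
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Shared policy: who may move the tokens, how much, and for how long.
function authorizationFindings(spender, amount, deadline, now) {
  const findings = [];
  if (!KNOWN_SPENDERS.has(spender.toLowerCase())) findings.push("unknown-spender");
  if (amount === UINT256_MAX) findings.push("unlimited-amount");
  if (deadline !== undefined && deadline - now > ONE_YEAR) findings.push("far-deadline");
  return findings;
}

// Off-chain path: typed data handed to eth_signTypedData_v4. A Permit costs no
// gas to sign but is a complete transfer authorization once submitted on-chain.
function reviewTypedData(typedData, now) {
  if (typedData.primaryType !== "Permit") return { kind: "other", findings: [] };
  const m = typedData.message;
  const findings = authorizationFindings(m.spender, BigInt(m.value), BigInt(m.deadline), now);
  return { kind: "permit", spender: m.spender.toLowerCase(), findings };
}

// On-chain path: ABI-decode approve(address,uint256) from eth_sendTransaction data.
// Layout: 4-byte selector, then two 32-byte words; the address is right-aligned.
function reviewCalldata(data) {
  const hex = data.toLowerCase();
  if (!hex.startsWith(APPROVE_SELECTOR) || hex.length !== 10 + 128) {
    return { kind: "other", findings: [] };
  }
  const spender = "0x" + hex.slice(10 + 24, 10 + 64);
  const amount = BigInt("0x" + hex.slice(10 + 64, 10 + 128));
  return { kind: "approve", spender, amount, findings: authorizationFindings(spender, amount) };
}

// Constructed phishing-style requests: unknown spender, unlimited value, far deadline.
const PHISH_PERMIT = {
  primaryType: "Permit",
  message: { owner: "0x" + "aa".repeat(20), spender: "0x" + "bb".repeat(20),
             value: UINT256_MAX.toString(), nonce: "0", deadline: "9999999999" },
};
const PHISH_APPROVE = APPROVE_SELECTOR + "0".repeat(24) + "bb".repeat(20) + "f".repeat(64);
```

A wallet would surface any non-empty findings list to the user in plain language before the signing prompt; an empty list means the request matches a spender and amount the user has already chosen to trust.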
North Korean State Actors
Lazarus Group is North Korea's primary cyber operations unit. In 2025, they stole $2.02 billion in crypto - a 51% increase year over year. This is a state-funded operation with professional teams, operational security, months-long preparation cycles, and a nation-state's backing.
Their primary method is social engineering targeting crypto company employees, not individuals. They spend weeks or months building rapport with development team members through LinkedIn, Telegram, and Discord before deploying malware via fake job opportunities, infected documents, or compromised development tools.
For individual holders, Lazarus Group is largely not your threat. They target company treasury wallets, exchange infrastructure, and protocol deployment keys - not retail accounts. The relevant lesson is systemic: if you hold assets with any company in the crypto space, that company is a target of well-resourced, patient adversaries. The Bybit attack is the evidence. Counterparty risk at the institutional level is real, which is the argument for self-custody at scale.
Social Engineering Case Studies
Four named incidents, dissected step by step. The point is not to memorize the names. It is to recognize the pattern: in every case, the keys themselves stayed where they were supposed to. The attacker compromised the workflow around the keys. Three of the four cases below also feature signers who used hardware wallets, followed established review procedures, and still lost the funds.
Case 1: Ronin Bridge - $625 million (March 2022)
1. Lazarus operators built a months-long fake-recruiter persona on LinkedIn targeting senior engineers at Sky Mavis (the studio behind Axie Infinity).
2. A senior engineer accepted what they believed was a job interview and received a PDF "offer document."
3. The PDF carried a remote-control payload that compromised the engineer's workstation.
4. Lazarus moved laterally, eventually obtaining 4 of the 5 Sky Mavis-controlled validator keys for the Ronin bridge (a 5-of-9 multisig).
5. The 5th signature came from the Axie DAO. Sky Mavis had been granted signing authority on behalf of the DAO during a 2021 traffic spike. That delegation had never been revoked.
6. With 5 of 9 validators in hand, the attackers approved two withdrawals: 173,600 ETH and 25.5M USDC. Around $625M at the time.
7. Lesson: dormant permissions are real attack surface. The Axie DAO delegation existed for nine months past its useful life. Audit and revoke.
Case 2: Radiant Capital - ~$50 million (October 16, 2024)
1. A Radiant developer received a Telegram message from someone impersonating a former Radiant contractor.
2. The message included a PDF described as a smart-contract audit report from a third party.
3. The PDF carried a macOS payload (INLETDRIFT family, attributed to Lazarus by Mandiant) that compromised at least three developer machines.
4. On signing day, the attackers used the compromised machines to inject JavaScript into the front-end the team used to review multisig transactions.
5. Signers opened Safe UI and Ledger Live, saw an expected-looking routine transaction, and approved on hardware. The bytes signed were not the bytes displayed.
6. The signed payloads transferred ownership of Radiant's lending pool contracts to the attacker, who immediately drained ~$50M.
7. Lesson: a tampered front-end defeats human review. Hardware wallets only protect you if you can read what they show on the device screen and reject anything that does not match.
Case 3: Bybit - $1.5 billion (February 21, 2025)
1. Lazarus (specifically the TraderTraitor / UNC4899 cluster) compromised a Safe{Wallet} developer machine through a targeted social-engineering campaign.
2. The attackers planted JavaScript in the Safe UI build that activated only for transactions involving Bybit's specific cold-wallet Safe contract address.
3. When Bybit's signers loaded the Safe UI to approve a routine cold-to-warm wallet rebalance, the page displayed the expected destination and amount.
4. Behind that display, the actual transaction was a delegatecall to an attacker-controlled contract that overwrote the Safe's implementation slot.
5. Three signers reviewed on Ledger devices and approved. Because Safe-multisig signing on Ledger displays a SafeTxHash rather than a decoded transaction, the signers blind-signed a hash the UI told them was safe.
6. Once the implementation was swapped, the attacker controlled the Safe. ~401,000 ETH (about $1.5B at the time) moved within minutes.
7. Lesson: blind-signing a hash relies on the UI being trustworthy. If the UI is compromised, the hardware wallet cannot save you. Use signing tools that decode the full transaction on the hardware screen.
Case 4: Pig butchering and romance scams - retail-facing pattern
1. Initial contact via dating app, social media, or a wrong-number text. The opener is friendly, plausible, and patient. There is no immediate ask.
2. Weeks of grooming. Daily messages. The relationship feels real because, at this stage, it largely is - except the opener is one operator running dozens of these threads in parallel from a scam compound.
3. Gradual introduction of an investment opportunity. A relative or mentor is doing well in crypto trading. The platform looks like a real exchange, complete with charts, balance pages, and customer service.
4. Initial deposit shows a small profit. A second deposit shows a larger one. The platform displays gains the victim could withdraw if they wanted to.
5. When the victim tries to withdraw, they are asked to pay tax, fees, or unlock charges first. Each payment unlocks a new requirement. The withdrawal never arrives.
6. FBI IC3 reported approximately $3.96 billion in cryptocurrency investment fraud losses in 2023 and approximately $5.6 billion in 2024 - the umbrella category that includes pig butchering. The pattern dwarfs every protocol exploit and exchange hack combined.
7. Lesson: any investment platform you reach through a stranger's introduction is a scam until proven otherwise. Real exchanges do not need a charming intermediary, and real crypto withdrawals do not require pre-payment of fees.
The pattern across all four
Cases 1 through 3 are institutional. Case 4 is retail. They share one mechanic: a long, patient build-up of trust or context that is entirely orthogonal to the technical control being attacked. Ronin and Radiant compromised developer machines through human contact before any code was touched. Bybit compromised a third-party build pipeline before any signature was requested. Pig butchering compromises the victim's trust before any deposit is made. The technical attack at the end is short. The setup is always months.
For an institutional signer, the defenses are: decoded-transaction signing on the hardware device (so the bytes you sign are the bytes you see), independent verification of every signing UI, periodic revocation of dormant cross-organization permissions, and out-of-band confirmation that the human asking you to sign is the human you think it is. For a retail user, the defenses are simpler and harder: every unsolicited message that becomes about money is the start of a scam, every platform you reach through a stranger is fake, and any service that asks you to pay before withdrawing is taking the fee and disappearing.
Knowledge Check
Module 4 - 9 questions
Address poisoning attacks work by which mechanism?
In 2025, US losses attributed to SIM swap attacks totaled approximately how much?
ClipXDaemon, discovered in February 2026, is a piece of malware that targets which operating system and uses what method?
A flash loan attack allows an attacker to borrow millions of dollars in a single transaction. What collateral is required?
North Korean Lazarus Group stole approximately how much in 2025, and what was their primary method?
Ice phishing attacks differ from traditional phishing by not stealing your private key. Instead, what do they achieve?
The OWASP Smart Contract Top 10 lists which vulnerability as a common attack pattern involving borrowed external function calls?
In the Radiant Capital attack (October 2024, ~$50M) and the Bybit attack (February 2025, $1.5B), the multisig signers used hardware wallets and reviewed every transaction. Why did review-on-hardware fail to stop either attack?
Pig butchering scams produce a withdrawal-fee escalator after the victim has been groomed and made initial deposits. What is the actual purpose of those fees?