Social Engineering a Crypto Startup: Inside Job for $2M
An employee with treasury access was manipulated over three months. The attacker built trust through a fake job offer at a competitor. The 'interview process' included screen-sharing during a wallet transaction, which revealed the multi-sig setup.
The Incident
A mid-level employee at a crypto startup with treasury management responsibilities was approached via LinkedIn by a recruiter for a competing firm. Over three months of increasingly detailed 'interview' conversations, the employee shared information about their current role, responsibilities, and workflows. During a 'technical assessment' video call, the recruiter asked the employee to walk through how they handle operational transactions, and the employee shared their screen while performing a routine treasury operation. That single session revealed the multi-sig wallet address, the signing flow, the number of required signatures, and which co-signers were typically available. Three weeks later, $2 million was drained from the company treasury in two transactions.
Attack Vector: Long-Con Social Engineering
The attacker invested three months building rapport and trust. The LinkedIn profile was a sophisticated fake with a real-looking history, connections to real people in the industry (via mass connection requests), and endorsements. The 'interview process' was designed as an intelligence-gathering operation: early conversations mapped the organizational structure, middle conversations identified the treasury setup and signing procedures, and the screen-sharing session provided the specific technical details needed to plan the theft. The attacker combined this reconnaissance with a targeted phishing attack on one of the co-signers, obtaining enough signatures to execute the unauthorized transactions.
On-Chain Trail
Two transactions were executed: $1.4 million in ETH and $600,000 in USDC, both from the company's Gnosis Safe multisig wallet. The ETH was immediately swapped through multiple DEXs in rapid succession (Uniswap, SushiSwap, and Curve), fragmenting the trail across dozens of token pairs before reconsolidating and bridging to Arbitrum, then to a privacy chain. The USDC was sent directly to a centralized exchange. Circle, the USDC issuer, was contacted within 6 hours of the theft and froze the USDC at the destination exchange address before the attacker could withdraw or swap it. That freeze was possible only because the USDC token contract lets the issuer blacklist addresses; native ETH has no equivalent control, which is why the two legs of the theft had such different outcomes.
Outcome
The $600,000 in USDC was frozen by Circle and is in the process of being returned through a law enforcement-mediated recovery. The $1.4 million in ETH is considered lost: the DEX swap chain and cross-chain bridging effectively obscured the trail beyond practical recovery. The employee who was socially engineered was terminated. The company implemented a complete security overhaul of its treasury management practices. Total net loss after the partial USDC recovery: approximately $1.4 million. The attacker has not been identified.
Prevention
Treasury operations should never be performed while screen-sharing with anyone outside the organization. Period. This is a non-negotiable operational security rule. Implement a policy that all wallet operations (viewing addresses, signing transactions, checking balances) are performed only on air-gapped or dedicated devices, never during video calls or in environments where the screen could be observed. Use multi-party signing ceremonies where each signer verifies the transaction details (recipient, amount, calldata, nonce) through a separate, pre-authenticated communication channel, not the same video call or chat where the transaction was initiated; a co-signer who confirms the exact transaction hash out of band is far harder to phish into approving a substituted payment. Choose the signer set and threshold so that one phished co-signer plus one compromised initiator still falls short of the required signatures, since the screen-share in this incident disclosed exactly which signers were usually available to reach the threshold. Background check all new hires with treasury access. Apply the principle of least privilege: no single employee should be able to initiate AND approve treasury transactions. And train all employees to recognize social engineering tactics, particularly long-con approaches that build trust over weeks or months before the actual attack.
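The following is a worked model of the signing policy described above, added here as an example; it is not code from the page, from the company involved, or from Safe. It assumes an M-of-N treasury where the proposer's own approval does not count toward the threshold, each approver confirms a transaction digest over a separate pre-authenticated channel (modelled as an HMAC under a per-signer secret), and a nonce prevents replaying an executed transaction. Signer names, secrets, addresses and the threshold are constructed, and the SHA-256 digest stands in for the real Safe transaction hash.

```python
"""Treasury signing policy model (added example, not the page's or Safe's own
code). Signer names, secrets, addresses and threshold are constructed; the
SHA-256 digest is a stand-in for the real Safe transaction hash."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field


class PolicyError(Exception):
    """Raised when an action violates the treasury policy."""


@dataclass(frozen=True)
class TreasuryTx:
    to: str          # recipient address
    value_wei: int   # native value in wei
    data: str        # hex calldata, "0x" for a plain transfer
    nonce: int       # must equal the policy's next nonce

    def digest(self) -> str:
        """Hash over every field a signer must verify; any change alters it."""
        canonical = json.dumps({"to": self.to.lower(), "value": self.value_wei,
                                "data": self.data.lower(), "nonce": self.nonce},
                               sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class TreasuryPolicy:
    signers: dict     # signer name -> out-of-band channel secret (constructed)
    threshold: int    # approvals required, not counting the proposer
    next_nonce: int = 0
    pending: dict = field(default_factory=dict)  # digest -> {"proposer", "approved_by"}

    def oob_code(self, signer: str, tx: TreasuryTx) -> str:
        """Code the signer reads back over the separate channel: an HMAC of the
        digest under the signer's secret, so it is bound to one tx and one signer."""
        return hmac.new(self.signers[signer], tx.digest().encode(), "sha256").hexdigest()[:12]

    def propose(self, proposer: str, tx: TreasuryTx) -> str:
        if proposer not in self.signers:
            raise PolicyError(f"{proposer} is not an authorised signer")
        if tx.nonce != self.next_nonce:
            raise PolicyError(f"nonce {tx.nonce} != expected {self.next_nonce}")
        d = tx.digest()
        self.pending[d] = {"proposer": proposer, "approved_by": set()}
        return d

    def approve(self, signer: str, tx: TreasuryTx, code: str) -> int:
        """Record one approval; returns the number of distinct approvers so far."""
        rec = self.pending.get(tx.digest())
        if rec is None:
            raise PolicyError("no proposal matches these transaction fields")
        if signer not in self.signers:
            raise PolicyError(f"{signer} is not an authorised signer")
        if signer == rec["proposer"]:
            raise PolicyError("proposer may not approve their own transaction")
        if not hmac.compare_digest(code, self.oob_code(signer, tx)):
            raise PolicyError("out-of-band confirmation does not match this transaction")
        rec["approved_by"].add(signer)
        return len(rec["approved_by"])

    def execute(self, tx: TreasuryTx) -> bool:
        d = tx.digest()
        rec = self.pending.get(d)
        if rec is None:
            raise PolicyError("nothing pending for this transaction")
        if len(rec["approved_by"]) < self.threshold:
            raise PolicyError(f"{len(rec['approved_by'])}/{self.threshold} approvals")
        self.next_nonce += 1      # consume the nonce so the same tx cannot run twice
        del self.pending[d]
        return True


def rejected(action, *args) -> bool:
    """True if the action raises PolicyError, False if it succeeds."""
    try:
        action(*args)
        return False
    except PolicyError:
        return True


def walkthrough() -> dict:
    """Replays the incident's failure mode on constructed data: co-signer bob is
    phished, and the attacker also tries a substituted recipient and a replay."""
    policy = TreasuryPolicy(
        signers={"alice": b"alice-oob", "bob": b"bob-oob", "carol": b"carol-oob"},
        threshold=2)
    tx = TreasuryTx(to="0x" + "11" * 20, value_wei=5 * 10**18, data="0x", nonce=0)
    evil = TreasuryTx(to="0x" + "22" * 20, value_wei=5 * 10**18, data="0x", nonce=0)
    out = {}
    policy.propose("alice", tx)
    out["proposer_cannot_approve"] = rejected(policy.approve, "alice", tx, policy.oob_code("alice", tx))
    bob_code = policy.oob_code("bob", tx)  # what a phisher might capture from bob
    out["bob_code_on_substituted_tx"] = rejected(policy.approve, "bob", evil, bob_code)
    out["one_signer_not_enough"] = policy.approve("bob", tx, bob_code) == 1 and rejected(policy.execute, tx)
    out["bob_code_reused_as_carol"] = rejected(policy.approve, "carol", tx, bob_code)
    out["second_signer_executes"] = policy.approve("carol", tx, policy.oob_code("carol", tx)) == 2 and policy.execute(tx)
    out["replay_blocked"] = rejected(policy.execute, tx)
    out["next_nonce"] = policy.next_nonce
    return out
```

Running walkthrough() shows every control firing in turn: the phished code is useless for a substituted recipient or for another signer, one compromised co-signer cannot reach the threshold alone, and an executed transaction cannot be replayed. In a real deployment the digest would be the EIP-712 Safe transaction hash and the confirmation would travel over a channel such as a phone call or an authenticated messaging app that was set up in advance, never the session in which the transaction was proposed.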